thorko.de - Linux / Unix systems administrator

Latest SysadminDB entries


Poodle-Attack - Disable SSLv3 in apache, postfix, dovecot

Apache

In your site configuration add

SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.2 +TLSv1.1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

 

Postfix

In your main.cf file

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

 

Dovecot

In your 10-ssl.conf file

ssl_protocols = !SSLv2 !SSLv3
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:!SSLv3:!LOW:!SSLv2:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

 

To test whether SSLv3 is disabled, run the following command; if it is disabled, the handshake fails:

openssl s_client -connect www.thorko.de:443 -ssl3
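
An added example, not part of the original post: a small POSIX sh audit that reads the protocol lines from the three configurations above and reports whether each still permits SSLv3, which helps when the local openssl build no longer offers -ssl3. The parsing is a simplified model of each daemon's syntax; the function names and sample input are constructed, and smtpd_tls_protocols (Postfix's list for opportunistic TLS) is a real parameter that the page does not set.

```sh
#!/bin/sh
# Added example: does a protocol directive still permit SSLv3? (simplified model)

# sslv3_state STYLE VALUE  ->  prints "enabled" or "disabled"
#   apache : "all", "+P", "-P" or bare "P", applied left to right
#   exclude: Postfix/Dovecot syntax; "!P" removes P, and if any protocol is
#            named without "!" only the named ones are on
sslv3_state() (
    set -f                                   # no globbing on unquoted $value
    style=$1 on=0 named=0 excluded=0
    value=$(printf '%s' "$2" | tr ',' ' ')
    for tok in $value; do
        case "$style:$tok" in
            apache:all|apache:+SSLv3|apache:SSLv3) on=1 ;;
            apache:-SSLv3|apache:-all)             on=0 ;;
            apache:[+-]*)                          ;;      # other protocol toggled
            apache:*)                              on=0 ;; # bare name replaces the set
            exclude:!SSLv3)                        excluded=1 ;;
            exclude:!*)                            ;;
            exclude:SSLv3)                         on=1 named=1 ;;
            exclude:*)                             named=1 ;;
        esac
    done
    if [ "$style" = exclude ]; then
        if [ "$named" -eq 0 ]; then on=1; fi     # only exclusions: the rest stays on
        if [ "$excluded" -eq 1 ]; then on=0; fi
    fi
    if [ "$on" -eq 1 ]; then echo enabled; else echo disabled; fi
)

# audit: read config lines on stdin, print "<directive>: SSLv3 <state>"
audit() {
    sed 's/[[:space:]]*=[[:space:]]*/ /' |       # accept "key = value" and "key=value"
    while read -r key rest; do
        case "$key" in
            SSLProtocol) echo "$key: SSLv3 $(sslv3_state apache "$rest")" ;;
            smtpd_tls_mandatory_protocols|smtpd_tls_protocols|ssl_protocols)
                echo "$key: SSLv3 $(sslv3_state exclude "$rest")" ;;
        esac
    done
}

# Constructed sample: the page's three settings plus one weak variant.
audit <<'EOF'
SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.2 +TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
ssl_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2
EOF
```

Only the last sample line is reported as "enabled"; to audit real files, pipe them in, for example `cat main.cf 10-ssl.conf | audit`.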

 




Install dependencies when compiling from source

When you install software from source, it is always a pain to find the packages needed to satisfy its dependencies. auto-apt is a package that solves this issue.

~$ apt-get install auto-apt
~$ auto-apt update
~$ auto-apt update-local
~$ auto-apt -y -x run ./configure .....

auto-apt checks during the configure run which packages are needed and installs them automatically.




Use perl to compare version numbers

~$ perl -wle 'print 1 unless "7.0.23-1" gt "7.0.25-2"'



Show memory consumption by process

~$ ps -e -orss=,args= | sort -b -k1,1n | pr -TW$COLUMNS



Bash hints

change to previous directory

cd -

change to home

cd

rename many files at once

for f in *test*; do mv -- "$f" "${f/test/prod}"; done

ctrl-a   Move cursor to beginning of line
ctrl-e   Move cursor to end of line
meta-b   Move cursor back one word
meta-f   Move cursor forward one word
ctrl-w   Cut the last word
ctrl-u   Cut everything before the cursor
ctrl-k   Cut everything after the cursor
ctrl-y   Paste the last thing to be cut
ctrl-_   Undo

do a fast backup of a file

cp test1.cfg{,.bak}

do a fast copy and replace

a=/tmp/test1
cp "$a" "${a/1/2}"

 

untar a gzipped file (archive.tar.gz is a placeholder name)

$ gzip -dc archive.tar.gz | tar -tf -      # show content of file
$ gzip -dc archive.tar.gz | tar -xvf -     # extract files




(c) 2014 by thorko.de