Turn off TLSv1 for port 4643

Discussion in 'Containers and Virtual Machines Discussion' started by Josh_Harrington-Lunt, Oct 20, 2015.

  1. Josh_Harrington-Lunt

    Josh_Harrington-Lunt Kilo Poster

    Messages:
    13
    Hi all,

    After jumping through a lot of hoops a few months back to get a Plesk 12.0 on Centos 6.6 to be PCI compliant, this quarterly scan has come back and now wants TLSv1 turned off for port 4643 which I believe is Virtuozzo.

    Does anyone have any ideas how to go about this?

    Thanks
    Josh
     
  2. Pavel

    Pavel A.I. Auto-Responder Staff Member

    Messages:
    475
    Hello Josh,

    PVA PP is running on the VZ host in Apache. Thus the configuration should be performed on the hardware node, not in the container or VM.
    This is configured in ssl.conf:

    Code:
    [root@vz ~]# grep -n SSLProtocol  /etc/httpd/conf.d/ssl.conf
    94:# SSLProtocol all -SSLv2
    
    Directive is well-described in apache documentation.
    If you have openssl 1.0.1 (that is what I've got on my Virtuozzo 6.0) you can edit the above-mentioned line (first, uncomment it) to:
    Code:
    [root@vz ~]# grep SSLProtocol /etc/httpd/conf.d/ssl.conf -n
    94:SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    
    Note, TLSv1.1 and TLSv1.2 are separate from TLSv1 in OpenSSL 1.0.1 thus we can safely disable it like that.
     
  3. Josh_Harrington-Lunt

    Josh_Harrington-Lunt Kilo Poster

    Messages:
    13
    Thank you for replying so fast.

    I've just tried this and ran another PCI scan, this did fix my issue of TLSv1 being open for port 443 however it is still failing on port 4643?
     
  4. Pavel

    Pavel A.I. Auto-Responder Staff Member

    Messages:
    475
    Hello Josh,

    Indeed, I forgot that offline services have their individual SSL config.
    It is easy to find the config using the "httpd -S" command:

    Code:
    [root@vz ~]# httpd -S
    VirtualHost configuration:
    wildcard NameVirtualHosts and _default_ servers:
    _default_:80  vz.sw.ru (/etc/httpd/conf.d/parallels.conf:3)
    _default_:443  vz.sw.ru (/etc/httpd/conf.d/parallels.conf:26)
    _default_:4643  vz.sw.ru (/etc/httpd/conf.d/z.pva.pp.10.conf:5)
    _default_:8443  vz.sw.ru (/etc/httpd/conf.d/z.pva.pp.20.plesk.conf:3)
    _default_:4646  vz.sw.ru (/etc/httpd/conf.d/z.pva.soap.conf:5)
    _default_:8080  vz.sw.ru (/etc/httpd/conf.d/z.pva.soap.conf:13)
    Syntax OK
    [root@vz ~]# grep ssl /etc/httpd/conf.d/z.pva.pp.10.conf  
     Include /etc/opt/pva/pp/plugins/httpd/include.ssl.conf 
    
    These files contain the SSLProtocol configuration; just add the exclusion for TLSv1 as you did in ssl.conf earlier:
    Code:
    [root@vz ~]# grep SSLProtocol /etc/opt/pva/pp/plugins/httpd/include.ssl.conf
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    [root@vz ~]# grep SSLProtocol /etc/httpd/conf.d/z.pva.pp.20.plesk.conf
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    
    Please let me know if you experience any issues even after adjusting these configuration files.
     
    Last edited: Oct 20, 2015
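An added example (not from the thread, and not Virtuozzo/PVA code) that turns the two findings above into a repeatable check: the SSLProtocol value is evaluated the way mod_ssl does ("all", "+NAME", "-NAME" and bare keywords), a commented-out line leaves the mod_ssl default in force (which is why the stock `# SSLProtocol all -SSLv2` line in ssl.conf still allowed TLSv1), and Include lines are followed so the 4643 vhost is judged by include.ssl.conf. The protocol set that "all" expands to (an OpenSSL 1.0.1 build), the Apache 2.2 default of "all", the sample file contents and the port-to-file map are assumptions constructed for the example; on a real node you would read the files that `httpd -S` points at.

```python
"""Audit Apache mod_ssl SSLProtocol settings for legacy protocols.

Added example, not from the forum thread. Evaluates the SSLProtocol
directive the way mod_ssl parses it and follows Include lines, so a vhost
whose only SSL setting is `Include .../include.ssl.conf` is judged by the
included file's directive.
"""
import re

# Assumption: protocols an OpenSSL 1.0.1 build offers; "all" expands to these.
ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
# Protocols the PCI scan in the thread objects to.
LEGACY = frozenset({"SSLv2", "SSLv3", "TLSv1"})
# Assumption: Apache 2.2 (CentOS 6) default when no SSLProtocol directive is active.
DEFAULT_SSLPROTOCOL = "all"

# Matches an active (uncommented) SSLProtocol or Include directive.
_DIRECTIVE = re.compile(r"^\s*(SSLProtocol|Include)\s+(.+?)\s*$", re.IGNORECASE)


def parse_sslprotocol(value):
    """Return the set of protocols an SSLProtocol value enables.

    Tokens are processed left to right from an empty set: "all" and bare
    names add, "+NAME" adds, "-NAME" removes (mod_ssl semantics).
    """
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[1:] if sign else token
        if name.lower() == "all":
            names = set(ALL_PROTOCOLS)
        else:
            names = {p for p in ALL_PROTOCOLS if p.lower() == name.lower()}
            if not names:
                raise ValueError("unknown SSLProtocol keyword: %s" % token)
        if sign == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def effective_sslprotocol(files, path):
    """Return the last SSLProtocol value reachable from `path`, or None.

    `files` maps config paths to their text (constructed below; on a real
    host read them from disk). Commented-out lines never match, so the
    stock "# SSLProtocol all -SSLv2" line contributes nothing.
    """
    value = None
    for line in files[path].splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2)
        if keyword == "include":
            if arg in files:  # unknown include paths are skipped
                included = effective_sslprotocol(files, arg)
                if included is not None:
                    value = included
        else:
            value = arg
    return value


def audit(files, vhosts):
    """Map each vhost port to the sorted legacy protocols it still accepts."""
    report = {}
    for port, path in vhosts.items():
        value = effective_sslprotocol(files, path) or DEFAULT_SSLPROTOCOL
        report[port] = sorted(parse_sslprotocol(value) & LEGACY)
    return report


# Constructed sample files mirroring the thread's layout (not real host contents):
# ssl.conf still has the directive commented out, the 4643 vhost pulls its SSL
# settings from include.ssl.conf, and only the Plesk vhost has TLSv1 removed.
SAMPLE_FILES = {
    "/etc/httpd/conf.d/ssl.conf": "Listen 443\n# SSLProtocol all -SSLv2\nSSLEngine on\n",
    "/etc/httpd/conf.d/z.pva.pp.10.conf": (
        "<VirtualHost _default_:4643>\n"
        " Include /etc/opt/pva/pp/plugins/httpd/include.ssl.conf\n"
        "</VirtualHost>\n"),
    "/etc/opt/pva/pp/plugins/httpd/include.ssl.conf": "SSLProtocol all -SSLv2 -SSLv3\n",
    "/etc/httpd/conf.d/z.pva.pp.20.plesk.conf": "SSLProtocol all -SSLv2 -SSLv3 -TLSv1\n",
}
SAMPLE_VHOSTS = {
    443: "/etc/httpd/conf.d/ssl.conf",
    4643: "/etc/httpd/conf.d/z.pva.pp.10.conf",
    8443: "/etc/httpd/conf.d/z.pva.pp.20.plesk.conf",
}

if __name__ == "__main__":
    for port, legacy in sorted(audit(SAMPLE_FILES, SAMPLE_VHOSTS).items()):
        print("port %d: %s" % (port, ("FAIL " + ", ".join(legacy)) if legacy else "ok"))
```

Run against the constructed files, port 443 is reported with SSLv2, SSLv3 and TLSv1 (the commented line leaves the default "all"), port 4643 still fails on TLSv1, and port 8443 passes. The `all` expansion is the one thing to confirm on a real node (`openssl version`, `httpd -V`), since newer Apache 2.4 builds already drop SSLv2/SSLv3 from it and add TLSv1.3.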
  5. Josh_Harrington-Lunt

    Josh_Harrington-Lunt Kilo Poster

    Messages:
    13
    Thank you for this. I've tried it but don't seem to get the same results as you.

    Running httpd -S port 4643 does not appear in the list, I only get 80 and 443.

    Then doing grep SSLProtocol /etc/opt/pva/pp/plugins/httpd/include.ssl.conf and grep SSLProtocol /etc/httpd/conf.d/z.pva.pp.20.plesk.conf both return No such file or directory?
     
  6. Pavel

    Pavel A.I. Auto-Responder Staff Member

    Messages:
    475
    PVA Power Panel is accessed via the container IP; however, it has been running on the Virtuozzo hardware node side since version 4.6. Prior to this version it ran in a Service Container.
    There are only 2 possible reasons why you cannot find the files:

    1) your server is running PVCfL 4.0 or PVCfL 4.6 with an outdated VZAgent instead of PVA Agent (which is why Power Panel is running in a Service Container). What is your Virtuozzo version? What is the Agent version?
    Please post results from the following command:
    Code:
    # rpm -qa | egrep 'release|agent'
    2) you're checking it in the wrong place. It must be checked in a hardware node, not inside of a container.
     
  7. Josh_Harrington-Lunt

    Josh_Harrington-Lunt Kilo Poster

    Messages:
    13
    Sorry for the late reply.

    It is more likely I'm not checking in the hardware node. I rent this VPS from a hosting company so pretty sure I only have access to inside the container. I'll contact them then report back here.
     
  8. Pavel

    Pavel A.I. Auto-Responder Staff Member

    Messages:
    475
    Hello Josh,

    It makes sense now.
    Even though you check port 4643 for your IP, this port is listened on at the hardware node, so this adjustment must be performed by your hoster, on the hardware node.

    I'll be waiting for your reply, your feedback is highly appreciated.
     
  9. Josh_Harrington-Lunt

    Josh_Harrington-Lunt Kilo Poster

    Messages:
    13
    So I've spoken to my hosting company and they are refusing to do anything about it, just suggest I switch to a dedicated server instead of a VPS.

    The PCI compliance company have suggested closing port 4643. At the moment I am using Plesk to manage the Firewall rules, obviously Virtuozzo doesn't appear in that list. Is there a way to restrict port 4643 to just certain IP addresses inside of the container?
     
  10. Pavel

    Pavel A.I. Auto-Responder Staff Member

    Messages:
    475
    Hello Josh,

    Probably you can try to reach out to a higher-tier support of your hoster to persuade them.
    Even if they refuse to change the supported SSL protocols list (which is kind of understandable, because the change would be global for the entire host) you might ask them to disable offline management for your VPS (Virtuozzo Power Panel).

    If your hoster does not use an Automation solution, it's a simple command:
    Code:
     vzctl set CTID --offline_management off --save 
    If they're using Odin Service Automation (new name for Parallels Operation Automation) it's still easy to change, one-click in the VPS management screen.
    Disabling offline management for your VPS would prevent port 4643 from listening for your IP entirely, and the change will affect only your container. This option should sound acceptable for your hoster.

    As for your initial query, since the port is listened on not inside your VPS but on the Virtuozzo host, there is no way for you to block the connection from inside of the VPS.
    The only way to get compliance is to continue dialogue with your hoster.
     
