Protect from SSL Drown Attack in AWS ELB, Apache and Nginx

March 4, 2016 by Sharad Chhetri Leave a Comment

DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. It is a cross-protocol attack: an attacker who can record TLS connections uses a server that still accepts SSLv2 as an oracle to decrypt the RSA key exchange of those recorded TLS sessions. The SSLv2 server does not have to be the web server itself; any service that shares the same RSA private key (for example a mail server presenting the same certificate) is enough. The academic researchers who found it disclosed DROWN publicly on 1 March 2016.

The vulnerability was assigned CVE-2016-0800. For more detail, read the OpenSSL security advisory for DROWN.

Solution: disable SSLv2 everywhere the affected RSA key is used, not only on the web server. Upgrading OpenSSL to 1.0.2g or 1.0.1s, which disable SSLv2 by default, is the other half of the fix. SSLv2 has been deprecated for years, yet at the time of disclosure millions of websites were still reachable over SSLv2 or shared a key with a server that was.

NOTE: In 2014 the POODLE attack showed that SSLv3 is broken as well, so SSLv3 should be disabled at the same time.

AWS has published its guidance for the DROWN vulnerability in a Security Advisory bulletin.

Solution For SSL DROWN vulnerability in AWS ELB

After POODLE and DROWN, AWS's current predefined ELB security policies no longer include SSLv2 or SSLv3. AWS recommends switching any listener that still uses an older predefined or custom policy to the predefined policy ELBSecurityPolicy-2015-05.

The original post shows the steps as a screenshot: open the load balancer's HTTPS listener settings, change the SSL negotiation configuration to the predefined ELBSecurityPolicy-2015-05, and save.

Source: https://aws.amazon.com/security/security-bulletins/cve-2016-0800-advisory/

Solution For SSL DROWN vulnerability in Apache Webserver

We disable both SSLv2 and SSLv3: SSLv2 for DROWN, SSLv3 for POODLE.
In the Apache configuration, find the SSL section (mod_ssl's configuration or the TLS virtual host) and edit or add the SSLProtocol line as shown below. Apache 2.4's mod_ssl no longer supports SSLv2 at all, so the -SSLv2 token matters for Apache 2.2; it is harmless to keep on 2.4.

SSLProtocol all -SSLv3 -SSLv2

Check the configuration syntax first (apachectl configtest), then restart Apache so the new protocol list takes effect:

## In Debian/Ubuntu

sudo service apache2 restart
## In RHEL 5.x,6.x / CentOS 5.x,6.x

sudo service httpd restart
## In RHEL 7.x / CentOS 7.x

sudo systemctl restart httpd.service

Solution For SSL DROWN/POODLE vulnerability in Nginx Webserver

In the Nginx configuration we disable SSLv2 and SSLv3 as well. As described above, disabling SSLv2 addresses DROWN and disabling SSLv3 addresses POODLE.

Find the ssl_protocols directive (in the http block, so every server block inherits it, or in each server block that listens with ssl) and set it to allow only the TLS versions:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Check the configuration syntax (nginx -t), then restart Nginx:

## In Debian/Ubuntu

sudo service nginx restart
## In RHEL 5.x,6.x / CentOS 5.x,6.x

sudo service nginx restart
## In RHEL 7.x / CentOS 7.x

sudo systemctl restart nginx.service

How to check SSL Drown vulnerability

You can check for DROWN exposure with one of the online scanners.

As the Linux system administrator of your infrastructure, you should also verify from the command line. The following nmap command enumerates the server's SSL/TLS protocols and ciphers; the output shows whether SSLv2 or SSLv3 is still enabled.

nmap --script ssl-cert,ssl-enum-ciphers -p 443 [hostname-or-IP-address]

NOTE: nmap must be installed to run the command above. Recent nmap releases also ship a dedicated sslv2-drown script.

Some networks and CDN providers filter or rate-limit port scans, so nmap may return no useful result.

If nmap does not give a satisfactory result, there is an alternative.

With the openssl command you can test the SSLv2 and SSLv3 protocols individually by forcing the client to speak only that version.

Note: Replace example.com with your target domain name.

To check SSLv2

openssl s_client -ssl2 -connect example.com:443

To check SSLv3

openssl s_client -ssl3 -connect example.com:443

If SSLv2/SSLv3 is disabled on the server, the handshake fails and you receive an error similar to this:

419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
420:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

If SSLv2/SSLv3 is enabled, the connection is established and s_client prints the certificate and session details.

Caveat: this test is only meaningful if your local openssl binary was built with SSLv2 support. OpenSSL 1.1.0 removed SSLv2 entirely, and most distribution builds of 1.0.x were compiled without it, so the client fails with "unknown option -ssl2" before it ever reaches the server. That error says nothing about the server; in that case test with nmap or with a tool that speaks SSLv2 itself. Also test every other service that uses the same RSA key (SMTP, IMAP, POP3 and so on), since DROWN works through any of them.
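Because the local openssl may not be able to speak SSLv2 at all, the following Python script is an added example (not part of the original post) that sends an SSLv2 CLIENT-HELLO over a raw socket and parses the SERVER-HELLO, so it reports the server's SSLv2 status regardless of how the local OpenSSL was built. The cipher codes and record layout come from the SSLv2 specification; the function names, the cipher list, and the constructed test message are assumptions of this example.

```python
"""Probe a server for SSLv2 support (the precondition for DROWN).

Added example for this post; not part of the original article. Speaks the
SSLv2 handshake directly, so it works even when the local openssl binary
was built without SSLv2 and `openssl s_client -ssl2` fails.
"""
import os
import socket
import sys

# SSLv2 cipher specs (3-byte codes). DROWN needs the server to accept at least
# one of them; the 40-bit export ciphers are what the fast "general DROWN"
# variant relies on, so they are flagged separately.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": ("SSL2_RC4_128_WITH_MD5", False),
    b"\x02\x00\x80": ("SSL2_RC4_128_EXPORT40_WITH_MD5", True),
    b"\x03\x00\x80": ("SSL2_RC2_128_CBC_WITH_MD5", False),
    b"\x04\x00\x80": ("SSL2_RC2_128_CBC_EXPORT40_WITH_MD5", True),
    b"\x05\x00\x80": ("SSL2_IDEA_128_CBC_WITH_MD5", False),
    b"\x06\x00\x40": ("SSL2_DES_64_CBC_WITH_MD5", False),
    b"\x07\x00\xc0": ("SSL2_DES_192_EDE3_CBC_WITH_MD5", False),
}
SSL2_CLIENT_HELLO = 0x01
SSL2_SERVER_HELLO = 0x04


def sslv2_record(body: bytes) -> bytes:
    """Wrap a message in the 2-byte SSLv2 record header: high bit set, 15-bit length."""
    if len(body) > 0x7FFF:
        raise ValueError("SSLv2 2-byte record header carries at most 32767 bytes")
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def build_sslv2_client_hello(challenge: bytes = None) -> bytes:
    """CLIENT-HELLO offering every SSLv2 cipher, no session id, 16-byte challenge."""
    challenge = os.urandom(16) if challenge is None else challenge
    ciphers = b"".join(SSLV2_CIPHERS)  # dict keys are the 3-byte cipher codes
    body = (
        bytes([SSL2_CLIENT_HELLO])
        + b"\x00\x02"                        # version SSL 2.0
        + len(ciphers).to_bytes(2, "big")    # cipher-specs length
        + (0).to_bytes(2, "big")             # session-id length
        + len(challenge).to_bytes(2, "big")  # challenge length
        + ciphers
        + challenge
    )
    return sslv2_record(body)


def parse_sslv2_server_hello(data: bytes):
    """Return a dict describing an SSLv2 SERVER-HELLO, or None if `data` is not one.

    A server with SSLv2 disabled answers with a TLS alert (first byte 0x15),
    with junk, or by closing the socket; none of those starts with an SSLv2
    record header followed by message type 0x04.
    """
    if len(data) < 2 or not data[0] & 0x80:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    # Fixed part: type(1) hit(1) cert-type(1) version(2) cert-len(2) cipher-len(2) conn-id-len(2)
    if len(body) < 11 or body[0] != SSL2_SERVER_HELLO:
        return None
    version = int.from_bytes(body[3:5], "big")
    cert_len = int.from_bytes(body[5:7], "big")
    cs_len = int.from_bytes(body[7:9], "big")
    specs = body[11 + cert_len:11 + cert_len + cs_len]
    names, export = [], False
    for i in range(0, len(specs) - len(specs) % 3, 3):
        code = specs[i:i + 3]
        name, is_export = SSLV2_CIPHERS.get(code, ("UNKNOWN_" + code.hex(), False))
        names.append(name)
        export = export or is_export
    return {"version": version, "session_id_hit": bool(body[1]),
            "cert_len": cert_len, "ciphers": names, "export_ciphers": export}


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0):
    """Send an SSLv2 CLIENT-HELLO; return the parsed SERVER-HELLO if SSLv2 is enabled, else None.

    Run it against every service sharing the web server's RSA key (SMTP, IMAP,
    POP3 on the same certificate), not just port 443.
    """
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            while len(data) < 16384:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return parse_sslv2_server_hello(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe_sslv2(host, port)
    if result is None:
        print("%s:%d does not speak SSLv2 (not directly exploitable by DROWN)" % (host, port))
    else:
        print("%s:%d ACCEPTS SSLv2: %s%s" % (host, port, ", ".join(result["ciphers"]),
              " (export ciphers offered)" if result["export_ciphers"] else ""))
```

Usage: `python3 sslv2_probe.py example.com 443`, then repeat for 465, 993, 995 or any other port whose certificate uses the same key. A None result only means that port does not speak SSLv2; the key is safe only when every service using it returns None.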
