/poodle_protector

Python script for automatically protecting your systems against POODLE vulnerability (CVE-2014-3566)
linux-server daemon poodle
  1. Python 100.0%
Switch branches/tags
Nothing to show
Find file
Clone or download

Clone with HTTPS

Use Git or checkout with SVN using the web URL.

Open in Desktop Download ZIP

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching GitHub Desktop...

If nothing happens, download GitHub Desktop and try again.

Launching Xcode...

If nothing happens, download Xcode and try again.

Launching Visual Studio...

If nothing happens, download the GitHub extension for Visual Studio and try again.

Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
LICENSE
README.md
poodle_protector.py

README.md

poodle_protector

poodle_protector.py is a Python script for automatically protecting your systems against POODLE vulnerability (CVE-2014-3566). It scans your Apache server configuration directories for unsecure configuration directives and ensures security by disabling SSL 2.0 and 3.0. It can also restart your server instantly after customizing the configuration.

Currently this only works for Linux servers running Apache, the support for other affected daemons (Tomcat, vsftpd, Dovecot, Postfix, openLDAP, CUPS) is planned (see nightly branch). The following Linux distros are detected automatically:

  • CentOS / Red Hat Enterprise Linux
  • openSUSE / SUSE Linux Enterprise Server
  • Debian / Ubuntu
  • Fedora

Parameters

# ./poodle_protector.py -h
Usage: poodle_protector.py [options]

poodle_protector.py is used to protect your servers against POODLE
vulnerability (CVE-2014-3566). It automatically detects apache configuration
files vulnerable to POODLE and customizes them after creating backups.
Checkout the GitHub page for updates:
https://github.com/stdevel/poodle_protector

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -c STRING, --custom-string=STRING
                        defines a custom SSLProtocol configuration string
  -p PATH, --custom-path=PATH
                        defines a custom path for apache configuration files
                        in case you're not using distribution defaults
  -q, --quiet           don't print status messages to stdout
  -d, --debug           enable debugging outputs
  -n, --no-backup       don't create backups if you like to like dangerously
  -l, --dry-run         only simulates what would be done
  -r, --service-restart restarts the affected service(s) using the appropriate
                        wrapper

Examples

Just do a dry-run to see what the script would do:

# ./poodle_protector.py -lr
I'd like to create a backup of '/etc/apache2/mods-available/ssl.conf as '/etc/apache2/mods-available/ssl.conf.20141016-1303' ...
I'd like to insert 'SSLProtocol All -SSLv2 -SSLv3' into /etc/apache2/mods-available/ssl.conf using the following command: sed -i '/SSLProtocol/ c\SSLProtocol All -SSLv2 -SSLv3' /etc/apache2/mods-available/ssl.conf ...
I'd also like to restart the service using: 'service apache2 restart'

Ensure security by customizing the configuration and restart the service:

# ./poodle_protector.py -r
Restarting web server: apache2 ... waiting .

Simulate setting a special SSLProtocol value (only TLSv1.2 instead of everything except SSLv2/v3) and reloading the daemon on a Enterprise Linux server:

# ./poodle_protector.py -lrc "SSLProtocol TLSv1.2"
I'd like to create a backup of '/etc/httpd/conf.d/ssl.conf as '/etc/httpd/conf.d/ssl.conf.20141017-1112' ...
I'd like to insert 'SSLProtocol TLSv1.2' into /etc/httpd/conf.d/ssl.conf using the following command: sed -i '/SSLProtocol/ c\SSLProtocol TLSv1.2' /etc/httpd/conf.d/ssl.conf ...
I'd also like to restart the service using: 'service httpd restart'