Here is a quick script for you to check if your cPanel/WHM server is vulnerable. Execute the following as root. If you get ANY cipher output, your server can be considered vulnerable.
Replace xxx.xxx.xxx.xxx with your server IP.
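A check along these lines, as an added example rather than the post's original script: it offers only SSLv3 to each service with openssl s_client -ssl3 and reports whether a cipher was negotiated. The port list is an assumption (default cPanel/WHM ports), and the local openssl binary must itself be built with SSLv3 support.

```shell
#!/bin/sh
# Added example (not the post's original script): SSLv3 acceptance check.
# Usage: sh check_ssl3.sh <server-ip>

# Reads `openssl s_client` output on stdin. Prints "ACCEPTED <cipher>" when a
# cipher was negotiated, "refused" when the handshake failed or no cipher
# line is present (connection refused, timeout, and so on).
ssl3_verdict() {
    cipher=$(sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)') echo "refused" ;;
        *)           echo "ACCEPTED $cipher" ;;
    esac
}

# True only if the local openssl was built with SSLv3 support; without it
# every probe would fail on the client side and look like a refusal.
client_has_ssl3() {
    openssl s_client -help 2>&1 | grep -q -- '-ssl3'
}

# probe HOST PORT [STARTTLS_PROTO]: offer SSLv3 only and report the verdict.
probe() {
    openssl s_client -connect "$1:$2" -ssl3 ${3:+-starttls "$3"} \
        </dev/null 2>&1 | ssl3_verdict
}

# Assumed default cPanel/WHM ports for the services; adjust to your setup.
# Entry format: label:port[:starttls-protocol]
SERVICES="HTTP:443 SMTP:465 IMAP:993 POP3:995 FTP:21:ftp cPanel:2083 WHM:2087 WebDisk:2078"

if [ -n "${1:-}" ]; then
    client_has_ssl3 || { echo "local openssl lacks -ssl3 support" >&2; exit 2; }
    for svc in $SERVICES; do
        label=${svc%%:*}; rest=${svc#*:}
        port=${rest%%:*}
        case "$rest" in *:*) tls=${rest#*:} ;; *) tls= ;; esac
        printf '%-8s %5s  %s\n' "$label" "$port" "$(probe "$1" "$port" "$tls")"
    done
fi
```

Any line reporting ACCEPTED means that service still negotiates SSL 3.0; rerun the check after each change below.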
In cPanel/WHM, 7 services need to be secured, viz. HTTP, POP3, IMAP, FTP, SMTP, Control Panel and Web Disk. Here is how we disabled SSL 3.0 on our servers:
HTTP – Apache / Nginx
To fix Apache,
In WHM, go to Home >> Service Configuration >> Apache Configuration >> Global Configuration, and set the SSL Cipher Suite to the one below:
AES128+EECDH:AES128+EDH
Then go to Home >> Service Configuration >> Apache Configuration >> Include Editor, and include the following in Pre Main Include:
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Restart Apache.
To fix Nginx,
Go to Nginx configuration, and change the line:
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
to
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart Nginx.
SMTP – Exim
In WHM, go to Home >> Service Configuration >> Exim Configuration Manager >> Advanced Editor, and change tls_require_ciphers to:
-ALL:-SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
Restart Exim.
POP/IMAP – Courier-IMAP / Dovecot
In WHM, go to Home >> Service Configuration >> Mailserver Configuration, and change SSL Cipher List to:
-ALL:-SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
FTP – Pure-FTP / Pro-FTP
In WHM, go to Home >> Service Configuration >> FTP Server Configuration, and change the TLS Cipher Suite to:
!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
cPanel Web Services
In WHM, go to Home >> Service Configuration >> cPanel Web Services Configuration, and change TLS/SSL Cipher List to:
!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
cPanel Web Disk
In WHM, go to Home >> Service Configuration >> cPanel Web Disk Configuration, and change TLS/SSL Cipher List to:
!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5