To make a Plesk server PCI Compliance

How to make a Plesk server PCI Compliant?

Nowadays many banks and credit card companies require you to implement security standards on your server to protect client data; this is known as PCI compliance. Follow the steps below to achieve these standards on your server.

1) To turn off SSLv2 for port 8443 (Plesk port), create the file /usr/local/psa/admin/conf/httpsd.custom.include and insert the following lines:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

Once you insert the above lines, restart the 'psa' service and run the 'openssl' command to test. Note that in an OpenSSL cipher string '!' removes ciphers permanently while '+' only moves the matching ciphers to the end of the list, so the '+EXP' entry above keeps export-grade ciphers enabled; if a scanner flags weak ciphers, use '!EXP' instead.

service psa stopall
service psa startall
openssl s_client -connect localhost:8443 -ssl2

2) To turn off SSLv2 for port 443 (Apache SSL port), edit the file /etc/httpd/conf.d/ssl.conf and insert the following lines:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

Once you insert the lines, restart the ‘httpd’ service and run the ‘openssl’ command to test:

service httpd restart
openssl s_client -connect localhost:443 -ssl2

3) To turn off SSLv2 for 995 (POP3) and 993 (IMAP) ports, edit the following files

vi /etc/courier-imap/imapd-ssl
vi /etc/courier-imap/pop3d-ssl

Comment out the line which starts with "TLS_CIPHER_LIST" and insert the following line:

TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:!LOW:@STRENGTH"

Restart the 'courier-imap' service and execute the 'openssl' command to test:

service courier-imap restart
openssl s_client -connect localhost:995 -ssl2
openssl s_client -connect localhost:993 -ssl2

4) To turn off SSLv2 for port 465 (SMTPS), create the following files:

vi /var/qmail/control/tlsserverciphers
vi /var/qmail/control/tlsclientciphers

and insert the following line into each of them:

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

Once done, restart the ‘qmail’ service and test the connection on SSLv2:

service qmail restart
openssl s_client -connect localhost:465 -ssl2

This will disable SSLv2 for all the SSL ports of your server.
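As an added example (not part of the original post), the following POSIX shell script wraps the 'openssl s_client ... -ssl2' checks from steps 1 to 4 into one loop over the five ports and classifies each result instead of leaving you to read the raw handshake errors. It assumes an OpenSSL build that still accepts the '-ssl2' option (the 0.9.8 era this post targets); the classification words and the host argument are my own convention.

```shell
#!/bin/sh
# Added example: classify "openssl s_client -connect host:port -ssl2" output
# and run that check over the SSL ports from steps 1-4.
# Assumption: an OpenSSL build that still has -ssl2 (0.9.8 era); newer
# builds reject the option, which this script reports as "unknown".

# sslv2_status OUTPUT -> prints one of: closed | refused | accepted | unknown
sslv2_status() {
    case "$1" in
        *"connect:errno="*|*"Connection refused"*)
            echo closed ;;      # nothing is listening on the port
        *"no cipher list"*|*"handshake failure"*|*"write:errno="*|*"wrong version number"*)
            echo refused ;;     # the server rejected the SSLv2 hello: good
        *"Cipher is (NONE)"*)
            echo refused ;;     # connected, but no SSLv2 cipher negotiated
        *"Cipher is "*)
            echo accepted ;;    # an SSLv2 cipher was negotiated: still exposed
        *)
            echo unknown ;;
    esac
}

# check_port HOST PORT -> prints "PORT: status"; returns 1 if SSLv2 was accepted
check_port() {
    # openssl exits non-zero on a refused handshake, so keep going regardless
    out=$(openssl s_client -connect "$1:$2" -ssl2 </dev/null 2>&1) || true
    status=$(sslv2_status "$out")
    echo "$2: $status"
    [ "$status" != accepted ]
}

# Ports from steps 1-4: Plesk panel, Apache SSL, POP3S, IMAPS, SMTPS
SSL_PORTS="8443 443 995 993 465"

# check_all HOST -> checks every port; returns 1 if any still accepts SSLv2
check_all() {
    rc=0
    for p in $SSL_PORTS; do
        check_port "$1" "$p" || rc=1
    done
    return $rc
}

# Only touch the network when a host is given, e.g.: sh sslv2check.sh localhost
if [ $# -gt 0 ]; then
    check_all "$1"
fi
```

A non-zero exit from the script means at least one port still completed an SSLv2 handshake, which is exactly what a PCI scanner will flag.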

5) To disable the TRACE and TRACK methods in Apache, place the following lines in the main Apache configuration file and in the VirtualHost of each domain:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F]

TraceEnable off

Save the file and restart the ‘httpd’ service.

6) I recommend using the secure port 8443 to access Plesk and blocking the non-secure one, 8880:

iptables -A INPUT -p tcp -s 0/0 --dport 8880 -j DROP
service iptables save
service iptables restart

7) To upgrade the PHP version, refer to the post:

http://linuxhostingsupport.net/blog/?p=218

8) To turn off recursion for the BIND service, edit the named configuration file:

vi /etc/named.conf

add the following line in the “options” section:

recursion no;

Save the file and restart the ‘named’ service.

This entry was posted on Sunday, September 27th, 2009 and is filed under PCI Compliance.

12 Responses to “To make a Plesk server PCI Compliance”

  1. Josh

    Great tutorial! This is a must for any ecommerce store running under plesk. Saves a lot of searching around. Thanks!

  2. ManagingDirector

    Nice job. Thanks very much. My servers now pass the PCI scans.

  3. Michael Velik

    Thank you very much for posting this. It is most helpful.

  4. Fran

    My server doesn’t have /etc/courier-imap/imapd-ssl or /etc/courier-imap/pop3d-ssl but I still get nailed for having weak ciphers on port 995.

    Running Apache 2.

    Anybody know where to go from here?

  5. admin

    Is your server a Linux/Plesk server? If yes, you have to create the above mentioned files, add the code and restart the ‘courier-imap’ service. If the problem persists, I would love to take a look at your server and see where the problem is.

  6. Matt Toste

    Hi,

    First I would like to say thanks for all the great info here! The problem is that even with all of these things implemented it still says sslv2 is available. I am at my wits end trying to solve this as I keep failing the PCI tests. I just don’t understand what the problem could be? Thanks for your time!

  7. admin

    Hello,

    Thanks for sharing the info. Do you have a Plesk server, and where do your PCI tests fail? If you could provide some additional info, with the error message if any, we can guide you further.

  8. Matt Toste

    Yes it is a VPS running plesk 9.5. The PCI test fails on:
    openssl being 0.9.8 instead of 1.0.0 (I tried yum upgrade but it won’t allow me to), sslv2 detection, ssl weak cipher suites supported, ssl medium strength cipher suites supported, ssl certificate signed using weak hashing algorithm.

    That was after applying the changes listed on your site. When I run the tests on the ports via ssh this is what I get:
    8443- write:errno=104
    443- 7817:errno=1407F0E5:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428
    995,993,465- (numbers):error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

    When I restart httpd I get
    stop [OK]
    [warn] module ssl_module is already loaded, skipping
    [OK]

    Any help or advice would be awesome! Thank you very much!

  9. admin

    There is always a risk of breaking Plesk as well as the OS while upgrading OpenSSL. However, a fix is available for Plesk, but if it breaks the OS, it’s hard to recover. Your option is to create an alternate installation of OpenSSL 1.0.0. If yours is not a production server as of yet, you can very well give it a try. If you need any help, contact me on MSN or via the email given on the ‘Contact’ page.

  10. Matt

    Everything in your post worked. What I had to do for port 443 was put the directives right below the listen directive and it works now. I had them where they were at originally in the file and for some reason it wasn’t working. Thanks again.

  11. admin

    Nice to hear everything worked for you.

  12. AlexK

    Thanks for this page! To those with OpenSSL vulns, read this:

    You should never need to update OpenSSL, OpenSSH, or BIND on a CentOS server, especially CentOS 5. From root over SSH, run:

    rpm -qa |grep openssl

    Output should have several packages, pick one like: openssl-0.9.8e-20.el5

    Then run this one-line command:

    rpm -q openssl-0.9.8e-20.el5 --changelog > changelog_openssl.txt

    Open that file in vim or download it to your local machine. You can then search for your problem CVEs in that file. Almost always this will serve as sufficient proof of back-porting to your PCI vendor.