How to make a Plesk server PCI Compliant?
September 27, 2009
Nowadays many banks and credit card companies ask you to implement security standards on your server for client data protection, known as PCI Compliance. Follow the steps below to achieve these security standards on your server.
1) To turn off SSLv2 for port 8443 (the Plesk port), create the file /usr/local/psa/admin/conf/httpsd.custom.include and insert the following lines:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
Once you have inserted the above lines, restart the ‘psa’ service and run the ‘openssl’ command to test. The connection should be refused with a handshake failure, which confirms SSLv2 is disabled (on OpenSSL 1.1.0 and later the ‘-ssl2’ option no longer exists, so the command reports an unknown option instead). Note that the ‘!’ entries in the cipher string delete ciphers permanently, so the trailing ‘+eNULL’ does not re-enable null ciphers, and that SSLv3 and TLSv1 remain enabled.
service psa stopall
service psa startall
openssl s_client -connect localhost:8443 -ssl2
2) To turn off SSLv2 for port 443 (the Apache SSL port), edit the file /etc/httpd/conf.d/ssl.conf and insert the following lines:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
Once you have inserted the lines, restart the ‘httpd’ service and run the ‘openssl’ command to test; as above, the connection should be refused:
service httpd restart
openssl s_client -connect localhost:443 -ssl2
3) To turn off SSLv2 for ports 995 (POP3) and 993 (IMAP), edit the following files:
vi /etc/courier-imap/imapd-ssl
vi /etc/courier-imap/pop3d-ssl
Comment out the line which starts with “TLS_CIPHER_LIST” and insert the following line:
TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:!LOW:@STRENGTH"
Restart the ‘courier-imap’ service and execute the ‘openssl’ command to test; both connections should be refused:
service courier-imap restart
openssl s_client -connect localhost:995 -ssl2
openssl s_client -connect localhost:993 -ssl2
4) To turn off SSLv2 for port 465 (SMTPS), create the following files:
vi /var/qmail/control/tlsserverciphers
vi /var/qmail/control/tlsclientciphers
and insert the following cipher string in each:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
Once done, restart the ‘qmail’ service and test the connection on SSLv2; it should be refused:
service qmail restart
openssl s_client -connect localhost:465 -ssl2
This will disable SSLv2 for all the SSL ports of your server.
5) To disable the TRACE and TRACK methods in Apache, place the following lines in the main Apache configuration file and in the VirtualHost of each domain (the parentheses in the RewriteCond are needed so the anchor applies to both methods):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
TraceEnable off
Save the file and restart the ‘httpd’ service.
6) I would recommend using the secure port 8443 to access Plesk and blocking the non-secure port 8880.
iptables -A INPUT -p tcp -s 0/0 --dport 8880 -j DROP
service iptables save
service iptables restart
Since ‘-A’ appends the rule to the end of the INPUT chain, an earlier ACCEPT rule for that port would still win; check the order with ‘iptables -L INPUT -n’ after saving.
7) In order to upgrade the PHP version, refer to the post:
8) To turn off recursion for the bind service, edit the named configuration file:
vi /etc/named.conf
and add the following line in the “options” section:
recursion no;
Save the file and restart the ‘named’ service. The server will then answer only for the zones it hosts, so make sure the server's own /etc/resolv.conf (and any local clients that used it as a resolver) point at a separate recursive resolver.
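As an added example that is not part of the original post, the following shell script audits the configuration files changed in steps 1 to 5 and 8 without modifying anything, so you can re-check the server after a Plesk update or before a compliance scan. The file paths are the ones named above except APACHE_MAIN, whose default is an assumed location; all of them can be overridden with environment variables.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only audit of the settings
# this guide changes. Every check reads one file and prints "ok" or "FAIL", so
# it runs against the live files or against copies. Default paths are the ones
# named in the post; APACHE_MAIN is an assumed location. Override via env vars.

PLESK_SSL=${PLESK_SSL:-/usr/local/psa/admin/conf/httpsd.custom.include}
APACHE_SSL=${APACHE_SSL:-/etc/httpd/conf.d/ssl.conf}
COURIER_IMAP=${COURIER_IMAP:-/etc/courier-imap/imapd-ssl}
COURIER_POP3=${COURIER_POP3:-/etc/courier-imap/pop3d-ssl}
QMAIL_CIPHERS=${QMAIL_CIPHERS:-/var/qmail/control/tlsserverciphers}
APACHE_MAIN=${APACHE_MAIN:-/etc/httpd/conf/httpd.conf}
NAMED_CONF=${NAMED_CONF:-/etc/named.conf}

# has_directive FILE REGEX: succeeds if a non-commented line matches REGEX.
has_directive() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*$2" "$1"
}
# verdict CMD...: runs CMD and prints ok or FAIL (a missing file counts as FAIL).
verdict() { if "$@"; then echo ok; else echo FAIL; fi; }

# Steps 1 and 2: SSLProtocol must exclude SSLv2 ("SSLProtocol all -SSLv2").
check_sslprotocol()     { verdict has_directive "$1" 'SSLProtocol[[:space:]]+.*-SSLv2'; }
# Step 3: courier TLS_CIPHER_LIST must contain !SSLv2 (quotes optional).
check_courier_ciphers() { verdict has_directive "$1" 'TLS_CIPHER_LIST=.*!SSLv2'; }
# Step 4: the qmail control file holds a bare cipher string; require !SSLv2.
check_qmail_ciphers()   { verdict has_directive "$1" '.*!SSLv2'; }
# Step 5: TraceEnable off must be present.
check_trace()           { verdict has_directive "$1" 'TraceEnable[[:space:]]+off'; }
# Step 8: named.conf must contain "recursion no;".
check_recursion()       { verdict has_directive "$1" 'recursion[[:space:]]+no[[:space:]]*;'; }
# report NAME VERDICT: prints one line and records a failure in AUDIT_RC.
report() { printf '%-20s %s\n' "$1" "$2"; [ "$2" = ok ] || AUDIT_RC=1; }

# run_audit: check every file named in the post; returns 1 if anything FAILs.
run_audit() {
    AUDIT_RC=0
    report plesk-8443-sslv2   "$(check_sslprotocol "$PLESK_SSL")"
    report apache-443-sslv2   "$(check_sslprotocol "$APACHE_SSL")"
    report imap-993-sslv2     "$(check_courier_ciphers "$COURIER_IMAP")"
    report pop3-995-sslv2     "$(check_courier_ciphers "$COURIER_POP3")"
    report smtps-465-sslv2    "$(check_qmail_ciphers "$QMAIL_CIPHERS")"
    report apache-trace-off   "$(check_trace "$APACHE_MAIN")"
    report named-no-recursion "$(check_recursion "$NAMED_CONF")"
    return $AUDIT_RC
}

# Run the full audit only when invoked as: sh pci_audit.sh --run
if [ "${1:-}" = "--run" ]; then run_audit; exit $?; fi
```

The script only recognises a directive as disabled when the line is commented out with a leading ‘#’, so a directive that Plesk later overrides in another include file still has to be checked with the ‘openssl’ tests above.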