{"id":74,"date":"2009-09-27T13:56:32","date_gmt":"2009-09-27T17:56:32","guid":{"rendered":"http:\/\/linuxhostingsupport.net\/blog\/?p=74"},"modified":"2013-03-20T08:39:37","modified_gmt":"2013-03-20T12:39:37","slug":"to-make-a-plesk-server-pci-compliance","status":"publish","type":"post","link":"https:\/\/linuxhostingsupport.net\/blog\/to-make-a-plesk-server-pci-compliance","title":{"rendered":"To make a Plesk server PCI Compliance"},"content":{"rendered":"

How to make a Plesk server PCI Compliant?<\/strong><\/span><\/p>\n

Nowadays many of the Banks And Credit Card companies ask you to implement security standards<\/strong> on your server for client data protection which is known as PCI Compliance. Follow the below steps to achieve security standards on your server.<\/p>\n

1 )<\/strong><\/span> To turn off SSLv2 for port 8443 (Plesk port), create a file \/usr\/local\/psa\/admin\/conf\/httpsd.custom.include<\/strong> and insert the following lines:<\/p>\n

SSLProtocol all -SSLv2
\nSSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL<\/strong><\/span><\/p><\/blockquote>\n

Once you insert the above lines, restart the ‘psa’ service and run the ‘openssl’ command to test:<\/p>\n

service psa stopall
\nservice psa start all
\nopenssl s_client -connect localhost:8443 -ssl2<\/strong><\/span><\/p><\/blockquote>\n

2)<\/span> <\/strong>To turn off SSLv2 for port 443 (Apache SSL port), edit the file \/<\/strong>etc\/httpd\/conf.d\/ssl.conf and insert the following lines:<\/p>\n

SSLProtocol all -SSLv2
\nSSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL<\/strong><\/span><\/p><\/blockquote>\n

Once you insert the lines, restart the ‘httpd’ service and run the ‘openssl’ command to test:<\/p>\n

service httpd restart
\nopenssl s_client -connect localhost:443 -ssl2<\/strong><\/span><\/p><\/blockquote>\n

3)<\/strong><\/span> To turn off SSLv2 for 995 (POP3) and 993 (IMAP) ports<\/strong>, edit the following files<\/p>\n

vi \/etc\/courier-imap\/imapd-ssl
\nvi \/etc\/courier-imap\/pop3d-ssl<\/strong><\/span><\/p><\/blockquote>\n

comment the line which starts with “TLS_CIPHER_LIST” and insert the following line:<\/p>\n

TLS_CIPHER_LIST=”ALL:!ADH:RC4+RSA:!SSLv2:!LOW:@STRENGTH”<\/strong><\/span><\/p><\/blockquote>\n

restart the ‘courier-imap’ service and execute the ‘openssl’ command to test:<\/p>\n

service courier-imap restart
\nopenssl s_client -connect localhost:995 -ssl2
\nopenssl s_client -connect localhost:993 -ssl2<\/strong><\/span><\/p><\/blockquote>\n

4)<\/strong><\/span> To turn off SSLv2 for port 465(SMTPS)<\/strong>, create the following files:<\/p>\n

vi \/var\/qmail\/control\/tlsserverciphers
\nvi \/var\/qmail\/control\/tlsclientciphers<\/strong><\/span><\/p><\/blockquote>\n

and insert the following code:<\/p>\n

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM<\/strong><\/span><\/p><\/blockquote>\n

Once done, restart the ‘qmail’ service and test the connection on SSLv2:<\/p>\n

service qmail restart
\nopenssl s_client -connect localhost:465 -ssl2<\/strong><\/span><\/p><\/blockquote>\n

This will disable SSLv2 for all the SSL ports of your server.<\/p>\n

5)<\/span> <\/strong>To disable TRACE and TRACE for Apache<\/strong>, place the following lines in the Apache configuration file + in the VirtualHost of each domain:<\/p>\n

RewriteEngine On
\nRewriteCond %{REQUEST_METHOD} ^TRACE|TRACK
\nRewriteRule .* – [F]<\/strong><\/span><\/p>\n

TraceEnable off<\/strong><\/span><\/p><\/blockquote>\n

Save the file and restart the ‘httpd’ service.<\/p>\n

6)<\/strong><\/span> I would recommend to use the secure port 8443<\/strong> to access Plesk and block the non-secure one 8880<\/strong>.<\/p>\n

iptables -A INPUT -p tcp -s 0\/0 -\u2013dport 8880 -j DROP<\/strong><\/span>
\nservice iptables save<\/strong><\/span>
\nservice iptables restart<\/strong><\/span><\/p><\/blockquote>\n

7)<\/strong><\/span> In order to upgrade the PHP version<\/strong>, refer the post:<\/p>\n

https:\/\/linuxhostingsupport.net\/blog\/?p=218<\/a><\/span><\/strong><\/p><\/blockquote>\n

8 )<\/strong><\/span> To turn off recursion for the bind service<\/strong>, edit the named configuration file:<\/p>\n

vi \/etc\/named.conf<\/strong><\/span><\/p><\/blockquote>\n

add the following line in the “options” section:<\/p>\n

recursion no;<\/strong><\/span><\/p><\/blockquote>\n

Save the file and restart the ‘named’ service.<\/p>\n","protected":false},"excerpt":{"rendered":"

How to make a Plesk server PCI Compliant?
\nNowadays many of the Banks And Credit Card companies ask you to implement security standards on your server for client data protection which is known as PCI Compliance. Follow the below steps to achieve security standards on your server.
\n1 ) To turn off SSLv2 for port 8443 (Plesk port), create a file \/usr\/local\/psa\/admin\/conf\/httpsd.custom.include and insert the following lines:
\nSSLProtocol all -SSLv2
\nSSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
\nOnce you insert the above lines, restart the ‘psa’ service and run the ‘openssl’ command to test:
\nservice psa stopall
\nservice psa start […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[88],"tags":[134,132,133,131,340,339,473,220,475,1494,474,89,90,91,92,337,338,221],"_links":{"self":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/74"}],"collection":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/comments?post=74"}],"version-history":[{"count":23,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/74\/revisions"}],"predecessor-version":[{"id":2105,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/74\/revisions\/2105"}],"wp:attachment":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/media?parent=74"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/categories?post=74"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/tags?post=74"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}