PCI Compliance

From Server Knowledge Base
Revision as of 12:49, 6 March 2013 by Rootadminacc (talk | contribs) (→‎Clickjacking vulnerability)

End-of-life software is not PCI compliant: once the vendor no longer issues security patches it cannot meet the patching requirement (PCI DSS requirement 6), however carefully the rest of the server is configured.

http://blog.fido.net/how-tos/server-pci-compliant
http://thegioinguonmo.com/hosting-controller/plesk-control-panel/to-make-a-plesk-server-pci-compliance.html
http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-pci-compliance-guide
http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-pci-compliance-guide/65871.htm
http://blog.serverbuddies.com/disable-sslv2-on-cpanel-and-apache-ports
On Plesk, the bundled resolver applies the hardened protocol and cipher settings to every service it knows about (Apache, the mail server, FTP and Plesk itself) in one go:

/usr/local/psa/admin/bin/pci_compliance_resolver --enable all

403 Forbidden

Download directories or other areas that return 403 Forbidden need proper access control (a .htaccess file that denies access to everyone but the intended users), or should be removed altogether if they are no longer used. The scanner reports them because a 403 confirms that the path exists even though it is not meant to be public.

Clickjacking vulnerability

This is normally resolved by sending the X-Frame-Options response header with the value DENY or SAMEORIGIN, either from the application code or, more simply, from the web server configuration (Apache's mod_headers can add it to every response).
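The check below evaluates a set of response headers the way a browser (and therefore an ASV scanner) does, so you can confirm the fix took effect rather than just adding the directive. It is an added example, not code from the original page; the header lists BEFORE and AFTER are constructed samples of what an Apache vhost returns without and with `Header always set X-Frame-Options SAMEORIGIN`, and the URL you pass on the command line is the only live input.

```python
"""Evaluate whether a response's headers stop the page being framed.
Added example, not from the original page; the sample header sets are
constructed, the target URL is whatever you pass on the command line."""
import http.client
import sys
from urllib.parse import urlsplit


def frame_protection(headers):
    """Return (protected, reason) for a list of (name, value) header pairs.

    Accepts what browsers honour: a CSP frame-ancestors directive, or exactly
    one X-Frame-Options value of DENY or SAMEORIGIN. Conflicting duplicates
    and ALLOW-FROM count as unprotected, because browsers ignore the header
    in those cases and the page can still be framed.
    """
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            words = directive.split()
            if words and words[0].lower() == "frame-ancestors":
                sources = [w.strip("'\"").lower() for w in words[1:]]
                if "*" in sources or "http:" in sources or "https:" in sources:
                    return False, "CSP frame-ancestors allows any origin"
                return True, "CSP frame-ancestors " + " ".join(words[1:])

    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # proxies sometimes merge duplicate headers into one comma-separated value
            values.extend(v.strip().upper() for v in value.split(","))
    if not values:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    if len(set(values)) > 1:
        return False, "conflicting X-Frame-Options values %r are ignored by browsers" % values
    if values[0] in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + values[0]
    return False, "X-Frame-Options %r is not honoured (ALLOW-FROM was never widely supported)" % values[0]


def check_url(url, timeout=10):
    """HEAD the URL and evaluate the headers the server actually sends."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        return frame_protection(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample: what an Apache vhost returns before and after
# "Header always set X-Frame-Options SAMEORIGIN" is added to its config.
BEFORE = [("Server", "Apache"), ("Content-Type", "text/html")]
AFTER = BEFORE + [("X-Frame-Options", "SAMEORIGIN")]

if __name__ == "__main__":
    ok, why = check_url(sys.argv[1]) if len(sys.argv) > 1 else frame_protection(AFTER)
    print("PASS" if ok else "FAIL", why)
```

Run it as `python3 xfo_check.py https://www.example.test/` after reloading Apache. The Apache side is one line in a conf.d file, `Header always set X-Frame-Options SAMEORIGIN`, which needs mod_headers loaded; `always` matters because it also covers error responses, which the scanner fetches too.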

HTTP Slow POST vulnerability

Edit the Apache config file (httpd.conf) and load mod_reqtimeout, which ships with Apache 2.2.15 and later, by adding this line:

LoadModule reqtimeout_module modules/mod_reqtimeout.so

Create the file /etc/httpd/conf.d/reqtimeout.conf with the following contents and save:

<IfModule reqtimeout_module>

# Wait max 10 seconds for the first byte of the request line+headers
# From then, require a minimum data rate of 500 bytes/s, but don't
# wait longer than 20 seconds in total.
RequestReadTimeout header=10-20,minrate=500

# Wait max 10 seconds for the first byte of the request body (if any)
# From then, require a minimum data rate of 500 bytes/s.
RequestReadTimeout body=10,minrate=500

</IfModule>

Then restart Apache:

service httpd restart
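To confirm the timeout is actually enforced after the restart, the probe below behaves like a slow-POST client: it sends an incomplete request and then trickles header bytes, and reports whether the server gave up before the probe did. This is an added example, not from the original page; the local listener is a constructed fixture that imitates a server whose read timeout has (or has not) expired, and the host/port you pass on the command line are the only live targets.

```python
"""Probe for the slow-header (slow POST / slowloris) condition that
mod_reqtimeout is configured against above. Added example, not from the
original page; the local listener is a constructed test fixture."""
import socket
import threading
import time


def slow_header_probe(host, port, hold_seconds, drip_interval=2.0):
    """Send a partial request, then trickle one header byte every
    `drip_interval` seconds for up to `hold_seconds`.

    Returns (closed_by_server, elapsed). With RequestReadTimeout
    header=10-20,minrate=500 Apache rejects the request (408) and closes
    the connection well inside 20 s, so the probe reports (True, <20);
    a server without the module keeps the half-finished request open for
    the whole hold period and the probe reports (False, hold_seconds).
    """
    start = time.monotonic()
    deadline = start + hold_seconds
    s = socket.create_connection((host, port), timeout=hold_seconds)
    try:
        s.sendall(b"POST / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n"
                  b"Content-Length: 1000000\r\nX-Slow: ")
        while time.monotonic() < deadline:
            try:
                s.sendall(b"a")                    # one more byte of the unfinished header
            except OSError:                        # EPIPE / ECONNRESET: server dropped us
                return True, time.monotonic() - start
            # recv doubles as the pacer: EOF or a 408 reply both mean the server gave up
            s.settimeout(max(0.01, min(drip_interval, deadline - time.monotonic())))
            try:
                s.recv(512)
                return True, time.monotonic() - start
            except socket.timeout:
                continue
            except OSError:
                return True, time.monotonic() - start
        return False, time.monotonic() - start
    finally:
        s.close()


def local_listener(close_after):
    """Constructed fixture: accepts one connection, drains whatever arrives and
    closes it after `close_after` seconds, like a server whose read timeout fired."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        with lsock, lsock.accept()[0] as conn:
            conn.settimeout(0.1)
            end = time.monotonic() + close_after
            while time.monotonic() < end:
                try:
                    if conn.recv(64) == b"":
                        return
                except socket.timeout:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def demo(server_close_after, probe_hold):
    """Probe the local fixture; returns (closed_by_server, elapsed)."""
    port = local_listener(server_close_after)
    return slow_header_probe("127.0.0.1", port, probe_hold, drip_interval=0.5)


if __name__ == "__main__":
    import sys
    print(slow_header_probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80, 30))
```

Against the config above, `python3 slowpost_probe.py www.example.test 80` should return `(True, ...)` with an elapsed time below 20 seconds; a `(False, 30.0)` means the module is not loaded or the directives are not in effect for that virtual host.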

FTP Supports Clear Text Authentication

Firewall off port 21 and use SFTP on port 22 instead. SFTP is the SSH File Transfer Protocol, not "secure FTP": it runs entirely inside an SSH session, so both the login and the file data are encrypted. If FTP has to stay for some customers, require FTPS (FTP over TLS) and refuse unencrypted logins, otherwise the finding will come back.

rxmon (Dell OpenManage)

Port 1311 shows up under its IANA service name, rxmon; on Dell hardware it is the Dell OpenManage Server Administrator web interface, which listens over HTTPS with a self-signed certificate, and the scan will complain about that certificate.

  • Firewall the port so that it is reachable only from 127.0.0.1 (or from the management network).
  • If the scanner still flags it, the finding can be disputed with the ASV: the port carries only hardware-monitoring data between the OpenManage software and the server's own hardware, and the self-signed certificate is valid within the server.
  • If you really want it to pass cleanly, install a certificate from a trusted CA for the server's hostname on its primary IP.

SMTP Service Cleartext Login

To check whether the server runs Qmail or Postfix:

/usr/local/psa/admin/sbin/mailmng --features | grep SMTP_Server

To fix for Postfix, set the TLS and SASL options in /etc/postfix/main.cf (the exact lines are listed under "SSLv2 (Port 25)" below) and restart Postfix.

To fix for Qmail, run the following three commands:

echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsserverciphers
echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsclientciphers
/etc/init.d/qmail restart

Note that the two cipher files only restrict which TLS ciphers Qmail offers; the cleartext-login finding itself is cleared by disabling plain-text authentication on the unencrypted connection, which means every mail client must be reconfigured to submit over TLS first. The RC4 entries in that cipher string were acceptable in 2013 but are flagged by current ASV scans (RC4 was prohibited by RFC 7465 in 2015), so drop RC4+RSA before reusing it. The new client settings are:

POP3:

  • Incoming mail server: remains the same
  • Outgoing mail server: remains the same
  • Outgoing server (SMTP) requires authentication: yes, use the same settings as the incoming mail server
  • Incoming server port: 995
  • This server requires an encrypted connection (SSL): yes
  • Outgoing server port: 465
  • Use the following type of encrypted connection: SSL

IMAP:

  • Incoming mail server: remains the same
  • Outgoing mail server: remains the same
  • Outgoing server (SMTP) requires authentication: yes, use the same settings as the incoming mail server
  • Incoming server port: 993 (IMAP over SSL; 995 is the POP3 port)
  • This server requires an encrypted connection (SSL): yes
  • Outgoing server port: 465
  • Use the following type of encrypted connection: SSL

Port 587 with STARTTLS is the standard submission alternative to 465 if the server offers it. As this will stop non-secure connections, reconfigure the clients first and only then enable the setting.

SSLv2 (Port 25)

Vulnerability: SSLv2 Supported

This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses that can lead to the compromise of data encrypted during the SSL session. Secure web applications should only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996 with numerous security enhancements over SSLv2. TLSv1 was introduced in 1999 as an enhancement to the security features of SSLv3. All modern browsers have support for both SSLv3 and TLSv1, and often disable support for SSLv2 in the interests of security. The PCI ASV Operational Requirements requires that if SSLv2 is used in the transmission of cardholder data, this must result in a failure. This was clarified in the PCI "Assessor Update: November 2008" (see the reference link in this finding). CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N(5.00) Reference: http://support.microsoft.com/kb/187498, http://httpd.apache.org/docs/2.2/ssl/, http://www.schneier.com/paperssl.pdf

Service: smtp
Evidence:
Cipher: DES-CBC3-MD5
Cipher: DES-CBC-MD5
Cipher: EXP-RC2-CBC-MD5
Cipher: RC2-CBC-MD5
Cipher: EXP-RC4-MD5
Cipher: RC4-MD5

Remediation:

If this service is used for the transmission of cardholder data, then SSLv2 should be disabled, and SSLv3, TLSv1, and/or newer should be implemented. For Apache and mod_ssl, the "SSLProtocol" configuration option is commonly used to limit the protocol versions for web servers which use OpenSSL: SSLProtocol -ALL +SSLv3 +TLSv1. (See the reference link to apache.org for more information). For Microsoft IIS server, refer to the Microsoft Knowledge Base article kb187498 to remove SSLv2 support. (See the reference link to support.microsoft.com for more information). For information on disabling SSLv2 in other HTTP web servers or other services, contact the service vendor for support information.

If any of the following circumstances take place, please state something to this effect in an appeal against the finding.

  • Credit card holder data is not sent or received using SSLv2 (even though SSLv2 is supported)
  • SSLv2 appears to be supported due to the use of Akamai but the system does in fact drop any SSLv2 connections
  • Initial SSLv2 connections are accepted but then dropped (and no further conversation can take place)
  • SSLv2 connections are accepted but users are forcibly redirected to an informational page (and no further

The scanner's own remediation text predates POODLE: SSLv3 now has to go as well, and PCI DSS 3.1 (2015) set 30 June 2018 as the deadline for removing SSL and early TLS altogether, so on Apache exclude both SSLv2 and SSLv3 rather than enabling SSLv3. For Postfix, edit main.cf:

vim /etc/postfix/main.cf

# Exclusion form rather than an inclusion list, so TLS 1.1/1.2 stay available;
# SSLv3 is excluded too (POODLE; SSL and early TLS fail PCI DSS 3.1+ scans).
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, RC4, MD5
# Refuse PLAIN/LOGIN on the cleartext channel ...
smtpd_sasl_security_options = noplaintext
# ... but allow them once STARTTLS is up. Without this line the TLS variant
# inherits noplaintext and clients cannot log in over TLS either.
smtpd_sasl_tls_security_options = noanonymous

/etc/init.d/postfix restart
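The script below reproduces what the ASV does for the two mail findings on this page, "SMTP Service Cleartext Login" and "SSLv2 (Port 25)": it reads the EHLO reply on the cleartext connection to see whether AUTH PLAIN or LOGIN is advertised there, then issues STARTTLS and sends a raw SSLv2 CLIENT-HELLO to see whether the server answers with an SSLv2 SERVER-HELLO. It is an added example, not code from the original page or from Plesk; the SSLv2 framing is built by hand because current OpenSSL builds cannot speak SSLv2 at all, and the fake server, its banner and mail.example.test are constructed fixtures so that the checks can be exercised offline.

```python
"""Two SMTP checks behind the findings on this page: AUTH PLAIN/LOGIN offered on
the cleartext channel, and SSLv2 accepted after STARTTLS. Added example, not
from the original page; mail.example.test and the fake server are constructed."""
import os
import socket
import struct
import threading

# The seven SSLv2 cipher kinds, 3 bytes each (01 00 80 = SSL2_RC4_128_WITH_MD5, ...)
SSLV2_CIPHER_SPECS = bytes.fromhex("010080" "020080" "030080" "040080" "050080" "060040" "0700c0")


def read_reply(sock):
    """Read one SMTP reply; a multi-line reply ends with a line of the form 'NNN '."""
    buf = b""
    while not buf.endswith(b"\r\n") or buf.rstrip(b"\r\n").split(b"\r\n")[-1][3:4] != b" ":
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return [line.decode("latin-1") for line in buf.rstrip(b"\r\n").split(b"\r\n")]


def cleartext_auth_offered(ehlo_lines):
    """True when the pre-STARTTLS EHLO reply advertises a plaintext SASL mechanism."""
    for line in ehlo_lines:
        words = line[4:].upper().replace("AUTH=", "AUTH ").split()  # 'AUTH=LOGIN' legacy form
        if words and words[0] == "AUTH" and {"PLAIN", "LOGIN"} & set(words[1:]):
            return True
    return False


def sslv2_client_hello():
    """SSLv2 CLIENT-HELLO: 2-byte length with the high bit set, type 1, version
    0x0002, cipher-spec/session-id/challenge lengths, cipher specs, challenge."""
    challenge = os.urandom(16)
    body = (b"\x01\x00\x02" + struct.pack(">HHH", len(SSLV2_CIPHER_SPECS), 0, len(challenge))
            + SSLV2_CIPHER_SPECS + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def speaks_sslv2(sock):
    """Send the SSLv2 hello right after STARTTLS; a SERVER-HELLO (message type 4)
    back means the server still negotiates SSLv2. Anything else (EOF, TLS alert) is a no."""
    sock.sendall(sslv2_client_hello())
    try:
        resp = sock.recv(1024)
    except OSError:
        return False
    if len(resp) < 4:
        return False
    header = 2 if resp[0] & 0x80 else 3   # 3-byte record header when padding is present
    return resp[header] == 0x04


def check_smtp(host, port=25, timeout=10):
    """Return {'cleartext_auth', 'starttls', 'sslv2'} for one SMTP service."""
    result = {"cleartext_auth": False, "starttls": False, "sslv2": False}
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_reply(s)                                    # 220 banner
        s.sendall(b"EHLO pci-check.example.test\r\n")
        ehlo = read_reply(s)
        result["cleartext_auth"] = cleartext_auth_offered(ehlo)
        result["starttls"] = any(l[4:].upper().startswith("STARTTLS") for l in ehlo)
        if result["starttls"]:
            s.sendall(b"STARTTLS\r\n")
            if read_reply(s)[-1].startswith("220"):
                result["sslv2"] = speaks_sslv2(s)
    return result


def fake_smtp_server(offer_plain_auth, accept_sslv2):
    """Constructed fixture standing in for the Plesk mail server; returns its port."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    ehlo = (b"250-mail.example.test\r\n" + (b"250-AUTH PLAIN LOGIN\r\n" if offer_plain_auth else b"")
            + b"250-STARTTLS\r\n250 8BITMIME\r\n")
    # Minimal SSLv2 SERVER-HELLO: length 11, type 4, session-id-hit 0, cert-type 1,
    # version 0x0002, then zero-length certificate, cipher-spec and connection-id fields.
    server_hello = b"\x80\x0b\x04\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00"

    def serve():
        with lsock, lsock.accept()[0] as c:
            c.settimeout(5)
            c.sendall(b"220 mail.example.test ESMTP\r\n")
            c.recv(1024)                                 # EHLO
            c.sendall(ehlo)
            c.recv(1024)                                 # STARTTLS
            c.sendall(b"220 2.0.0 Ready to start TLS\r\n")
            c.recv(1024)                                 # the SSLv2 hello
            if accept_sslv2:
                c.sendall(server_hello)

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def demo(offer_plain_auth, accept_sslv2):
    """Run check_smtp against the local fixture."""
    return check_smtp("127.0.0.1", fake_smtp_server(offer_plain_auth, accept_sslv2), timeout=5)


if __name__ == "__main__":
    import sys
    print(check_smtp(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

After the Postfix or Qmail change, `python3 smtp_check.py mail.example.test 25` should print `cleartext_auth: False` and `sslv2: False` with `starttls: True`; a server that still returns `cleartext_auth: True` is advertising PLAIN/LOGIN before STARTTLS and will keep failing the scan regardless of its cipher list.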

SSL General

Cipher string fragments used for the Apache pass:

DHE-RSA-RC4-SHA:RC4+SHA1+RSA
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Both strings admit RC4, which ASV scans accepted in 2013 but which is now prohibited (RFC 7465, 2015) and flagged, so remove the RC4 entries before reusing them.

My guide to SSL PCI compliance for vanilla Apache 2.2.22 on Ubuntu 12; a proof of concept can be seen here.

Webalizer

The installed Webalizer version has a cross-site scripting (XSS) vulnerability, reported against ports 80 and 443 because the statistics pages are served over both. Update Webalizer to a patched version, or block access to the statistics pages if they are not needed.