Some of my clients are being hassled with these new PCI checks... not that they're really all that new, but PDQ companies are certainly using them a lot more.
A really helpful article can be found here: Making Plesk more PCI compliant
On the last check, the servers were failing on several fronts, and I thought I'd note down some pointers for the future.

1. SSH host keys. Being Debian, the servers fell foul of a packaging mistake with SSH in which the keys became less than secure... need to re-generate them.

    sudo -s
    rm /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server

Then all you need to do is go around and update all the known_hosts files... yawn

2. PHP version. Problem with Plesk 8.4 is that it uses one version of PHP for Apache and one for the control panel. And, the version used for the control panel was horribly out of date.
The version used for the forward facing pages is not completely up to date either, so I've used the dotdeb repos to get the latest versions.

    sudo -s
    joe /etc/apt/sources.list

Add the dotdeb lines:

    deb http://dotdeb.netmirror.org/ stable all
    deb-src http://dotdeb.netmirror.org/ stable all

Then upgrade:

    apt-get update
    apt-get upgrade

Make sure that you keep your old config files, or at least do a diff to work out which bits have been changed.
The version that is used for the Plesk control panel is independent of that installed on the system and is shipped separately. According to the Forum, it will be upgraded to 5.2.6 from the next release... 8.5... whenever that will be... have posted to the thread to find out.
As well as this, the scores for psa were being counted twice because port 8880 and port 8443 were both open and creating the same errors. As far as I can tell, port 8880 isn't used in a standard setup. So, until the next release, I thought I'd just try and block its use.

    sudo -s
    joe /opt/psa/admin/conf/httpsd.conf

Comment out the Listen line for port 8880:

    #Listen 8880

Then restart Plesk:

    /etc/init.d/psa restart

You can then test the connection to port 8880 from a remote location:

    telnet servername 8880

3. Somebody had left a phpinfo() file in a forward facing position. (5 points)

4. Apache needs to be over 2.2.8 and if it's not, that's another 6 points.

5. Port 53 was open. Close it using the Firewall module in Plesk (DNS server).

6. SSL 2.0 was being used... that added another 4 points.

    sudo -s
    joe /etc/apache2/httpd.conf

Add:

    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

Then restart Apache:

    /etc/init.d/apache2 restart

You also need to alter the psa (Plesk Server Admin):

    sudo -s
    joe /opt/psa/admin/conf/httpsd.custom.include

(If the .custom.include file doesn't exist, create it: it will ensure that the config changes persist on package upgrade.)

    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM

    /etc/init.d/psa restart

You can double check that the server doesn't respond to SSL 2.0:

    openssl s_client -connect hostname:443 -ssl2
    openssl s_client -connect hostname:8443 -ssl2
    openssl s_client -connect hostname:25 -starttls smtp -ssl2

If SSL 2.0 is disabled, you should get the following returned:

    419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
    420:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
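As an added example (my own script, not part of the original post or of Plesk), here is a small POSIX shell audit that reads an Apache or Plesk httpsd config file and confirms the two SSLv2 directives above are active (not commented out) and that no live Listen 8880 line remains. The function name and the sample config it is run against are constructed for the demo.

```shell
#!/bin/sh
# audit_pci_conf FILE: return 0 when the file disables SSLv2 via both
# SSLProtocol and SSLCipherSuite and has no uncommented "Listen 8880".
# Prints one FAIL line per problem. (Added example, not the post's own code.)

# Print the value of the last uncommented occurrence of a directive.
active_directive() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

audit_pci_conf() {
    conf="$1"
    rc=0
    proto=$(active_directive "$conf" SSLProtocol)
    case " $proto " in
        *" -SSLv2 "*) ;;   # SSLv2 explicitly removed from the protocol list
        *) echo "FAIL: SSLProtocol does not disable SSLv2 (got: '$proto')"; rc=1 ;;
    esac
    ciphers=$(active_directive "$conf" SSLCipherSuite)
    case ":$ciphers:" in
        *":!SSLv2:"*) ;;   # SSLv2 cipher suites excluded
        *) echo "FAIL: SSLCipherSuite does not exclude SSLv2 (got: '$ciphers')"; rc=1 ;;
    esac
    # A leading '#' (the fix the post applies) makes the Listen line inert.
    if grep -Eiq '^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?8880([[:space:]]|$)' "$conf"; then
        echo "FAIL: config still listens on port 8880"; rc=1
    fi
    return $rc
}

# Demo against a constructed config that mirrors the post's recommended state.
demo=$(mktemp)
printf '%s\n' 'Listen 8443' '#Listen 8880' \
    'SSLProtocol all -SSLv2' \
    'SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM' > "$demo"
audit_pci_conf "$demo" && echo "OK: $demo passes the SSLv2/8880 checks"
rm -f "$demo"
```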