Topic: Getting Plesk Servers PCI Compliant

inetbiz
Re: Getting Plesk Servers PCI Compliant
« Reply #2 on: June 21, 2009, 04:06:28 PM »
Would anyone possibly like to take over maintaining this topic as a moderator? Must be an SME in Plesk security.

inetbiz
Getting Plesk Servers PCI Compliant
« Reply #1 on: June 18, 2008, 08:20:45 AM »
Making Plesk More PCI Compliant
April 25th, 2008 by Pizon

PCI Compliance Scans are becoming more and more common as more credit card processors require them. There still is a lot of debate regarding whether or not these scans really do anything to protect the security and privacy of those making online purchases but regardless, they’re here and anyone who works on Internet facing servers will eventually have to make a server compliant. Most of the scans use a tool like Nessus and the scan results often contain many false positives. For example, the scans do not take into account practices such as back porting security fixes. Distributions such as Redhat Enterprise Linux have very clear policies regarding backports.

The open source nature of Linux makes it relatively easy to maintain compliance. When you add commercial control panel software such as Plesk into the equation it gets a bit more complicated. When Plesk is installed on a Linux server it takes over the e-mail and web services. You can make custom changes to the configuration, but if you don’t do it the “Plesk way” your changes will be lost the next time a domain is added or modified through the control panel. Plesk installs Courier for pop3 and imap services. qmail provides almost no customization, especially where PCI compliance is concerned. Courier, being open source, can easily be configured to be PCI compliant.

Courier
The most common flaw uncovered by a PCI compliance scan is that a service is allowing SSL connections using weak SSL ciphers. You can disable SSLv2 in Courier by adding the following line to both /etc/courier-imap/imapd-ssl and /etc/courier-imap/pop3d-ssl:

Code:
TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:@STRENGTH"
After restarting Courier you should test with openssl to verify SSLv2 has been disabled properly:

# openssl s_client -connect localhost:995 -ssl2
CONNECTED(00000003)
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify return:1
2983:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:


PCI scans will also raise a red flag if plain text authentication is enabled on non-encrypted connections. This should not be an issue on Plesk version 8.3.0 and newer. If you have an older version of Plesk look for the following line in /etc/courier-imap/imapd:

Code:
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=PLAIN IDLE"
And in /etc/courier-imap/pop3d look for this line:

Code:
POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"
Remove AUTH=PLAIN from /etc/courier-imap/imapd and LOGIN from /etc/courier-imap/pop3d to disable these authentication methods. Restart Courier and your pop3 and imap services should now be compliant.

qmail
qmail is a pathetic excuse for an MTA. The software hasn’t been updated in 10 years. The only way to add modern features such as SMTP-AUTH is to apply “unauthorized” and unofficial third party patches. And finally, the developer is an egomaniac who believes his precious qmail is infallible. Unfortunately, due to these design flaws there is no way to disable weak SSL ciphers without recompiling the software. Isn’t it ironic how such an unimpeachable piece of software makes it all but impossible to disable a weak SSL cipher?

Apache
Plesk takes almost complete control of the Apache configuration once it is installed on a server. Fortunately it leaves enough flexibility to allow one to disable features that will cause a server to fail a PCI scan. The TRACE and TRACK methods are the most common causes of PCI failures on web servers. For basic HTTP websites you can create a file named zz000_psa_httpd_disable_trace.conf in /etc/httpd/conf.d and add the following directives:

Code:
<VirtualHost \
xxx.xxx.xxx.xxx:80 \
xxx.xxx.xxx.xxx:80 \
>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
</IfModule>
</VirtualHost>


Make sure you change the IP addresses to match the IP addresses you are using on your server.

Disabling TRACE and TRACK for SSL-enabled sites is slightly more involved. You can put the following directives in zz001_psa_httpd_disable_trace_ssl.conf. Replace our xx's with your information:

Code:
<VirtualHost xxx.xxx.xxx.xxx:443 >
ServerName xxxxxxxxxxxxxxxx
UseCanonicalName Off
DocumentRoot /var/www/vhosts/default/httpsdocs
ScriptAlias /cgi-bin/ "/var/www/vhosts/default/cgi-bin/"
SSLEngine on
SSLVerifyClient none
SSLCertificateFile /usr/local/psa/var/certificates/xxxxxxx
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
</IfModule>
<Directory "/var/www/vhosts/default/cgi-bin/">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/vhosts/default/httpsdocs>
SSLRequireSSL
</Directory>
</VirtualHost>


You will need to add a VirtualHost container for every SSL-enabled virtual host you are hosting on your server.

In addition to the above changes you will need to add one more file to /etc/httpd/conf.d to disable weak SSL ciphers in Plesk. Adding the following directives to /etc/httpd/conf.d/zz050_pci_disable_weak_ssl.conf will disable weak SSL ciphers for all SSL virtual hosts:

Code:
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-LOW


These changes will persist even after adding new virtual hosts or updating Plesk.

Plesk
Assuming you don’t use a firewall to limit access to the Plesk ports you will have some additional configuration to do before being able to pass a PCI scan. To modify the Apache configuration for the Plesk control panel you need to add your custom configuration to /usr/local/psa/admin/etc/httpd.include.custom. Adding the next directives to this file will disable weak SSL ciphers, the TRACE and TRACK methods, and userdir capabilities:

Code:
UserDir disabled
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

<VirtualHost xxx.xxx.xxx.xxx:8880>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx:8443>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
</VirtualHost>
After adding all of the above custom configuration files and directives you will need to restart Plesk to apply the changes. On a Redhat server it is a simple matter of issuing service psa restart.

iptables
If your Plesk license does not allow you to use the firewall module and you do not already have a hardware firewall in front of the server, you will want to add a few iptables rules to bring your server into compliance:

Code:
iptables -A INPUT -i eth0 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-reply -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j DROP
iptables -A INPUT -i eth0 -p udp --dport 111 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 111 -j DROP


The last two rules block access to the portmap service which should not be running on your server unless absolutely necessary. The ICMP rules will make it more difficult to guess which operating system is running on your server. The idea is to slow down attackers although OS identification has become increasingly inaccurate as more people deploy firewalls in front of their servers.

If you’ve made it this far your server should be ready for a follow-up scan. Remember, the above advice is just that, advice. If your server fails another scan then you probably need to seek out a company that specializes in auditing and hardening servers or migrate to a server that does not include Plesk. StrikeHawk eCommerce Inc. is one such corporation. They suggest you sign up for an account and submit a trouble ticket to get a quote estimate based on your operating system.
« Last Edit: October 29, 2009, 03:24:44 PM by inetbiz »
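The mod_rewrite rules in the post turn TRACE and TRACK (and any other method outside GET/POST/HEAD) into a 403 Forbidden. The Python check below is an added example, not code from the post or from Plesk: it probes a host for those methods the way a follow-up scan would, and for an offline run it includes a constructed local HTTP server that mimics Apache with the rewrite rule applied (the host, port and stand-in class are assumptions, not anything on the page).

```python
import http.client
import http.server
import sys
import threading

# Methods probed; the post's RewriteCond allows GET/POST/HEAD, the [F] rule refuses the rest.
PROBES = ("GET", "HEAD", "OPTIONS", "TRACE", "TRACK")

def probe_methods(host, port, path="/", timeout=5):
    """Send each probe method to host:port and return {method: HTTP status}."""
    results = {}
    for method in PROBES:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            results[method] = conn.getresponse().status
        finally:
            conn.close()
    return results

def trace_track_blocked(results):
    """True when GET still serves and every non-GET/HEAD probe is refused, as the rule intends."""
    refused = all(results[m] in (403, 405, 501) for m in PROBES if m not in ("GET", "HEAD"))
    return results["GET"] < 400 and refused

class RewriteMimic(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for Apache with the post's RewriteRule applied (offline demo only)."""
    def _reply(self, code):
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_HEAD = lambda self: self._reply(200)
    do_OPTIONS = do_TRACE = do_TRACK = lambda self: self._reply(403)  # RewriteRule .* - [F]
    log_message = lambda self, *args: None  # keep the demo quiet

def probe_mock():
    """Probe the local stand-in on an ephemeral port and return its results."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), RewriteMimic)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", srv.server_port)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    # python check_methods.py HOST PORT   (no arguments: run against the stand-in)
    res = probe_methods(sys.argv[1], int(sys.argv[2])) if len(sys.argv) > 2 else probe_mock()
    print(res, "TRACE/TRACK blocked" if trace_track_blocked(res) else "NOT blocked")
```

For the :443 and :8443 virtual hosts, swap http.client.HTTPSConnection in for HTTPConnection; a plain-HTTP probe against the SSL port will not reach the rewrite rule.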