The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard defined by the Payment Card Industry Security Standards Council.
Chances are, if your organization processes credit cards, your bank has asked you to become "PCI Compliant".
The goal of PCI Compliance is to prevent credit card fraud through increased security. The standard applies to all organizations that hold, process, or exchange credit card data.
Becoming PCI Compliant
Being branded "PCI Compliant" relies on working with a third-party security assessor to review your servers and policies. Your bank or credit card processor will generally have a suggestion on which company to use, and may offer discounts for partnerships they have set up.
There are two components to being PCI Compliant. One is a self-assessment questionnaire that you'll need to review. We're not going to tackle that part here :-)
The second part, the security scan, is what this document will help with. The security assessor is going to perform a scan of your servers, and notify you of any problems it sees. What we'll do here is go over some changes that need to be made in order to pass the security scan.
With that in mind, let's get started!
Disable the old v2 SSL protocol
An older version of the SSL protocol, dubbed "SSLv2", is enabled by default in many services running on Linux. It's considered insecure and needs to be disabled to pass the security scan.
Disable SSLv2 in Webmin
After logging into Virtualmin, click Webmin -> Webmin -> Webmin Configuration -> SSL Encryption. Where it says "Allowed SSL ciphers", choose the option "Only strong PCI-compliant ciphers", and click "Save".
Disable SSLv2 in Apache
You'll need to log in to the command line as root over SSH. From there, on CentOS-based systems, edit /etc/httpd/conf/httpd.conf. On Debian/Ubuntu-based systems, edit /etc/apache2/mods-enabled/ssl.conf.
After opening that file, you'll need to set "SSLProtocol" and "SSLCipherSuite" to the following:
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
Then restart Apache:
On CentOS, run: /etc/init.d/httpd reload
On Debian/Ubuntu, run: /etc/init.d/apache2 reload
Disable SSLv2 in Postfix
Edit /etc/postfix/main.cf, and set smtpd_tls_mandatory_protocols and smtpd_tls_mandatory_ciphers as follows:
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = medium, high
Disable SSLv2 in Dovecot
Edit /etc/dovecot/dovecot.conf, and set the "ssl_cipher_list" option as follows:
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Then restart Dovecot:
/etc/init.d/dovecot restart
Apache Settings
By default, Apache allows users to access a lot of information about the service remotely. To become PCI Compliant, you'll typically need to configure Apache to give away less information.
On CentOS, edit /etc/httpd/conf/httpd.conf; on Ubuntu, edit /etc/apache2/apache2.conf; on Debian, edit /etc/apache2/conf.d/security. Set ServerTokens, ServerSignature, and TraceEnable to the following:
ServerTokens Minimal
ServerSignature Off
TraceEnable Off
Then restart Apache:
On CentOS, run: /etc/init.d/httpd reload
On Debian/Ubuntu, run: /etc/init.d/apache2 reload
Disable Protocol 1 in SSH
SSH may have protocol 1 enabled, which is considered insecure. To disable it, edit /etc/ssh/sshd_config, and change the "Protocol" line to read:
Protocol 2
Then restart SSH: /etc/init.d/sshd restart
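As an added example (not part of this article or of Virtualmin), here is a small POSIX shell audit script that reads the files edited above and reports whether each SSLv2/SSH-protocol change is in place, so you can check before the assessor's scan does. It assumes the CentOS file paths from this article; on Debian/Ubuntu pass the paths named above as arguments to the check functions.

```shell
# Added example, not part of the original article: audit the files edited above
# and report which scan items are still open. Paths default to the CentOS ones.

# Effective value of a directive: last uncommented occurrence wins (block scoping
# is ignored); "Name value" and "name = value" forms accepted; returns 1 if unset.
directive_value() {
    [ -r "$1" ] || return 1
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line)
          if (line ~ /^#/ || line == "") next
          key = line; sub(/[ \t=].*$/, "", key)
          if (tolower(key) != name) next
          val = substr(line, length(key) + 1)
          sub(/^[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
          found = val }
        END { if (found == "") exit 1; print found }' "$1"
}

# Apache: SSLv2 is off when "-SSLv2" is listed or neither ALL nor SSLv2 enables it.
# An unset SSLProtocol means "all", so SSLv2 stays on.
apache_sslv2_disabled() {
    proto=$(directive_value "$1" SSLProtocol) || return 1
    case " $(printf '%s' "$proto" | tr 'A-Z' 'a-z') " in
        *" -sslv2 "*) return 0 ;;
        *sslv2*|*" all "*) return 1 ;;
        *) return 0 ;;
    esac
}
# sshd: only "Protocol 2" passes; "2,1", "1" or an unset line all fail.
sshd_protocol1_disabled() { [ "$(directive_value "$1" Protocol)" = 2 ]; }
# Postfix: fail if any entry of smtpd_tls_mandatory_protocols is a bare SSLv2.
postfix_sslv2_disabled() {
    val=$(directive_value "$1" smtpd_tls_mandatory_protocols) || return 1
    for tok in $(printf '%s' "$val" | tr ',A-Z' ' a-z'); do
        [ "$tok" = sslv2 ] && return 1
    done
    return 0
}
# Dovecot: ssl_cipher_list must carry the !SSLv2 exclusion.
dovecot_sslv2_disabled() {
    val=$(directive_value "$1" ssl_cipher_list) || return 1
    case ":$(printf '%s' "$val" | tr 'A-Z' 'a-z'):" in *":!sslv2:"*) return 0 ;; *) return 1 ;; esac
}

report() { label=$1; shift; if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi; }
report "Apache SSLv2 off"    apache_sslv2_disabled   /etc/httpd/conf/httpd.conf
report "sshd protocol 1 off" sshd_protocol1_disabled /etc/ssh/sshd_config
report "Postfix SSLv2 off"   postfix_sslv2_disabled  /etc/postfix/main.cf
report "Dovecot SSLv2 off"   dovecot_sslv2_disabled  /etc/dovecot/dovecot.conf
```

A missing or unreadable file is reported as FAIL, since the scan cannot be passed by a setting that is not there.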