Today, I am going to discuss how we at InstaCarma were able to help one of our clients in achieving PCI Compliance and hence increase their customer base..
Now, this client is basically a provider of e-commerce based hosting solutions. They deal with plenty of sensitive and important data. Hence, becoming PCI Compliant was mandatory for them. Recently they were getting too many potential customer queries whether they are PCI Compliant. Achieving this has helped them grow their business by almost 50% in last couple of quarters.
A PCI Scan tells you what could be potentially insecure about your server. This is particularly important where storage of sensitive data occurs. Therefore, PCI Compliance is something which is preferred by most credit-card companies these days.
The PCI Security Standards Council talks about 12 basic requirements broadly divided into 6 categories. This is called the PCI-DSS (Payment Card Industry Data Security Standard)
This is required in order to avoid data frauds where card information is stored.
You can find these details at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Following are the important steps that we took in order to ensure that their cPanel servers pass the PCI Scan :-
– Installed a firewall : A server is not likely to pass the PCI Scan if there are unnecessary open ports. We installed CSF on the server. Alternatively, APF can also be used. We closed all the ports except for the ones required for the essential services. Certain standard ports like 2082, 2086 and 2095 could produce a negative result. So, we configured WHM to use the secure ports only.
– Updating the packages : Just run /scripts/upcp to update all the packages. Also, we had to make sure that Apache , PHP and MySQL were running the latest version.
The suggested versions are :
MySQL 4.1.22 or above
PHP 5.2.5 or above
Apache 1.3.39 or above ( Certain scans might require Apache 2.0.x )
OpenSSL 0.9.7j or above
cPanel suggests that you should keep cPAddons up to date as well.
– Disabled mod_userdir : If a site on the server can be accessed as http://serverip/~username
then it means that mod_userdir is ‘enabled’. We can disable it through WHM > Security Center > Apache mod_userdir Tweak
– SSL : At least, one SSL certificate from a recognized certificate authority is required. We
installed SSL for Apache. SSL can be installed for other services as well.
– Apache Setup should not be revealed: We all have seen the ‘404 Error’ page at some point. Information about the Apache Setup
should not be available on that page. This can be achieved by adding the following lines to the ‘httpd.conf’ file :
ServerSignature Off
ServerTokens Prod
FileETag None
– Disable SSLv2 and other weak encryption methods : Some services doesn’t allow you to
choose between SSL protocols but most PCI Scan overlook it.
The Weak SSL cipher issue has been an headache for people who want to pass the scan.
Thankfully, cPanel 11.24 has got an in-built solution for that.
Just go to WHM > Apache Configuration > Global configuration and copy paste the following :
ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1
– mod FrontPage – It is likely to cause a scan failure. Therefore, we kept it disabled.
– Separate services – cPanel recommends that you keep services separate like MySQL server on
a local subnet, remote DNS only, no local BIND etc
– 2 factor authentication – This is another suggestion by cPanel that we adopted. A 2-factor
authentication procedure which requires a key and a passphrase.
– Besides all these, another important measure that we took was running the Nessus Scan.
It is a wonderful freely available tool to find any vulnerabilities on your server. You can find the details on the official Nessus website – http://nessus.org
Nessus basically consists of two parts, the server and the client. Once you are done with the two installations you need to add an user for the scanner and then you can start a scan on any remote server. The scan might take a while. It will give you a detailed report about all the package related vulnerabilities and any security loopholes. The best thing about Nessus is that it will also give you suggestions on how to fix those.
Thus, Nessus will tell you almost everything that needs to be done in order to achieve PCI Compliance.
I will be discussing about the installation and working of Nessus in the coming articles.
Let me tell you that different scan companies have a different approach . Hence, the requirements vary and they might have many more than the ones mentioned above. But these are the very basic ones that need to implemented for sure. I hope this article would be helpful for those looking forward to achieving PCI Compliance.
