Tag Archives: dv

PCI Compliance – Continued

So after many both my own nmap and openssl and the PCI tests we are finally PCI compliant.

For MediaTemple customers however one thing kept failing the test.

This was the port 8443 which used by Plesk Virtuozo Service and is caused by having the “Offline Management” enabled.

To solve this I asked Mediatemple for help and they gladly disabled the “Offline Management”. This however did not completely solve the issue, since it still left the port open, and since Plesk was still installed it would still overwrite any customization I did to the iptables to block this port, even if I would go though the process of adding it correctly (at least what I could find).

So to solve this I did the following:

I edited the crontab:

crontab -e

and added the block line for iptables:
* * * * * /sbin/iptables -A INPUT -p tcp --dport 8443 -j REJECT

additionally to make sure I did not risk locking myself out I also added a ACCEPT line for my SSH port:
* * * * * /sbin/iptables -A INPUT -p tcp --dport MYPORTNUMBER -j ACCEPT

Cron runs this every minute so as soon as Plesk overwrites the iptables rules, the crontab runs and it’s added again.

This solved the issue which failed the PCI compliance test for me.

In theory this should also work with “Offline management” enabled which is going to be my next experiment. Additionally I am going to try adding an exception for my ip into the iptables to se if that works.

For now though we are PCI compliant and the cron will, for now, make sure it stays that way until I find a more permanent solution or Mediatemple updates the Plesk installation.

PCI Compliance, Weak SSL Ciphers, Plesk, etc

For all those struggling with the marketing stunt that is PCI compliance here are some pages I found that help to make our DV Base at Mediatemple pass the PCI test

Please check out the following links for help on this:

Weak SSL:
465 (smtps/qmail) – http://www.qmailwiki.org/index.php/Qmail-control-files#control.2Ftlsserverciphers
imap/pop – follow instructions http://www.oscommerceuniversity.com/lounge/index.php?topic=265.0

Server wide ssl2 disable and weak ciphers for all virtual domains:
create new file:
vi /etc/httpd/conf.d/zz000_psa_httpd_weak_ssl_disable.conf
press ‘i’ to insert
SSLProtocol ALL -SSLv2

press ‘esc’ > ‘shift+q’ > ‘wq’ > ‘enter’
/etc/init.d/httpd stop
/etc/init.d/httpd start

Also found this page very helpful: http://www.linux-advocacy.org/web-servers/making-plesk-more-pci-compliant

Question and additions welcome of course..