ShareWiz Ultra Secure Server Setup

PCI DSS Security


Synopsis

This section describes the configuration changes to make on a Debian or Ubuntu server running Parallels Plesk Panel so that its public services stop revealing version information and stop accepting weak SSL/TLS protocols and ciphers, which is what an ASV (Approved Scanning Vendor) scan for PCI DSS checks. These steps cover only that part of PCI DSS; the standard also requires network segmentation, logging, patching and access control, none of which this page addresses.

Secure Apache Web Server

Issue the following command:

sudo vi /etc/apache2/apache2.conf

and add the following lines:

ServerTokens ProductOnly
TraceEnable Off

ServerTokens ProductOnly reduces the Server response header to "Apache", with no version or module list (ServerSignature Off does the same for the footer of server-generated error pages). TraceEnable Off makes Apache answer TRACE requests with 405 Method Not Allowed; scanners flag an enabled TRACE method because of cross-site tracing.

Then locate the line:

FileETag INode MTime Size

and change it to:

FileETag MTime Size

so that the file's inode number is no longer embedded in ETag headers (CVE-2003-1418). If the directive is absent, add it: on Apache 2.2 the built-in default also includes INode.

Save the file.

Check the configuration with apache2ctl configtest, then restart the web server by issuing the following command:

sudo /etc/init.d/apache2 restart


Conceal the version of the DNS server

Issue the following command:

sudo vi /etc/named.conf

On Debian and Ubuntu (where the bind9 init script used below comes from) the options {} block lives in /etc/bind/named.conf.options, which /etc/bind/named.conf includes, so edit that file instead.

Locate the options {} section and add the following line inside it:

version "none";

BIND then no longer answers the CHAOS-class TXT query for version.bind with its real version string. The related hostname.bind and id.server queries are controlled by the hostname and server-id options in the same block. Check the file with named-checkconf, then restart the named service:

sudo /etc/init.d/bind9 restart
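To confirm the Apache and BIND changes above from a client's point of view, here is an added example by the editor; it is not part of the original page, of Apache or of BIND. The audit functions read a captured HTTP response on standard input and can therefore be checked against constructed responses; live_check runs them with curl and dig against a host you name (www.example.com in the usage comment is a placeholder).

```shell
#!/bin/sh
# Added example by the editor; not from the original page, Apache or BIND.
# The audit_* functions read a captured response on stdin and are pure, so
# they can be run on constructed input; live_check wraps them with curl and
# dig.  The host name used in the usage comment is a placeholder.

# audit_http_headers: read HTTP response headers, print one line per
# disclosure found, return 1 if there was any.
audit_http_headers() {
    findings=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            [Ss]erver:*[0-9].[0-9]*)
                # ServerTokens ProductOnly leaves just "Server: Apache"
                echo "FAIL: Server header carries a version: $line"; findings=1 ;;
            [Xx]-[Pp]owered-[Bb]y:*)
                # expose_php = Off removes this header
                echo "FAIL: X-Powered-By header present: $line"; findings=1 ;;
            [Ee][Tt]ag:*\"*-*-*\"*)
                # FileETag INode MTime Size gives "inode-size-mtime" (three
                # fields); MTime Size gives two, so three fields means the
                # inode is still exposed
                echo "FAIL: ETag looks inode-based: $line"; findings=1 ;;
        esac
    done
    return $findings
}

# audit_trace_status: read the status line of a response to a TRACE request.
# With TraceEnable Off Apache answers 405; a 200 means TRACE still works.
audit_trace_status() {
    IFS= read -r status
    [ -n "$status" ] || { echo "FAIL: no response received"; return 1; }
    case "$status" in
        HTTP/*" 200 "*) echo "FAIL: TRACE is enabled: $status"; return 1 ;;
        *)              echo "OK: TRACE refused: $status"; return 0 ;;
    esac
}

# live_check HOST: run the checks against a real server (needs curl and dig).
live_check() {
    host=$1
    curl -sS -I "http://$host/" | audit_http_headers
    curl -sS -i -X TRACE "http://$host/" | audit_trace_status
    # With version "none" in named.conf this prints nothing; whatever it
    # prints is what the name server still reveals.
    dig +short @"$host" version.bind txt chaos
}

# Usage (placeholder host): live_check www.example.com
```

Run the live check from a machine outside the server, since that is the vantage point an ASV scanner has; the headers curl returns for the Plesk Panel port (8443) and for hosted sites can differ, so check both.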


Secure Postfix Email Server

Issue the following command:

sudo vi /etc/postfix/main.cf

and add the following lines to the file:

smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, RC4, MD5
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

Write the protocol lists in exclusion form rather than listing the versions to allow: PCI DSS 3.1 and later class SSL of any version and "early TLS" as insecure, so SSLv3 must be off, and once every client can negotiate TLS 1.2 the list should grow to !SSLv2, !SSLv3, !TLSv1, !TLSv1.1. smtpd_tls_protocols and smtpd_tls_ciphers govern opportunistic TLS; the *_mandatory_* parameters govern sessions where smtpd_tls_security_level is encrypt. Set both so the outcome does not depend on that level. smtpd_tls_auth_only = yes stops AUTH from being announced before STARTTLS. noplaintext removes the PLAIN and LOGIN mechanisms that nearly every mail client uses, so smtpd_sasl_tls_security_options must be set to noanonymous to offer them again once the session is encrypted; without it users cannot authenticate at all.

Postfix uses the last definition of a parameter in main.cf. If one of these parameters already appears elsewhere in the file, the lowest occurrence wins, so remove the old line. Save the file.

Restart the mail server, by issuing the following command:

sudo /etc/init.d/postfix restart
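Because Postfix applies the last definition of a parameter, lines added near the top of main.cf are silently overridden by an older copy of the same parameter lower down. The following added example by the editor (not from the original page or from Postfix) audits a main.cf for the settings above while honouring that rule, comment lines and continuation lines. The path in the usage comment is an assumption, and postconf -n remains the authoritative view because it also resolves built-in defaults.

```shell
#!/bin/sh
# Added example by the editor; not from the original page or from Postfix.
# Audits a main.cf for the TLS and SASL settings above, following Postfix's
# parsing rules: '#' comment lines, "name = value", the last definition of a
# parameter wins, and a line beginning with whitespace continues the previous
# logical line.  The path in the usage comment is an assumption.

# postconf_get FILE NAME: print the effective value of NAME as set in FILE
# (empty if the file does not set it).
postconf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { cur = ""; next }                     # comment line
        /^[ \t]+[^ \t]/ {                                 # continuation line
            if (cur == key) { l = $0; sub(/^[ \t]+/, "", l); val = val " " l }
            next
        }
        /^[A-Za-z0-9_]+[ \t]*=/ {                         # "name = value"
            cur = $0; sub(/[ \t]*=.*/, "", cur)
            if (cur == key) { val = $0; sub(/^[^=]*=/, "", val) }
            next
        }
        { cur = "" }                                      # blank line ends a logical line
        END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }
    ' "$1"
}

# list_has VALUE TOKEN: succeed if TOKEN is one of the comma- or
# space-separated items in VALUE (case-insensitive).
list_has() {
    printf '%s\n' "$1" | tr ',' ' ' | tr 'A-Z' 'a-z' | tr -s ' ' '\n' \
        | grep -qx -- "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# protocols_ok VALUE: succeed if a *_protocols value rules out SSLv2 and SSLv3,
# whether written in exclusion form ("!SSLv2, !SSLv3") or inclusion form
# ("TLSv1.2").  An unset value fails: older Postfix defaults allowed SSLv2.
protocols_ok() {
    [ -n "$1" ] || return 1
    case "$1" in
        *!*) list_has "$1" '!SSLv2' && list_has "$1" '!SSLv3' ;;
        *)   ! list_has "$1" SSLv2 && ! list_has "$1" SSLv3 ;;
    esac
}

# postfix_tls_audit FILE: print one line per finding, return 1 if any.
postfix_tls_audit() {
    cf=$1; rc=0
    for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols; do
        v=$(postconf_get "$cf" "$p")
        protocols_ok "$v" || { echo "FAIL: $p = '$v' still permits SSLv2/SSLv3"; rc=1; }
    done
    v=$(postconf_get "$cf" smtpd_tls_exclude_ciphers)
    list_has "$v" aNULL || { echo "FAIL: smtpd_tls_exclude_ciphers = '$v' allows anonymous suites"; rc=1; }
    v=$(postconf_get "$cf" smtpd_tls_auth_only)
    [ "$v" = yes ] || { echo "FAIL: smtpd_tls_auth_only = '$v', AUTH offered before STARTTLS"; rc=1; }
    v=$(postconf_get "$cf" smtpd_sasl_security_options)
    list_has "$v" noanonymous || { echo "FAIL: smtpd_sasl_security_options = '$v' lacks noanonymous"; rc=1; }
    return $rc
}

# Usage (assumed path): postfix_tls_audit /etc/postfix/main.cf
```

After the restart, confirm the negotiated result from outside with openssl s_client -starttls smtp -connect mail.example.com:25 (placeholder host): the AUTH keyword must be absent from the EHLO response before STARTTLS, and a forced -ssl3 handshake must fail.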


Secure Plesk

Issue the following command:

sudo /usr/local/psa/admin/bin/pci_compliance_resolver --enable all

The utility accepts the following options:

--enable all | --disable all
    "--enable all" switches off weak SSL ciphers and protocols for the Web and e-mail servers. "--disable all" reverts all changes made by the utility and restores the original configuration files, thereby allowing weak SSL ciphers and protocols for connections to the Web and e-mail servers again.

--enable courier | --disable courier
    Switches off or switches on weak SSL ciphers and protocols for connections to the Courier IMAP mail server.

--enable apache | --disable apache
    Switches off or switches on weak SSL ciphers and protocols for connections to the Apache Web server that serves users' sites.

--enable panel | --disable panel
    Switches off or switches on weak SSL ciphers and protocols for connections to Parallels Plesk Panel.

Switch off medium-strength SSL ciphers for access to the Panel, by issuing the following command:

sudo vi /usr/local/psa/admin/conf/cipher.lst

Delete all lines from the file, and then insert the following line:

DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA

Keep this list to authenticated AES suites. Do not add ADH-* suites (anonymous Diffie-Hellman: the server is never authenticated, so an active man-in-the-middle can read the session), KRB5-* suites (unusable without a Kerberos KDC) or the 3DES suites (DES-CBC3-*). An ASV scan rejects the anonymous suites outright and, since the Sweet32 attack on 64-bit block ciphers, flags 3DES as well; DES-CBC3-MD5 in particular is an SSLv2-only suite.

Save the file.

Restart the Panel's web server, by issuing the following command:

sudo /etc/init.d/sw-cp-server restart


Use the firewall that comes with your Parallels Plesk Panel (Optional)

Log in to the Panel as administrator.

If you did not install the firewall component, install it:

  • Go to Home > Updates (in the Help & Support group).
  • Click the link corresponding to your version of the Panel.
  • Locate Plesk Firewall module, select the corresponding check box, and click Install.

Configure the firewall rule that blocks external MySQL connections and switch the firewall on:

  • Click the Settings link in the navigation pane.
  • Click Manage Firewall Rules, and then Edit Firewall Configuration.
  • Click the MySQL server link.
  • Select the Deny option and click OK.
  • Click Activate to apply the configuration, and then click Activate again to switch on the firewall.


Disable SSL v2 and weak SSL ciphers for the Plesk single sign-on service

Issue the following command:

sudo vi /etc/sw-cp-server/applications.d/sso-cpserver.conf

and locate the two lines ssl.engine = "enable". sw-cp-server is built on lighttpd, so the file uses lighttpd directives and ssl.cipher-list takes an OpenSSL cipher string.

After each of these lines, add the following:

ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA"
ssl.use-sslv2 = "disable"

As with cipher.lst, leave out the ADH-*, KRB5-*, RC4, RC2, DES-CBC3 and *-MD5 suites: the anonymous suites provide no server authentication, RC4 is prohibited for TLS by RFC 7465, and RC2-CBC-MD5 and DES-CBC3-MD5 are SSLv2 suites that disabling SSLv2 makes pointless anyway. Newer lighttpd builds also understand ssl.use-sslv3 = "disable"; check the version of the bundled sw-cp-server before relying on it.

Save the file.

Restart the Panel's web server, by issuing the following command:

sudo /etc/init.d/sw-cp-server restart


Hide the PHP version when using Plesk

Issue the following command:

sudo vi /etc/sw-cp-server/php.ini

and add the following line to this file (no trailing period):

expose_php = Off

This removes the X-Powered-By: PHP/x.y.z response header from the Panel. It affects only the Panel's own PHP; to hide the version from hosted sites, set expose_php = Off in the php.ini that Apache loads (the "Loaded Configuration File" line of phpinfo() shows its path).

Save the file.

Issue the following command:

sudo vi /etc/sw-cp-server/applications.d/sso-cpserver.conf

and locate the following line:

var.intertpreter = "/usr/bin/sw-engine-cgi"

and replace it with the following line, so that the Panel's PHP engine reads the php.ini edited above:

var.intertpreter = "/usr/bin/sw-engine-cgi -c /etc/sw-cp-server/php.ini"

Save the file.

Restart the Panel's web server, by issuing the following command:

sudo /etc/init.d/sw-cp-server restart


Secure QMail Email Server

Issue the following commands (sudo sh -c is needed because the redirection into /var/qmail/control must run as root, not only the echo):

sudo sh -c "echo 'HIGH:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:!RC4:!MD5:!3DES' > /var/qmail/control/tlsserverciphers"

sudo sh -c "echo 'HIGH:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:!RC4:!MD5:!3DES' > /var/qmail/control/tlsclientciphers"

Both files hold OpenSSL cipher strings read by the TLS patch in Plesk's qmail: tlsserverciphers for incoming SMTP (qmail-smtpd) and tlsclientciphers for outgoing delivery (qmail-remote). Older guides put RC4+RSA at the front of the string as a BEAST workaround; RC4 is now prohibited for TLS (RFC 7465) and is excluded here, as are MD5-based and 3DES suites and anything anonymous, unencrypted, low-strength or export grade. Because Plesk starts qmail-smtpd from xinetd, every incoming connection gets a fresh process that reads the control file, so no service restart is needed. Check the expanded list with openssl ciphers -v and the string above, and the live result with openssl s_client -starttls smtp against port 25.
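The three cipher lists on this page (cipher.lst for the Panel, ssl.cipher-list for the single sign-on service, and the qmail tlsserverciphers and tlsclientciphers strings) are all judged by the same rules in an ASV scan. The following added example by the editor, not from the original page, Plesk or qmail, classifies suite names by those rules and prints what may stay; the rules are the editor's, and the sample list is a constructed one in the style of older Plesk cipher.lst recommendations. Keyword specs such as the qmail string have to be expanded with openssl ciphers first, which the last function does.

```shell
#!/bin/sh
# Added example by the editor; not from the original page, Plesk or qmail.
# Splits a list of OpenSSL cipher suite names (space-separated as in
# cipher.lst, or colon-separated as in ssl.cipher-list) into suites a PCI ASV
# scan rejects and suites that may stay, using the suite names alone, so no
# openssl binary is needed.  The classification rules are the editor's.

# classify_suite NAME: print why NAME is unacceptable, or nothing if it is fine.
classify_suite() {
    case "$1" in
        ADH-*|AECDH-*|NULL-*|*-NULL-*) echo "anonymous or unencrypted (aNULL/eNULL)" ;;
        EXP-*|EXP1024-*)               echo "export grade" ;;
        *RC4*|*RC2*)                   echo "RC4 or RC2" ;;
        *DES-CBC3*|*3DES*)             echo "3DES, 64-bit block (Sweet32)" ;;
        *DES-CBC-*)                    echo "single DES" ;;
        KRB5-*)                        echo "Kerberos suite, needs a KDC" ;;
        *-MD5)                         echo "MD5 MAC" ;;
    esac
}

# filter_ciphers LIST: print the acceptable suites colon-separated on stdout,
# report each dropped suite on stderr, return 1 if anything was dropped.
filter_ciphers() {
    dropped=0; keep=""
    for s in $(printf '%s' "$1" | tr ':' ' '); do
        why=$(classify_suite "$s")
        if [ -n "$why" ]; then
            echo "drop $s: $why" >&2; dropped=1
        else
            keep="${keep:+$keep:}$s"
        fi
    done
    printf '%s\n' "$keep"
    return $dropped
}

# For a keyword spec such as the qmail string above, expand it with openssl
# first (needs the openssl binary, so it is not part of the constructed run):
expand_and_filter() { filter_ciphers "$(openssl ciphers "$1")"; }

# Constructed sample in the style of older Plesk cipher.lst recommendations:
PLESK_PANEL_LIST='ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5'

# Usage: filter_ciphers "$PLESK_PANEL_LIST"
#        expand_and_filter 'HIGH:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:!RC4:!MD5:!3DES'
```

Of the sample list only the three authenticated AES suites survive; everything else is either unauthenticated, Kerberos-only or 3DES. The names a list contains are only half the story: the server's OpenSSL build decides which of them exist at all, so the openssl ciphers -v expansion is the final word on what a given host will offer.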


Continue to the Apache Security...