PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard defined by the Payment Card Industry Security Standards Council.
Chances are, if your organization processes credit cards, your bank has asked you to become “PCI Compliant”.
The goal of PCI Compliance is to prevent credit card fraud through increased security. The standard applies to all organizations that hold, process, or exchange credit card data.
Becoming PCI Compliant
Being branded “PCI Compliant” relies on working with a third party security assessor to review your servers and policies. Your bank or credit card processor will generally have a suggestion on what company to use, and may offer discounts for partnerships they have setup.
There are two components to being PCI Compliant. One is a self-assessment questionnaire that you’ll need to review. We’re not going to tackle that part here 🙂
The second part, the security scan, is what this document will help with. The security assessor is going to perform a scan of your servers, and notify you of any problems it sees. What we’ll do here is go over some changes that need to be made in order to pass the security scan.
With that in mind, let’s get started!
Disable the old v2 SSL protocol
An older version of the SSL protocol, dubbed “SSLv2”, is enabled by default in many services running on Linux. It’s considered insecure, and must be disabled to pass the security scan.
Disable SSLv2 in Webmin
After logging into Virtualmin, click Webmin -> Webmin -> Webmin Configuration -> SSL Encryption. Where it says “Allowed SSL ciphers”, set the option “Only strong PCI-compliant ciphers”, and click “Save”.
Disable SSLv2 in Apache
You’ll need to log in to the command line as root over SSH. From there, on CentOS-based systems, you’ll need to edit /etc/httpd/conf/httpd.conf. On Debian/Ubuntu-based systems, you’ll need to edit /etc/apache2/mods-enabled/ssl.conf.
After opening that file, you’ll need to set “SSLProtocol” and “SSLCipherSuite” to the following:
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
Then restart Apache —
On CentOS, run: /etc/init.d/httpd reload
On Debian/Ubuntu, run: /etc/init.d/apache2 reload
Disable SSLv2 in Postfix
Edit /etc/postfix/main.cf, and set smtpd_tls_mandatory_protocols and smtpd_tls_mandatory_ciphers as follows:
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high
Disable SSLv2 in Dovecot
Edit /etc/dovecot/dovecot.conf, and set the “ssl_cipher_list” option as follows:
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Then restart Dovecot:
/etc/init.d/dovecot restart
Apache Settings
By default, Apache allows users to access a lot of information about the service remotely. To become PCI Compliant, you’ll typically need to configure Apache to give away less information.
On CentOS, edit /etc/httpd/conf/httpd.conf, on Ubuntu, edit /etc/apache2/apache2.conf, and on Debian, edit /etc/apache2/conf.d/security, and set ServerTokens, ServerSignature, and TraceEnable to the following:
ServerTokens Minimal
ServerSignature Off
TraceEnable Off
On CentOS, run: /etc/init.d/httpd reload
On Debian/Ubuntu, run: /etc/init.d/apache2 reload
Disable Protocol 1 in SSH
SSH may have protocol 1 enabled, which is considered insecure. To disable it, edit /etc/ssh/sshd_config, and change the “Protocol” line to read:
Protocol 2
Then restart SSH: /etc/init.d/sshd restart
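Before asking the assessor to rescan, it helps to confirm that the edits from the SSLv2, Apache Settings and SSH sections above actually took effect in the files. The script below is an added example, not part of this page or of Virtualmin: it reads the config files you name on the command line and reports PASS/FAIL for each directive those sections prescribe (SSLProtocol, ServerTokens/ServerSignature/TraceEnable, smtpd_tls_mandatory_protocols, ssl_cipher_list, Protocol). The script name and the five-argument usage are assumptions; the directive names and values are the ones from the sections above.

```shell
#!/bin/sh
# pci_audit.sh (hypothetical name): verify the hardening directives this page asks
# for by reading the config files, so you can check them before the assessor rescans.
# Usage: sh pci_audit.sh APACHE_SSL_CONF APACHE_MAIN_CONF POSTFIX_MAIN_CF DOVECOT_CONF SSHD_CONFIG
# Each check_* function takes a file path and returns 0 (pass) or 1 (fail).

# Print the value of the LAST uncommented "Name value" / "name = value" line
# whose name matches $2 (case-insensitive); print nothing if it is absent.
directive_value() {
    awk -v name="$2" '
        BEGIN { name = tolower(name) }
        /^[ \t]*#/ { next }                        # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)              # end of the directive name
            if (n == 0) next
            if (tolower(substr(line, 1, n - 1)) != name) next
            rest = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", rest)       # strip separator ("=" in Postfix/Dovecot)
            sub(/[ \t]+$/, "", rest)
            value = rest                           # a later line overrides an earlier one
        }
        END { if (value != "") print value }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
has_token() { printf '%s\n' "$1" | grep -qi -- "$2"; }   # case-insensitive substring test

# Apache: SSLProtocol must shut SSLv2 out ("ALL -SSLv2" on this page).
check_apache_sslv2() {
    v=$(directive_value "$1" SSLProtocol)
    [ -n "$v" ] || return 1                                  # unset: Apache's default is "all"
    if has_token "$v" -SSLv2 || has_token "$v" -all; then return 0; fi
    if has_token "$v" all || has_token "$v" SSLv2; then return 1; fi
    return 0                                                 # an explicit TLS-only list
}

# Apache: ServerTokens Minimal (or stricter), ServerSignature Off, TraceEnable Off.
check_apache_info_leak() {
    case "$(lower "$(directive_value "$1" ServerTokens)")" in
        prod|productonly|major|minor|min|minimal) ;;
        *) return 1 ;;
    esac
    [ "$(lower "$(directive_value "$1" ServerSignature)")" = off ] || return 1
    [ "$(lower "$(directive_value "$1" TraceEnable)")" = off ]
}

# Postfix: smtpd_tls_mandatory_protocols must not admit SSLv2, whether written
# as an allow-list ("SSLv3, TLSv1") or as an exclusion list ("!SSLv2, !SSLv3").
check_postfix_sslv2() {
    v=$(directive_value "$1" smtpd_tls_mandatory_protocols)
    [ -n "$v" ] || return 1
    has_token "$v" '!SSLv2' && return 0
    ! has_token "$v" SSLv2
}

# Dovecot: ssl_cipher_list must carry the !SSLv2 exclusion.
check_dovecot_sslv2() {
    v=$(directive_value "$1" ssl_cipher_list)
    [ -n "$v" ] && has_token "$v" '!SSLv2'
}

# sshd: exactly "Protocol 2" (not "2,1", and not left unset).
check_sshd_protocol() {
    [ "$(directive_value "$1" Protocol)" = 2 ]
}

# Print one PASS/FAIL line per check; return 1 if anything failed.
run_audit() {
    failed=0
    for spec in \
        "check_apache_sslv2|$1|Apache SSLProtocol excludes SSLv2" \
        "check_apache_info_leak|$2|Apache ServerTokens/ServerSignature/TraceEnable" \
        "check_postfix_sslv2|$3|Postfix smtpd_tls_mandatory_protocols excludes SSLv2" \
        "check_dovecot_sslv2|$4|Dovecot ssl_cipher_list rejects SSLv2" \
        "check_sshd_protocol|$5|sshd Protocol 2 only"
    do
        fn=${spec%%|*}; rest=${spec#*|}; file=${rest%%|*}; label=${rest#*|}
        if "$fn" "$file"; then echo "PASS  $label ($file)"
        else echo "FAIL  $label ($file)"; failed=1; fi
    done
    return $failed
}

if [ "$#" -eq 5 ]; then run_audit "$@"; fi
```

On CentOS the first two arguments are both /etc/httpd/conf/httpd.conf; on Debian they are /etc/apache2/mods-enabled/ssl.conf and /etc/apache2/conf.d/security (apache2.conf on Ubuntu). The checks test only what this page prescribes; current PCI DSS versions also treat SSLv3 and early TLS as insecure, so treat the values above as a floor and extend the checks accordingly when your assessor asks for more.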
List Apache security patches
Some PCI providers will request a list of security updates Apache has been patched for. You can generate such a list with this command:
rpm -qa --changelog httpd|grep CVE
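The raw grep above prints whole changelog lines, with the same CVE repeated wherever it is mentioned. The helpers below are an added example (not part of this page or of Virtualmin) that turn the changelog into the list an assessor actually wants: each CVE identifier once, and optionally paired with the package version whose changelog entry mentions it, so you can show in which release a given fix first arrived. The Debian changelog path is an assumption, and the sample changelog with its CVE numbers is constructed (the identifiers are placeholders, not real advisories).

```shell
#!/bin/sh
# Hypothetical helpers for the "list security patches" step. Feed a package
# changelog on stdin, e.g. on CentOS/RHEL (as on this page):
#     rpm -q --changelog httpd | cves_by_version
# or on Debian/Ubuntu (path assumed; "apt-get changelog apache2" also works):
#     zcat /usr/share/doc/apache2/changelog.Debian.gz | list_cves

# Every distinct CVE identifier mentioned anywhere in the input, sorted.
list_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | LC_ALL=C sort -u
}

# CVE identifier paired with the package version whose rpm changelog entry
# mentions it. rpm entries start "* <date> <packager> - <version-release>",
# so the last field of a "* " line is the version for every line below it
# until the next header.
cves_by_version() {
    awk '
        /^\* / { ver = $NF; next }
        {
            line = $0
            while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9]*/)) {
                print substr(line, RSTART, RLENGTH) "\t" ver
                line = substr(line, RSTART + RLENGTH)
            }
        }' | LC_ALL=C sort -u
}

# Constructed sample in rpm changelog layout; the CVE numbers are placeholders,
# not real advisories.
SAMPLE_CHANGELOG=$(cat <<'EOF'
* Mon Jan 01 2001 Example Packager <packager@example.invalid> - 2.2.3-2.example
- Resolves: CVE-0000-00002 (placeholder) and CVE-0000-00001 (placeholder, follow-up)

* Mon Jan 01 2000 Example Packager <packager@example.invalid> - 2.2.3-1.example
- Resolves: CVE-0000-00001 (placeholder)
- unrelated packaging change
EOF
)

# Stand-alone demo: when run from a terminal, show the sample's CVE-to-version table.
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_CHANGELOG" | cves_by_version
fi
```

On the sample, cves_by_version lists CVE-0000-00001 against both 2.2.3-1 and 2.2.3-2 and CVE-0000-00002 against 2.2.3-2 only, which is the shape of answer a "which release fixed this?" question needs; list_cves collapses the same input to the two identifiers.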
Package Backports
Although the various package versions in use on your server may not appear to be the latest, Linux distribution vendors (such as RedHat, CentOS, Ubuntu, and Debian) all backport security fixes into the software versions they ship, a process known as “backporting”. A scanner that judges by version number alone may therefore report vulnerabilities that have already been fixed. RedHat has documentation explaining that process here: