PCI Compliance for Plesk (linux)
PCI Scanning stands for “Payment Card Industry” scanning. It involves having a PCI ASV (Approved Scanning Vendor) scan any and all IP addresses that the public has access to, related to your website or your site’s transaction process.
The following guide assumes you are working with a Plesk 8.6 (or above) installation on RedHat Enterprise or CentOS Linux. You will need shell / root access to your server running Plesk, if you do not have shell / root access then you will need to ask your server hosts to make the changes.
WARNING: This document does not serve as a comprehensive source for PCI compliance advice. The reader is expected to have some basic systems administration experience. Do not copy and paste examples directly from this document without first understanding their implications.
Courier IMAP/POP3
Weak SSL Ciphers and SSLv2
The most common flaw uncovered by a PCI compliance scan is that a service is allowing SSL connections using weak SSL ciphers. Disable SSLv2 in Courier IMAP by adding the following line to both /etc/courier-imap/imapd-ssl and /etc/courier-imap/pop3d-ssl:
TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
After you have edited both files, restart courier-imap:
service courier-imap restart
After restarting Courier, test with openssl to confirm SSLv2 has been disabled properly:
openssl s_client -connect localhost:995 -ssl2
Test that weak ciphers have been disabled with the following:
openssl s_client -connect localhost:995 -cipher EXP:LOW
You should get something back like:
CONNECTED(00000003)
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated POP3 SSL key/CN=localhost/emailAddress=postmaster@example.com
verify return:1
2983:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
Qmail
Weak SSL ciphers can be disabled in qmail by adding the following to /var/qmail/control/tlsserverciphers and /var/qmail/control/tlsclientciphers:
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
Testing with openssl is highly recommended:
openssl s_client -connect localhost:25 -starttls smtp
Apache
Disable TRACE and TRACK
Plesk takes almost complete control of the Apache configuration once it is installed on a server. Fortunately it leaves enough flexibility to allow one to disable features that will cause a server to fail a PCI scan. The TRACE and TRACK methods are the most common causes of PCI failures on web servers.
Upgrade Plesk to version 8.6.0; it’s as simple as that. The previously presented fixes do not work in all situations, so I would suggest upgrading Plesk as the easiest option.
Weak SSL Ciphers
Disabling weak SSL ciphers can be accomplished by introducing a new file, /etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf, into /etc/httpd/conf.d. Place the following directives into this file:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
Standard testing methodology applies.
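The "standard testing methodology" used throughout this guide is the same openssl s_client probe shown for Courier: ask the server for SSLv2 or for the EXP:LOW cipher list and confirm it refuses. The script below is an added example (not part of the original post) that runs those probes for Courier (995/993), qmail (25) and Apache (443) in one pass and reduces each transcript to a one-word verdict. It assumes openssl is on the PATH; "localhost" and the port list are placeholders for the server being checked.

```shell
#!/bin/sh
# Added example (not part of the original post): run the SSLv2 / weak-cipher
# checks described for Courier (995, 993), qmail (25) and Apache (443) as one
# pass, and reduce each "openssl s_client" transcript to a one-word verdict.
# Assumptions: openssl is on the PATH; "localhost" and the port list are
# placeholders for the server being checked.

# Read an s_client transcript on stdin and print one of:
#   DISABLED  - the server refused the requested protocol or cipher list
#   ACCEPTED  - a cipher was negotiated, so the weak setting is still live
#   NOCLIENT  - this openssl build cannot even offer the option (e.g. -ssl2
#               on a modern build), so the probe says nothing about the server
#   UNKNOWN   - anything else (connection refused, timeout, empty output)
tls_verdict() {
    out=$(cat)
    case "$out" in
        *"Unknown option"*|*"unknown option"*)
            echo NOCLIENT ;;
        *"no cipher list"*|*"handshake failure"*|*"unsupported protocol"*|*"Cipher is (NONE)"*)
            echo DISABLED ;;
        *"Cipher is "*)
            echo ACCEPTED ;;
        *)
            echo UNKNOWN ;;
    esac
}

# One probe: $1 = host, $2 = port, remaining arguments are passed to
# s_client unchanged (for example -ssl2, -cipher EXP:LOW, -starttls smtp).
tls_probe() {
    host=$1; port=$2; shift 2
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1 | tls_verdict
}

# Probe every service this guide reconfigures. Prints one line per check and
# returns 1 if any weak setting is still ACCEPTED.
pci_tls_audit() {
    host=${1:-localhost}
    rc=0
    while read -r label port extra; do
        # $extra is intentionally unquoted so "-cipher EXP:LOW" splits into two args
        v=$(tls_probe "$host" "$port" $extra)
        if [ "$v" = ACCEPTED ]; then
            echo "FAIL $label ($host:$port): $v"; rc=1
        else
            echo "ok   $label ($host:$port): $v"
        fi
    done <<EOF
pop3s-sslv2        995 -ssl2
pop3s-weak-ciphers 995 -cipher EXP:LOW
imaps-weak-ciphers 993 -cipher EXP:LOW
smtp-weak-ciphers   25 -starttls smtp -cipher EXP:LOW
https-weak-ciphers 443 -cipher EXP:LOW
EOF
    return $rc
}

# Usage: sh pci-tls-audit.sh mail.example.com
if [ $# -gt 0 ]; then
    pci_tls_audit "$1"
fi
```

A NOCLIENT result on the -ssl2 line means the openssl on the scanning host was built without SSLv2 and cannot test it; run that probe from a box whose openssl still has the option, or rely on the ASV's own scan for that item.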
UserDir and ServerTokens
Disabling UserDir and changing the Apache ServerTokens directive lowers the profile of the web server software through obscurity. As a result, an attacker will have a more difficult time targeting attacks against it. See below for an example of how these directives can present a security risk to your server.
The attacker begins requesting URLs from the server in the following format:
http://www.example.com/~joedoe
An error code of 403 is presented to the attacker, indicating that the directory exists but access is restricted. The error page also contains an interesting string of text:
Apache/2.0.53 (Linux)
It has now been determined by the attacker that a user named joedoe is present on the target. The target is a Linux server running Apache 2.0.53. Attempts can now be made to guess the password for the joedoe user. The attack may escalate if the user account becomes compromised. For example, if joedoe has been granted shell access the attacker may be able to obtain root access if a privilege escalation vulnerability exists in the underlying operating system. With shell access to the server an attacker can initiate denial of service attacks against other hosts or begin spamming and phishing activity.
This can be prevented to some degree by modifying the UserDir and ServerTokens directives. These directives can be found in /etc/httpd/conf/httpd.conf. Change them to the following:
UserDir disabled
ServerTokens Prod
After restarting Apache the server will present generic software version information to the public. Any request for UserDir URLs will receive a 404 result code.
Plesk Sub-System
Additional configuration may be required if a firewall is not installed to limit access to the Plesk service ports. Modifications to the Parallels-supplied Apache are added to /usr/local/psa/admin/conf/httpsd.custom.include or /usr/local/psa/admin/etc/httpsd.custom.include. Adding the following directives to this file will disable weak SSL ciphers, the TRACE and TRACK methods, UserDir, and ServerTokens capabilities:
UserDir disabled
ServerTokens Prod
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
<VirtualHost 192.168.22.33:8880>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
</VirtualHost>
<VirtualHost 192.168.10.210:8443>
SSLEngine on
SSLCertificateFile "/usr/local/psa/admin/conf/httpsd.pem"
SSLVerifyClient 0
SSLVerifyDepth 0
RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]
</VirtualHost>
A standard service restart is required to apply the changes.
Note:
To only disable weak SSL ciphers in Plesk add the following:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
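The RewriteRule blocks above answer 403 to anything other than GET, POST or HEAD, which is what a scanner sees when it tries TRACE or TRACK. The script below is an added example (not part of the original post) that sends both methods to the site ports (80, 443) and the control panel port (8443) and reports whether each was refused. It assumes openssl and nc are installed and uses a placeholder host name; only the status line of the reply is inspected.

```shell
#!/bin/sh
# Added example (not part of the original post): confirm that TRACE and TRACK
# are refused on the ports Plesk's two Apache instances serve (80 and 443 for
# sites, 8443 for the control panel). Only the status line of the reply is
# inspected. Assumptions: openssl and nc are installed; the host name is a
# placeholder. A 403 reply is what the RewriteRule ... [F] above produces.

# Build a minimal HTTP/1.0 request for method $1 against host $2.
# HTTP/1.0 makes the server close the connection after one reply.
http_request() {
    printf '%s / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" "$2"
}

# Read a raw HTTP reply on stdin and print:
#   ACCEPTED  - 200, the method was honoured (a TRACE reply echoes the request)
#   DISABLED  - 403, 405 or 501, the method was refused
#   UNKNOWN   - no HTTP status line at all
http_method_verdict() {
    status=$(head -n 1 | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        200)         echo ACCEPTED ;;
        403|405|501) echo DISABLED ;;
        *)           echo UNKNOWN ;;
    esac
}

# Send method $1 to $2:$3; $4 is "tls" for HTTPS ports, "plain" otherwise.
http_probe() {
    method=$1; host=$2; port=$3; mode=$4
    if [ "$mode" = tls ]; then
        http_request "$method" "$host" \
            | openssl s_client -quiet -connect "$host:$port" 2>/dev/null \
            | http_method_verdict
    else
        http_request "$method" "$host" | nc -w 5 "$host" "$port" | http_method_verdict
    fi
}

# Probe both methods on all three ports; return 1 if any is still ACCEPTED.
pci_http_audit() {
    host=${1:-localhost}
    rc=0
    for method in TRACE TRACK; do
        for spec in "80 plain" "443 tls" "8443 tls"; do
            set -- $spec
            v=$(http_probe "$method" "$host" "$1" "$2")
            if [ "$v" = ACCEPTED ]; then rc=1; fi
            echo "$method $host:$1 -> $v"
        done
    done
    return $rc
}

# Usage: sh pci-http-audit.sh www.example.com
if [ $# -gt 0 ]; then
    pci_http_audit "$1"
fi
```

A 405 or 501 is just as acceptable to a scanner as the 403 the rewrite produces; what fails the check is a 200 whose body echoes your own request headers back.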
IPTABLES Firewall
PCI compliance scans may highlight vulnerabilities in the operating system’s IP stack. Certain ICMP types may help an attacker determine the version of the operating system installed, through a technique known as operating system fingerprinting. If your Plesk license does not allow you to use the firewall module and you do not already have a hardware firewall in front of the server, you will want to add a few iptables rules to bring your server into compliance. The following iptables rules can be applied to mitigate this threat:
iptables -N OSFP
iptables -A OSFP -i eth0 -p icmp --icmp-type redirect -j DROP
iptables -A OSFP -i eth0 -p icmp --icmp-type timestamp-request -j DROP
iptables -A OSFP -i eth0 -p icmp --icmp-type timestamp-reply -j DROP
iptables -A OSFP -i eth0 -p icmp --icmp-type address-mask-request -j DROP
iptables -A OSFP -i eth0 -p icmp --icmp-type address-mask-reply -j DROP
iptables -A OSFP -j RETURN
iptables -I INPUT 1 -j OSFP
This will create a new chain named OSFP (Operating System FingerPrinting) that filters the ICMP types that may allow an attacker to determine the host operating system. This ruleset may be added to any existing iptables firewall.
OS fingerprinting can be disabled using sysctl as well:
echo "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.conf
Run sysctl -p after editing to apply the change.
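Rules added by hand with iptables live only in the running kernel, so it is worth confirming they are actually present before the follow-up scan. The script below is an added example (not part of the original post) that parses the output of iptables -S and reports any of the five ICMP drops, or the jump from INPUT, that is missing. It relies on iptables printing the ICMP types back as numbers (redirect=5, timestamp-request=13, timestamp-reply=14, address-mask-request=17, address-mask-reply=18) and assumes it is run as root on the host itself.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that the OSFP chain
# above is really loaded, by parsing "iptables -S" output. iptables prints
# the ICMP types back as numbers (redirect=5, timestamp-request=13,
# timestamp-reply=14, address-mask-request=17, address-mask-reply=18), so
# the check works on numbers. Assumption: run as root on the host itself.

# Name for an ICMP type number, matching the names used in the rules above.
icmp_name() {
    case "$1" in
        5)  echo redirect ;;
        13) echo timestamp-request ;;
        14) echo timestamp-reply ;;
        17) echo address-mask-request ;;
        18) echo address-mask-reply ;;
        *)  echo "type-$1" ;;
    esac
}

# $1 = complete "iptables -S" output. Prints one "missing:" line for each
# expected rule that is absent and returns 0 only when all are present.
# The "[ /]" after the type number tolerates both "--icmp-type 5" and a
# "--icmp-type 5/0" style of printing.
osfp_check() {
    rules=$1
    rc=0
    for t in 5 13 14 17 18; do
        if ! printf '%s\n' "$rules" | grep -q -- "^-A OSFP .*--icmp-type $t[ /].*-j DROP"; then
            echo "missing: ICMP $(icmp_name "$t") ($t) is not dropped in chain OSFP"
            rc=1
        fi
    done
    if ! printf '%s\n' "$rules" | grep -q -- "^-A INPUT .*-j OSFP"; then
        echo "missing: chain INPUT does not jump to OSFP"
        rc=1
    fi
    return $rc
}

# Live check against the running kernel tables (needs root).
osfp_check_live() {
    osfp_check "$(iptables -S)"
}

# Usage: sh osfp-check.sh live
if [ "${1:-}" = live ]; then
    osfp_check_live && echo "OSFP chain is in place"
fi
```

If the live check passes now but fails after a reboot, the rules were never persisted; on RedHat and CentOS that is what service iptables save is for.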
The server should now be ready for a follow-up scan. Remember, security is more of a journey than a destination. If a server fails to achieve compliance after following the above advice, a company that specializes in auditing and hardening servers should be consulted.
Update
It seems PCI scans are also picking up a Header Cross-Site Scripting Vulnerability on the Plesk port; check out the following link
Also, an easter egg in PHP affecting Plesk: link
A good way to test SSL dates on certificates: link
Locations of SSL certs for POP3, IMAP and SMTP: link
This entry was posted by PB on December 23, 2009 at 01:52, and is filed under Plesk.