
PCI compliance on a Plesk Server

on Nov 19, 2011 | Case studies

A client needed help to get a Plesk website through PCI compliance.
The main fails on the scan were to do with OpenSSH and Apache versions being out of date.
The client's server was running CentOS 5.5 and the versions of these packages in the standard repository were not current enough to satisfy the test, as several vulnerabilities had not been addressed in them.

First, I enabled RPM rollbacks - this was a live webserver and I didn't want to take any risks.

Next I needed to add a different repository with newer packages available:

# vi /etc/yum.repos.d/centalt.repo
[CentALT]
name=CentALT Packages for Enterprise Linux 5 - $basearch
baseurl=http://centos.alt.ru/repository/centos/5/$basearch/
enabled=1
gpgcheck=0

# yum update openssh apache

However, there was still a problem with SSLv2 and weak ciphers being enabled.

To stop Apache accepting SSLv2 connections, modify the SSLProtocol directive in httpd.conf or ssl.conf - for example:

SSLProtocol -ALL +SSLv3 +TLSv1

Restart Apache and check that everything is working.

Check that connections using SSLv2 are not accepted (assuming port 443 for https):

# openssl s_client -ssl2 -connect localhost:443

If Apache does not accept SSLv2 you should receive an error like this:

CONNECTED(00000003)
458:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

To stop Apache using weak SSL ciphers, modify the SSLCipherSuite directive in httpd.conf or ssl.conf - for example:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Restart Apache and check everything is working.

Check that connections using weak SSL ciphers are not accepted (assuming port 443 for https):

# openssl s_client -connect localhost:443 -cipher LOW:EXP

If Apache does not accept weak SSL ciphers you should receive an error like this:

CONNECTED(00000003)
461:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

The server was running Plesk - this has its own webserver, lighttpd, separate from Apache - and it also allowed SSLv2 and weak ciphers:

# vi /etc/lighttpd/lighttpd.conf
ssl.use-sslv2 = "disable"
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"

This can be tested in the same way as Apache, substituting port 8443 for 443 (or whichever port Plesk is using for its secure connections).

Plesk stores its per-vhost Apache config in include files in:
/var/www/vhosts/domain.tld/httpsdocs/.
I needed to add the Apache config changes to those files too.

I ran the PCI scan again, and it failed on the same SSLv2 and weak ciphers!
My config changes on the vhost had disappeared! It must have been changed back by Plesk.
At this point, I discovered a Plesk script to harden their servers to meet PCI compliance:

# /usr/local/psa/admin/bin/pci_compliance_resolver --enable all

This did the trick.
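Because Plesk regenerates the vhost includes and had silently dropped the SSLProtocol and SSLCipherSuite changes described above, a quick audit of those files is the check I would keep around after running the resolver. The script below is an added example of mine, not code from the original post or from Plesk: it applies mod_ssl's SSLProtocol rules ('+' adds, '-' removes, a bare keyword replaces) and looks for the exclusions the page's cipher string relies on, reporting any fragment that still permits SSLv2 or lacks them. The sample config text is constructed, and it assumes the Apache 2.2 build on CentOS 5, where "all" includes SSLv2.

```python
import re

# Apache 2.2 mod_ssl on CentOS 5 negotiates these three; "all" expands to the full set,
# which is why "-ALL +SSLv3 +TLSv1" is needed to drop SSLv2 (assumption: SSLv2-capable OpenSSL).
PROTOCOLS = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
# Exclusions the page's SSLCipherSuite relies on; a string missing any of them is flagged.
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL", "!LOW", "!EXP")

def enabled_protocols(value):
    """Apply mod_ssl's SSLProtocol rules: '+' adds, '-' removes, a bare keyword replaces."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        chosen = set(PROTOCOLS.values()) if name == "all" else {PROTOCOLS[name]}
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def audit_vhost_config(text):
    """Return findings for one vhost config fragment; an empty list means it is hardened."""
    findings = []
    # mod_ssl honours the last occurrence of a directive within a context
    protocol = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", text, re.M | re.I)
    ciphers = re.findall(r"^\s*SSLCipherSuite\s+(.+?)\s*$", text, re.M | re.I)
    if not protocol or "SSLv2" in enabled_protocols(protocol[-1]):
        findings.append("SSLv2 enabled")  # no directive means the 2.2 default, "all"
    if not ciphers:
        findings.append("no SSLCipherSuite set")
    else:
        tokens = ciphers[-1].strip('"').split(":")
        missing = [x for x in REQUIRED_EXCLUSIONS if x not in tokens]
        if missing:
            findings.append("weak ciphers not excluded: " + ",".join(missing))
    return findings

# Constructed sample: a vhost include as regenerated, carrying the Apache 2.2 default
# cipher string, and the same include after the page's two directive changes.
REGENERATED = """<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
"""
HARDENED = REGENERATED.replace("SSLProtocol all", "SSLProtocol -ALL +SSLv3 +TLSv1").replace(
    "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL",
    "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM")
```

Run `audit_vhost_config` over each file under the Plesk vhost config directory after the resolver finishes, and again after any Plesk change that rewrites vhosts, to catch the reversion before the next scan does.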

The only remaining issue to resolve was:
"Web Application Transmits Login Credentials Without Encryption"
All vhosts set up by Plesk have a non-HTTPS admin console on port 8880.
It turned out that no-one needed to log in this way, so I just blocked it with firewall rules (saving the changes):

# iptables -I INPUT -p tcp --dport 8880 -j DROP

# /etc/init.d/iptables save
