Getting Your cPanel Linux Server PCI Compliant
By Terry N.
With the Payment Card Industry Security Standards Council releasing their new standards version, PCI DSS 2.0, it is important to take a look at the security of your Linux server.
Since the cPanel brand control panel and Web Host Manager software is the most popular control panel for Linux servers, we will cover achieving PCI compliance on a cPanel server.
In this article we will also be using a CentOS server, and the commands should be the same or similar on CentOS, Red Hat Enterprise Linux and Fedora. The information below will help you
keep your cPanel server secure and pass a PCI compliance scan.
cPanel PCI Compliance Step 1
First things first, run a package update.
yum -y update
If it installed a new kernel, reboot the server so the new kernel takes effect. If it is a live production server you may want to wait until an off-peak hour to do the reboot and
continue with this article in the meantime.
cPanel PCI Compliance Step 2
Now that the OS packages are up to date, it's time to set up a firewall if you don't have one already.
A good free iptables-based firewall is APF (Advanced Policy Firewall) from RF-X Networks; you can download it here:
wget http://www.rfxn.com/downloads/apf-current.tar.gz
While you're at it, download and install BFD (Brute Force Detector) and LSM (Linux Socket Monitor), which are also available from the RF-X Networks site.
The main things you want to configure are the allowed ports in the APF config file, both ingress AND egress, and then you want to set up an ACL using the allow and deny hosts files that come with APF.
For the ACLs, you want to block everything you don't want public access to but still need certain IPs to reach, for example SSH, cPanel, WHM, and maybe webmail. Your allow line for cPanel will look like this:
tcp:in:d=2083:s=123.123.123.123
Notice that we used port 2083 and not the insecure cPanel port 2082, which we have blocked in the APF config file. Then, so that everyone who is not explicitly allowed is denied, add this to the deny hosts file:
tcp:in:d=2083:s=0/0
The reasoning behind this is to give an attacker no chance to get in at all, even if (1) they have your password, (2) they are trying to brute force their way in, or (3) there is an exploit that lets them bypass the authentication mechanism.
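As an added example (not from the article or from APF's own documentation), the following POSIX shell script generates allow and deny entries in the format shown above for a set of admin IPs and ports. The IP addresses, the port list and the APF file paths mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example: build APF allow_hosts / deny_hosts entries in the
# proto:direction:d=port:s=source form used in the article. The article's
# approach relies on APF letting allow entries take precedence over the 0/0
# deny entry; confirm the resulting chain with "iptables -L -n" before you
# rely on it, and make sure the address you are logged in from is in the
# allow list, or the deny line will lock you out of SSH and WHM.

ADMIN_PORTS="22 2083 2087"              # SSH (adjust if you move it), cPanel SSL, WHM SSL
ADMIN_IPS="203.0.113.10 203.0.113.11"   # constructed addresses (RFC 5737 documentation range)

# apf_allow_rules "ports" "ips": one allow line per (port, ip) pair
apf_allow_rules() {
    for port in $1; do
        for ip in $2; do
            printf 'tcp:in:d=%s:s=%s\n' "$port" "$ip"
        done
    done
}

# apf_deny_rules "ports": the catch-all deny line for each port, so anything
# not explicitly allowed is dropped
apf_deny_rules() {
    for port in $1; do
        printf 'tcp:in:d=%s:s=0/0\n' "$port"
    done
}

# apf_rule_count "ports" "ips": number of allow lines that would be written;
# compare it with what you expect before appending to the live files
apf_rule_count() {
    apf_allow_rules "$1" "$2" | wc -l | tr -d ' '
}

# Print the rules for review; once checked, append them to the APF files
# (default paths assumed: /etc/apf/allow_hosts.rules and
# /etc/apf/deny_hosts.rules) and restart the firewall with "apf -r".
echo "# allow_hosts.rules"
apf_allow_rules "$ADMIN_PORTS" "$ADMIN_IPS"
echo "# deny_hosts.rules"
apf_deny_rules "$ADMIN_PORTS"
```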
cPanel PCI Compliance Step 3
Back to Linux hardening. You want to do a few things here: first, disable any unused packages and services (for example cups and portmap), delete any unneeded users, and disable the shell in /etc/passwd for any users that don't need one.
You also want to change the SSH port, disable SSH protocol version 1, and disallow direct root login:
pico /etc/ssh/sshd_config
Remember to allow the new SSH port in the APF config file, and add an unprivileged user to the wheel group so you can su to root. Then restart the firewall and sshd.
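As an added example (not from the article), this POSIX shell script makes the three sshd_config changes from this step with a re-runnable function and then verifies them. The port number and the sample configuration are assumptions; on the real server the file is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: apply the sshd_config changes from Step 3 (new port,
# protocol 2 only, no direct root login) and read back what sshd will use.

# set_sshd_option FILE KEY VALUE: rewrite every existing "KEY ..." line
# (commented out or not) to "KEY VALUE", or append it if the key is absent.
# Rewriting commented lines too means a stock "#Port 22" becomes the live value.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: the value sshd will use (first uncommented match)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd FILE PORT: apply all three settings from this step
harden_sshd() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin no
}

# Constructed sample resembling the relevant lines of a stock CentOS sshd_config
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
#Protocol 2,1
PermitRootLogin yes
X11Forwarding no
EOF

harden_sshd "$SAMPLE" 2222   # 2222 is an assumed example port
cat "$SAMPLE"
# Before restarting the real daemon: run "sshd -t" to syntax-check the file,
# open the new port in APF, and keep your current session open until a login
# on the new port as the wheel user followed by "su -" has succeeded.
```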
cPanel PCI Compliance Step 4
Run a couple of cPanel scripts: first upcp, then easyapache. For upcp it is recommended to use the "current" build; this is set in the update configuration in WHM.
/scripts/upcp
Remember to run upcp before running easyapache.
/scripts/easyapache
When running easyapache, select the latest Apache and PHP versions, and also ensure the following PHP options are checked:
CGI
Mod suPHP
Suhosin for PHP
Mod Security
This is the most secure way to run PHP.
cPanel PCI Compliance Step 5
Install a ModSecurity rule set. ModSecurity, your layer 7 Web Application Firewall (WAF), is only as good as the rule set you are using. GotRoot.com is a good place for free ModSecurity rules.
wget http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz
Download, untar and install the different rules files, then test them and edit if needed.
cPanel PCI Compliance Step 6
The next step is to disable dangerous and PCI-unfriendly PHP functions. For example, a phpinfo page will cause you to fail a PCI scan. Your disable_functions line should contain at least the following functions:
phpinfo,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,show_source,escapeshellarg,escapeshellcmd,inject_code
cPanel PCI Compliance Step 7
Now it's time to go to WHM. There are a number of built-in WHM security features and PCI-friendly features.
Going down the list on the left-hand side of WHM, you want to look at:
Apache mod_userdir Tweak - Check "Enable mod_userdir Protection" and click Save
Compiler Access - Click "Disable Compilers"
Configure Security Policies - Check the first 3, and the next 2 if necessary, and click Save
cPHulk Brute Force Protection - Enable cPHulk, and under White/Black List Management enter your IP(s)
Password Strength Configuration - Set this to 100
PHP open_basedir Tweak - Check "Enable php open_basedir Protection." and click Save
Shell Fork Bomb Protection - Click "Enable Protection"
SMTP Tweak - Click "Disable"
Apache Configuration-->Global Configuration
- For SSLCipherSuite, change the + before MEDIUM to a -; your line should look like this: "ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP"
- Set TraceEnable and ServerSignature to Off
- Set ServerTokens to ProductOnly
- Set FileETag to None
- For Directory '/' Options uncheck "indexes"
Now click Save, then click Rebuild Configuration and Restart Apache.
Under Manage Service SSL Certificates, make sure all your services have a valid SSL certificate.
Under Service Manager, disable any services you don't need. For example, if you don't have your database on this server, disable MySQL, and if you don't use it for email, disable the email-related services.
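As an added example (not from the article or from cPanel), the following POSIX shell script audits the results of Step 6 and Step 7 in one pass: it reports any function from the required list that is missing from the php.ini disable_functions line, and any Apache directive that is not at the setting given above. The config file paths named in the comments are assumptions and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): audit the php.ini disable_functions
# list from Step 6 and the Apache directives from Step 7. Real paths on a cPanel box
# are typically /usr/local/lib/php.ini and /usr/local/apache/conf/httpd.conf
# (assumed); the sample files below are constructed.
REQUIRED_DISABLED="phpinfo passthru shell_exec system proc_open popen curl_multi_exec show_source escapeshellarg escapeshellcmd inject_code"

# php_missing INI: print each required function absent from disable_functions
php_missing() {
    have=$(awk -F= '/^[[:space:]]*disable_functions[[:space:]]*=/ { print $2; exit }' "$1" \
           | tr ',' '\n' | tr -d ' \t')
    for f in $REQUIRED_DISABLED; do
        printf '%s\n' "$have" | grep -qx "$f" || echo "$f"
    done
}

# apache_value CONF DIRECTIVE: value of the first uncommented directive (names are case-insensitive)
apache_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

# apache_findings CONF: one line per directive not at the Step 7 setting; silent when all pass
apache_findings() {
    conf=$1
    [ "$(apache_value "$conf" TraceEnable)" = "Off" ] || echo "TraceEnable should be Off"
    [ "$(apache_value "$conf" ServerSignature)" = "Off" ] || echo "ServerSignature should be Off"
    [ "$(apache_value "$conf" ServerTokens)" = "ProductOnly" ] || echo "ServerTokens should be ProductOnly"
    [ "$(apache_value "$conf" FileETag)" = "None" ] || echo "FileETag should be None"
    case "$(apache_value "$conf" SSLCipherSuite)" in
        *+MEDIUM*|*+LOW*|*+SSLv2*|*+EXP*) echo "SSLCipherSuite still enables weak ciphers" ;;
    esac
}

# Constructed samples: the PHP list is incomplete and two Apache directives are wrong
PHP_INI=$(mktemp); HTTPD_CONF=$(mktemp)
cat > "$PHP_INI" <<'EOF'
;disable_functions = phpinfo
disable_functions = passthru, shell_exec,system
EOF
cat > "$HTTPD_CONF" <<'EOF'
TraceEnable Off
ServerSignature On
ServerTokens ProductOnly
FileETag None
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
EOF
php_missing "$PHP_INI"
apache_findings "$HTTPD_CONF"
```

Run it against the live files after the WHM changes and an Apache rebuild; a commented-out disable_functions line, as in the sample, is ignored exactly as PHP ignores it.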
cPanel PCI Compliance Step 8
Finally, document your versions. As part of your PCI documentation, you should have a screenshot showing the version you are running of at least the following:
Apache, PHP, ModSecurity, the Linux kernel, CentOS, OpenSSH, and OpenSSL. Your output will look something like this:
root@server [/]# httpd -v
Server version: Apache/2.2.17 (Unix)
Server built: Dec 14 2010 17:23:57
Cpanel::Easy::Apache v3.2.0 rev5277
root@server [/]# php -v
PHP 5.3.4 (cli) (built: Dec 14 2010 17:30:39)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with the ionCube PHP Loader v3.3.20, Copyright (c) 2002-2010, by ionCube Ltd.
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
root@server [/]# uname -r
2.6.18-194.32.1.el5
root@server [/]# cat /etc/redhat-release
CentOS release 5.5 (Final)
root@server [/]# cat /home/cpeasyapache/src/modsecurity-apache_1.9.5/apache2/mod_security.c |grep MODULE_RELEASE |head -1
#define MODULE_RELEASE "1.9.5"
root@server [/]# rpm -qa |grep openssl
openssl-devel-0.9.8e-12.el5_5.7
openssl-0.9.8e-12.el5_5.7
root@server [/]# rpm -qa |grep openssh
openssh-4.3p2-41.el5_5.1
openssh-server-4.3p2-41.el5_5.1
openssh-clients-4.3p2-41.el5_5.1
Since Red Hat-type operating systems, including CentOS and Fedora, use backporting for OpenSSH and OpenSSL, you may get a false positive on your PCI scan for these. If that happens
to you, send the screenshots showing your OpenSSH and OpenSSL versions, as well as your CentOS version and kernel version, to your PCI scanning vendor, let them know you are running a secure,
backported version, and request that they test that version manually.
If your PCI ASV requests more proof that you are running a secure version of OpenSSH and OpenSSL, you can send them a screenshot of the output of the following commands, which show specifically
what patches have been applied to your version.
rpm -q --changelog openssh | head -50
rpm -q --changelog openssl | head -50
This will produce output similar to:
# rpm -q --changelog openssl | head -50
* Tue Dec 07 2010 Tomas Mraz 0.9.8e-12.7
- fix CVE-2010-4180 - completely disable code for
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (#659462)
* Fri Mar 12 2010 Tomas Mraz 0.9.8e-12.6
- fix CVE-2009-3245 - add missing bn_wexpand return checks (#570924)
(output truncated)
Another common false positive on cPanel servers is that your scan might detect Exim as an open relay. This is because the server accepts the mail headers before authentication, even though a successful authentication is still required before it will allow the email to go through. If this shows up on your scan, you will want to ask the scanning vendor to test this vulnerability manually.
We hope you have enjoyed this article and found it useful for helping make your cPanel Linux server PCI compliant. Please remember to test the steps listed here on a test server before applying them to your production cPanel servers.
In addition, this article does not cover everything you need to do to be PCI compliant; it is meant to be a starting point and to provide information specific to a cPanel server running CentOS.
We plan on bringing you future articles and how-tos to cover the PCI compliance information missing from this article.