Hi, I recently started using VPS for my clients, and a lot of clients are asking the same question: is your server PCI compliant?
How can I make my VPS PCI compliant?
First of all I would recommend that you install the ConfigServer Security & Firewall (CSF) if you haven't already. From the Plugins section of WHM you can access CSF and run "Check Server Security" to obtain a report on many things you can do to secure your VPS. If you can achieve a perfect security score with CSF then you should only have to block port 21 (FTP) to be PCI compliant.
It's not absolutely necessary to get a perfect CSF score, but you will have to get close and also pay particular attention to the following items:
- In php.ini: disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
- Block ports 2082 and 2086 (force secure ports)
- Block port 21 and ask users to make use of SFTP on your SSH port instead
- Block SSLv2 and use SSLv3
Hope this helps,
Rick
Generally, your clients will need to sign up with a 3rd party pci scanning company. They will scan the server and provide some kind of report with any items that need to be fixed. Some things will probably be false positives and information will need to be submitted to get this marked correctly.
This is all rubbish. Pay no attention to anything but the second point here (secure ports).
I've had a PCI compliant server for years, while still allowing clients to properly use ftp AND php (disabling nothing). Disabling functions in php isn't the solution here.
A few things to look for in cPanel:
#1 In WHM -> service configuration -> apache configuration, make sure EVERYTHING is set to 'PCI recommended'.
#2 You will most likely have to disable mailman and its logins, as this is considered (by most PCI scanners) to be a problem. Simply disabling this won't do, you have to actually redirect the /mailman/ url. Here's how you do this:
In /usr/local/apache/conf/includes/pre_main_global.conf, add
Code:
Alias /mailman/ /usr/local/apache/htdocs/
Alias /mailman /usr/local/apache/htdocs/
<Files ~ "\.(pl|tpl|inc)$">
Order allow,deny
Deny from all
Satisfy All
</Files>
then restart apache.
The first bit of code (re: mailman) is all you really need, but the second bit of code disallows individuals from viewing certain types of files directly (.inc, .tpl, .pl) which is a security risk in many cases.
Do all of that, then find a PCI compliance scanner (not cheap for a simple VPS) and have it run a scan on your server, then fix what it comes back with to be errors. This will be a painstaking process, but if ANYONE is storing, or processing CC info on your server, it's mandated by the providers.
Linux Tech Networks: Reliable Server Administration and Monitoring since 2002
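As an added audit example (not code from any poster in this thread), the Python script below checks a cPanel host's configuration against the items raised above: Rick's php.ini disable_functions list, the clear-text FTP and cPanel/WHM ports that the replies agree on, and the SSLProtocol setting in Apache. The `ss -ltn` output, php.ini fragment and Apache lines it reads are constructed samples, and it goes one step beyond the thread by also reporting SSLv3, which later PCI DSS versions retired along with SSLv2.

```python
import re
# Ports the thread says to block: plain FTP and the non-SSL cPanel/WHM logins.
CLEARTEXT_PORTS = {21: "FTP", 2082: "cPanel (non-SSL)", 2086: "WHM (non-SSL)"}
# Rick's disable_functions list (allow_url_fopen is an ini directive, reported separately).
WANTED_DISABLED = ["show_source", "system", "shell_exec", "passthru",
                   "exec", "phpinfo", "popen", "proc_open"]

def listening_cleartext_ports(ss_output):
    """Parse `ss -ltn`-style output; return {port: service} still listening."""
    found = {}
    for line in ss_output.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 4:
            continue
        port = int(cols[3].rsplit(":", 1)[1])        # "0.0.0.0:2086" -> 2086
        if port in CLEARTEXT_PORTS:
            found[port] = CLEARTEXT_PORTS[port]
    return found

def php_ini_gaps(php_ini):
    """Functions from the list still callable, and whether allow_url_fopen is on."""
    m = re.search(r"^\s*disable_functions\s*=\s*(.*)$", php_ini, re.M)
    disabled = {f.strip() for f in m.group(1).split(",")} if m else set()
    fopen = re.search(r"^\s*allow_url_fopen\s*=\s*(\w+)", php_ini, re.M)
    fopen_on = (fopen.group(1) if fopen else "On").lower() in ("on", "1", "true")
    return {"still_enabled": [f for f in WANTED_DISABLED if f not in disabled],
            "allow_url_fopen": fopen_on}

def weak_ssl_protocols(apache_conf):
    """SSL versions left enabled; 'all' = every version, '-X' removes, '+X' adds, no line = 'all'."""
    m = re.search(r"^\s*SSLProtocol\s+(.+)$", apache_conf, re.M)
    known = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
    enabled = set()
    for tok in (m.group(1).split() if m else ["all"]):
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(known) if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    # The thread asks only for SSLv2 off; PCI DSS 3.1 (2015) later retired SSLv3 too.
    return [p for p in ("SSLv2", "SSLv3") if p in enabled]

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2086 0.0.0.0:*"""
SAMPLE_PHP_INI = "disable_functions = system, exec, phpinfo\nallow_url_fopen = On\n"
SAMPLE_APACHE = "SSLEngine on\nSSLProtocol all -SSLv2\n"

if __name__ == "__main__":
    print(listening_cleartext_ports(SAMPLE_SS), php_ini_gaps(SAMPLE_PHP_INI),
          weak_ssl_protocols(SAMPLE_APACHE), sep="\n")
```

On a live host, feed it the real `ss -ltn` output, the server's php.ini and the Apache SSL include instead of the samples; a clean result only covers the items in this thread, not a scanner's full checklist.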
There's really no need to be rude on these forums. Please lighten up a bit.
Thank you twhiting, I will get this done. Hopefully that will prevent some opensource hacking too..
Being PCI compliant does not necessarily mean that hacking will be prevented. In fact, the two are rarely together. While some of the tips in this thread might throw you less of a chance of being hacked, they will also come with problems attached, such as not being able to use certain php scripts if you disable functions, or giving ssh access out to simply transfer files (bad idea, period).
Security is never all about following some 'standard' set forth by a company, but about knowing your server and what it's telling you is going on. This is one of the reasons that PCI compliance, as of now, is a joke, because these "companies" that supposedly certify you know nothing about what they're certifying.
Good luck in getting certified!!!
Disabling php functions is not required by any PCI compliance provider, nor is moving ssh ports, ftp ports, or anything else. I've dealt with a number of them over the past few years (including SM), and none of them have been that insane.
I've gotten clients by SM as early as July of last year, and as late as October/November this year without having to change any ports, disable any functions, or any of the other nonsense you posted, except for the clear text login (changing cPanel ports).