Thread: pci compliance help

  1. #1
    EWD

    Hi Guys.

    For PCI compliance I need to disable TRACK and TRACE.
    I used to be able to do this by adding the following to httpd.conf
    Code:
    RewriteEngine On 
    RewriteCond %{REQUEST_METHOD} ^TRACE 
    RewriteRule .* - [F] 
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
    Since EA3 this no longer works. I have tried it in the main httpd.conf as well as the includes and no luck.
    Has anyone been able to get these disabled lately?

    Thanks in advance for any help.
    Emerson

  2. #2
    rpmws

    Quote Originally Posted by EWD View Post
    Hi Guys.

    For PCI compliance I need to disable TRACK and TRACE.
    I used to be able to do this by adding the following to httpd.conf
    Code:
    RewriteEngine On 
    RewriteCond %{REQUEST_METHOD} ^TRACE 
    RewriteRule .* - [F] 
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
    Since EA3 this no longer works. I have tried it in the main httpd.conf as well as the includes and no luck.
    Has anyone been able to get these disabled lately?

    Thanks in advance for any help.
    how about in a .htaccess file in the root of one of the sites? just for the hell of it??
    Just keeping my "eye" on things....
    R. Paul Mathews
    RPMWS - diehard cPanel Nutcase

  3. #3
    EWD

    Hi,

    Yes, that would help for one site. We need it to be server-wide.

    I have found that the code above does not work for trace anymore for whatever reason.
    Instead you need to add TraceEnable Off to httpd.conf.

    So what I did was edit /usr/local/apache/conf/includes/pre_main_global.conf and added:
    Code:
    <Directory "/">
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
    </Directory>
    Also added TraceEnable Off to httpd.conf and that seems to have done the trick.

    Thanks for the help and I hope this info helps someone else looking for the same.
    Emerson
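One way to confirm that the change in post #3 took effect server-wide, added here as an example and not part of the original thread: send TRACE and TRACK to the server and flag any method that is still answered. The function names, the `X-Trace-Probe` header, the canary value and the local demo server are all constructed for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "canary-1234"  # constructed value; echoed back only if TRACE-style reflection is live

def probe(host, port, method, use_tls=False, timeout=5):
    """Send one request with the given method; return (status, canary_echoed)."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-Trace-Probe": CANARY})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return resp.status, CANARY in body
    finally:
        conn.close()

def audit(host, port, use_tls=False):
    """Return {method: (verdict, status)} for TRACE and TRACK."""
    verdicts = {}
    for method in ("TRACE", "TRACK"):
        status, echoed = probe(host, port, method, use_tls)
        # A 2xx status, or a body reflecting our header, means the method is still served.
        enabled = echoed or 200 <= status < 300
        verdicts[method] = ("ENABLED" if enabled else "blocked", status)
    return verdicts

class _DemoServer(BaseHTTPRequestHandler):
    """Constructed stand-in: echoes TRACE (TraceEnable On behaviour), forbids TRACK."""
    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACK(self):
        self.send_error(403)

    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    with HTTPServer(("127.0.0.1", 0), _DemoServer) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return audit("127.0.0.1", server.server_port)
        finally:
            server.shutdown()
```

Against a server you administer, call `audit(host, 443, use_tls=True)` for each virtual host name, since a rule that only applies in the main server context would leave individual sites still answering.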

  4. #4
    mod_security

    This can also be addressed via mod_security (installed via Easy Apache) with the default configuration:

    Code:
    # allowed request methods
    SecRule REQUEST_METHOD "!^(?:GET|POST|OPTIONS|HEAD)$" \
        "phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
    Rob

  5. #5

    Quote Originally Posted by rpmws View Post
    how about in a .htaccess file in the root of one of the sites? just for the hell of it??
    They (the PCI Compliance scanners) will ding you for having an .htaccess.
    cPanel: Latest RELEASE Version [11.44.x]
    PHP 5.4.30, Apache 2.2.27, MySQL 5.5.36, Perl 5.10.1, CentOS 6.4 64-bit
