The Community Forums

Interact with an entire community of cPanel & WHM users!

P.C.I. Data Security Standards compliance

Discussion in 'Security' started by HappyPappy, Mar 10, 2007.

  1. HappyPappy

    HappyPappy Active Member

    Joined:
    Mar 17, 2002
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Hi there,

    I have read that "cPanel Partners with ScanAlert to Strengthen Web Hosting Security Features" here: http://www.dedicatedserverdir.com/news/articles/shownews.asp?id=19781

    It seems to be specifically to bring things up to the PCI (Payment Card Industry) Data Security Standard (PCI DSS). This is what I'm after.

    I would like to very politely ask if there is an end result to this; in other words, is there a cPanel package that I can work to or install that brings my current WHM/cPanel VPS up to PCI DSS standards? I mean, is there an end service that is the product of the partnership between cPanel and ScanAlert?

    I have a VPS with only two domains, each with its own IP address and each with its own SSL certificate. Tiny little things; total space usage for both accounts is under 10 MB, and of course I don't have a whole lot of money either, but I do need PCI DSS compliance.

    My current VPS host (Known Host) is an absolutely first class operator so I would like to stay with them. I have read that it is possible to bring a WHM/cPanel VPS to be PCI DSS compliant, but where to start? Is this something cPanel themselves can assist with?

    I'm not too up on things as people can obviously tell so any advice would be highly appreciated.

    Thank you

    HappyPappy
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I think this is on the way in the next version of cPanel. You might do well to call the phone number listed in the article and see what they say.

     
  3. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    The first thing you need to have done is a PCI scan, and the price varies considerably among providers. I called ScanAlert and they have a pretty good deal: if you can hook up with a reseller you can get it for free, then $19/year after that, which is a steal.

    But the problem is that the last time I ran a PCI scan, some of the items that were required for compliance would basically not be good for a shared server. I am getting ready to run another one soon, so I hope that has changed.

    From the article it sounds to me like it's going to be built into cPanel, maybe as a setting like "click here to enable PCI compliance", so that your server will validate the quarterly scan.

    I am hoping that is what the plan is because it would be fantastic if that was the case.

    I am hoping someone from cPanel can comment on this and give any rough time estimates on when this sort of functionality might begin to appear in cPanel based servers, and whether it will be like this "out of the box" or if additional configuration (manual or automated) will be required.

    Currently, if you fail your PCI validation you will need to patch your server and make config changes manually; after you run the scan it gives you a results page with suggestions on how to do so.

    Unfortunately those scans are not entirely accurate, so some of your patches may be illegitimate to "make it work".

    I remember it was reading software headers which were inaccurate and claiming them to be out of date, and some other strange things.

    Can cPanel comment?
     
  4. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
  5. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Hi Dave,

    Thanks for the reply.

    I talked to them already, they said they didn't know about "phase two" as outlined here:

    http://www.cpanel.net/company/news/partnerscanalert.htm
    They just said to ask cPanel if it was something being built in or not. So davedark, are you Dave Kosten? I figure that would be the person who knows best...

    How many Kostens are there at cPanel, and how many Dave's!?! Hehe

    What's the best way to find this info out? I'd like to know if becoming PCI compliant on a cPanel box is going to require customers to get their own dedicated server, or if a shared server will be suitable. Yes, arguments aside about how e-commerce SHOULD be dedicated, the underlying question is: CAN a shared cPanel server be easily configured through the automation software, should one desire to do so, without potentially affecting other sites on the server due to the standard's requirements?

    It would be a great thing indeed to click "Make PCI compliant now" instead of having to patch something like 40 line items on the last PCI report I saw, one by one.

    Now that PCI is required for everyone, I can see this being a real time consumer when people start asking for compliance, which is not going to be very far away, I don't think.
     
    #5 myusername, Apr 27, 2007
    Last edited: Apr 27, 2007
  6. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18
    Yup, I'm Dave Koston

    Haha, many of both


    This really depends on the standards put in place by the payment card industry and what level of e-commerce sites you are hosting. Low traffic sites can get away with a self-assessment and a quick scan, while higher traffic sites require more strict rules. Check with VISA, MC or AMEX to see their specific requirements for the types of sites you host. If I listed them here, the thread would be 30 pages or so :(



    Of note: We'll be working with ScanAlert in the near future to make sure that cPanel servers are PCI compliant (minus your self-assessment, and other non-software factors) out of the box. Certification will still be necessary as scanning is required to verify they stay compliant.
     
  7. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Understood, and the level 3 and higher merchants, I assume, can figure it out themselves, and definitely have the money to do so. But with a predominant number of level 4 merchants, which if I were to guess make up the greatest share of the merchant market and certainly the greatest segment of cPanel site owners, it would be great to get those level 4 people covered, minus the self-assessment and software issues of course.

    Excellent news there! I know you probably cannot say for certain, but do you have a rough ETA? It will really help me in determining the way we should tackle this topic which is becoming more frequently asked and talked about.
     
  8. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    Messages:
    689
    Likes Received:
    1
    Trophy Points:
    18

    Depends on how close we are on default settings when they scan. I'll set up PCI compliance scanning on one of my servers next week and see what it'll take to get things moving.
     
  9. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Thanks again Dave, looking forward to hearing how it goes. :)
     
  10. Stefaans

    Stefaans Well-Known Member

    Joined:
    Mar 5, 2002
    Messages:
    451
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Vancouver, Canada
    I contacted ScanAlert regarding PCI compliance certification. They referred me back to cPanel for an "enrollment code". Is such an "enrollment code" available, and what are the terms?

    Thanks, I know it's still early days in the cPanel & ScanAlert partnership, possibly making my inquiry somewhat premature ;)
     
  11. spaceman

    spaceman Well-Known Member

    Joined:
    Mar 25, 2002
    Messages:
    481
    Likes Received:
    0
    Trophy Points:
    16
    I'd also be very interested to learn about PCI Compliance in relation to cPanel, and in regard to this "enrollment code".

    FYI: we outsource our cPanel server security, hardening, etc. to Touch Support, who we're very happy with. So we anticipate that even if cPanel 'out of the box' isn't PCI compliant right now, our servers would probably be close to it thanks to TS.
     
  12. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    If you go to our Partner Products page at http://www.cpanel.net/products/partnerproducts.htm

    Then click on the banner that says "Free PCI Compliance ... Enroll Now", it will bring you to a page with the enrollment code already filled out.
     
  13. Stefaans

    Stefaans Well-Known Member

    Joined:
    Mar 5, 2002
    Messages:
    451
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Vancouver, Canada
    We recently obtained PCI compliance using ScanAlert -- thank you cPanel :)

    The biggest challenge was to get our internal security policy and e-commerce procedure compliant, rather than server security. In the end it was all common sense really, and the process helped to improve our business.

    On the server security side, our cPanel server (still on version 10) and our e-commerce application had no problems passing the tests. We only had to justify the number of open ports -- more than 10 open ports raises an alarm that the server might not be secured.
     
  14. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    We had a PCI vuln alert come out today for MySQL.

    What's the best way to get this updated, and to make sure that after we update (if we do it manually) we will not find that cPanel has rolled back our original MySQL version that failed the recent PCI scan?

    Is it right to send an email to your security email address with the details of the vuln, or hope someone from cP sees this post instead?
     
  15. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    If you don't mind me asking, which version of MySQL are/were you using?
     
  16. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Hi David.

    This particular machine in question is running 5.0.27-standard, which is the latest I can get with /scripts/mysqlup.

    The recommendation is: Upgrade to MySQL version 5.0.45 or later.


    Would you like details of the vuln?
     
  17. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator

    touch /etc/mysqlupdisable

    That will prevent MySQL from being upgraded by cPanel.
     
  18. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Thanks.

    Does this also prevent it from updating when a version later than the current version is available?

    For example, if we upgrade to 5.0.45 and then 5.0.46 is a supported cPanel version at some date in the future, will this update not be applied until we remove /etc/mysqlupdisable?
     
  19. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    While that file exists, all MySQL updates must be done manually, barring a bug in our update code.
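
    Added example (not code from this thread or from cPanel): a small POSIX shell check that does by hand what the last few posts describe. It parses a MySQL version string of the shape the thread quotes (5.0.27-standard), compares it numerically against the version the scan demanded (5.0.45), and reports whether /etc/mysqlupdisable is present, so you can tell whether a manually installed build is protected from being rolled back by cPanel's updater. The version strings in it are constructed from the thread; the `mysql --version` parse assumes the 5.x-era output format ("... Distrib 5.0.27-standard, ..."), and the MYSQLUPDISABLE variable and the function names are assumptions of this example, not cPanel names.

```shell
#!/bin/sh
# Added example: pre-scan MySQL version and update-lock check for a cPanel box.
# Not from the thread or from cPanel. Assumptions: version strings look like
# "5.0.27-standard" (as quoted in the thread) and /etc/mysqlupdisable is the
# flag that stops cPanel's own MySQL updater (as stated in the thread).

# version_fields VERSION -> "MAJOR MINOR PATCH" with any "-suffix" dropped.
# version_fields "5.0.27-standard" -> "5 0 27"
version_fields() {
    v=${1%%-*}
    maj=${v%%.*}; rest=${v#"$maj"}; rest=${rest#.}
    min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    printf '%d %d %d\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# mysql_version_ok CURRENT REQUIRED -> status 0 if CURRENT >= REQUIRED, else 1.
# Compares field by field as integers, so 5.0.100 sorts above 5.0.45.
mysql_version_ok() {
    set -- $(version_fields "$1") $(version_fields "$2")
    # $1 $2 $3 = current major/minor/patch, $4 $5 $6 = required
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
    [ "$3" -ge "$6" ]
}

# update_lock_status FLAGFILE -> prints "locked" if the flag exists, else "unlocked".
update_lock_status() {
    if [ -e "$1" ]; then echo locked; else echo unlocked; fi
}

# check_mysql_for_scan CURRENT REQUIRED FLAGFILE -> prints a verdict; status 0
# when the installed version satisfies the scan finding, 1 when it does not.
check_mysql_for_scan() {
    cur=$1; req=$2; flag=$3
    lock=$(update_lock_status "$flag")
    if mysql_version_ok "$cur" "$req"; then
        echo "OK: MySQL $cur satisfies required $req (cPanel updater: $lock)"
        return 0
    fi
    echo "FAIL: MySQL $cur is below required $req (cPanel updater: $lock)"
    if [ "$lock" = unlocked ]; then
        echo "NOTE: after upgrading by hand, run: touch $flag"
    fi
    return 1
}

# Stand-alone run: read the live version if a mysql client is installed,
# otherwise fall back to the (constructed) version string from the thread.
MYSQL_REQUIRED=5.0.45                               # the scan finding in the thread
MYSQLUPDISABLE=${MYSQLUPDISABLE:-/etc/mysqlupdisable}  # assumed override variable
MYSQL_CURRENT=
if command -v mysql >/dev/null 2>&1; then
    # 5.x format: "mysql  Ver 14.12 Distrib 5.0.27-standard, for ..." -> Distrib field
    MYSQL_CURRENT=$(mysql --version 2>/dev/null | sed -n 's/.*Distrib \([^,]*\),.*/\1/p')
fi
MYSQL_CURRENT=${MYSQL_CURRENT:-5.0.27-standard}
SCAN_CHECK_STATUS=0
check_mysql_for_scan "$MYSQL_CURRENT" "$MYSQL_REQUIRED" "$MYSQLUPDISABLE" || SCAN_CHECK_STATUS=$?
```

    Run it on the server to test the live version, or source it and call mysql_version_ok / check_mysql_for_scan directly. SCAN_CHECK_STATUS is 0 when the installed version satisfies the finding and 1 when an upgrade is still needed. The comparison is numeric on the first three fields, which is what a plain string compare gets wrong once a patch number has more digits than the one it is compared against.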
     
  20. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Is there any chance of getting this into the new builds soon, so we don't have to rely on that and can maintain automatic updates? I know there was some talk about getting these boxes up to (and maintained at) PCI standards, so I figured I would ask if it's still part of the agenda.
     