
PCI Advice

Discussion in 'General Discussion' started by Stuart05, Jan 2, 2009.

  1. Stuart05

    Stuart05 Registered

    Joined:
    Feb 5, 2005
    Hi, I am looking to update a few of my servers to comply with PCI. I did some checks with Hacker Guardian; I am just a little unsure how to do them and whether it would cause other things to stop working or give me errors etc.

    My specs are :

    Centos 5
    Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    PHP 5.2.5
    MySQL & MySQLi 4.1.22

    Hacker Guardian has suggested

    Major edits I need
    1) FrontPage Disable
    2) PHP Upgrade to version 5.2.6 or 5.2.8
    3) OpenSSL Upgrade to version 0.9.6m / 0.9.7d or newer

    What is the best way to update these? I have looked around WHM but not seen anything, and I have read that updating some of them manually has caused errors on things.

    Thanks

    Some of the other medium suggestions are:
    Security warning found on port/service "https (443/tcp)"

    Note: this warning was first detected on 2009-01-02 01:40:09
    Plugin "Deprecated SSL Protocol Usage"
    Category "General remote services (General)"
    Priority Ranking "Medium Priority"
    Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
    Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
    See also : http://www.schneier.com/paper-ssl.pdf

    Solution : Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
    ----
    Security warning found on port/service "https (443/tcp)"

    Note: this warning was first detected on 2009-01-02 01:40:09
    Plugin "Weak Supported SSL Ciphers Suites"
    Category "General remote services (General)"
    Priority Ranking "Medium Priority"
    Synopsis : The remote service supports the use of weak SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    See also : http://www.openssl.org/docs/apps/ciphers.html

    Solution : Reconfigure the affected application if possible to avoid use of weak ciphers.

    Risk factor : Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

    Low Strength Ciphers (< 56-bit key)

    SSLv3
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

    TLSv1
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

    The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}


    Any help or suggestions would be really great

    Thanks a lot in advance.
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Regarding OpenSSL, that is not maintained by cPanel/WHM itself. Refer to the following for more information:

    http://www.cpanel.net/support/docs/notes/pci-falsepositives.htm#openssl

    Disabling FrontPage Extensions as well as upgrading PHP can be done via EasyApache. Just go to WHM -> Software -> EasyApache and use the wizard interface to select to use the latest version of PHP as well as to un-check FrontPage Extension support.

    As far as fixing the cipher support, are you using cPanel/WHM 11.24, or an earlier version of cPanel/WHM (such as 11.23)?
     
  3. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Hi David. I have similar questions, also for PCI compliance.

    The PCI audit suggested that we MIGHT have a bad version of FrontPage extensions. Can you remind me how I would know what version we have?

    Regarding the cipher support, I am still on the latest Stable, which means I'm on 11.23. You asked Stuart05 about that, but he didn't answer. But I'm answering. :) How does that affect your answer?

    Thanks!

    - Scott
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    We have some literature addressing FrontPage PCI compliance issues in cPanel/WHM environments at: http://www.cpanel.net/support/docs/notes/pci-falsepositives.htm#frontpage

    In 11.24, all you need to do is go to WHM -> Apache Configuration -> Global Configuration if you want to change the SSLCipherSuite. However, the default in 11.24 (ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP) is generally sufficient for most PCI Compliance scans. This ability to change the SSLCipherSuite is not available in 11.23.

    I have no ETA on when 11.24 will reach STABLE.
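The two scanner findings in the first post (SSL 2.0 accepted, export-grade suites offered) and the SSLCipherSuite string quoted in this reply are both checked against the same kind of listing: one record per suite with Kx=, Au=, Enc= and Mac= fields, as printed by the scanner and by `openssl ciphers -v '<SSLCipherSuite string>'`. The following is an added example, not code from the thread or from cPanel: it parses either layout and flags the suites the thread's scanner would object to. The thresholds (keys under 56 bits, 512-bit export key exchange, SSLv2, anonymous Au=None suites that the default string excludes with !ADH) are taken from the findings above, not from a current cipher policy, and the sample listings are constructed.

```python
"""Parse and audit SSL/TLS cipher-suite listings in the field format used by
`openssl ciphers -v` and by the Hacker Guardian output quoted in the thread.

Added example; not from the thread or from cPanel.  Two record shapes are
accepted:

    EXP-RC4-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export   (openssl -v)
    SSLv3                                                              (scanner: protocol header)
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export          (scanner: suite line)

The policy encodes the thread's findings only: SSLv2, export suites, symmetric
keys under 56 bits or no encryption, key exchange under 1024 bits (the 512-bit
export groups) and anonymous (Au=None, i.e. ADH) suites.  Samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?)$")
RECORD_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_-]+)\s+"
    r"(?:(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?)\s+)?"
    r"Kx=(?P<kx>[^\s(]+)(?:\((?P<kxbits>\d+)\))?\s+"
    r"Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<encbits>\d+)\))?\s+"
    r"Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$"
)

MIN_ENC_BITS = 56     # scanner's "Low Strength Ciphers (< 56-bit key)"
MIN_KX_BITS = 1024    # the 512-bit export RSA/DH groups fall below this


@dataclass
class Suite:
    name: str
    proto: str
    kx: str
    kx_bits: Optional[int]
    au: str
    enc: str
    enc_bits: int
    mac: str
    export: bool

    def weaknesses(self) -> List[str]:
        """Reasons this suite fails the thread's policy; empty list if it passes."""
        reasons: List[str] = []
        if self.proto == "SSLv2":
            reasons.append("sslv2")
        if self.export:
            reasons.append("export")
        if self.enc_bits < MIN_ENC_BITS:          # Enc=None parses as 0 bits
            reasons.append("weak-enc")
        if self.kx_bits is not None and self.kx_bits < MIN_KX_BITS:
            reasons.append("weak-kx")
        if self.au == "None":                     # ADH: no server authentication
            reasons.append("anonymous")
        return reasons


def parse_listing(text: str) -> List[Suite]:
    """Parse either layout.  A bare protocol line (scanner layout) sets the
    protocol for the suite lines that follow it; other lines are ignored."""
    suites: List[Suite] = []
    current_proto = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROTO_RE.match(line):
            current_proto = line
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        suites.append(Suite(
            name=m["name"],
            proto=m["proto"] or current_proto,
            kx=m["kx"],
            kx_bits=int(m["kxbits"]) if m["kxbits"] else None,
            au=m["au"],
            enc=m["enc"],
            enc_bits=int(m["encbits"]) if m["encbits"] else 0,
            mac=m["mac"],
            export=bool(m["export"]),
        ))
    return suites


def audit(text: str) -> Dict[str, List[str]]:
    """{"NAME/PROTO": [reasons]} for every suite in the listing that fails."""
    return {f"{s.name}/{s.proto}": s.weaknesses()
            for s in parse_listing(text) if s.weaknesses()}


# Constructed `openssl ciphers -v`-style listing; not real server output.
SAMPLE_OPENSSL_V = """\
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# Constructed scanner-style listing in the layout of the first post.
SAMPLE_SCANNER = """\
Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
TLSv1
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
"""

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_OPENSSL_V).items():
        print(f"{key}: {', '.join(reasons)}")
```

To check a proposed SSLCipherSuite before putting it in the Apache configuration, feed `openssl ciphers -v '<string>'` output to `audit()`: an empty result means the string offers none of the suites the scanner listed. Note that the scanner's protocol finding (SSL 2.0 accepted) is a protocol-negotiation setting, not only a cipher-list one, so a clean cipher audit does not by itself show that SSLv2 handshakes are refused.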
     
  5. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    David, thanks for the speedy response!

    The advice in the link, regarding OpenSSL, is giving me some grief, because I'm seeing older versions than what are suggested that I should be seeing:

    # openssl version
    OpenSSL 0.9.7a Feb 19 2003

    # rpm -qa | grep openssl
    openssl-0.9.7a-43.17.el4_6.1
    xmlsec1-openssl-1.2.6-3
    openssl096b-0.9.6b-22.46
    openssl-devel-0.9.7a-43.17.el4_6.1

    And when I do this:

    # rpm --changelog -q openssl-0.9.7a-43.17.el4_6.1 | less

    I am not seeing some of the fixes, such as these:

    - fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321221)
    - make ssl session ID matching strict (#233599)
    - compile with -march=z900 on s390 for performance improvements (#250818)
    - fix CVE-2007-3108 - side channel attack on private keys (#250581)
    etc.

    So, I can't really tell the PCI folks that I'm back-ported and all is well.

    Running CentOS 4.7. A push in the right direction would be appreciated! :)

    - Scott
     
  6. Andrew Boring

    Andrew Boring Member

    Joined:
    Sep 27, 2006
    You may be able to get away with telling the scanning vendor that the "version of OpenSSL contains backported security patches from Red Hat Enterprise Linux / CentOS." I've had success with some scanning companies using that exact statement and including the Red Hat/CentOS package version.

    If they do ask for specific changelogs or CVE info, then you can reference the output of rpm --changelog command.

    What is likely to happen in that case is they'll reduce the score to account for the patches that were backported, but not reduce the score to a full zero. They may mark it down from 5 to 3, for example. Still showing vulnerabilities, but still passing for that test.
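Scott's post shows the manual version of this check (paging through `rpm --changelog -q` looking for CVE identifiers), and this reply says the scanning vendor may ask for exactly that changelog output. The following is an added example, not code from the thread, cPanel or Red Hat: it takes an `rpm -q --changelog` dump plus the CVE identifiers from the scan report and prints, per CVE, the changelog entry that mentions it or a note that none does. The changelog text is constructed for the example and is not the real changelog of any openssl package; the two CVE identifiers are the ones quoted in Scott's post.

```python
"""Cross-check `rpm -q --changelog <package>` output against the CVE identifiers
a PCI scanner flagged, so the evidence handed to the scanning vendor is the
exact changelog entry, and so CVEs with no entry are listed rather than assumed.

Added example; not from the thread, cPanel or Red Hat.  SAMPLE_CHANGELOG is
constructed and is not the real changelog of any openssl package.
Real input:  rpm -q --changelog openssl > openssl-changelog.txt
"""
import re
from typing import Dict, List, Tuple

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")

# ("<date> <packager> <version-release>", ["- change line", ...])
Entry = Tuple[str, List[str]]
Evidence = Dict[str, List[Tuple[str, str]]]


def parse_changelog(text: str) -> List[Entry]:
    """Split rpm changelog output into entries; each begins with a '* ' header."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("* "):
            entries.append((line[2:].strip(), []))
        elif entries and line.strip():
            entries[-1][1].append(line.strip())
    return entries


def cve_evidence(text: str, wanted: List[str]) -> Evidence:
    """For each wanted CVE, the (entry header, change line) pairs naming it."""
    wanted_set = {c.upper() for c in wanted}
    found: Evidence = {c: [] for c in sorted(wanted_set)}
    for header, lines in parse_changelog(text):
        for line in lines:
            for cve in set(CVE_RE.findall(line.upper())):
                if cve in wanted_set:
                    found[cve].append((header, line))
    return found


def unpatched(text: str, wanted: List[str]) -> List[str]:
    """Scanner CVEs with no changelog entry in this package (sorted)."""
    return [cve for cve, hits in cve_evidence(text, wanted).items() if not hits]


def report(text: str, wanted: List[str]) -> str:
    """Human-readable summary suitable for attaching to a scan dispute."""
    out: List[str] = []
    for cve, hits in cve_evidence(text, wanted).items():
        if hits:
            for header, line in hits:
                out.append(f"{cve}: fixed in '{header}': {line}")
        else:
            out.append(f"{cve}: NO changelog entry in this package")
    return "\n".join(out)


# Constructed sample in the rpm changelog layout; not a real package changelog.
SAMPLE_CHANGELOG = """\
* Tue Oct 02 2007 Example Packager <packager@example.invalid> 0.9.7a-43.17
- fix CVE-2007-3108 - side channel attack on private keys (#250581)
- make ssl session ID matching strict (#233599)

* Wed Apr 04 2007 Example Packager <packager@example.invalid> 0.9.7a-43.16
- rebuild
"""

# Identifiers quoted in Scott's post above.
SCANNER_CVES = ["CVE-2007-4995", "CVE-2007-3108"]

if __name__ == "__main__":
    print(report(SAMPLE_CHANGELOG, SCANNER_CVES))
```

Two caveats that follow from the thread itself: a CVE missing from the changelog does not prove the package is vulnerable, since the shipped version may never have been affected (Kenneth's point below), and a CVE present in the changelog does not stop a scanner that keys on the banner version from reporting it, which is why the vendor dispute with the package version attached is still needed.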

     
  7. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    cPanel Access Level:
    Root Administrator
    This will need to be addressed by the OS vendor (Red Hat). If they haven't backported fixes, it may be that the specific version is not vulnerable. It may also be too painful to backport the fix, hence upgrading to CentOS 5 would be the solution.

    Some people advocate replacing OpenSSL from source. We don't advocate that.
     