pci compliance help

EWD

Hi Guys.

For PCI compliance I need to disable TRACK and TRACE.
I used to be able to do this by adding the following to httpd.conf:
Code:
# Reject TRACE and TRACK (cross-site tracing) with 403 Forbidden
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
Since EA3 this no longer works. I have tried it in the main httpd.conf as well as the includes and no luck.
Has anyone been able to get these disabled lately?

Thanks in advance for any help.

rpmws

How about in a .htaccess file in the root of one of the sites? Just for the hell of it?

EWD

Hi,

Yes, that would help for one site. We need it to be server-wide.

I have found that the code above does not work for TRACE anymore, for whatever reason.
Instead you need to add TraceEnable Off to httpd.conf.

So what I did was edit /usr/local/apache/conf/includes/pre_main_global.conf and added:
Code:
# A <Directory "/"> block in the global config covers every path, and so every site
<Directory "/">
    RewriteEngine On
    # TRACK is not a method Apache implements; reject it with 403 Forbidden
    RewriteCond %{REQUEST_METHOD} ^TRACK
    RewriteRule .* - [F]
</Directory>
Also added TraceEnable Off to httpd.conf and that seems to have done the trick.

Thanks for the help and I hope this info helps someone else looking for the same. ;)

robb3369

mod_security

This can also be addressed via mod_security (installed via Easy Apache) with the default configuration:

Code:
# allowed request methods: anything else (TRACE and TRACK included) matches
# in phase 1, i.e. on the request headers, before any body is read.
# No deny/block is listed here: the disruptive action is inherited from the
# ruleset's SecDefaultAction, so confirm that it is set to deny rather than pass.
SecRule REQUEST_METHOD "!^(?:GET|POST|OPTIONS|HEAD)$" \
    "phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
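Whichever of the approaches in this thread is used (the RewriteRule block, TraceEnable Off, or the mod_security rule above), what matters for the PCI scan is the reply an outside client gets. The following Python 3 script is an added example, not code from this thread or from cPanel: it sends one TRACE and one TRACK request and classifies the answer the way a scanner would. A live TRACE is echoed back as a 200 with Content-Type: message/http; 403 (RewriteRule [F]), 405 (TraceEnable Off) and 501 (a method Apache does not implement) all count as refused. The function names (classify, probe, check_server) are my own.

```python
# Added example (not from the thread): probe a web server for TRACE/TRACK and
# classify the reply so the httpd.conf / mod_security change can be verified
# from the outside. Hypothetical helper names; nothing here is cPanel's code.
import http.client
import sys


def classify(method, status, headers, body):
    """Classify a server's answer to a TRACE or TRACK request.

    'enabled': the server honoured the method and echoed the request back
               (HTTP 200 with Content-Type: message/http, or a body that
               starts with the request line); this is what scanners flag.
    'refused': any 4xx/5xx, e.g. 403 from RewriteRule [F], 405 from
               TraceEnable Off, or 501 for a method Apache does not implement.
    'unknown': anything else (redirects, a proxy answering on the server's
               behalf); inspect by hand.
    """
    ctype = headers.get("content-type", "").lower()
    echoed = body.startswith(f"{method} ".encode("ascii"))
    if status == 200 and (ctype.startswith("message/http") or echoed):
        return "enabled"
    if 400 <= status <= 599:
        return "refused"
    return "unknown"


def probe(host, port=80, method="TRACE", path="/", use_tls=False, timeout=5):
    """Send a single request with the given method; return (status, headers, body)."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        body = resp.read()
        # header names are case-insensitive; normalise for classify()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return resp.status, headers, body
    finally:
        conn.close()


def check_server(host, port=80, use_tls=False):
    """Probe TRACE and TRACK and return {method: verdict}; both should be 'refused'."""
    verdicts = {}
    for method in ("TRACE", "TRACK"):
        status, headers, body = probe(host, port, method, use_tls=use_tls)
        verdicts[method] = classify(method, status, headers, body)
    return verdicts


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for method, verdict in check_server(target).items():
        print(f"{method}: {verdict}")
```

Run it as `python3 trace_check.py www.example.test` after reloading Apache; a compliant server answers "refused" for both methods. Checking the echo in the body as well as the Content-Type matters because some front-end proxies rewrite the header while still passing the echoed request through.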