The Community Forums


PCI Compliance

Discussion in 'Security' started by eglwolf, Sep 20, 2012.

  1. eglwolf

    eglwolf Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    16
    I just ran a quarterly scan on my server and it failed with this notice (see below). How do I fix this?


    and


     
  2. eglwolf

    eglwolf Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    16
    Can anyone help?
     
  3. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Have you searched Google for these? PCI compliance errors should be helped by the company who is charging for the scan as far as I'm concerned. Most companies charge a large fee and then don't even assist in trying to decipher what they are claiming is failing.
     
  4. RealAdmins

    RealAdmins Registered

    Joined:
    Sep 24, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    As someone with a couple of decades of enterprise hosting experience, I'd have to disagree with that. The scan vendor's job is to check for vulnerabilities and report them back. The server admin, provider, and/or software vendor is responsible for fixing their vulnerabilities.

    Anywho... To help:

    In the first case the "vulnerability" is kind of interesting. The server itself is not vulnerable at all and the attack requires a compromised browser. It seems that most of the PCI scan vendors are triggering on this if any cipher other than RC4 is in use. This could be an issue with about 0.09% of the internet connecting to you (the better bet is to allow for fallback to a CBC based cipher if RC4 isn't supported, but the scan vendors aren't allowing this).

    The fix in cPanel's poorly implemented SSL configuration via cpanel would be to:
    Go to Service Configuration -> Apache Configuration -> Global Configuration
    Select the custom value for SSL Cipher Suite and set it to: RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM

    It's also best if you add these two lines to your /usr/local/apache/conf/includes/pre_main_global.conf
    # CVE-2011-3389
    SSLHonorCipherOrder On
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown


    Then run the following commands:
    /usr/local/cpanel/bin/build_apache_conf
    /etc/init.d/httpd restart

    Rerun your scan and you should be set on the BEAST attack stuff.


    The second is something that's pretty annoying to server admins with cpanel-type installations. The major problem here is that you have mail running on the SSL site IP. I recommend pointing the domain's email to a dedicated mail IP and firewalling out email to the SSL IP. To just pass this scan you can likely go to Service Configuration -> Exim Configuration Manager -> Basic Editor -> Security and turn "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" ON. Note: any clients sending mail using that IP will need to make sure they have encrypted authentication turned on in their client.

    Regards,

    Doug
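    As an added example (editor's code, not from the thread, cPanel, or the poster), here is a small Python linter that reads an Apache SSL fragment like the one described above and checks the two things the BEAST scanners look at: whether the server enforces its own cipher order (SSLHonorCipherOrder) and whether the first cipher preference is a CBC suite. The cipher string is the one quoted in the post; the sample config text, the second "weak" sample, and the function names are constructed for this example, and the "hyphen means an individual suite, no hyphen means a keyword" rule is a heuristic on OpenSSL naming, not an OpenSSL API. One present-day caveat: RC4-first was the 2012 workaround, and RC4 has since been prohibited for TLS by RFC 7465, so the linter reports an RC4 preference as informational rather than as a pass.

```python
"""Lint an Apache SSL configuration fragment for the BEAST-mitigation settings
discussed in the thread: a server-enforced cipher order and a first preference
that is not a CBC-mode suite.  Example code, not cPanel's or the poster's."""
import re

# Constructed sample: pre_main_global.conf plus the Global Configuration cipher
# suite, as they would look after the steps in the post.
SAMPLE_CONF = """\
# CVE-2011-3389
SSLHonorCipherOrder On
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLCipherSuite RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM
"""

# Constructed sample of an unordered, client-chooses configuration that a
# BEAST scan would flag.
WEAK_CONF = """\
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
"""


def parse_directives(text):
    """Map each directive name to its (last) argument string.
    Apache treats only lines that begin with '#' as comments."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip()
    return out


def split_cipher_list(spec):
    """Split an OpenSSL cipher-list string into ordered (preferred, excluded) tokens.
    '!X' permanently removes X, '-X' removes it, '+X' moves X to the end."""
    preferred, excluded = [], []
    for tok in re.split(r"[:,\s]+", spec.strip()):
        if not tok:
            continue
        if tok[0] in "!-":
            excluded.append(tok[1:])
        elif tok[0] == "+":
            preferred.append(tok[1:])  # demoted to the end; exact position not tracked
        else:
            preferred.append(tok)
    return preferred, excluded


def is_cbc_suite(name):
    """Heuristic (assumption) on OpenSSL naming: hyphenated suite names that are
    neither stream (RC4) nor AEAD (GCM/CCM/CHACHA) ciphers are CBC-mode suites.
    Tokens without a hyphen are keywords such as HIGH or aNULL, not suites."""
    if "-" not in name:
        return False
    up = name.upper()
    return not any(k in up for k in ("RC4", "GCM", "CCM", "CHACHA", "NULL"))


def lint(conf_text):
    """Return a list of (severity, message) findings for the fragment."""
    d = parse_directives(conf_text)
    findings = []
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append(("fail", "SSLHonorCipherOrder is not On; the client's "
                         "preference wins, so a scanner can negotiate a CBC suite"))
    spec = d.get("SSLCipherSuite")
    if spec is None:
        findings.append(("fail", "no SSLCipherSuite directive found"))
        return findings
    preferred, excluded = split_cipher_list(spec)
    if "aNULL" not in excluded and "ADH" not in excluded:
        findings.append(("fail", "anonymous suites (aNULL/ADH) are not excluded"))
    if not preferred or preferred[0] in ("ALL", "DEFAULT") or is_cbc_suite(preferred[0]):
        findings.append(("fail", "first preference is a CBC suite or an unordered "
                         "keyword; BEAST scanners flag this"))
    if preferred and preferred[0].upper().startswith("RC4"):
        findings.append(("info", "RC4 is the first preference: the 2012 BEAST "
                         "workaround, but RC4 itself is prohibited in TLS by RFC 7465"))
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(label)
        for severity, message in lint(conf) or [("pass", "no findings")]:
            print(f"  [{severity}] {message}")
```

    Run it against a copy of your own pre_main_global.conf and httpd.conf contents concatenated into one string; the "fail" findings correspond to what the scan in the thread complains about, while the "info" finding is the reason an RC4-first string is no longer an acceptable end state.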
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,451
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  6. merlinpa1969

    merlinpa1969 Well-Known Member

    Joined:
    Dec 3, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    PA
    cPanel Access Level:
    Root Administrator
    Actually, for the BEAST attack, which is what Security Metrics is failing folks over, it's an issue that needs to be addressed by cPanel, NOT Security Metrics, and there is a bug report in about it.
    The issue is that cPanel says that SM shouldn't be scanning for it, and SM says it's a valid issue.

    So the documents that were linked to are absolutely worthless.
     