More and more I am seeing customers that require their server to be PCI compliant. With the increasing frequency of these requests, I have decided to put together a "cheat sheet", so to speak.

Disabling TRACE and TRACK (HTTP).

Make sure to add the following mod_rewrite rules to every VirtualHost block configured on the server. Please note that if one VirtualHost is missed, TRACE/TRACK will remain enabled for that site.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

You can use the following command to test:

telnet domain.com 80
Trying 72.3.227.33...
Connected to domain.com.
Escape character is '^]'.

Once connected, type the following request:

TRACE / HTTP/1.0
A:b
B:c
host:foo

Then press Enter on an empty line to end the request; you should receive a Forbidden response.

Disabling TRACE and TRACK (HTTPS).

You can use the following command to test HTTPS:

$ openssl s_client -connect domain.com:443

If the output prints a certificate, then TRACK/TRACE has not been disabled correctly for HTTPS.
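The telnet and openssl checks above have to be repeated by hand for every VirtualHost and for both methods. The following script (an added example, not part of the original cheat sheet) sends the same TRACE/TRACK request over plain HTTP or TLS and classifies the reply; the sample responses and the host name "foo" are constructed for illustration, and certificate verification is deliberately skipped because the check only cares about the HTTP answer, not trust in the certificate.

```python
import socket
import ssl

# Constructed sample responses (not captured from any real server).
FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
REFLECTED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
             b"TRACE / HTTP/1.0\r\nHost: foo\r\n\r\n")


def build_request(method: str, host: str) -> bytes:
    """Same request the cheat sheet types into telnet, as raw bytes.
    The blank line at the end terminates the HTTP/1.0 request."""
    return f"{method} / HTTP/1.0\r\nHost: {host}\r\nA: b\r\n\r\n".encode()


def classify(response: bytes) -> str:
    """'blocked' when the server refuses the method (403 from the
    RewriteRule, 405/501 when the method is simply not handled),
    'enabled' when it answers 2xx (TRACE echoes the request back),
    'unknown' for anything that is not a parseable status line."""
    status_line = response.partition(b"\r\n")[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "unknown"
    code = int(parts[1])
    if code in (403, 405, 501):
        return "blocked"
    if 200 <= code < 300:
        return "enabled"
    return "unknown"


def check(host: str, port: int, use_tls: bool, method: str = "TRACE") -> str:
    """Connect (optionally over TLS), send the request, classify the reply."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False        # self-signed certs are common on
        ctx.verify_mode = ssl.CERT_NONE   # these hosts; we only want the reply
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_request(method, host))
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
    return classify(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port, tls in ((80, False), (443, True)):
        for method in ("TRACE", "TRACK"):
            print(port, method, check(target, port, tls, method))
```

Run it once per VirtualHost name so that name-based vhosts are each exercised; every line should report "blocked".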

Disabling TRACK and TRACE on Plesk.

http://kb.parallels.com/en/4638

Disabling SSLv2 and Weak Encryption (HTTPS).

# vi /etc/httpd/conf.d/ssl.conf

Look for the following line:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Change +SSLv2 to -SSLv2 and +LOW to !LOW, so the line reads:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:-SSLv2:+EXP

Disable SSLv2 and Weak Encryption (Dovecot).

Add the following line to /etc/dovecot.conf:

ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Disabling Weak Encryption and SSLv2 (Courier-IMAP).

POP3 and IMAP:

Edit the following files:

/usr/lib/courier-imap/etc/pop3d-ssl
/usr/lib/courier-imap/etc/imapd-ssl

Comment out the existing TLS_CIPHER_LIST line and replace it with the following and restart courier-imap:

TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:!LOW:@STRENGTH"

Test with the following commands; the SSLv2 handshake should now fail:

openssl s_client -connect localhost:995 -ssl2
openssl s_client -connect localhost:993 -ssl2

Disabling SSLv2 Port 8443 (Plesk).

# vi /usr/local/psa/admin/conf/httpsd.custom.include

And add the following lines:

SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
SSLProtocol all -SSLv2

Command to test the configuration:

# openssl s_client -connect localhost:8443 -ssl2

Disabling SSLv2 Port 443 (Plesk).

Add the following to /etc/httpd/conf.d/ssl.conf:

SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
SSLProtocol all -SSLv2

Command to test the configuration:

# openssl s_client -connect localhost:443 -ssl2

Disabling SSLv2 for Port 465 (Plesk).

Add the following line:

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

To the following files:

# vi /var/qmail/control/tlsserverciphers
# vi /var/qmail/control/tlsclientciphers

Then you will need to restart qmail.

Bind 'recursion' Issue.

To eliminate the recursive DNS issue, add the following line to the 'options' section of /etc/named.conf:

allow-recursion {127.0.0.1;};