Hardening Plesk and PCI Compliance


If you have just purchased a new VPS or Dedicated server and you plan on storing or processing credit card data, you must also look into hardening and PCI compliance on the server. Many measures are in place by default, but there are serious high-priority PCI compliance issues that still need to be resolved. This article details the common issues and how to fix them.

These instructions are based on:
– Plesk 11.5.30 Micro Update 9
– CentOS 6.2 X64

Firewall

This should be obvious, but you need to either install the firewall module available in the Plesk Modules section or activate and configure the firewall in Virtuozzo (VPS). If you have a Virtuozzo container and would rather configure the firewall in Plesk, that is an option as well. You should only need the following ports to be open:

– 80 HTTP
– FTPS OR SFTP PORT
– 25 SMTP Send
– 995 POP3s
– 465 SMTPs
– 443 SSL
– 53 DNS
– 8443 Plesk Panel
– 8447 Panel Updater
– 4643 Virtuozzo (if applicable)
– Loopback Any Any Localhost
– Hi Port Allowance (if applicable)

If you are in a Virtuozzo container, note that the above rules do not block port 8880, which is the non-secure admin port. To block it, open a shell and type the following command:

iptables -I INPUT -p tcp --dport 8880 -j DROP

Remember to save the iptables rules, otherwise the rule will be lost when the server is restarted. Do this by typing:

/sbin/service iptables save

Optionally, and what I would recommend, is to install the Plesk firewall module if it's not already installed, and make all of your port allowances and blocks in the GUI. The Plesk firewall module is, in its simplest form, a GUI that modifies iptables for you. Create firewall rules here to block 8880 and also close all ports not listed above that are open by default.

With Virtuozzo and Plesk installed on the same container we've seen that the Plesk firewall overrides the Virtuozzo firewall. Therefore, we would recommend that all firewall changes be made in Plesk.

Disable Weak and Medium Ciphers for the Plesk Panel

Issue the following command:

/usr/local/psa/admin/bin/pci_compliance_resolver --enable all

Navigate to /usr/local/psa/admin/conf/ and nano or vi cipher.lst. Remove everything from the file and replace it with:

ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5-DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5

Save and restart using the following command:

/etc/init.d/sw-cp-server restart

Nginx

We need to send the CA certificate along with the server certificate, otherwise some browsers will have issues. As of 07/31/2013 there's an error in the way Plesk configures the SSL chain, so we need to find the client certificate reference by opening the file located at:

/etc/nginx/plesk.conf.d/vhosts/[domain].[tld].conf

Look for the line below and copy the [cert_name] value, which should be a bunch of random characters.

ssl_client_certificate      /usr/local/psa/var/certificates/[cert_name];

Now add the line below, replacing [cert_name] with the same name that we located in the step above, to the web server settings of the domain in the control panel. The line goes into the "Additional nginx directives" box.

ssl_trusted_certificate /usr/local/psa/var/certificates/[cert_name];

Again, as of this writing, Plesk configures the SSL ciphers incorrectly and it's not something that can be overridden by the Additional nginx directives. In order to make all domains mitigate BEAST and use correct ciphers, we must configure the server to use custom PHP templates that control the creation of the configuration files. Let's get started:

cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

Now edit both custom copies (not the originals under templates/default/, which Plesk overwrites on update):
nano /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
nano /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php

Replace the two lines below in each file so they look like this:

ssl_protocols               SSLv3 TLSv1;
ssl_ciphers                 ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AEDH:!AESGCM;

Now reconfigure all domains:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

Alternatively, you can download the Plesk Custom Configuration Files for Nginx here and place the contents of this folder including the folder itself and sub-folders in /usr/local/psa/admin/conf/templates/.

Disable Weak Ciphers Apache

We need to locate ssl.conf, which should be in /etc/httpd/conf.d/. On some servers the file that needs to be modified is httpd.conf, located in /etc/httpd/conf/. It won't hurt to add the lines to both files to be sure that the changes are applied. You can also make the changes in one file, check the server and adjust accordingly. We need to add or modify the following lines:

SSLHonorCipherOrder On
SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AEDH:!AESGCM
SSLInsecureRenegotiation off

Restart using the below command:

service httpd restart

Test that the handshake fails using:

openssl s_client -connect localhost:443 -cipher EXP:LOW
openssl s_client -connect localhost:443 -cipher EXP:MEDIUM

And test that you are able to connect using:

openssl s_client -connect localhost:443 -cipher EXP:HIGH

Mitigate BEAST

In order to mitigate BEAST I would recommend creating a vhost_ssl.conf file in /var/www/vhosts/domain.com/conf/ and placing the following in that file:

SSLHonorCipherOrder On
SSLProtocol all -SSLv2
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AEDH:!AESGCM
SSLInsecureRenegotiation off

Save, and then we are going to regenerate the domain's configuration by running the following command:

/usr/local/psa/admin/bin/httpdmng --reconfigure-domain domain.com

Restart httpd and test.

Mitigate CRIME

Run the following command:

echo 'export OPENSSL_NO_DEFAULT_ZLIB=1' >> /etc/sysconfig/httpd

SMTP PCI Compliance and Hardening – Qmail

If you're running Qmail, you need to run the following two commands in the shell:

echo 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AEDH:!AESGCM' > /var/qmail/control/tlsserverciphers
echo 'ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AEDH:!AESGCM' > /var/qmail/control/tlsclientciphers

That’s it!

SMTP PCI Compliance and Hardening – Postfix

Locate main.cf, which should be in /etc/postfix/, and add the following lines towards the end of the file using nano or vi:

smtpd_tls_protocols = SSLv3, TLSv1 
smtpd_tls_ciphers = medium 
smtpd_tls_exclude_ciphers = aNULL 
smtpd_sasl_security_options = noanonymous, noplaintext

Save the file and restart Postfix by running:

/etc/init.d/postfix restart

With newer PCI compliance standards you may see that the server fails PCI compliance because of a self-signed certificate. Let's go over how to fix this.
We should still be in /etc/postfix/ from the previous step, so let's create a new folder with the following command:

mkdir ssl

Let's jump into the ssl directory, where we are going to create 3 files: an SSL certificate, a private key and a chain file. You should have obtained these from your third-party SSL provider. If you have the files in a zip you can upload them and extract them here. For the sake of those who are going to cut and paste, we'll continue by creating the files. Create public.crt, private.key and intermediate.crt. Put your certificate text in the public.crt file, your private key text in the private.key file and your CA chain in the intermediate.crt file. Save all and jump back a directory to /etc/postfix/. Let's create a backup of the main.cf file with the following command:

cp main.cf main.cf.old

Scroll down and locate smtpd_tls_key_file. Remember that we are using the files we just created; change the file names if you uploaded your own. Change the lines to look like this:

smtpd_tls_key_file = /etc/postfix/ssl/private.key
smtpd_tls_cert_file = /etc/postfix/ssl/public.crt
smtpd_tls_CAfile = /etc/postfix/ssl/intermediate.crt

There's a good chance that the line for the CAfile was not in your config. You can create that line.
Once done, save and restart Postfix:

/etc/init.d/postfix restart

Test the certificate:

openssl s_client -connect localhost:465 -cipher EXP:HIGH

IMAP/POP3 PCI Compliance and Hardening – Courier

By default Plesk uses Courier to handle IMAP and POP3. We are going to discuss disabling weak ciphers and also changing the SSL certificate.
In order to locate the Courier install, type the following:

updatedb
locate imapd-ssl
locate imapd.pem

You should see pop3d-ssl and imapd-ssl, which are most likely located in /etc/courier-imap/, and we are also looking for imapd.pem and pop3d.pem, which should be located in /usr/share/courier-imap/. You may find that the 2 .pem files are located in /usr/share/ instead. Personally, I don't like files floating around in upper general directories, so if the 2 .pem files are in /usr/share/ feel free to create a directory for them. If you do create a directory for them, be sure to reflect the change in the imapd-ssl and pop3d-ssl files.
We are going to un-comment and change the line below in the first 2 files, imapd-ssl and pop3d-ssl:

TLS_CIPHER_LIST="ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AEDH:!AESGCM"

Make sure that if your 2 .pem files were moved, you reflect that change in the aforementioned files. TLS_CERTFILE is the line that contains the location of the .pem.
Restart the Courier services by typing the following:

service courier-imaps restart
service courier-pop3s restart

Now test the ciphers using the following command; your connection should be refused:

openssl s_client -connect localhost:995 -ssl2

Attempting the same command without the "-ssl2" should result in a successful connection.
Most PCI compliance scanners will also tell you that you failed PCI compliance due to a self-signed certificate. Self-signed certificates are on the newer end of the PCI compliance spectrum (2012). Let's now address that issue by going to the last 2 files that we located earlier, imapd.pem and pop3d.pem.
You'll need to acquire a third-party certificate from a certificate provider. Once you obtain the certificate you will have multiple parts. We need to open a text editor and combine the parts to make a pem file. Some certificate authorities will provide the pem without the need to combine them. If you are combining the certificates, please make sure that the private key is the first part of the pem, followed by the certificate. It should look like this:

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE----- 

I would advise that you make a backup of the two current files by typing the following for each pem:

cp imapd.pem imapd.pem.old

Now use nano or vi to replace the old certificate in both of those files with the new one that we received and compiled.
Again use the above commands to restart the Courier services.
Now if you check the certificate you may see that it returns "Verify return code: 21 (unable to verify the first certificate)". This means that the certificate is valid but the CA or intermediate certificate can't be located. To fix this we need to do the following. Download the Root CA from whoever you purchased the certificate from, place the crt file in /usr/share/courier-imap/, and then edit pop3d-ssl and imapd-ssl, modifying this line:

TLS_TRUSTCERTS=/usr/share/courier-imap/{certfile}.crt

Restart the courier-imaps and courier-pop3s services and you should be good to go.
Test with:

openssl s_client -connect localhost:993

FTPS PCI Compliance and Hardening – ProFTP

First of all I would suggest that users not be given the option of FTP or FTPS. FTP is insecure in all aspects and will not pass PCI compliance, and therefore shouldn't even be considered part of "hardening". FTPS is a secure method of FTP over TLS or SSL. We would still not recommend using this method, as active FTPS requires that the client not be behind NAT, and guaranteeing that this is the case for all clients is impractical. Our only option would be to allow passive connections via FTPS. The problem with this approach is that we have to open a slew of ports. Again, this would not be hardening, considering that SFTP would only require 1 open port.

So before we continue, please remember that I DO NOT CONDONE USING FTP OR FTPS OVER SFTP.

First, let's change the port and get some configuration changes in place for ProFTP:

nano /etc/proftpd.conf

Change the port to anything other than 21.

Replace everything in the <IfModule mod_tls.c> section with the below:

<IfModule mod_tls.c>
    TLSProtocol SSLv3
    TLSCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AEDH:!AESGCM

    # Server's certificate
    TLSRSACertificateFile /etc/xinetd.d/ssl/pfoftpd.pem
    TLSCertificateChainFile /etc/xinetd.d/ssl/pfoftpd-ca.pem

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off
</IfModule>

We don't need to include:

    TLSEngine on
    TLSRequired on

because they are included in /etc/proftpd.include, which is generated by Plesk.
Save and close.
Now we need to edit:

nano /etc/services

Change the ftp port for udp and tcp to the port that you assigned in proftpd.conf.
Save and close.
As you can see, the config above references 2 .pem files, so let's create those:

mkdir /etc/xinetd.d/ssl
nano /etc/xinetd.d/ssl/pfoftpd.pem

Get your certificate's key file and cert and combine them in this file like so:

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----

Now:

nano /etc/xinetd.d/ssl/pfoftpd-ca.pem

And place in this file your combined intermediate and trusted CA like so:

-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE----- 

Restart ProFTP:

service xinetd restart
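The same four parts from your CA get bundled differently for Courier (one file: key, server cert, intermediate, root) and for ProFTP (key and server cert in pfoftpd.pem, the CA chain in pfoftpd-ca.pem). The POSIX shell functions below are an added example, not part of the original article; they assemble both layouts and check the key-first ordering Courier needs. The input file names key.pem, cert.pem, intermediate.pem and root.pem are assumptions, and make_sample_parts writes constructed placeholder PEM blocks so you can dry-run the functions offline.

```shell
#!/bin/sh
# Added example: assemble the PEM bundles described above from the four
# parts a CA ships. Input names (key.pem, cert.pem, intermediate.pem,
# root.pem) are assumptions, not Plesk, Courier or ProFTPD defaults.

# List the PEM block labels in a file in the order they appear, one per line.
pem_order() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Courier: one file, private key first, then server cert, intermediate, root.
make_courier_pem() {   # args: key cert intermediate root output_file
    cat "$1" "$2" "$3" "$4" > "$5"
    chmod 600 "$5"     # the bundle contains the private key
}

# ProFTPD: key + server cert in pfoftpd.pem, CA chain in pfoftpd-ca.pem.
make_proftpd_pems() {  # args: key cert intermediate root output_dir
    cat "$1" "$2" > "$5/pfoftpd.pem"
    cat "$3" "$4" > "$5/pfoftpd-ca.pem"
    chmod 600 "$5/pfoftpd.pem"
}

# Returns 0 only if the first block in the file is the private key,
# which is the ordering Courier requires for imapd.pem and pop3d.pem.
check_key_first() {
    [ "$(pem_order "$1" | head -n 1)" = "RSA PRIVATE KEY" ]
}

# Constructed placeholder parts so the functions can be exercised offline;
# real files from your CA carry base64 bodies instead of PLACEHOLDER.
make_sample_parts() {  # args: output_dir
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/key.pem"
    for part in cert intermediate root; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER $part" \
            '-----END CERTIFICATE-----' > "$1/$part.pem"
    done
}

# Usage with real files (the output paths below match the article):
#   make_courier_pem key.pem cert.pem intermediate.pem root.pem /usr/share/courier-imap/imapd.pem
#   make_proftpd_pems key.pem cert.pem intermediate.pem root.pem /etc/xinetd.d/ssl
#   check_key_first /usr/share/courier-imap/imapd.pem && echo "order ok"
```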


About

Blog Bio Picture For Todd

I'm the President of WireFlare. I have a passion for creativity, online business and internet security. I strive to create a community that empowers people to be themselves. I'm an adventurist, fun loving and caring. Find me hiking in places most people don't dare to go!
