Recently, we had to update a few essential packages on one of our production servers to become fully PCI compliant. I thought I'd share some tips I found along the way to help others who have to do the same thing!

Update (31/07/12): Added disabling WebDisk
Update (16/09/12): Added SSL Cipher Settings

Before proceeding with any of the following instructions, I highly recommend you perform a full system backup; I used Linode's Manual Snapshot tool to back up the entire disk. I'm assuming you're running CentOS as you're running WHM, although these steps should work for RedHat too.
Updating OpenSSL

This was the biggest and most urgent issue according to our test report from Trustwave. The first step is to establish which version is currently installed:

openssl version

Once you've confirmed you're running a really old version of OpenSSL (thanks cPanel...) you will need to grab the latest stable version. You can get the URL from the OpenSSL source page; I'd recommend the item marked [LATEST]. At the time of writing, the latest version is 1.0.1c.

mkdir /root/src && cd /root/src
wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
tar -xvzf openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
./config
make && make install
Once that's all (successfully) finished, check the version again and you should see the new version installed:

openssl version
# OpenSSL 1.0.1c 10 May 2012

We're not there just yet: we need to copy the updated header files and libraries over so that future compiles use the new version of OpenSSL instead of the old one (this is one of the reasons I asked you to back up, as we'll be overwriting old files here). You are free to remove the -f from each cp and check each file as it is copied, but there are quite a few!

cd /root/src/openssl-1.0.1c/include/openssl
cp -f * /usr/include
cp -f * /usr/local/ssl/include
cp -f * /usr/local/ssl/include/openssl
cd /root/src/openssl-1.0.1c
cp -f lib* /usr/local/ssl/lib/
cp -f lib* /usr/lib/
ldconfig
We should now be good to recompile Apache via EasyApache.
Disabling WebDisk (WebDav) on port 2077
Another failing item is cPanel's fault: WHM doesn't offer a way to disable WebDisk or restrict it to SSL only, so the basic auth it offers over plain HTTP is picked up by PCI scans as a failing vulnerability.

The quickest and easiest way around this is to block the port with iptables, which takes two simple commands. Assuming you are logged in as root:

/sbin/iptables -I INPUT -p tcp --destination-port 2077 -j DROP
service iptables save

Now try to access yourserver.example:2077 and you should get a timeout!
Disabling Weak SSL Ciphers
(copied straight from a fantastic post on the cPanel forums)
# General:
# - Disable FrontPage in WHM/EasyApache.

# WHM: Main >> Service Configuration >> Apache Configuration
# (or /etc/httpd/conf/includes/pre_virtualhost_global.conf)
# SSL Cipher Suite: -ALL:!aNULL:!eNULL:!NULL:!ADH:!EXP:!kEDH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2
# TraceEnable Off
# ServerSignature: Off
# ServerTokens: ProductOnly
# FileETag: None

# WHM: Main >> Service Configuration >> Exim Configuration Editor
tls_require_ciphers = SSLv3:TLS

As we're running Dovecot at Netsells, we didn't do the next two tasks and instead entered the cipher list in the "Mailserver Configuration" section of WHM.

# /usr/lib/courier-imap/etc/pop3d-ssl
TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
TLS_PROTOCOL="SSL3"

# /usr/lib/courier-imap/etc/imapd-ssl
TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
TLS_PROTOCOL="SSL3"

# Test your apache configs:
/usr/local/apache/bin/apachectl configtest

# If it's fine, distill the config to make it permanent:
/usr/local/cpanel/bin/apache_conf_distiller --update --main

# /usr/local/cpanel/etc/stunnel/default/stunnel.conf
# Add this below the Authentication block:
options = NO_SSLv2

# Reload configurations
/usr/local/cpanel/startup
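Before asking for a rescan, it is worth confirming that all three changes (the OpenSSL upgrade, the port 2077 block and the Apache cipher suite) actually took. The script below is an added example, not from the original post: each check reads the relevant command output or config text from stdin so it can be exercised on captured data, and --live runs it against the real system; the config file paths in run_live are the usual cPanel ones and are assumed.

```sh
#!/bin/sh
# Added example, not from the original post: sanity checks for the three changes
# above. Each check reads captured command output or file contents from stdin so
# it can be run offline; "--live" feeds it the real commands and config files.

# 1. Does the output of `openssl version` report at least the minimum version?
openssl_at_least() {
    min="${1:-1.0.1c}"
    ver=$(awk 'NR == 1 { print $2 }')
    # GNU sort -V orders 0.9.8e < 1.0.1 < 1.0.1c, so the minimum must sort first.
    first=$(printf '%s\n%s\n' "$min" "$ver" | sort -V | head -n 1)
    [ -n "$ver" ] && [ "$first" = "$min" ]
}

# 2. Is there a DROP rule for the TCP port (default 2077) in the INPUT chain?
# Accepts `iptables -S INPUT` (--dport N ... -j DROP) as well as
# `iptables -L INPUT -n` (DROP ... dpt:N), since older CentOS iptables lacks -S.
port_dropped() {
    port="${1:-2077}"
    grep -E "^-A INPUT .*--dport ${port} .*-j DROP|^DROP .*dpt:${port}( |$)" >/dev/null
}

# 3. Does the Apache config carry an SSLCipherSuite line that excludes SSLv2, LOW,
# NULL, ADH and EXP? Both "!X" and "-X" count as excluded; the value may be quoted.
ssl_cipher_suite_hardened() {
    suite=$(grep -i '^[[:space:]]*SSLCipherSuite' | head -n 1 | awk '{ print $2 }' | tr -d '"')
    [ -n "$suite" ] || return 1
    for weak in SSLv2 LOW NULL ADH EXP; do
        case ":${suite}:" in
            *":!${weak}:"* | *":-${weak}:"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live mode: paths are the usual cPanel/CentOS locations (assumed, adjust as needed).
run_live() {
    openssl version | openssl_at_least && echo "openssl: OK" || echo "openssl: TOO OLD"
    { /sbin/iptables -S INPUT 2>/dev/null || /sbin/iptables -L INPUT -n; } | port_dropped \
        && echo "port 2077: blocked" || echo "port 2077: OPEN"
    cat /etc/httpd/conf/includes/pre_virtualhost_global.conf /usr/local/apache/conf/httpd.conf 2>/dev/null \
        | ssl_cipher_suite_hardened && echo "ciphers: OK" || echo "ciphers: WEAK or unset"
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as root with --live after the distiller and /usr/local/cpanel/startup have been run, since the Apache check reads the distilled httpd.conf.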
I plan on adding more sections to this post when I get some time, check back soon! :)
Thanks to the following sources for helping me piece this together!