Making a Linux Plesk 8.6 Server PCI Compliant

Posted on Mar 19, 2010

To make a server that is running Plesk PCI compliant follow these steps:

  1. Turn off medium and weak ciphers on the Plesk port (8443). This is done by editing the /usr/local/psa/admin/conf/httpsd.custom.include file.

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite HIGH:!MEDIUM:!LOW:!SSLv2:!EXP:!NULL:!aNULL:@STRENGTH
    ErrorDocument 417 "Expect not supported"
    ErrorDocument 413 "Request Entity Too Large."
    ServerTokens Prod
    UserDir Disabled

    The ErrorDocument line prevents an XSS exploit that uses the Expect header. This must be done in the httpsd.custom.include file, or else Plesk will overwrite the changes. For the changes to take effect:

        /sbin/service psa stop
        /sbin/service psa start

    To test and make sure SSLv2 is disabled:

        openssl s_client -connect localhost:8443 -ssl2

    You should not see any SSL information. To test the Expect headers:

        openssl s_client -host localhost:8443

    Once you see a ‘---’ enter the following to test:
    R

    ....snip...
    GET / HTTP/1.1
    Host: localhost
    Expect: */<script>fooz</script>/*


    If everything worked, you will see:

    HTTP/1.1 417 Expectation Failed
    Date: Wed, 24 Mar 2010 21:08:32 GMT
    Server: Apache
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
    15
    Expect not supported
    0
    
  2. Do the same thing as you did above for Apache. Create the file /etc/httpd/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf and add:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH
    

    Apache has to be restarted for the changes to take effect:

        /sbin/service httpd restart

    To test and make sure SSLv2 is disabled:

        openssl s_client -connect localhost:443 -ssl2

    You should not see any SSL information.

  3. Moving on to IMAP and POP3, the /etc/courier-imap/imapd-ssl and /etc/courier-imap/pop3d-ssl files need to be modified by adding the following line:

    TLS_CIPHER_LIST="HIGH:!ADH:RC4+RSA:!SSLv2:!LOW:!MEDIUM:@STRENGTH"
    

    If there is another line with that variable setting, make sure you either remove it or comment it out. Restart the service:

        /sbin/service courier-imap restart

    Test to make sure that SSLv2 has been properly disabled:

        openssl s_client -connect localhost:993 -ssl2
        openssl s_client -connect localhost:995 -ssl2

    You should not see any SSL information.

  4. Turn off SSLv2 for port 465 by adding the following line to /var/qmail/control/tlsserverciphers and /var/qmail/control/tlsclientciphers. The list has to start with ALL rather than !ALL: the ! operator removes ciphers permanently, so a list that begins by deleting everything can never add the RC4 and HIGH ciphers back and ends up empty.

    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:!MEDIUM

    Restart qmail:

        /sbin/service qmail restart

    Test the new settings:

        openssl s_client -connect localhost:465 -ssl2

    You should not see any SSL information.

  5. Configure named so that it does not support recursion. This is done by editing /etc/named.conf and adding the following inside the options { ... } block:

    recursion no;
    
  6. PCI audits will fail if the certificate has expired for courier-imap. This is easily fixed. Navigate to the /usr/share/courier-imap directory and run the following commands:

        ./mkimapdcert
        ./mkpop3dcert

    This will create a new certificate for both services, resolving the issue of expired certificates. These certificates will expire in 1 year.

  7. Add the following to your /etc/php.ini and your /usr/local/psa/admin/conf/php.ini; this requires httpd and Plesk to be restarted:

    expose_php = Off

        /sbin/service httpd restart
        /sbin/service psa restart
  8. PCI scans are starting to fail when connecting to a site via port 25 (SMTP) and 587 (submission). There is another certificate that needs to be updated. I used a self-signed certificate, but you can replace the certificate with one from a respected CA:

        cd /var/qmail/control
        openssl genrsa 2048 > host.key
        # self-signed, valid for two years; answer the subject prompts with the mail host name
        openssl req -new -x509 -nodes -sha1 -days 730 -key host.key > host.cert
        cat host.cert host.key > host.pem
        # back up the current certificate before replacing it (plain cp, not a shell redirect)
        cp servercert.pem servercert.pem.bk
        mv host.pem servercert.pem
        /sbin/service qmail restart
    To test:

        openssl s_client -connect host.com:25 -starttls smtp
        openssl s_client -connect host.com:587 -starttls smtp

This has been written and tested on Plesk 8.6. Some of the items may apply to later versions of Plesk. Note that the SSLProtocol lines above still allow SSLv3, which passed PCI scans in 2010; later PCI DSS revisions require SSL and early TLS to be disabled entirely.
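The per-port checks from steps 1, 2, 3, 4 and 8 can be run in one pass. The script below is an added example written for this page, not code from the original post or from Plesk; it assumes an openssl binary on the path and a host name in PCI_HOST, and it additionally confirms that a HIGH cipher still negotiates, because the -ssl2 probe alone also "passes" on a port whose cipher list has been emptied by mistake.

```shell
#!/bin/sh
# Added example; not from the original post. Audits every port hardened above:
# each must refuse SSLv2 and weak ciphers yet still negotiate a HIGH cipher.
# Assumes an openssl binary; on builds that no longer know -ssl2 the probe
# errors out, which still counts as "refused".

# negotiated: read s_client output on stdin; succeed only when a real cipher was
# agreed. s_client prints "Cipher is (NONE)" when the handshake fails.
negotiated() {
    out=$(cat)
    case "$out" in
        *'Cipher is (NONE)'*) return 1 ;;
        *'Cipher is '*)       return 0 ;;
        *)                    return 1 ;;
    esac
}

# probe HOST PORT STARTTLS_PROTO [s_client options...]
# STARTTLS_PROTO is empty for implicit-TLS ports (8443, 443, 993, 995, 465).
probe() {
    host=$1; port=$2; st=$3; shift 3
    [ -n "$st" ] && set -- -starttls "$st" "$@"
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1 | negotiated
}

# audit HOST: run the three probes on each port the post touches; returns 1 on
# any failure. The weak-cipher probe is limited by the client's own cipher
# support, so it can only report "accepted", never prove "refused".
audit() {
    host=$1; rc=0
    for spec in 8443: 443: 993: 995: 465: 25:smtp 587:smtp; do
        port=${spec%%:*}; st=${spec#*:}
        if probe "$host" "$port" "$st" -ssl2; then
            echo "FAIL $port: SSLv2 accepted"; rc=1
        fi
        if probe "$host" "$port" "$st" -cipher 'LOW:MEDIUM:EXP:aNULL'; then
            echo "FAIL $port: weak or anonymous cipher accepted"; rc=1
        fi
        if probe "$host" "$port" "$st" -cipher 'HIGH:!aNULL'; then
            echo "ok   $port: HIGH cipher negotiated"
        else
            echo "FAIL $port: no HIGH cipher negotiated (TLS broken?)"; rc=1
        fi
    done
    return $rc
}

# Run only when a host is given, e.g.  PCI_HOST=localhost sh pci-audit.sh
if [ -n "${PCI_HOST:-}" ]; then audit "$PCI_HOST"; fi
```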