nealdxmhost
Verified User
For the old hands here much of this is probably old hat, but for those of us (including myself) with considerably less experience allow me to share my latest dealings with PCI compliance issues.
The other night I get an email from one of my clients telling me he has a report from SecurityMetrics saying the site is out of PCI compliance. When things like this happen, the problem gets dropped right into my lap.
Anyhow, after reading through the report I find that, for starters, SSH is not configured properly. I take it off the default port (22) and disable root login via SSH.
Next is the issue with POP3/IMAP: anonymous encryption was allowed. That was resolved by editing /etc/dovecot.conf and changing the following:
Code:
Changed
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
to
ssl_cipher_list = ALL:-ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
And last but not least, for certain directories where passwords get entered (Roundcube, SquirrelMail, phpMyAdmin, etc.) I create a .htaccess file and add the following to it (or, in the case of Roundcube, add it to the existing .htaccess):
Code:
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
Almost forgot one more thing that I did: I edited /etc/sysctl.conf and added the following line to disable TCP timestamps:
Code:
net.ipv4.tcp_timestamps = 0
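An added check, not part of the post above: the two ssl_cipher_list values quoted there only remove the ADH alias, which in OpenSSL's ciphers(1) covers anonymous DH but not anonymous ECDH (AECDH) suites. The script below feeds each string to the local OpenSSL, the same library call Dovecot makes for ssl_cipher_list, and lists every suite still negotiable with no server authentication; the HARDENED string using !aNULL is my constructed comparison value, not from the post.

```python
import ssl
from typing import Dict, List, Optional

# The two ssl_cipher_list values quoted in the post (before and after the edit).
POST_BEFORE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
POST_AFTER = "ALL:-ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
# Constructed comparison value (not from the post): aNULL covers every
# unauthenticated key exchange, including anonymous ECDH, and eNULL drops
# suites with no encryption at all.
HARDENED = "ALL:!aNULL:!eNULL:!EXP:!LOW"


def expand_cipher_list(spec: str) -> Optional[List[dict]]:
    """Hand a cipher string to the local OpenSSL (the same library call Dovecot
    makes for ssl_cipher_list) and return the suites it enables, or None when
    OpenSSL rejects the string because nothing usable is left."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # Dovecot is the TLS server
    try:
        ctx.set_ciphers(spec)
    except (ssl.SSLError, ValueError):
        return None
    return ctx.get_ciphers()


def anonymous_suites(spec: str) -> Optional[List[str]]:
    """Names of suites still negotiable with no server authentication.
    OpenSSL flags them as 'Au=None' in the cipher description; a server that
    accepts them can be impersonated without a certificate."""
    suites = expand_cipher_list(spec)
    if suites is None:
        return None
    return [c["name"] for c in suites if "Au=None" in c["description"]]


def audit(specs: Dict[str, str]) -> Dict[str, Optional[List[str]]]:
    """Run anonymous_suites() over several labelled cipher strings."""
    return {label: anonymous_suites(spec) for label, spec in specs.items()}


if __name__ == "__main__":
    results = audit({"before": POST_BEFORE, "after": POST_AFTER, "hardened": HARDENED})
    for label, anon in results.items():
        if anon is None:
            print(f"{label:8s} rejected by this OpenSSL build")
        elif anon:
            print(f"{label:8s} still offers {len(anon)} anonymous suite(s): {', '.join(anon)}")
        else:
            print(f"{label:8s} offers no anonymous suites")
```

Which suites appear depends on the OpenSSL build Dovecot is linked against, so run it on the mail server itself rather than a workstation.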