
How to Pass PCI Compliance + Apache + Server + WHM

    • Aurora
    • Elite Rocketeer
    • Posts: 903
    • Thanks: 0


    Posted 15 years 8 months ago
      # General:
      # - Disable FrontPage in WHM/EasyApache.
      # WHM: Main >> Service Configuration >> Apache Configuration
      # (or /etc/httpd/conf/includes/pre_virtualhost_global.conf)

      # SSL Cipher Suite:
      -ALL:!aNULL:!eNULL:!NULL:!ADH:!EXP:!kEDH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2

      # TraceEnable Off
      # ServerSignature: Off
      # ServerTokens: ProductOnly
      # FileETag: None

      # WHM: Main >> Service Configuration >> Exim Configuration Editor
      tls_require_ciphers = SSLv3:TLS

      # /usr/lib/courier-imap/etc/pop3d-ssl
      TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
      TLS_PROTOCOL="SSL3"

      # /usr/lib/courier-imap/etc/imapd-ssl
      TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
      TLS_PROTOCOL="SSL3"

      # Test your apache configs:
      /usr/local/apache/bin/apachectl configtest
      # If it's fine, distill the config to make it permanent:
      /usr/local/cpanel/bin/apache_conf_distiller --update --main

      # /usr/local/cpanel/etc/stunnel/default/stunnel.conf
      # Add this below the Authentication block:
      options = NO_SSLv2

      # Reload configurations
      /usr/local/cpanel/startup

      # You may get false positives about OpenSSL being out of date, specifically on
      # OSes that like to backport security fixes (Fedora/CentOS/RedHat); explaining
      # that to the vendor should be sufficient.

      If the above Apache compliance settings don't work and you get an invalid cipher string error, try this:

      ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1

      EDIT: and you can use my favorite tool here to check your server headers:
      www.seoconsultants.com/tools/headers.asp

      Also, if you don't want to show your PHP version in your server header, do this:

      Let's see how we can disable it. To prevent PHP from exposing the fact that it is installed on the server (by adding its signature to the web server header), we need to locate the expose_php variable in php.ini and turn it off.
      By default expose_php is set to On.
      In your php.ini (depending on your Linux distribution this can be found in various places, like /etc/php.ini, /etc/php5/apache2/php.ini, etc.) locate the line containing "expose_php = On" and set it to Off:

      expose_php = Off

      After making this change PHP will no longer add its signature to the web server header. Doing this will not make your server more secure; it will just prevent remote hosts from easily seeing that you have PHP installed on the system and what version you are running.
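Added example (not from the original post or from cPanel): a small Python audit that checks an HTTP response for the Apache and PHP header settings the post applies (ServerTokens ProductOnly, ServerSignature Off, FileETag None, TraceEnable Off, expose_php = Off), as a local alternative to the external header-checking tool mentioned above. The two sample responses and their version strings are constructed for illustration, not captured from a real host.

```python
"""Audit an HTTP response against the hardening settings in this post: ServerTokens ProductOnly,
ServerSignature Off, FileETag None, TraceEnable Off and expose_php = Off. Samples are constructed."""
import re

def parse_response(raw: str):
    """Split a raw HTTP/1.x response (e.g. `curl -si` output) into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def audit(headers: dict, body: str, trace_status=None) -> list:
    """Return one finding per setting from the post that is still not applied (empty = all applied)."""
    findings = []
    server = headers.get("server", "")
    # ServerTokens ProductOnly yields just "Apache"; a digit, "/" or "(" means version/OS/modules leak.
    if re.search(r"[\d/()]", server):
        findings.append(f"ServerTokens: Server header leaks version/modules: {server!r}")
    # PHP adds X-Powered-By while expose_php is On.
    if "x-powered-by" in headers:
        findings.append(f"expose_php: X-Powered-By still sent: {headers['x-powered-by']!r}")
    if "etag" in headers:
        findings.append("FileETag: ETag still sent (inode/size/mtime of the file are exposed)")
    # ServerSignature On appends "<version> Server at <host> Port <n>" to Apache error pages.
    if re.search(r"Server at \S+ Port \d+", body):
        findings.append("ServerSignature: error page footer still shows server details")
    # With TraceEnable Off, Apache answers TRACE with 405 Method Not Allowed.
    if trace_status == 200:
        findings.append("TraceEnable: TRACE request answered 200 instead of 405")
    return findings

# Constructed sample: an unhardened cPanel/Apache 404 page (version strings are made up).
LEAKY = ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.3 (CentOS)\r\nX-Powered-By: PHP/5.2.6\r\n"
         'ETag: "1a2b3c-4d-5e6f"\r\nContent-Type: text/html\r\n\r\n'
         "<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>")
# Constructed sample: the same page after the settings in this post were applied.
HARDENED = ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
            "<html><body><h1>Not Found</h1></body></html>")

if __name__ == "__main__":
    for label, raw, trace in (("before", LEAKY, 200), ("after", HARDENED, 405)):
        _, hdrs, body = parse_response(raw)
        print(label, audit(hdrs, body, trace) or ["OK: all settings from the post are in effect"])
```

Feed it a GET of a non-existent page (a HEAD response has no body, so the ServerSignature footer check needs a real 404 body) and the status of a separate TRACE request against your own server.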
