becoming more and more common as more credit card processors require
them. Most of the scans use a tool like
Nessus and the scan
results often contain many false positives. For example, the scans do
not take into account practices such as back porting security fixes.
Distributions such as Red Hat Enterprise Linux have very clear policies
The open source nature of Linux makes it relatively easy to
maintain PCI compliance. When commercial control panel software such as
is installed on a server, maintaining compliance can be more
challenging. Plesk takes control of the e-mail and web services. Changes
can be introduced to the configuration to make a Plesk server compliant
as long as they are done the "Plesk way." If they are not introduced
with a Plesk-compatible format, the next time a domain is added or
modified through the control panel the changes may be lost.
This document should not serve as a comprehensive source for PCI
compliance advice. The reader is expected to have some basic systems
administration experience. Do not copy and paste examples directly from
this document without first understanding their implications.
All examples provided within apply to Redhat Enterprise, CentOS, and
This guide applies to Plesk versions up to and including version 9.5.2.
Parallels has published their own guides for Plesk 9.x and 10.x:
Plesk 9 (Opens in a new
Plesk 10 (Opens in a new
The above documents are the recommended sources for Plesk PCI compliance
information. The author of this article no longer works with Plesk on a
daily basis; however, this document will remain online for legacy use.
Weak SSL Ciphers and SSLv2
The most common flaw uncovered by a PCI compliance scan is a service
allowing SSL connections using weak SSL ciphers. Disable SSLv2 in
Courier by adding the following to both
After restarting Courier, test with openssl to confirm SSLv2 has been
openssl s_client -connect localhost:995 -ssl2
Test that weak ciphers have been disabled with the following:
openssl s_client -connect localhost:995 -cipher EXP:LOW
Plain Text Authentication
Some PCI scans will also raise a red flag if plain text authentication
is enabled on non-encrypted connections. This should not be an issue on
Plesk versions later than 8.3.0. Look for the following line in
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=PLAIN IDLE"
/etc/courier-imap/pop3d look for this line:
POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"
/etc/courier-imap/pop3d to disable these authentication methods.
Restart courier to apply the changes. Please note that disabling plain
text authentication may prevent some e-mail clients from authenticating.
Weak SSL ciphers can be disabled in qmail by adding the following to
Testing with openssl is highly recommended:
openssl s_client -connect localhost:25 -starttls smtp
SSL Certificate Signed using a Weak Hashing Algorithm
posted on the Nessus website. Please
for specific vendor responses. This vulnerability is not a
configuration error on the server and only affects older versions of
There are two paths to resolution:
1. Create a new self-signed certificate for use with qmail
2. Use an existing SSL certificate that has been signed with a more
A certificate can be tested for compliance as follows:
openssl s_client -in certificate.pem -text -noout
A certificate signed with a weak algorithm will have a string similar to
Signature Algorithm: md5WithRSAEncryption
If the certificate has been signed with a secure algorithm the signature
will appear as follows:
Signature Algorithm: sha1WithRSAEncryption
Plesk versions 9.0 and newer can now use Postfix as an alternative to
qmail. A few changes are necessary to make Postfix PCI compliant. Add
the following to
smtpd_tls_protocols = SSLv3, TLSv1 smtpd_tls_ciphers = medium smtpd_tls_exclude_ciphers = aNULL smtpd_sasl_security_options = noplaintext
Upgrade Plesk to at least version 8.6.0, it's as simple as that. The
following directive can be added to
/etc/httpd/conf/httpd.conf for the
The above assumes Apache is at the most recent patch level available
Weak SSL Ciphers
Disabling weak SSL ciphers can be accomplished by introducting
/etc/httpd/conf.d. Place the following directives into this file:
SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL
Standard testing methodology applies.
UserDir and changing the Apache
lowers the profile of the web server software through obscurity. As a
result, the attacker will have a more difficult time targeting attacks
against. See below for an example of how these directives can present a
security risk to your server.
The attacker begins requesting URLs from the server in the following
An error code of
403 is presented to the attacker indicating the
directory exists but access is restricted. The error pages also
contains an interesting string of text:
It has now been determined by the attacker that a user named
present on the target. The target is a Linux server running Apache
2.0.53. Attempts can now be made to guess the password for the
user. The attack may escalate if the user account becomes compromised.
For example, if
joedoe has been granted shell access the attacker may
be able to obtain root access if a privilege escalation vulnerability
exists in the underlying operating system. With shell access to the
server an attacker can initiate denial of service attacks against other
hosts or begin spamming and phishing activity.
This can be prevented by some degree by modifying the
ServerTokens directives. These directives can be found in
/etc/httpd/conf/httpd.conf. Change them to the following:
UserDir disabled ServerTokens Prod
After restarting Apache the server will present generic software version
information to the public. Any request for
UserDir URLs will receive a
404 result code.
It is becoming increasingly common for PCI scans to fail a server if
expose_php is enabled. Like
ServerTokens above, this
falls into the category of security through obscurity. There are two
easy ways to disable
expose_php. It can be disabled in
It can also be disabled if PHP is being called through Apache
at the virtual host level:
php_admin_flag expose_php 0
Other information disclosure vulnerabilities are often flagged, most
Etags and directory indexes. Make sure the
directive does not expose the inode of modified files:
Directory indexes can be disabled by using
Options -Indexes. This
directive can be used in the Apache configuration or
Make sure to test any configuration changes before restarting Apache:
ProFTPd is frequently flagged for multiple vulnerabilities. If access to
ftp services can not be restricted then the control panel should be
updated to version 9.5.2 or higher. There is no fix available for older
versions of Plesk.
Plesk Control Panel
Additional configuration may be required if a firewall is not installed
to limit access to the Plesk service ports. Modifications to the
Parallels supplied Apache are added to
/usr/local/psa/admin/etc/httpsd.custom.include. Adding the following
directives to this file will disable weak SSL ciphers,
expose_php up to Plesk 8.6.0:
UserDir disabled ServerTokens Prod SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL php_admin_flag expose_php 0
Expect Header Cross Site Scripting Vulnerability
This affects older versions of Apache, specifically the 1.3.x version
shipped with Plesk versions 8.6.0 and older. Upgrading to Plesk 9 or
newer is the recommended way to resolve this issue.
Parallels suggests adding the following
ErrorDocument 417 "Expect not supported"
A standard service restart is required to apply the changes.
Some scan providers will not accept this workaround. In those cases a
Plesk upgrade is necessary.
Weak SSL Ciphers
As of Plesk 9.0 the control panel no longer uses Apache. It now uses
Lighttpd. Disabling weak SSL ciphers is just
as easy as disabling them for older Plesk versions. Add the following:
/usr/local/psa/admin/conf/cipher.lst, then restart the control
panel web server:
If single sign on is being utilized, the following should be added to
ssl.cipher-list = "HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL" ssl.use-sslv2 = "disable"
This needs to be placed directly below both
ssl.engine = "enable"
Create a file named
/etc/sw-cp-server containing the
Next, locate the following in
var.interpreter = "/usr/bin/sw-engine-cgi"
Change it to the following:
var.interpreter = "/usr/bin/sw-engine-cgi -f /etc/sw-cp-server/php.ini"
The control panel web server will need to be restarted to implement the
PCI compliance scans may highlight vulnerabilities in the operating
system's ip stack. Certain
icmp types may help an attacker determine
the version of the operating system installed through a technique known
as operating system fingerprinting. The following iptables rules can be
applied to mitigate this threat:
iptables -N OSFP iptables -A OSFP -i eth0 -p icmp --icmp-type redirect -j DROP iptables -A OSFP -i eth0 -p icmp --icmp-type timestamp-request -j DROP iptables -A OSFP -i eth0 -p icmp --icmp-type timestamp-reply -j DROP iptables -A OSFP -i eth0 -p icmp --icmp-type address-mask-request -j DROP iptables -A OSFP -i eth0 -p icmp --icmp-type address-mask-reply -j DROP iptables -A OSFP -j RETURN iptables -I INPUT 1 -j OSFP
This will create a new chain named
OSFP (Operating System
FingerPrinting) that filters the
icmp types that may allow an
attacker to determine the host operating system. This ruleset may to be
added to any existing
OS fingerprinting can be disabled using
sysctl as well:
echo "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.conf
sysctl -p after editing to apply the change.
Medium SSL ciphers
Some PCI scan providers want to see medium SSL ciphers disabled along
with the usual weak ciphers. Use the following to disable both weak and
medium SSL ciphers:
Plain Text Authentication With Postfix
Disabling plain text authentication without having alternative methods
enabled will cause Postfix to stop relaying mail. Please see this
post for an
additional caveat to disabling plain text authentication.
As with any web application, it is absolutely essential to keep Plesk
updated. Parallels frequently releases microupdates and while they are
getting better at announcing security updates, they still have some work
to do. Also note that Plesk updates only apply to the control panel.
Third party add ons and additional web applications that may be
installed receive updates independently. Remember, security is more of a
journey than a destination. If a server fails to achieve compliance
after following the above advice, a company that specializes in auditing
and hardening servers should be consulted.
This is a living document and as such, it will never truly be completed.
Please feel free to e-mail questions
regarding this document, especially if you are a commercial entity
referring clients here.