Preface 3. Typographical Conventions... 3 Feedback... 4. Securing Servers in Compliance with PCI Data Security Standard 5

Similar documents
Parallels Panel. Achieving PCI Compliance for Servers Managed by Parallels Small Business Panel Revision 1.0

Securing Servers in Compliance with PCI Data Security Standard 4

Contents. Securing Servers in Compliance with PCI Data Security Standard 4

Parallels Plesk Panel

Parallels Plesk Control Panel

Parallels Plesk Panel

Parallels Plesk Panel

Legal and Copyright Notice

SWsoft, Inc. Plesk Firewall. Administrator's Guide

Legal and Copyright Notice

Legal and Copyright Notice

Plesk 8.3 for Linux/Unix Acronis True Image Server Module Administrator's Guide

Parallels Panel. Parallels Small Business Panel 10.2: User's Guide. Revision 1.0

Parallels Plesk Panel

Parallels Plesk Panel

Plesk 8.3 for Linux/Unix System Monitoring Module Administrator's Guide

Parallels Plesk Panel

Plesk 8.0 for Linux/UNIX Backup and Restore Utilities

Legal and Copyright Notice

Counter-Strike Game Server Management Module

Parallels Plesk Control Panel. Plesk 8.3 for Windows Advanced Administration Guide. Revision 1.0

Parallels Plesk Control Panel

Parallels Plesk Panel

SWsoft, Inc. Plesk VPN. Administrator's Guide. Plesk 7.5 Reloaded

How To Back Up Your Pplsk Data On A Pc Or Mac Or Mac With A Backup Utility (For A Premium) On A Computer Or Mac (For Free) On Your Pc Or Ipad Or Mac On A Mac Or Pc Or

SWsoft, Inc. Plesk File Server. Administrator's Guide. Plesk 7.5 Reloaded

Parallels Plesk Panel

SWsoft Plesk 8.3 for Linux/Unix Backup and Restore Utilities

Patented hosting technology protected by U.S.Patents 7,0909,948; 7,076,633. Patents pending in the U.S.

Parallels Business Automation 5.5

AuthorizeNet Plug-in Configuration Guide

Preface 8. Typographical Conventions... 8 Feedback Operating Inside Parallels Containers 10. What s New in Parallels Plesk Panel 12

Parallels Plesk Control Panel

OpenSRS SSL Certificate Plug-in

Plesk 8.1 for Windows Counter-Strike Game Server

Parallels Operations Automation 5.5

Legal and Copyright Notice

SWsoft Plesk 8.2 for Linux/Unix Backup and Restore Utilities. Administrator's Guide

Parallels Panel. Parallels Small Business Panel 10.2: Administrator's Guide. Revision 1.0

Parallels Plesk Panel

Plesk for Windows Copyright Notice

Provider's Guide to Integrating Parallels Presence Builder 12 with Parallels Automation

Parallels Containers for Windows 6.0

Parallels Plesk Panel

Plesk for Windows Copyright Notice

Parallels Plesk Panel

Key-Systems Registrar Plug-in PBA Configuration Guide Revision 1.1

Parallels Plesk Control Panel 8.4 for Linux/Unix Administrator's Guide

Parallels Plesk Panel

Parallels Plesk Panel

Parallels Plesk Panel

Preface 6. Typographical Conventions... 6 Feedback Operating Inside Parallels Containers 8. Becoming Familiar with Parallels Plesk Panel 10

Parallels Plesk Panel

Copyright Notice. Parallels IP Holdings GmbH Vordergasse 59 CH-Schaffhausen Switzerland Phone: Fax:

Parallels Plesk Panel

Parallels Plesk Panel

Preface 5. Typographical Conventions... 5 Feedback Overview of the Main Changes in the Panel 7

Parallels Plesk Control Panel

Plesk 8.3 for Linux/Unix User's Guide

Setting Up and Managing Websites Using the Control Panel

Copyright Notice. ISBN: N/A Parallels 660 SW 39th Street Suite 205 Renton, Washington USA Phone: +1 (425) Fax: +1 (425)

Parallels Plesk Control Panel

Copyright Notice. Parallels IP Holdings GmbH Vordergasse 59 CH-Schaffhausen Switzerland Phone: Fax:

Plesk 11 Manual. Fasthosts Customer Support

Parallels Plesk Panel

Parallels Plesk Control Panel

About This Document 3. About the Migration Process 4. Requirements and Prerequisites 5. Requirements... 5 Prerequisites... 5

Copyright Notice. Parallels IP Holdings GmbH Vordergasse 59 CH-Schaffhausen Switzerland Phone: Fax:

Manage a Firewall Using your Plesk Control Panel Contents

Parallels Plesk Panel

SSL Installing your new Certificate

Parallels Plesk Control Panel

Plesk 8.3 for Linux/Unix Administrator's Guide

Parallels Plesk Control Panel

Parallels Pro Control Panel for Linux FTP Setup Guide

Important Notes for WinConnect Server VS Software Installation:

Backup/Restore Utilities Guide

Parallels Virtual Automation 6.1

Lab - Configure a Windows 7 Firewall

Preface 8. Typographical Conventions... 8 Feedback Operating Inside Parallels Containers 10. Becoming Familiar with Parallels Plesk Panel 12

Application Monitoring using SNMPc 7.0

Plesk 7.6 For Windows User Guide

Parallels Virtual Automation 6.0

Backup and Restore MySQL Databases

JAMF Software Server Installation Guide for Linux. Version 8.6

To install the SMTP service:

Fasthosts Internet Parallels Plesk 10 Manual

Parallels Pro Control Panel

Parallels Plesk Panel. Parallels Plesk Panel 9.5 Client's Guide. Revision 1.1

QuickDNS 4.6 Installation Instructions

Parallels Plesk Panel

LogLogic Microsoft Dynamic Host Configuration Protocol (DHCP) Log Configuration Guide

Parallels Plesk Panel

Configuring Your Client: Outlook Express. Quick Reference

SWsoft, Inc. Battlefield 1942 Game Server User's Guide

Plesk 8.3 for Linux/Unix Domain Administrator's Guide

Plesk 8.0 for Linux/UNIX

Moving to Plesk Automation 11.5

Parallels Pro Control Panel

Parallels Operations Automation 5.0 Public API Reference

Transcription:

Parallels Panel

Contents Preface 3 Typographical Conventions... 3 Feedback... 4 Securing Servers in Compliance with PCI Data Security Standard 5 Securing Linux and FreeBSD-Based Servers... 6 Securing Microsoft Windows-Based Servers... 12

Preface 3 Preface In this section: Typographical Conventions... 3 Feedback... 4 Typographical Conventions Before you start using this guide, it is important to understand the documentation conventions used in it. The following kinds of formatting in the text identify special information. Formatting convention Type of Information Example Special Bold Italics Monospace Items you must select, such as menu options, command buttons, or items in a list. Titles of chapters, sections, and subsections. Used to emphasize the importance of a point, to introduce a term or to designate a command line placeholder, which is to be replaced with a real name or value. The names of commands, files, and directories. Go to the System tab. Read the Basic Administration chapter. The system supports the so called wildcard character search. The license file is located in the http://docs/common/licen ses directory.

4 Preface Formatting convention Type of Information Example Preformatted On-screen computer # ls al /files output in your commandline sessions; source code total 14470 in XML, C++, or other programming languages. Preformatted Bold CAPITALS KEY+KEY What you type, contrasted with on-screen computer output. Names of keys on the keyboard. Key combinations for which the user must press and hold down one key and then press another. # cd /root/rpms/php SHIFT, CTRL, ALT CTRL+P, ALT+F4 Feedback If you have found an error in this guide, or if you have suggestions or ideas on how to improve this guide, please send your feedback using the online form at http://www.parallels.com/en/support/usersdoc/. Please include in your report the guide s title, chapter and section titles, and the fragment of text in which you have found an error.

C H A P T E R 1 Securing Servers in Compliance with PCI Data Security Standard To reduce the risk of compromising sensitive data hosted on your server, you might want to implement special security measures that comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is intended to help organizations protect customer account data. For detailed information about the standard, refer to https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml. The following sections describe the steps required to achieve PCI compliance for Linux, FreeBSD, and Microsoft Windows-based systems. In this chapter: Securing Linux and FreeBSD-Based Servers... 6 Securing Microsoft Windows-Based Servers... 12

6 Securing Servers in Compliance with PCI Data Security Standard Securing Linux and FreeBSD-Based Servers This section describes the steps that you should perform if you want to secure your server and achieve compliance with PCI DSS on a Linux or FreeBSD server. You first need to run the PCI Compliance Resolver utility available from the Parallels Plesk Panel installation directory. It will disable weak SSL ciphers and protocols for Web and e-mail servers operated by Parallels Plesk Panel. To run the utility: 1. Log in to the server shell. 2. Issue the following command: /usr/local/psa/admin/bin/pci_compliance_resolver enable all The following table describes all options supported by the utility. Option Description -- enable all --disable all The option enable all switches off weak SSL ciphers and protocols for Web and e-mail servers. The option disable all reverts all changes made by the utility and restores original configuration files, thereby allowing weak SSL ciphers and protocols for connections to Web and e-mail servers. -- enable courier --disable courier -- enable apache --disable apache Switches off or switches on weak SSL ciphers and protocols for connections to Courier IMAP mail server. Switches off or switches on weak SSL ciphers and protocols for connections to the Apache Web server that serves users sites. -- enable panel --disable panel Switches off or switches on weak SSL ciphers and protocols for connections to Parallels Plesk Panel. Some PCI compliance scanners may require that the medium strength SSL ciphers for access to the Panel be also switched off. For this reason, after you have run the utility, you need to modify a configuration file that was created by it. 1. Open for editing the file /usr/local/psa/admin/conf/cipher.lst. 2. Remove all lines from the file. 3. Insert the following line:

Securing Servers in Compliance with PCI Data Security Standard 7 ADH-AES256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA KRB5- DES-CBC3-MD5 KRB5-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3- SHA DES-CBC3-SHA ADH-DES-CBC3-SHA DES-CBC3-MD5 4. Save the file. 5. Restart the Web server: On Linux systems, issue the command /etc/init.d/sw-cp-server. On FreeBSD systems, issue the command /usr/local/etc/rc.d/sw-cpserver. Now you need to switch off weak SSL ciphers for connections to Qmail or Postfix e- mail server, if you use any of them. If you use Qmail mail server, issue the following commands at the prompt: On Linux systems: echo ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM > /var/qmail/control/tlsserverciphers echo ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM > /var/qmail/control/tlsclientciphers On FreeBSD systems: echo ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM > /usr/local/psa/qmail/control/tlsserverciphers echo ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM > /usr/local/psa/qmail/control/tlsclientciphers If you use Postfix mail server, modify configuration files: 1. On Linux systems, open for editing the file /etc/postfix/main.cf. 2. On FreeBSD systems, open for editing the file /usr/local/etc/postfix/main.cf. 3. Add the following lines to the file: smtpd_tls_protocols = SSLv3, TLSv1 smtpd_tls_ciphers = medium smtpd_tls_exclude_ciphers = anull smtpd_sasl_security_options = noplaintext 4. Save the file. 5. Restart the mail server: On Linux systems, issue the command /etc/init.d/postfix. On FreeBSD systems, issue the command /usr/local/etc/rc.d/postfix. You also need to prohibit access to MySQL database server from external addresses. To do this, in a firewall that protects your Panel-managed server, add or enable a rule that prohibits TCP and UDP connections to the port 3306 from all addresses except 127.0.0.1.

8 Securing Servers in Compliance with PCI Data Security Standard To use the firewall that comes with your Parallels Plesk Panel for Linux: 1. Log in to the Panel as administrator. 2. If you did not install the firewall component, install it: a. Go to Home > Updates (in the Help & Support group). b. Click the link corresponding to your version of the Panel. c. Locate Plesk Firewall module, select the corresponding check box, and click Install. 3. Configure the firewall rule that blocks external MySQL connections and switch the firewall on: a. Click the Settings link in the navigation pane. b. Click Manage Firewall Rules, and then Edit Firewall Configuration. c. Click the MySQL server link. d. Select the Deny option and click OK. e. Click Activate to apply the configuration, and then click Activate again to switch on the firewall. To conceal the version of DNS server from potential attackers, do the following: 1. Open for editing the DNS server s configuration file named.conf. On Linux systems, it is located in /etc/, and on FreeBSD systems, in /etc/namedb/. 2. Locate the options {} section, and add the version none line there. 3. Restart the named service: On Deb package-based systems, issue the command /etc/init.d/bind9 On RPM package-based systems, issue the command /etc/init.d/named On FreeBSD systems, issue the command /etc/rc.d/named To conceal the version of the Apache Web server from potential attackers, do the following: 1. Open for editing the Web server s configuration file. On Debian, Ubuntu, and SuSE Linux, it is located at /etc/apache2/apache2.conf. On other distributions of Linux, it is located at /etc/httpd/conf/httpd.conf.

Securing Servers in Compliance with PCI Data Security Standard 9 On FreeBSD, it is located at /usr/local/etc/apache2/httpd.conf. 2. Add the following lines: ServerTokens ProductOnly TraceEnable OFF 3. Save the file. 4. Restart the Web server. On Deb package-based systems, issue the command /etc/init.d/apache2 On RPM package-based systems, issue the command /etc/init.d/httpd On FreeBSD systems, issue the command /usr/local/etc/rc.d/apache2 If you have Single Sign-On v.2.2 components installed, then you need to disable SSL v.2 and weak SSL ciphers for the single sign-on service: 1. Open for editing the file /etc/sw-cpserver/applications.d/sso-cpserver.conf. 2. Locate the two lines ssl.engine = enable. 3. After each of these lines, add the following: ssl.cipher-list = ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256- SHA:AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128- SHA:AES128-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:ADH-DES-CBC3- SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3- MD5:DHE-DSS-RC4-SHA:KRB5-RC4-MD5:KRB5-RC4-SHA:ADH-RC4-MD5:RC4-SHA:RC4- MD5:RC2-CBC-MD5:RC4-MD5 ssl.use-sslv2 = disable 4. Save the file. 5. Restart the service: On Linux systems, issue the command /etc/init.d/sw-cp-server. On FreeBSD systems, issue the command /usr/local/etc/rc.d/sw-cpserver. To conceal the version of PHP installed on the server: 1. Create a file with name php.ini in the following directory On Linux systems, /etc/sw-cp-server/ On FreeBSD systems, /usr/local/etc/sw-cp-server/ 2. Add to this file the line expose_php = Off. 3. Save the file. 4. Open for editing the following file:

10 Securing Servers in Compliance with PCI Data Security Standard On Linux systems, /etc/sw-cp-server/applications.d/ssocpserver.conf. On FreeBSD systems, /usr/local/etc/sw-cpserver/applications.d/sso-cpserver.conf. 5. Locate the following line: On Linux systems, var.intertpreter = /usr/bin/sw-engine-cgi. On a FreeBSD system, var.intertpreter = /usr/local/bin/swengine-cgi. 6. Replace it with the following line: On Linux systems, var.intertpreter = /usr/bin/sw-engine-cgi -c /etc/sw-cp-server/php.ini. On a FreeBSD system, var.intertpreter = /usr/local/bin/swengine-cgi -c /usr/local/etc/sw-cp-server/php.ini. 7. Save the file. 8. Restart the Web server: On Linux systems, issue the command /etc/init.d/sw-cp-server. On FreeBSD systems, issue the command /usr/local/etc/rc.d/sw-cpserver. To alleviate security risks arising from disclosure of information about files and their properties by Apache Web server, configure the FileETag directive in the Web server configuration file. To do this: 1. Open for editing the Web server s configuration file. On Debian, Ubuntu, and SuSE Linux, it is located at /etc/apache2/apache2.conf. On other distributions of Linux, it is located at /etc/httpd/conf/httpd.conf. On FreeBSD, it is located at /usr/local/etc/apache2/httpd.conf. 2. Locate the line FileETag INode MTime Size and remove the INode keyword from this line. 3. Save the file. 4. Restart the Web server. On Deb package-based systems, issue the command /etc/init.d/apache2 On RPM package-based systems, issue the command /etc/init.d/httpd

Securing Servers in Compliance with PCI Data Security Standard 11 On FreeBSD systems, issue the command /usr/local/etc/rc.d/apache2

12 Securing Servers in Compliance with PCI Data Security Standard Securing Microsoft Windows-Based Servers This section describes the steps that you should perform if you want to secure your server and achieve compliance with PCI DSS on a Microsoft Windows-based server. To prohibit access to MySQL database server from external addresses, use the firewall that comes with your Parallels Plesk Panel for Windows: 1. Log in to the Panel as administrator. 2. Click the Settings link in the navigation pane. 3. Click Manage Firewall Rules. 4. Click Switch On. To switch off weak SSL ciphers for Web server in Parallels Panel for Microsoft Windows Server 2003 and 2008: 1. Copy the following text to the clipboard: REGEDIT4 \SCHANNEL\Protocols\PCT 1.0] \SCHANNEL\Protocols\PCT 1.0\Server] \SCHANNEL\Protocols\SSL 2.0] \SCHANNEL\Protocols\SSL 2.0\Server] \SCHANNEL\Ciphers] \SCHANNEL\Ciphers\DES 56/56] \SCHANNEL\Ciphers\NULL] \SCHANNEL\Ciphers\RC2 128/128] \SCHANNEL\Ciphers\RC2 40/128] \SCHANNEL\Ciphers\RC2 56/128] \SCHANNEL\Ciphers\RC4 128/128]

Securing Servers in Compliance with PCI Data Security Standard 13 \SCHANNEL\Ciphers\RC4 40/128] \SCHANNEL\Ciphers\RC4 56/128] \SCHANNEL\Hashes] \SCHANNEL\Hashes\MD5] 2. Log in to the server over a Remote Desktop connection. 3. When in the server s operating system, open Notepad or any other text editor, and create a file with the reg extension. 4. Paste the text from the clipboard into this file. 5. Save the file. 6. Double-click the file to open it. 7. When prompted, confirm addition of new keys to the registry. 8. Restart the operating system. Note: Some applications on the server that use weak SSL ciphers and protocols may stop working. To conceal the version of PHP installed on the server: 1. Open for editing the following files: c:\program Files\Parallels\Plesk\Additional\PleskPHP5\php.ini. c:\windows\php.ini. c:\inetpub\vhosts\webmail\horde\php.ini. 2. Locate the lines expose_php = On. 3. Change On to Off. 4. Save the files. 5. Restart the IIS Web server.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information