PCI compliance – a basic HOWTO


A lot of people want to be PCI compliant these days, and this is generally a good thing. PCI compliance is not just a server spec; it is a set of procedures, policies and controls over who can access cardholder data, so the server side is only one part of the process.
It can be expensive and time consuming to get there, so I thought I would go over a few of the basics on a very basic server setup.

First up: know what you need to do. Read up on your obligations at https://www.pcisecuritystandards.org/

Things you will probably need to do…

Get an SSL certificate

Buy an SSL certificate from a recognised CA: a self-signed one will fail the scan. The same certificate is used by Apache, Webmin, Tomcat, IMAP, POP or anything else that speaks SSL/TLS. Ideally get a wildcard for *.yourdomain.com plus one for yourdomain.com itself (a wildcard does not match the bare domain); between them they cover every hostname you are likely to need. We can provide you with an SSL certificate for $20, and install it for another $20 (total of $40), just fill in this form https://rimuhosting.com/ticket/enterticketdetails.jsp?t_type=TT_SSL_CERT

Apache
Add these lines to your /etc/httpd/conf/httpd.conf, or on Debian to /etc/apache2/apache2.conf (better still, to the SSL virtual host under /etc/apache2/sites-available/):

SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

That turns off SSLv2 and the anonymous and null ciphers, which is what scanners looked for when this was written. PCI DSS 3.1 and later also forbid SSLv3 and "early TLS" (TLS 1.0), so on a current scan add -SSLv3 -TLSv1 to the SSLProtocol line as well (only if your Apache and OpenSSL support TLS 1.1 or 1.2, otherwise you would lock everyone out).

You will also want to enforce HTTPS for logins across the whole site. You can do this in code (many pre-made CMSs do this already) or in .htaccess/the Apache config with mod_rewrite, like this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The [L,R=301] flags make it a permanent external redirect and stop further rules from running on the same request. Bear in mind the redirect only kicks in after the browser has already sent the plaintext request, so session cookies should also carry the Secure flag so they are never sent over http://.

Postfix (SMTP)

Edit /etc/postfix/main.cf and add or adjust:

smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high

smtpd_tls_mandatory_ciphers takes exactly one grade (export, low, medium, high or null). A comma-separated pair such as "medium, high" is not valid and, as a reader points out in the comments, makes Postfix silently fall back to export-grade ciphers. Note also that the mandatory_* settings only apply when TLS is enforced (smtpd_tls_security_level = encrypt); an internet-facing MX normally runs opportunistic TLS, where smtpd_tls_protocols and smtpd_tls_ciphers (Postfix 2.6 and later) are the settings that matter. On a current scan exclude SSLv3 too, i.e. !SSLv2, !SSLv3 rather than the allow-list above.

Dovecot (IMAP/POP)
Add this line to /etc/dovecot.conf (Dovecot 1.x) or /etc/dovecot/dovecot.conf:

ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

This is an OpenSSL cipher string: !SSLv2 removes the SSLv2 cipher suites and the + entries only move suites to the end of the preference list, so it does not on its own switch off a protocol version. On Dovecot 2.x use ssl_protocols = !SSLv2 !SSLv3 (ssl_min_protocol on 2.3) for that.

Then either stop Dovecot listening on the dedicated IMAPS (993) and POPS (995) ports, so that clients use STARTTLS on 143 and 110 instead; on Dovecot 1.x edit the protocols line to read

protocols = imap pop3

or keep those ports and point Dovecot at the certificate you bought:

ssl_cert_file = /etc/ssl/certs/domain.crt
ssl_key_file = /etc/ssl/keys/domain.key

(Dovecot 2.x spells these ssl_cert = </etc/ssl/certs/domain.crt and ssl_key = </etc/ssl/keys/domain.key.) This uses the same certificate as Apache; if your CA supplied intermediate certificates, append them after your own certificate in a single file, much as the Tomcat setup does. It also pays to make sure the key is root:root 0400 (see http://wiki.dovecot.org/SSL/DovecotConfiguration for more).

SSH
Edit /etc/ssh/sshd_config and make sure you have

Protocol 2

(that line only exists on OpenSSH before 7.4; later releases removed SSHv1 altogether). For basic security you should also use SSH keys rather than passwords, and once your key works set PasswordAuthentication no so brute-forcing is pointless. Moving SSH off port 22 is optional; it cuts down the scanner noise in your logs but is not a security control in itself.

PROFTPD
Edit /etc/proftpd.conf or /etc/proftpd/proftpd.conf and check that the mod_tls section (the one containing TLSEngine on) has

TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

(the directive is TLSCipherSuite; ProFTPD will refuse to start on an unknown directive name, and protocol versions are controlled separately with TLSProtocol). There is a good document about setting up your SSL certificate here http://www.proftpd.org/docs/howto/TLS.html

VSFTP
To enable TLS on vsftpd, edit /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf and add

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

force_local_data_ssl and force_local_logins_ssl must be YES: with them set to NO, TLS is merely offered and a client can still log in and transfer files in the clear, which is exactly what a PCI scan will flag. rsa_cert_file should be your purchased certificate in PEM form (the key can live in the same file or be given with rsa_private_key_file).

Webmin
Go to Webmin → Webmin Configuration → SSL Encryption
Edit the setting for “Allowed SSL ciphers” and set it to:

HIGH:-SSLv2:-aNULL

MySQL
You should not run MySQL on an open port; it should listen on localhost (or a private interface) only. Open /etc/my.cnf or /etc/mysql/my.cnf and make sure the [mysqld] section has

bind-address = 127.0.0.1

If nothing needs TCP access at all (PHP on the same box can use the Unix socket), skip-networking removes the listener entirely.
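
Before restarting anything, it is worth checking the files you just edited for the mistakes this post warns about. The script below is an added example, not part of the original post or of any of the projects named here: it greps each config for the relevant directive and prints one line per problem. The function names, the messages and the constructed demo files are its own; it deliberately flags the "medium, high" Postfix cipher setting a commenter caught, the plaintext-fallback vsftpd settings, and the Dovecot key-file permissions mentioned above.

```shell
#!/bin/sh
# Added example, not part of the original post: a read-only audit of the
# files edited in this HOWTO for the weak settings it warns about. Each
# audit_* function takes a path and prints one finding per line; no output
# means that file passed. Function names and messages are this example's own.

# conf_value FILE KEY -> value of the last uncommented "KEY = value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# has_directive FILE REGEX -> true if an uncommented line starts with REGEX
has_directive() {
    grep -Eiq "^[[:space:]]*$2" "$1"
}

audit_apache() {
    has_directive "$1" 'SSLProtocol[[:space:]].*-SSLv2' ||
        echo "apache: SSLProtocol does not disable SSLv2"
    has_directive "$1" 'SSLProtocol[[:space:]].*-SSLv3' ||
        echo "apache: SSLProtocol still allows SSLv3 (PCI DSS 3.1 and later forbid it)"
    has_directive "$1" 'SSLCipherSuite[[:space:]].*!aNULL' ||
        echo "apache: SSLCipherSuite does not exclude anonymous (aNULL) ciphers"
    return 0
}

audit_postfix() {
    # smtpd_tls_mandatory_ciphers takes ONE grade; "medium, high" is invalid (see comment 4: it falls back to EXPORT)
    case "$(conf_value "$1" smtpd_tls_mandatory_ciphers)" in
        high|medium) ;;
        '') echo "postfix: smtpd_tls_mandatory_ciphers is not set" ;;
        *)  echo "postfix: smtpd_tls_mandatory_ciphers must be a single grade (use high)" ;;
    esac
    # Protocols are either an allow-list ("SSLv3, TLSv1") or exclusions ("!SSLv2, !SSLv3").
    val=$(conf_value "$1" smtpd_tls_mandatory_protocols)
    case "$val" in
        *'!'*)  case "$val" in *'!SSLv2'*) ;; *) echo "postfix: SSLv2 is not excluded" ;; esac
                case "$val" in *'!SSLv3'*) ;; *) echo "postfix: SSLv3 is not excluded" ;; esac ;;
        *SSLv*) echo "postfix: smtpd_tls_mandatory_protocols allows '$val'; drop the SSLv entries" ;;
        '')     echo "postfix: smtpd_tls_mandatory_protocols is not set (old releases then allow SSLv2)" ;;
    esac
    return 0
}

audit_vsftpd() {
    [ "$(conf_value "$1" ssl_enable)" = YES ] || echo "vsftpd: ssl_enable is not YES"
    for k in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_value "$1" $k)" = YES ]; then echo "vsftpd: $k=YES enables a retired protocol"; fi
    done
    # Offering TLS is not enough: force_local_*_ssl=NO still lets a client log in and transfer in plaintext.
    for k in force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_value "$1" $k)" = NO ]; then echo "vsftpd: $k=NO permits plaintext fallback"; fi
    done
    return 0
}

audit_mysql() {
    val=$(conf_value "$1" bind-address)
    case "$val" in
        127.0.0.1|::1|localhost) ;;
        '') has_directive "$1" 'skip-networking' ||
                echo "mysql: neither bind-address nor skip-networking set; listening on all interfaces" ;;
        *)  echo "mysql: bind-address is $val, expected 127.0.0.1" ;;
    esac
    return 0
}

audit_sshd() {
    # Protocol only matters on OpenSSH < 7.4; later releases removed SSHv1 entirely.
    has_directive "$1" 'Protocol[[:space:]]+2[[:space:]]*$' || echo "sshd: Protocol is not exactly 2"
    has_directive "$1" 'PasswordAuthentication[[:space:]]+no' ||
        echo "sshd: PasswordAuthentication is not no; key-only login is not enforced"
    return 0
}

audit_dovecot() {
    case "$(conf_value "$1" ssl_cipher_list)" in
        *'!SSLv2'*) ;;
        *) echo "dovecot: ssl_cipher_list does not exclude SSLv2 suites" ;;
    esac
    # The key must be root:root 0400 (1.x: ssl_key_file = path, 2.x: ssl_key = <path).
    key=$(conf_value "$1" ssl_key_file)
    [ -n "$key" ] || key=$(conf_value "$1" ssl_key | sed 's/^<//')
    if [ -n "$key" ] && [ -f "$key" ]; then
        case "$(ls -ld "$key" | cut -c5-10)" in
            ------) ;;
            *) echo "dovecot: $key is readable by group or others; chmod 0400 it" ;;
        esac
    fi
    return 0
}

# Demo on constructed copies of the snippets in this post (not your real files).
demo=$(mktemp -d)
printf 'SSLProtocol ALL -SSLv2\nSSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL\n' > "$demo/httpd.conf"
printf 'smtpd_tls_mandatory_protocols = SSLv3, TLSv1\nsmtpd_tls_mandatory_ciphers = medium, high\n' > "$demo/main.cf"
printf 'ssl_enable=YES\nforce_local_data_ssl=NO\nforce_local_logins_ssl=NO\nssl_sslv2=NO\nssl_sslv3=NO\n' > "$demo/vsftpd.conf"
audit_apache "$demo/httpd.conf"; audit_postfix "$demo/main.cf"; audit_vsftpd "$demo/vsftpd.conf"
rm -rf "$demo"
```

On a real box call the functions against the live paths (audit_postfix /etc/postfix/main.cf, audit_mysql /etc/my.cnf and so on). The demo run prints the SSLv3 warning for the Apache lines, two Postfix findings (the invalid cipher grade and the SSLv3 allow-list) and two vsftpd findings for the force_local_*_ssl=NO lines; a file with no problems prints nothing.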

Once you have changed all these things, restart the affected services with
service servicename restart

e.g.
service postfix restart
Alternatively, just reboot! Either way, check afterwards that each service actually came back up; a typo in one of these files will usually stop the daemon from starting at all.

Now to test them, you can use something like this

openssl s_client -connect HOSTNAME:PORT -ssl2

If the handshake completes and you receive the certificate and a ton of other lines, you still have SSLv2 enabled; a handshake error with no certificate means it is off. Two caveats. For SMTP, IMAP, POP3 and FTP, which negotiate TLS in-band, add -starttls smtp (or imap, pop3, ftp) so s_client gets past the plaintext banner first. And recent OpenSSL builds have dropped SSLv2 (and SSLv3) entirely, so s_client rejects -ssl2 as an unknown option, which tells you nothing about the server; test from a machine whose openssl still has it, or use a scanner that does. Repeat the check with -ssl3 (and, for a current scan, -tls1), since those versions are now banned as well.
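
The s_client check above has to be repeated per service and its output read correctly, so here is an added example (not from the original post) that wraps it: it probes each service in a small table with the protocol you name, adds -starttls for the protocols that need it, and classifies the transcript instead of relying on eyeballing it. The service table, the verdict() categories and the hostname in the usage comment are this example's own; the only thing assumed on the box is the openssl binary.

```shell
#!/bin/sh
# Added example, not from the original post: run the s_client check above
# against every service at once, adding -starttls where the protocol needs
# it, and classify each result. The table and verdict names are this
# example's own conventions.

# name port starttls   ('-' means TLS from the first byte; no STARTTLS step)
SERVICE_TABLE='
https 443 -
webmin 10000 -
smtp 25 smtp
imap 143 imap
pop3 110 pop3
ftp 21 ftp
'

# verdict TRANSCRIPT -> accepted | refused | unreachable | inconclusive
# accepted:     handshake completed and a certificate came back, so the server
#               really speaks that protocol (the failing case for the scan)
# inconclusive: the LOCAL openssl lacks the option (newer builds drop -ssl2 and
#               -ssl3), so "no certificate" here proves nothing about the server
verdict() {
    case "$1" in
        *"unknown option"*|*"Unknown option"*)    echo inconclusive ;;
        *"connect:errno"*|*"Connection refused"*) echo unreachable ;;
        *"BEGIN CERTIFICATE"*)                     echo accepted ;;
        *)                                         echo refused ;;
    esac
}

# probe_one HOST PORT PROTO STARTTLS -> raw s_client transcript (stdin is closed
# so s_client exits as soon as the handshake succeeds or fails)
probe_one() {
    if [ "$4" = "-" ]; then
        openssl s_client -connect "$1:$2" "-$3" </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" "-$3" -starttls "$4" -crlf </dev/null 2>&1
    fi
}

# probe HOST PROTO -> one "name port verdict" line per service
probe() {
    echo "$SERVICE_TABLE" | while read -r name port starttls; do
        [ -n "$name" ] || continue
        echo "$name $port $(verdict "$(probe_one "$1" "$port" "$2" "$starttls")")"
    done
}

# Usage: sh probe.sh HOST [PROTO]   e.g.  sh probe.sh shop.example.com ssl3
# (shop.example.com is a placeholder; PROTO defaults to ssl3, try ssl2 and tls1 too)
if [ $# -ge 1 ]; then
    probe "$1" "${2:-ssl3}"
fi
```

Anything that comes back "accepted" is a finding; "inconclusive" means run the check again from a box whose openssl still supports that protocol, because the post's rule of "no certificate, so it is off" does not hold there.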

Many customers use a ‘PCI compliance testing’ service. There are a number of these companies out there; just google for them. Feel free to post your feedback on each as a comment here on this post.

We are happy to help you sort any PCI compliance problems out, and even talk direct with your PCI compliance tester to get things sorted.


4 responses to “PCI compliance – a basic HOWTO”

  1. “Now to test them, you can use something like this
    openssl s_client -connect HOSTNAME:PORT -ssl2”

    For “smtp”, “pop3”, “imap”, and “ftp” you might want to use the following: -starttls

    E.g. openssl s_client -starttls smtp -crlf -connect HOSTNAME:PORT

  2. Does anyone know why some merchants charge a PCI insurance fee? What does this insurance cover and is it necessary?

    Thank you

  3. @Ryan, not sure, your best bet would be to check with your merchant to find out the details of that, since the exact details may vary.

  4. Thanks for this, I found the guide generally helpful.

    One issue, though:

    smtpd_tls_mandatory_ciphers = medium, high

    is invalid and will cause postfix (at least 2.3 in RHEL5) to fall back to EXPORT. Set either:

    smtpd_tls_mandatory_ciphers = medium

    or

    smtpd_tls_mandatory_ciphers = high

    probably the latter for PCI compliance requirements.