PCI Updates that ‘might’ help your system pass TrustWave scans

I have written another article of Apache commands that might make a website more PCI compliant.

This is another task based on that article, but it goes a little further to address some additional security scans that TrustWave runs.

In addition to the configuration in apache2.conf, you should also put some items into your .htaccess file.

If your site listens on both port 80 and 443, make sure you redirect all port 80 requests to 443 so scanners don't bark about you allowing non-secure access to the site. One caveat: if TLS is terminated on a load balancer in front of Apache, every request reaches Apache on port 80, the condition below is always true and the redirect loops; in that setup key the condition on the X-Forwarded-Proto header the balancer adds instead of SERVER_PORT.

RewriteEngine On
# anything that did not arrive on 443 goes to the same host over https
RewriteCond %{SERVER_PORT} !^443$
# ^/? matches in a VirtualHost (path has a leading slash) and in .htaccess (it does not);
# use R=302 while testing, R=301 once you are sure
RewriteRule ^/?(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]


If you have an FTP server that is open to all IP addresses, consider locking it down to the addresses of specific developers (if you don't have a static IP address, get one!). The block below is ProFTPD syntax. Keep in mind that plain FTP sends credentials and data in the clear, which scanners also flag; SFTP over the SSH port you already restrict to developer IPs avoids the whole issue.

# ProFTPD: with Order allow,deny the Allow lines are checked first,
# anything that matches none of them falls through to DenyAll
<Limit LOGIN>
 Order allow,deny
 Allow from w.x.y.z/32
 Allow from w.x.y.0/24
 DenyAll
</Limit>

You will want to make sure you have already installed firewall rules which limit these services to only your IP addresses, as in the iptables post further down this page.

Make sure you install or upgrade to the latest apache2 package (as of 10/15 the minimum needed to pass the tests was 2.2.31). Note that on Ubuntu the apache2 package carries backported security fixes under the distribution's older version number, so a scanner that reads the version out of the Server banner may still flag it; hiding the version (ServerTokens, below) or sending the ASV the package changelog showing the fixes usually resolves that.

apt-get update
apt-get install apache2   # upgrades the package if it is already installed

Update your Apache configuration so it does not expose the Apache version. On Ubuntu, put these in /etc/apache2/conf-enabled/security.conf rather than apache2.conf: security.conf ships with ServerTokens OS and ServerSignature On, and apache2.conf includes it near the end, so it would override the same directives placed earlier in apache2.conf.

ServerTokens ProductOnly
ServerSignature Off

Update your SSL cipher settings to exclude some additional ciphers that are considered insecure. On Ubuntu, SSLCipherSuite and SSLProtocol are already set in /etc/apache2/mods-enabled/ssl.conf, and any copy inside an SSL VirtualHost wins over the server-wide value, so set them in ssl.conf (or in every SSL VirtualHost) rather than in apache2.conf, and verify with openssl s_client afterwards.

# each !name entry is a permanent removal, so !RC4 also cancels the EECDH+aRSA+RC4 group listed before it
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !ECDHE-RSA-AES256-SHA !DHE-RSA-AES128-SHA !DHE-RSA-SEED-SHA !DHE-RSA-CAMELLIA128-SHA !ECDHE-RSA-RC4-SHA !DHE-RSA-AES256-SHA !DHE-RSA-CAMELLIA256-SHA !ECDHE-RSA-AES128-SHA !RC4-SHA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Note: the SSL cipher list above was generated from a list that was created for a previous article on Apache updates. At the time, that article helped pass a different PCI scan. Since this PCI scan is newer and obviously more in depth, the list of excluded ciphers has grown.

I came up with the list above by reading the 'Evidence' column of the TrustWave report and then specifically excluding each listed cipher by putting an ! in front of its name. As new reports come out and additional ciphers are marked insecure, we will add them to the Apache files in the same way:

(screenshot of the TrustWave report, showing the Evidence column, not reproduced here)
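Rather than trusting the report alone, expand the cipher string with the OpenSSL on the server and confirm the flagged names are really gone. The script below is an added example, not code from the original post: it expands the list above with openssl ciphers (Apache hands the string to OpenSSL unchanged, and OpenSSL accepts spaces or colons as separators) and fails if any name passed to suite_excludes is still enabled. It assumes an openssl binary on the path; the five names it checks are ones this list removes explicitly or through !3DES. Run it against the older list in the Apache commands post further down, on an OpenSSL build that still has RC4 compiled in, and the RC4 suites come back, which is exactly what the newer scan flagged.

```shell
#!/bin/sh
# Added example (not from the original post): expand an SSLCipherSuite string
# with the local OpenSSL and check that the ciphers a scanner flagged are gone.
# Assumes an `openssl` binary on PATH. The string is the one from the post.

SUITE='EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !ECDHE-RSA-AES256-SHA !DHE-RSA-AES128-SHA !DHE-RSA-SEED-SHA !DHE-RSA-CAMELLIA128-SHA !ECDHE-RSA-RC4-SHA !DHE-RSA-AES256-SHA !DHE-RSA-CAMELLIA256-SHA !ECDHE-RSA-AES128-SHA !RC4-SHA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'

# Apache's space-separated form and OpenSSL's colon-separated form are equivalent;
# convert anyway so the string reads the way the openssl(1) man page shows it.
to_openssl() { printf '%s' "$1" | tr ' ' ':'; }

# Print the cipher names a suite string actually enables, one per line.
# Exits non-zero (OpenSSL: "Error in cipher list") if nothing survives.
expand_suite() { openssl ciphers "$(to_openssl "$1")" | tr ':' '\n'; }

# suite_excludes SUITE NAME... : exit 0 when none of NAME... (spelled as in the
# report's Evidence column) is enabled by SUITE, 1 if one is, 2 if openssl failed.
suite_excludes() {
  suite=$1; shift
  enabled=$(expand_suite "$suite") || return 2
  for c in "$@"; do
    if printf '%s\n' "$enabled" | grep -qx -- "$c"; then
      echo "still enabled: $c" >&2
      return 1
    fi
  done
  return 0
}

# Number of enabled ciphers; a sanity check that the string is not empty.
suite_count() { expand_suite "$1" | wc -l | tr -d ' '; }

# Usage: show what survives, then check the names the report listed.
expand_suite "$SUITE"
suite_excludes "$SUITE" ECDHE-RSA-RC4-SHA RC4-SHA DHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DES-CBC3-SHA \
  && echo "flagged ciphers are excluded"
```

Unknown names in a cipher string are silently ignored by OpenSSL, so a typo in a !name entry does not fail the config; this check is the only way to notice it. On OpenSSL 1.1.1 and later the output also lists the TLS 1.3 suites, which SSLCipherSuite does not control.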

apache commands that ‘might’ make your server more PCI compliant

Add the following commands to your Apache configuration file to help make it more PCI compliant.

# needs mod_rewrite (a2enmod rewrite)
RewriteEngine On

# refuse TRACE and TRACK (cross-site tracing); TraceEnable Off (Apache 2.0.55+)
# does the same for TRACE without mod_rewrite
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F]

# PCI DSS 3.1 (April 2015) retired SSL and early TLS, and since 30 June 2018 ASV
# scans also fail TLS 1.0 and 1.1, so on a current scan add -TLSv1 -TLSv1.1 as well
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
# RC4 was still allowed here; the newer TrustWave scan flagged it, and the list in
# the TrustWave post at the top of this page removes it
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Update: I have made some new notes in another blog post (the TrustWave post at the top of this page) on requirements that helped a client pass an additional TrustWave test.

ip tables commands which ‘might’ make your firewall PCI compliant

This is a list of the iptables commands that will set up a minimal firewall which 'might' be PCI compliant.

This is primarily here to remind me, so I have a reference in the future.

I also open FTP and SSH to a single developer IP, and port 5666 (the Nagios NRPE default) to a single monitoring server. The format is simple and can easily be changed for other services.

Be sure to replace 'my.ip' with your development IP, and 'monitoring.ip' with

This is on an Ubuntu Linux machine (of course).

apt-get install iptables iptables-persistent
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# admin services only from your static IPs (/32 = a single host)
iptables -A INPUT -p tcp --dport 22 -s my.ip/32 -j ACCEPT
# passive FTP data connections only match RELATED with the nf_conntrack_ftp helper loaded
iptables -A INPUT -p tcp --dport 21 -s my.ip/32 -j ACCEPT
iptables -A INPUT -p tcp --dport 5666 -s monitoring.ip/32 -j ACCEPT
# ICMP timestamp requests (clock disclosure) have to be dropped before the
# catch-all REJECT below, otherwise this rule is never reached
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
# public web ports; HTTP and HTTPS are TCP only, so no UDP rules are needed
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-unreachable
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

# drop packets with illegal TCP flag combinations (nmap SYN/FIN, null and xmas probes)
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# persist; iptables-persistent reloads this file at boot
iptables-save > /etc/iptables/rules.v4
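The same firewall in the file format iptables-restore reads, as an added example rather than the commands from the original post. Writing it this way loads the whole ruleset atomically (no window where half the rules are in place), puts the ICMP timestamp drop where it is actually reached, and attaches the FTP connection-tracking helper, without which passive FTP data connections from the developer IP are rejected by the catch-all rule. 203.0.113.10 and 203.0.113.20 are placeholder addresses for the developer and monitoring hosts, and timestamp_before_reject is a small check written for this example, not part of any tool.

```shell
#!/bin/sh
# Added example (not from the original post): the post's firewall as an
# iptables-restore file. DEV_IP and MON_IP are placeholders (TEST-NET-3).

DEV_IP=${DEV_IP:-203.0.113.10}    # assumption: your static developer IP
MON_IP=${MON_IP:-203.0.113.20}    # assumption: your monitoring server

# gen_rules DEV MON : print the ruleset for iptables-restore on stdout
gen_rules() {
  dev=$1; mon=$2
  cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# illegal TCP flag combinations used by nmap SYN/FIN, null and xmas probes
-A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# attach the FTP helper so passive data connections become RELATED
# (needs nf_conntrack_ftp loaded; kernels since 4.7 do not auto-assign helpers)
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP timestamp requests leak the system clock; this must precede the REJECT
-A INPUT -p icmp --icmp-type timestamp-request -j DROP
-A INPUT -p tcp --dport 22 -s $dev/32 -j ACCEPT
-A INPUT -p tcp --dport 21 -s $dev/32 -j ACCEPT
-A INPUT -p tcp --dport 5666 -s $mon/32 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-unreachable
-A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
COMMIT
EOF
}

# rule_line RULESET PATTERN : line number of the first rule containing PATTERN
# (literal match), empty if absent
rule_line() { printf '%s\n' "$1" | grep -nF -- "$2" | head -n 1 | cut -d: -f1; }

# timestamp_before_reject RULESET : exit 0 when the timestamp drop comes before
# the catch-all REJECT in the same chain, the ordering the post's commands got wrong
timestamp_before_reject() {
  t=$(rule_line "$1" 'timestamp-request -j DROP')
  r=$(rule_line "$1" '-j REJECT')
  [ -n "$t" ] && [ -n "$r" ] && [ "$t" -lt "$r" ]
}

# Usage: review the output, then load it and persist it:
#   modprobe nf_conntrack_ftp
#   printf '%s\n' "$RULES" > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
RULES=$(gen_rules "$DEV_IP" "$MON_IP")
printf '%s\n' "$RULES"
timestamp_before_reject "$RULES" && echo "rule order ok"
```

iptables-restore replaces the tables named in the file in one transaction, so a typo fails the whole load and leaves the previous rules in place, which is safer than a script that stops half way. The file written to /etc/iptables/rules.v4 is what iptables-persistent reloads at boot; the nf_conntrack_ftp module still has to be loaded at boot as well (for example via /etc/modules).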


PCI SAQ Security Links

A couple of Google searches will turn up the forms you need to fill out the SAQ as a self-reporting web hosting company, but it took me a little while to put them all together.

I am not a PCI security consultant, so don't take this as any kind of gospel, but here are the forms I found that I needed.

To fill out the Attestation of Compliance for SAQ D v3.0 for Service Providers, get the form here:
https://www.pcisecuritystandards.org/documents/SAQ_D_v3_ServiceProvider.pdf

If you are not a service provider, you need one of the merchant SAQs instead; the quick reference guide below explains which one applies to how you handle card data.

For a quick reference, see their guide here:
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

The PCI DSS Glossary has details of many of the items mentioned in the form

https://www.pcisecuritystandards.org/security_standards/glossary.php
