PCI compliance is a constantly moving target because security threats are not static. Hackers are continually searching for new ways to exploit your servers and obtain access to your sensitive files and any financial data you may be storing on your ecommerce server. To remain compliant with your credit card processing company, you will need to become PCI compliant. Netsonic can help.

PCI compliance scans commonly fail due to weak SSL ciphers and older protocols. In order to become PCI compliant under CPanel, you will need to change the way CPanel handles its encryption over various protocols.

Apache

To become fully compliant, the SSLV2 and other weak ciphers will need to be disabled. First log into your CPanel WHM panel..

Edit the Apache configuration: Click from the left navigation menu Main >> Service Configuration >> Apache Configuration >> Global Configuration and enter the following into the SSLCipherSuite section

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP Search for the TraceEnable option and set it to Off. Do the same for the ServerSignature statement. Find the ServerTokens statement and set it to ProductOnly and the FileEtag statement should be set to None and click Save.

Then click the Rebuild Configuration and Restart Apache button.

Click back into the Apache Configuration link and into the Include Editor. Select All Versions from the Pre VirtualHost Include section and insert the following code into the textbox-

SSLProtocol all -SSLv2 ..and click the Update button and then the Restart Apache button.

CPanel

OpenSSL is used by CPanel to handle its SSL connections but unfortunately, there is no configuration option to adjust how it runs. Stunnel is an SSL service wrapper that handles SSL functions for the programs that use TCP connections inside CPanel. Stunnel is basically a relay for connections made to a port on your CPanel server. An incoming TCP connection is made to your server and Stunnel grabs and relays that connection to the destination port while inserting the proper SSL security. This allows non-SSL enabled ports to be easily SSL enabled.

SSH into your CPanel server and become the root user.

Edit the /var/cpanel/cpanel.config file. Find the statement nativessl=1 statement and change it to nativessl=0. Update the Stunnel configuration file /usr/local/cpanel/etc/stunnel/default/stunnel.conf and add this: options = NO_SSLv2 right below the Authentication statement. On the next line should be an Options statement where you will add: ciphers = !LOW:MEDIUM:HIGHThis will instruct Stunnel to not use low level encryption ciphers. Once you have made the above changes, restart CPanel via -
/etc/init.d/cpanel restart

Testing Your Work

To test whether Apache is now using more secure SSL ciphers that PCI compliance requires, run the following command curl -Iv --ciphers 'LOW' https://your_server_ip If you receive an error back when running the command, this means a connection could not be made using weak ciphers. This is a good thing!

You should now test a few of the websites your server is hosting to make sure they appear to be displaying correctly. If so, you are ready for a PCI compliance scan. Because server security is a moving target, there may be additional updates you will to do need to further secure the server after you receive your scan results.

Back to Part 1 of the Making CPanel PCI Compliant tutorial.

For World Class Web Hosting as well as CPanel and Plesk Servers, visit us at www.netsonic.net