Making cPanel PCI Compliant: Part 1


Netsonic Cloud, VPS, Dedicated and Shared Web Site Hosting


The Payment Card Industry Security Standards Council has released version 2.0 of the PCI DSS standard, so it is important to update your Linux server to become PCI compliant under the new rules. This outline assumes you are using the CentOS operating system (the commands are similar on Red Hat Enterprise Linux [RHEL] and Fedora). After going through the following steps your operating system will be updated to the most current version. Be sure you have a current and complete backup of your entire server before upgrading your OS.

Upgrade your OS

yum -y update

This upgrades your server without asking for confirmation as it proceeds. You may need to reboot afterwards, and you must do so if a new kernel was installed. It is best to reboot after this upgrade to make sure everything works before moving on.

Install a firewall (Optional)

cd /tmp
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xzf apf-current.tar.gz
rm -f apf-current.tar.gz
cd apf-0*
sh ./install.sh
Edit the config file /etc/apf/allow_hosts.rules and enter your PC's IP address at the bottom of the file. This gives that PC unfiltered SSH access to the server you are securing, which matters if you accidentally insert a rule that blocks too aggressively and locks you out of your own server. Insert the following:
Now edit the config file /etc/apf/conf.apf. Search for the DEVEL_MODE section and set it to DEVEL_MODE="0". (While DEVEL_MODE is 1, APF flushes its rules from cron every five minutes so a bad rule cannot lock you out for long; set it to 0 only once you have confirmed you can still log in with the firewall running.) Then search for the ingress TCP ports section labeled IG_TCP_CPORTS and replace everything between the quotes with the following ports, which cPanel needs open to operate (3000_3500 is APF's notation for the port range 3000 to 3500):
21,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2089,2095,2096,2200,6666,7786,3000_3500
Now search for the ingress UDP ports section labeled IG_UDP_CPORTS and replace everything between the quotes with the following:
53
Search for the egress TCP ports section labeled EG_TCP_CPORTS and replace everything between the quotes with the following:
21,25,37,43,53,80,110,113,123,443,873,2089,3306
Search for the egress UDP ports section labeled EG_UDP_CPORTS and replace everything between the quotes with the following:
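The allow_hosts.rules and conf.apf edits above can also be applied from a script, which makes it easy to diff the result before APF is restarted. The following is an added example, not code from the tutorial or from the APF project; the function names (apf_set, apf_get, apf_allow, apf_harden) are mine, it assumes the stock VAR="value" layout of conf.apf, and the demo at the bottom runs against a constructed copy in a temp file rather than the real files under /etc/apf. The IP 203.0.113.10 is a documentation address standing in for your own workstation.

```shell
#!/bin/sh
# Added example, not part of the Netsonic tutorial: applies the conf.apf and
# allow_hosts.rules edits with sed/grep instead of a text editor. File paths
# default to the real ones; the demo below uses a constructed copy in /tmp.

# apf_set VAR VALUE [FILE]: rewrite the line VAR="..." so it reads VAR="VALUE".
# Fails if VAR does not occur, so a mistyped name does not silently do nothing.
apf_set() {
    var=$1; val=$2; file=${3:-/etc/apf/conf.apf}
    grep -q "^${var}=\"" "$file" || { echo "$var not found in $file" >&2; return 1; }
    sed -i "s|^${var}=\".*\"|${var}=\"${val}\"|" "$file"
}

# apf_get VAR [FILE]: print the value currently between the quotes.
apf_get() {
    sed -n "s|^$1=\"\(.*\)\"|\1|p" "${2:-/etc/apf/conf.apf}"
}

# apf_allow IP [FILE]: append IP to allow_hosts.rules once (idempotent), so the
# admin workstation keeps SSH access even if a later rule is too aggressive.
apf_allow() {
    ip=$1; file=${2:-/etc/apf/allow_hosts.rules}
    grep -qxF "$ip" "$file" 2>/dev/null || printf '%s\n' "$ip" >> "$file"
}

# apf_harden [FILE]: the conf.apf values listed in the tutorial. Port lists are
# written without spaces; 3000_3500 is APF's syntax for a port range.
apf_harden() {
    file=${1:-/etc/apf/conf.apf}
    apf_set DEVEL_MODE 0 "$file" &&
    apf_set IG_TCP_CPORTS "21,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2089,2095,2096,2200,6666,7786,3000_3500" "$file" &&
    apf_set IG_UDP_CPORTS "53" "$file" &&
    apf_set EG_TCP_CPORTS "21,25,37,43,53,80,110,113,123,443,873,2089,3306" "$file"
}

# Demo on a constructed sample (the stock file uses the same VAR="value" layout).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed conf.apf fragment
DEVEL_MODE="1"
IG_TCP_CPORTS="22"
IG_UDP_CPORTS=""
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
EOF
apf_harden "$SAMPLE"
echo "DEVEL_MODE now: $(apf_get DEVEL_MODE "$SAMPLE")"
echo "IG_TCP_CPORTS now: $(apf_get IG_TCP_CPORTS "$SAMPLE")"
rm -f "$SAMPLE"
```

EG_UDP_CPORTS is set the same way with apf_set once you have the value for it. Because apf_set refuses to touch a variable that is not already in the file, a typo in a variable name surfaces as an error instead of leaving the old port list silently in place; run `apf -r` afterwards to load the new rules, and keep your current SSH session open until a fresh login has succeeded.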

Disable SSHv1 in SSHd

Edit your /etc/ssh/sshd_config file and disable SSH version 1.
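In sshd_config this is the Protocol directive: SSH version 1 is disabled when it reads "Protocol 2". The following is an added example, not part of the tutorial, that audits a config file for the v1 setting and rewrites it; the function names sshv1_enabled and sshv1_disable are mine, and the demo runs on a constructed fragment in a temp file rather than on /etc/ssh/sshd_config. It treats a missing Protocol line as unsafe, since OpenSSH releases before 5.4 defaulted to "2,1" when the directive was absent.

```shell
#!/bin/sh
# Added example, not part of the Netsonic tutorial: audits an sshd_config for
# SSH protocol 1 and pins "Protocol 2". Run it on a copy first, then against
# /etc/ssh/sshd_config; the demo below uses a constructed file in /tmp.

# sshv1_enabled FILE: succeed (exit 0) when the effective Protocol setting still
# admits version 1. sshd honours the first uncommented directive, and OpenSSH
# before 5.4 defaulted to "2,1" when the directive was absent, so a missing
# line is reported as v1 still enabled rather than as safe.
sshv1_enabled() {
    proto=$(sed -n 's/^[[:space:]]*[Pp]rotocol[[:space:]]\{1,\}\(.*\)$/\1/p' "$1" \
            | head -n 1 | tr -d ' \t')
    case "$proto" in
        2) return 1 ;;      # exactly "Protocol 2": v1 disabled
        *) return 0 ;;      # absent, "1", "2,1", "1,2": v1 possible
    esac
}

# sshv1_disable FILE: replace every Protocol directive with "Protocol 2", or
# append one when the file has none. Commented-out lines are left untouched.
sshv1_disable() {
    if grep -q '^[[:space:]]*[Pp]rotocol[[:space:]]' "$1"; then
        sed -i 's/^[[:space:]]*[Pp]rotocol[[:space:]].*$/Protocol 2/' "$1"
    else
        printf 'Protocol 2\n' >> "$1"
    fi
}

# Demo on a constructed sshd_config fragment that still allows v1.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sshd_config fragment
Port 22
#Protocol 2,1
Protocol 2,1
PermitRootLogin no
EOF
if sshv1_enabled "$SAMPLE"; then
    echo "SSHv1 still permitted, rewriting Protocol directive"
    sshv1_disable "$SAMPLE"
fi
if sshv1_enabled "$SAMPLE"; then echo "still enabled"; else grep '^Protocol' "$SAMPLE"; fi
rm -f "$SAMPLE"
```

After changing the real file, validate it with `sshd -t` (no output means the config parses) and restart the daemon with `service sshd restart`, keeping your existing session open until a new login succeeds.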

Enable cPanel's built-in Security Features

Log into your cPanel WHM panel. From the left-hand menu bar locate the following options:
Apache mod_userdir Tweak - Check "Enable mod_userdir Protection" and click Save.
Compiler Access - Click "Disable Compilers".
Password Strength Configuration - Set this to the maximum value and click Save.
PHP open_basedir Tweak - Check "Enable php open_basedir Protection" and click Save.
Shell Fork Bomb Protection - Click "Enable Protection".
SMTP Tweak - Click "Disable".

Under the Service Manager section, disable any services you do not need running. Contact Netsonic support if you are unsure of these settings.


Continue on to Part 2 of this tutorial.