How to make your cPanel server PCI compliant

The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card. All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards. (Reference: http://www.practicalecommerce.com)

There are six categories of PCI standards that a retailer must meet in order to be deemed compliant.

cPanel PCI Tips & Tricks

• Webserver Uses Plain-text Form-based Authentication
• Entropy Chat (Port 2084)
• Disable SSLv2 for cPanel
• Mailman Unencrypted Login Information Disclosure
• cPanel FrontPage
• SSL Certificate Subject Does Not Match Target
• cPanel OpenSSL

ASV stands for Approved Scanning Vendor, the company that runs the PCI scan against your server.

====> Webserver Uses Plain-text Form-based Authentication

Generally, when you see this ‘risk’ it refers to ports 2082, 2086 or 2095, the non-SSL cPanel ports: 2082 is cPanel, 2086 is WHM and 2095 is webmail. cPanel does not offer an easy way to disable the services listening on the plain-text authentication ports, so the fix is to block those ports in the server’s firewall and use the SSL versions of the services instead. Secure versions to use instead:

2083 – cPanel
2087 – WHM
2096 – Webmail

Blocking non-SSL/STUNNEL Ports

If you use the APF firewall, you can block the plain-text authentication ports by removing the port numbers 2082, 2086 and 2095 from the configuration file, located at:

If you use CSF, block the ports (2082, 2086 and 2095) in the CSF configuration and restart CSF.

====> TCP 2084 EntropyChatServer

The Entropy Chat Server is found to be running on your server. This poses a potential security risk.

Solution Fix:

Disable Entropy Chat. You can do this by either disabling the port 2084 in your firewall, or by turning off Entropy Chat via your WebHost Manager (WHM). You can do this via WHM by logging into WHM and going to:

“Main >> Service Configuration >> Service Manager”

There should be a checkbox next to Entropy Chat. Uncheck it and save changes.
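As an added example (not part of the original post), here is a small Python audit of the port expectations from this section and the previous one: the plain-text ports 2082, 2086 and 2095 and the Entropy Chat port 2084 should be unreachable, while 2083, 2087 and 2096 must still answer. The hostname is a placeholder, and the probe function is injectable so the logic can be tested without a live server.

```python
import socket

# Expectations taken from this post: plain-text ports (and Entropy Chat)
# must be blocked, their SSL counterparts must stay reachable.
PLAINTEXT_PORTS = {2082: "cPanel", 2086: "WHM", 2095: "Webmail", 2084: "Entropy Chat"}
SSL_PORTS = {2083: "cPanel (SSL)", 2087: "WHM (SSL)", 2096: "Webmail (SSL)"}


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds (what an ASV port scan sees)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered by the firewall, or timed out
        return False


def audit_ports(host, probe=tcp_open):
    """Return (port, service, verdict) tuples; `probe` is injectable so the
    logic can be exercised without a live cPanel server."""
    findings = []
    for port, name in PLAINTEXT_PORTS.items():
        if probe(host, port):
            findings.append((port, name, "FAIL: plain-text port reachable, block it in APF/CSF"))
        else:
            findings.append((port, name, "OK: blocked"))
    for port, name in SSL_PORTS.items():
        if probe(host, port):
            findings.append((port, name, "OK: SSL port reachable"))
        else:
            findings.append((port, name, "WARN: SSL port unreachable, users would be locked out"))
    return findings


def is_compliant(findings):
    """The scan item is cleared only when no plain-text port answered."""
    return not any(verdict.startswith("FAIL") for _, _, verdict in findings)


if __name__ == "__main__":
    host = "server.example.com"  # placeholder, replace with your server's hostname
    results = audit_ports(host)
    for port, name, verdict in results:
        print(f"{port:5} {name:14} {verdict}")
    print("compliant" if is_compliant(results) else "NOT compliant")
```

Run it from outside the server's own network so the firewall rules are actually exercised; a loopback check would bypass them.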

====> SSLv2 on cPanel ports

The scan may list SSLv2 support on the cPanel, WHM and webmail ports as a failing issue.

PLEASE NOTE, THIS IS GENERALLY NOT AN ISSUE ANYMORE WITH THE LATEST CPANEL VERSION AND IS LISTED FOR REFERENCE NOW ONLY.

Disable SSLv2 in cPanel by switching from native SSL to stunnel:

perl -i -p -e 's/nativessl=1/nativessl=0/g' /var/cpanel/cpanel.config

Then edit the files:

/usr/local/cpanel/etc/stunnel/mycabundle/stunnel.conf
/usr/local/cpanel/etc/stunnel/default/stunnel.conf

and add:

options = NO_SSLv2
ciphers = AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5

(beneath the “Authentication stuff” section). Both files need to be chattr’d immutable so that an upcp run does not reset them:

chattr +i /usr/local/cpanel/etc/stunnel/mycabundle/stunnel.conf
chattr +i /usr/local/cpanel/etc/stunnel/default/stunnel.conf

You can also refer to “Disable support for sslv2 low-encryption ciphers”.

====> cPanel Frontpage / mod_frontpage

The wording may vary, but it will generally complain that the Apache mod_frontpage module is vulnerable to a buffer overflow that could lead to privilege escalation, such as root access. That is a false positive: it is based solely on a default Apache installation, not the custom cPanel installation. You may see something like the following listed in your PDF:

   TCP 443 https 7
    The remote host is using the Apache mod_frontpage module.
    mod_frontpage older than 1.6.1 is vulnerable to a buffer overflow
    which may allow an attacker to gain root access.
    Since we are not able to remotely determine the version of
    mod_frontpage you are running, you are advised to manually
    check which version you are running as this may be a false positive.
    If you want the remote server to be remotely secure,
    we advise you do not use this module at all.
    Solution: Disable this module
    Risk Factor: High
    CVE : CVE-2002-0427

This is the easiest fix, since there is no fix: submit to your ASV scanning company that this issue is a false positive and offer the following URL from cPanel’s own documentation as proof:

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/PCIComplianceInfo/ScanningSoftware#mod_frontpage

Quoted from cPanel:

“When using a cPanel configured Apache, fpexe is configured differently than on a default installation as such:

Apache 2

With Apache 2.x or 2.2.x compiled through EasyApache, fpexe is replaced by /scripts/fp-auth which is never setuid root.

Apache 1

With Apache 1.3.x compiled through EasyApache, fpexe is custom built from the shar files in /scripts/fetchfpexec, /scripts/fpexec3 and /scripts/fp3. fpexec will only be setuid if Apache’s suexec functionality is disabled. Even with suexec disabled, fpexec is not directly executing the frontpage binaries. fpexe hands the work off to /scripts/fp-auth which does additional access checks.

As noted above, using either Apache 1 or 2 compiled through cPanel’s EasyApache system does not leave a system vulnerable to the exploit noted in the CVE report as /scripts/fp-auth prevents the privilege escalation scenario from occurring.

Note: We do recommend discontinuing the use of mod_frontpage based on compatibility and support. The module is no longer supported by any upstream development team and has reached end-of-life. While we will continue to support mod_frontpage as long as it is practical to do so, there are better publishing methods available. We recommend enabling WebDAV (cpdavd) for publishing as it provides enhanced security and stability and is an actively supported protocol.”

====> Mailman Unencrypted Login Information Disclosure

This means that the Mailman administration login page is available over an unencrypted URL, i.e. “http” and not “https”.

The easy fix is to auto-redirect those URLs to their encrypted https equivalents.

Create the file:

/usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess

Add the following contents to it:

RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} mailman
RewriteRule ^(.*)$ https://%{HTTP_HOST}/mailman/$1   [R=301,L]

If that does not work, it is possible the domain you’re testing doesn’t have an SSL certificate. Try putting the server’s hostname in the RewriteRule instead, i.e.:

RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} mailman
RewriteRule ^(.*)$ https://HOST.DOMAINNAME.COM/mailman/$1   [R=301,L]

Edit /usr/local/cpanel/3rdparty/mailman/Mailman/mm_cfg.py, adding these two lines at the bottom:

DEFAULT_URL_PATTERN = 'https://%s/mailman/'
PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'

Then run the following command so existing lists pick up the new URL pattern:

/usr/local/cpanel/3rdparty/mailman/bin/withlist -l -a -r fix_url

Test it: go to any site hosted on the server and append the Mailman URL from the PCI vulnerability, i.e.:

http://DOMAIN.COM/mailman/admin/mailman

====> cPanel – SSL Certificate Subject Does Not Match Target – Port 2096

If your PCI report lists “SSL Certificate Subject Does Not Match Target”, and specifies that it is for port 2096 (cPanel Webmail), this is a false positive. However, instead of submitting it as a false positive, there is an easy fix.

The report may look similar to:

When a server’s SSL certificate is invalid, clients cannot properly verify that the server is authentic, resulting in a lack of trust.

The certificate is invalid, due to at least one of the following three reasons:

Expired – The current date is past the expiration date of the certificate.
Subject does not match target – The name on the certificate is not the same as the name of the site, so a client cannot verify that the certificate belongs to the server.
Untrusted issuer (or self-signed) – The certificate was not issued by a trusted certificate authority. In the case of self-signed certificates, the server issued its own certificate, possibly by default.

Service: TCP 2096
Certificate Issued To: *.WEBSITENAMEHERE.com

Log in to WHM and go to “Tweak Settings”:

“Main >> Server Configuration >> Tweak Settings”

From there find the section called “Redirection”.

If you wish, select the option “Always redirect users to the ssl/tls ports when visiting /cpanel /webmail, etc.”

That option should be set in my opinion; however, the actual fix for this issue is to select the “Origin Domain Name” box, and also the “Original Domain Name” box, under the item “When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to”.
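To see why the scanner flags the wildcard certificate on port 2096 for some target names and not others, here is an added example (not from the original post or cPanel) that applies the usual hostname-matching rule to a certificate in the dict form Python’s ssl module returns. The certificate and target names are constructed placeholders taken from the report above.

```python
def cert_dns_names(cert):
    """Collect DNS names from a cert in the dict form ssl.getpeercert() returns:
    subjectAltName DNS entries first, then the subject CN as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, host):
    """RFC 6125 style match: a wildcard may only be the whole leftmost label
    and matches exactly one label, so *.example.com covers mail.example.com
    but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def subject_matches_target(cert, target):
    """True when any name on the certificate covers the scanned target name."""
    return any(name_matches(name, target) for name in cert_dns_names(cert))


# Constructed sample: the wildcard certificate the report shows on TCP 2096.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.WEBSITENAMEHERE.com"),),),
    "subjectAltName": (("DNS", "*.WEBSITENAMEHERE.com"), ("DNS", "WEBSITENAMEHERE.com")),
}

if __name__ == "__main__":
    for target in ("webmail.WEBSITENAMEHERE.com", "WEBSITENAMEHERE.com",
                   "a.b.WEBSITENAMEHERE.com", "mail.other.example"):
        ok = subject_matches_target(SAMPLE_CERT, target)
        print(f"{target:30} {'match' if ok else 'MISMATCH (scanner flags it)'}")
```

If the scan targets the server by a name the wildcard does not cover (a bare domain, a deeper subdomain or an IP), the mismatch is real from the client’s point of view, which is why redirecting /webmail to the origin domain name clears the finding.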

Reference: http://www.getfreepci.com