Tune Plesk to Meet PCI DSS on Linux

This section describes the steps that you should perform if you want to secure your server and achieve compliance with PCI DSS on a Linux server.

Installing the latest version of Software

Before you begin, it is recommended to update all the software on you server to the latest versions, if it is possible.

Disabling weak SSL ciphers and protocols

Then you need to run the PCI Compliance Resolver utility available from the Plesk installation directory. It will disable weak SSL/TLS ciphers and protocols for web and e-mail servers operated by Plesk, along with other security changes.

To run the utility:

Log in to the server shell.

Issue the following command:

plesk sbin pci_compliance_resolver {--enable|--disable} 

Running the utility with the --enable option applies the following security changes to Plesk services:

• Sets the following list of ciphers: “EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES”.
• On the latest versions of operating systems, sets the following protocols: "TLSv1.1 TLSv1.2". On the older versions (including Centos 5, Red Hat Enterprise Linux 5, Debian 6, CloudLinux 5), sets the following protocols: "TLSv1 TLSv1.1 TLSv1.2" (actually, only TLSv1 will work on those operating systems).
• Sets DH parameter's size to 2048.
• Disables SSL/TLS compression.
• Sets disable_plaintext_auth = yes for Dovecot.
• Disallows plaintext authentication for non-encrypted connections for Courier.

Running the utility with the --disable option partly reverts the changes made by the utility with the --enable option. In particular, the DH parameter size and SSL/TLS compression settings remain as is, the list of cyphers and protocols are reverted to the default set (this set contains the "TLSv1 TLSv1.1 TLSv1.2" protocols and the "HIGH:!aNULL:!MD5" cyphers).

If you need to change protocols and/or cyphers for all services, you can call the server_pref utility (the details of using this utility can be found here).

If you need to set specific parameters for some services, call manually the sslmng utility:

plesk sbin sslmng --ciphers="EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES" --protocols="TLSv1.1 TLSv1.2" --strong-dh --disable-tls-compression

Add the option "--service <some_service>" to the command above and change SSL/TLS settings of a particular service if you need.

Note: The changes made by the sslmng utility can be overwritten by the subsequent call of the server_pref utility or by Plesk update.

Limitations

There are the following limitations:

1. The protocols for qmail mail agent cannot be configured, therefore qmail is not secure enough to satisfy PCI DSS. It is recommended to use Postfix instead.
2. Ciphers for qmail cannot be changed via Plesk utilities (though it is possible to change them via the configuration file).
3. TLSv1.1, TLSv1.2 are not supported on CentOS 5, Red Hat Enterprise Linux 5, CloudLinux 5, Debian 6.
4. DH parameter's size cannot be managed for Apache from OS vendor (CentOS 5, Red Hat Enterprise Linux 5, CloudLinux 5).
5. SSL/TLS compression is not disabled on Debian 6, Debian 7 for ProFTPd, Dovecot, and Postfix.

Prohibiting external access to the MySQL database server

You also need to prohibit access to MySQL database server from external addresses. To do this, run the following command:

plesk sbin mysqlmng --bind-address local

Protecting information about files

To alleviate security risks arising from disclosure of information about files and their properties by Apache Web server, configure the FileETag directive in the Web server configuration file.

To do this:

1. Open for editing the Web server's configuration file.
   • On Debian and Ubuntu, it is located at /etc/apache2/apache2.conf.
   • On other distributions of Linux, it is located at /etc/httpd/conf/httpd.conf.
   • Locate the line FileETag INode MTime Size and remove the INode keyword from this line.
2. Save the file.
3. Restart the Web server.

On Debian package-based systems, issue the command /etc/init.d/apache2 restart.

On RPM package-based systems, issue the command /etc/init.d/httpd restart.

Securing FTP access

To prevent ProFTPd from showing information about its version on FTP connections:

1. Open for editing the ProFTPd configuration file /etc/proftpd.conf.
2. Insert the following line into the file: ServerIdent off.
3. Save the file.

If you allow FTP connections to your server, you must prohibit all FTP connections except secure FTPS connections.

To allow only FTPS connections to your server:

Go to Tools & Settings > Security Policy.

Select the option Allow only secure FTPS connections for FTP usage policy.