PCI Compliance

#1 Sat, 03/10/2012 - 17:46
jflesher

I have read much about how to make a website PCI compliant, but I still have issues that I'm trying to resolve. First is the MySQL port being open, which is an automatic fail, but looking at iptables confused me, since I did not see mysql listed. Is there something I have to do to close it? It seems like it's not open by the looks of iptables, but I don't want to hose the server, and my iptables knowledge has locked me out of a server before, so I want to make sure I do it right.

CentOS 5.8
My guess would be to not allow access on anything, then add the accept ones back in:

# Drop all, which always gets me in trouble
iptables -A INPUT -j DROP

# Local host access to port
iptables -I INPUT 1 -i lo -p tcp --dport mysql -j ACCEPT
iptables -I INPUT 2 -i lo -p udp --dport mysql -j ACCEPT

This is what I have now in iptables:

-A INPUT -p udp -m udp --dport ftp-data -j ACCEPT
-A INPUT -p udp -m udp --dport ftp -j ACCEPT
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport https -j ACCEPT
-A INPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --dport imaps -j ACCEPT
-A INPUT -p tcp -m tcp --dport imap -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3s -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT

Sat, 03/10/2012 - 19:29
andreychek

Howdy,

MySQL doesn't actually listen for remote connections by default... if you don't need it listening for remote connections, I'd recommend just disabling that option.

What output do you get when running this command:

netstat -an | grep :3306

Sat, 03/10/2012 - 20:24 (Reply to #2)
jflesher

netstat -an | grep :3306

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN

I do not need remote connections, how do I disable it?

Jeffrey Scott Flesher
Medically Retired Gulf War Vet
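A check for the question in these posts, added here as an example and not part of the thread: it reads `netstat -an` output on stdin and flags TCP listeners bound to every interface (0.0.0.0 or ::) whose port is not on an explicit allow list. The sample output and the allow list are constructed; the allow list mirrors the ports the iptables rules in the first post accept. One caveat worth remembering from the first post: a port that is simply absent from the ACCEPT rules is only closed if the INPUT chain's policy, or a final rule, drops unmatched traffic.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP listeners bound to all
# interfaces whose port is not on the allow list given as $1.
# Usage on a live box:  netstat -an | exposed_listeners "22 80 443"

exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # local address is field 4; the port follows the last colon
            if (match($4, /:[0-9]+$/)) {
                addr = substr($4, 1, RSTART - 1)
                port = substr($4, RSTART + 1)
                if ((addr == "0.0.0.0" || addr == "::") && !(port in ok))
                    print port " " addr
            }
        }'
}

# Constructed sample of `netstat -an` output, modelled on the line in the thread.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 0.0.0.0:80              1.2.3.4:51544           ESTABLISHED'

# The ports the iptables ACCEPT rules in the first post let through.
ALLOWED_PORTS="20 21 22 25 53 80 110 143 443 993 995 10000 20000"

# Prints "3306 0.0.0.0": MySQL is the only wildcard listener not on the list.
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "$ALLOWED_PORTS"
```

The 127.0.0.1:25 line is deliberately ignored: a service bound only to loopback is not reachable from the network, which is exactly the state the thread is trying to reach for MySQL.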

Sat, 03/10/2012 - 22:48
andreychek

If you look in /etc/mysql/my.cnf, do you see a "bind-address" parameter set? It may be set to listen to a public interface.

If it is set, you could simply set that to 127.0.0.1, and then restart MySQL.

-Eric

Sun, 03/11/2012 - 00:36 (Reply to #4)
jflesher

There was no bind-address parameter in /etc/my.cnf.

If I add this to /etc/my.cnf, should that block it?


[mysqld]
skip-networking

Also, there is port 8443, which they labeled pcsync-https; I do not see this in iptables either.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sun, 03/11/2012 - 10:18
andreychek

if I add this to /etc/my.cnf, should that block it?

That works, so long as none of the applications running on your server are attempting to access your server via its port on 3306.

But you can always give that a shot and see what happens!

Also there is port 8443 they labeled pcsync-https, I do not see this in iptables either.

Port 8443 isn't something that runs on a typical system. What output do you get when running this command:

netstat -anlp | grep 8443

That should show the name of the program using that port.

-Eric

Sun, 03/11/2012 - 15:08 (Reply to #6)
jflesher

netstat -anlp | grep 8443 returned empty, just as I would think it should. I think this is the PCI scanner program that Security Metrics uses; my guess is that they test for it and think they found it.

The edit to my.cnf didn't crash Drupal, Joomla, phpMyAdmin or WordPress, and it didn't show up on my last scan, so I'm good to go. You might want to add this to your PCI compliance document. My understanding of it is that it just keeps it from being able to connect remotely to the database, not from localhost, which is a must for PCI compliance; they do not allow remote connections to the database.

As seen here, it's still listening on 3306:

netstat -an | grep :3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN

Thanks for the help.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sun, 03/11/2012 - 19:38 (Reply to #7)
Locutus

Note that all those web applications you listed WILL crash if they cannot access the MySQL database on your server via TCP. So putting "skip-networking" in the config is a bad idea; you should rather restrict it to accept connections only from localhost, using the Webmin MySQL module, section "MySQL Server Configuration", and set "listening address" to "127.0.0.1".

Sun, 03/11/2012 - 13:01
Locutus

Port 8443 seems to be used by the Plesk control panel, are you using that by chance?

Edit: never mind, since you're using Virtualmin that is doubtful. :-)

Sun, 03/11/2012 - 15:12 (Reply to #9)
jflesher

Funny, the first thing I thought of was Plesk; it and cPanel use a lot of ports, whereas VM only seems to need 10000 and 20000.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Sun, 03/11/2012 - 17:25
andreychek

The Edit to my.cnf didn't crash Drupal, Joomla, phpMyAdmin or Wordpress, and it didn't show up on my last scan, so I'm good to go, you might want to add this to your PCI compliance document

MySQL only listens on localhost on a fresh installation. It doesn't listen on 0.0.0.0 by default for security reasons.

As seen here, it's still listening on 3306
netstat -an | grep :3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN

That does suggest MySQL is still listening on port 3306. Did you restart MySQL after making those changes? If so, can you post your my.cnf file?

-Eric

Mon, 03/12/2012 - 18:30 (Reply to #11)
jflesher

Yes, I rebooted.


[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql

old_passwords=1
thread_concurrency = 8
query_cache_size = 32M
thread_cache_size = 8
myisam_sort_buffer_size = 64M
read_rnd_buffer_size = 8M
read_buffer_size = 2M
sort_buffer_size = 2M
table_cache = 512
max_allowed_packet = 5M
key_buffer = 384M

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
skip-networking

Jeffrey Scott Flesher
Medically Retired Gulf War Vet
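The my.cnf above explains the netstat result: skip-networking sits under [mysqld_safe], and mysqld itself reads only the [mysqld] and [server] groups, so the server never saw the option. The following check is an added example, not something from the thread or from Webmin; it reads a my.cnf-style file on stdin and reports which group each networking option lives in, with both sample configs constructed to match the two states in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): show which option group each MySQL
# networking option sits in. mysqld reads the [mysqld] and [server] groups;
# an option placed under [mysqld_safe] is never applied to the server.
# Config text is read from stdin; output is "option group value" per match.
# Usage on a live box:  option_groups < /etc/my.cnf

option_groups() {
    awk '
        /^[ \t]*\[/ { group = $0; sub(/^[ \t]*\[/, "", group); sub(/].*$/, "", group); next }
        /^[ \t]*[#;]/ { next }                          # comment line
        /^[ \t]*$/    { next }                          # blank line
        {
            line = $0; sub(/^[ \t]*/, "", line)
            key = line; val = ""
            if (index(line, "=") > 0) {
                key = substr(line, 1, index(line, "=") - 1)
                val = substr(line, index(line, "=") + 1)
            }
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            gsub(/_/, "-", key)                         # bind_address and bind-address are the same option
            if (key == "skip-networking" || key == "bind-address")
                print key, (group == "" ? "-" : group), (val == "" ? "-" : val)
        }'
}

# Exit 0 when mysqld itself is restricted to local connections, 1 otherwise.
mysqld_restricted() {
    option_groups | awk '
        ($2 == "mysqld" || $2 == "server") && $1 == "skip-networking" { ok = 1 }
        ($2 == "mysqld" || $2 == "server") && $1 == "bind-address" && ($3 == "127.0.0.1" || $3 == "::1" || $3 == "localhost") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample 1: skip-networking under [mysqld_safe], as in the my.cnf
# posted above. mysqld never sees it, so 0.0.0.0:3306 stays open.
CNF_WRONG_GROUP='[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysqld_safe]
log-error=/var/log/mysqld.log
skip-networking'

# Constructed sample 2: bind-address under [mysqld], the fix suggested later
# in the thread.
CNF_FIXED='[mysqld]
datadir=/var/lib/mysql
bind_address = 127.0.0.1

[mysqld_safe]
log-error=/var/log/mysqld.log'

printf '%s\n' "$CNF_WRONG_GROUP" | option_groups    # skip-networking mysqld_safe -
printf '%s\n' "$CNF_FIXED" | option_groups          # bind-address mysqld 127.0.0.1
```

On the skip-networking versus bind-address question raised in the replies: with the MySQL client library, a client that names the host "localhost" connects over the Unix socket and keeps working under skip-networking, while a client that names "127.0.0.1" uses TCP and fails; bind-address = 127.0.0.1 keeps both working and still refuses remote connections, which is why it is the safer of the two settings to put in [mysqld].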

Mon, 03/12/2012 - 18:50
jflesher

Still shows SSLv2 as being enabled.
Steps to disable it, verified:

1. Disable SSLv2 in Webmin - Webmin -> Webmin -> Webmin Configuration -> SSL Encryption :
"Only strong PCI-compliant ciphers"

2. Disable SSLv2 in Apache - /etc/httpd/conf/httpd.conf :

SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

3. Disable SSLv2 in Postfix - /etc/dovecot/dovecot.conf
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_mandatory_ciphers = high

4. Apache Settings - /etc/httpd/conf/httpd.conf :
ServerTokens Minimal
ServerSignature Off
TraceEnable Off

5. Disable Protocol 1 in SSH - /etc/ssh/sshd_config
Protocol 2

Method used:

openssl s_client -connect mydomain.com:20000 -ssl2


CONNECTED(00000003)
depth=0 /O=Usermin Webserver on vps-1234567-1234.manage.myhosting.com/CN=*/emailAddress=root@vps-1234567-1234.manage.myhosting.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Usermin Webserver on vps-1234567-1234.manage.myhosting.com/CN=*/emailAddress=root@vps-1234567-1234.manage.myhosting.com
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDCDCCArKgAwIBAgIJAKFsJx13fVr0MA0GCSqGSIb3DQEBBQUAMIGMMUMwQQYD
...
sEhuEhpdhybJgLUv
-----END CERTIFICATE-----
subject=/O=Usermin Webserver on vps-1234567-1234.manage.myhosting.com/CN=*/emailAddress=root@vps-1234567-1234.manage.myhosting.com
issuer=/O=Usermin Webserver on vps-1234567-1234.manage.myhosting.com/CN=*/emailAddress=root@vps-1234567-1234.manage.myhosting.com
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 913 bytes and written 172 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 512 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: A50327F094465A9C2F44DCCA0B70D875
Session-ID-ctx:
Master-Key: 92C5B7554786981B69611C383917977F03ADD33B57D1BB74
Key-Arg : E8CE55957B1D2915
Krb5 Principal: None
Start Time: 1331594477
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---

closed

Also this returns
openssl s_client -ssl2 -connect mydomain.com:8443


socket: Connection refused
connect:errno=29

Yet their scan said it's returning a valid answer.

Update: I wonder if port 20000 is even pulling from my cert or using the self signed certificate, or if it matters.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Mon, 03/12/2012 - 18:56
andreychek

Howdy,

Port 20000 is Usermin... so although you set Webmin to only use strong ciphers, you'd also need to do the same for Usermin in Webmin -> Webmin -> Usermin Configuration -> SSL Encryption.

Also, it doesn't look like port 8443 is responding, so that's good! Are they still flagging that as a problem though?

-Eric

Mon, 03/12/2012 - 20:53 (Reply to #14)
jflesher

Another thing you should add to your PCI compliant list.

Yes, they are still flagging 8443, although I can not duplicate it.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Mon, 03/12/2012 - 21:33
andreychek

Hmm, could your ISP be redirecting requests destined for port 8443 to something of their own?

Are you able to test connecting to port 8443 from an external site?

Also, for MySQL -- I might try putting this into the [mysqld] section:

bind-address = 127.0.0.1

-Eric

Tue, 03/13/2012 - 22:45 (Reply to #16)
jflesher

Made the change, still works, looks like it's good to go.

This is the command that works from SSH; it will not run from my Ubuntu box, which said -ssl2 is a bad argument. I'll have to look into that:

openssl s_client -ssl2 -connect lightwizzard.com:8443

Running test again, but it looks like this is still showing up.

Thanks.

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Wed, 03/14/2012 - 02:00
Locutus

If I recall correctly, Virtuozzo uses port 8443 for its virtual machine control panel. I rented such a system a while back and I think I remember that port from there.

Is your system by chance located on such a virtual machine host?

Wed, 03/14/2012 - 16:21 (Reply to #18)
jflesher

They are using Linux Virtuozzo http://www.parallels.com/products/pvc/

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Wed, 03/14/2012 - 16:38
jflesher

Seems to me that back-porting should have taken care of these, but how do I prove that to them?

Description: vulnerable Apache version: 2.2.3
Severity: Area of Concern
CVE: CVE-2006-4110 CVE-2006-5752 CVE-2007-1863 CVE-2007-3303 CVE-2007-3304 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6420 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005 CVE-2008-0455 CVE-2008-0456 CVE-2009-1195 CVE-2009-1891 CVE-2009-2412 CVE-2010-0425 CVE-2010-0434 CVE-2010-1452 CVE-2010-1623 CVE-2011-0419 CVE-2011-1928 CVE-2011-3192 CVE-2011-3348 CVE-2011-3607 CVE-2011-4415 CVE-2012-0031 CVE-2012-0053
Impact: A remote attacker could crash the web server or execute arbitrary commands.

Resolution [http://httpd.apache.org/download.cgi]: Upgrade Apache 2.0.x to a version higher than 2.0.64 when available, or a version higher than 2.2.21 when available. Patches for the mod_cache DoS can be applied for [http://people.apache.org/~mjc/cve-2007-1863-2.0.patch] 2.0 or [http://people.apache.org/~mjc/cve-2007-1863-2.2.patch] 2.2. Alternatively, apply a fix from your operating system vendor.
Vulnerability Details: Service: https Received: Server: Apache/2.2.3

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Wed, 03/14/2012 - 17:57
andreychek

Howdy,

You're right, any security issue should be patched in the version of Apache shipped by RHEL/CentOS.

How can you prove it? Well, many scanning companies will settle for you telling them that they're seeing a false positive, since CentOS backports their security fixes, and that you're using the most recent version of Apache available to your distro.

If that's not good enough, you could show them links to the RHEL/CentOS pages that show the security updates they've put out.

Or, you can see a list of the security patches in Apache with this command:

rpm -q --changelog httpd | grep CVE
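To turn that command into something you can hand to the scanning company, here is an added example (not from the thread, not a Virtualmin tool) that compares the CVE identifiers from a scan report against the identifiers mentioned in the package changelog and lists the ones the changelog does not mention. The changelog text below is constructed for the demonstration; on the real box the input comes from `rpm -q --changelog httpd`. The CVE identifiers are a subset of those in the scan report quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): print the scanner's CVE ids that the
# changelog on stdin never mentions.
# Usage on a live box:  rpm -q --changelog httpd | cves_not_in_changelog CVE-2011-3192 CVE-2012-0053 ...

cves_not_in_changelog() {
    awk -v want="$*" '
        {
            # collect every CVE id mentioned anywhere on the line
            line = $0
            while (match(line, /CVE-[0-9]+-[0-9]+/)) {
                seen[substr(line, RSTART, RLENGTH)] = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i]
        }'
}

# Constructed changelog in the style of `rpm -q --changelog` output; the
# packager name, dates and release strings are placeholders, not real entries.
SAMPLE_CHANGELOG='* Tue Feb 14 2012 Example Packager <packager@example.invalid> - 2.2.3-0.example2
- add security fix for CVE-2012-0053 (constructed entry)
- add security fixes for CVE-2011-3607, CVE-2011-4415
* Thu Sep 15 2011 Example Packager <packager@example.invalid> - 2.2.3-0.example1
- add security fix for CVE-2011-3192 (byterange DoS)'

# A subset of the identifiers from the scan report quoted above.
SCANNER_CVES="CVE-2011-3192 CVE-2011-3607 CVE-2011-4415 CVE-2012-0031 CVE-2012-0053"

# Prints "CVE-2012-0031": the only id the sample changelog does not mention.
printf '%s\n' "$SAMPLE_CHANGELOG" | cves_not_in_changelog $SCANNER_CVES
```

An id left over by this check is not automatically an unpatched hole: the fix may live in another package, or the changelog entry may not name the id, or the CVE may not apply to the way the package is built. What the leftover list gives you is the exact set of identifiers to raise with the distro's errata pages or with the scanning company, instead of arguing about all twenty-nine at once.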

Thu, 03/15/2012 - 17:08 (Reply to #21)
jflesher

Yes thanks, did not know about that.

They say mod_setenvif and mod_proxy will need to be disabled; will this have any impact on how Virtualmin runs?

What's the best way to disable them?

Jeffrey Scott Flesher
Medically Retired Gulf War Vet

Thu, 03/15/2012 - 19:17
andreychek

You would need to edit your httpd.conf file, and comment out the LoadModule lines that load those particular modules.

Disabling those won't impact Virtualmin itself, the only question is whether any of the sites you're running require them.

I doubt you're using the proxying, the only question is whether something on your system is using mod_setenvif. Try disabling it and see what happens :-)

-Eric

Thu, 03/15/2012 - 22:43 (Reply to #23)
jflesher

This should be documented:

To Disable mod_proxy:

nano /etc/httpd/conf/httpd.conf

Comment out:

# LoadModule proxy_module modules/mod_proxy.so
# LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
# LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
# LoadModule proxy_http_module modules/mod_proxy_http.so
# LoadModule proxy_connect_module modules/mod_proxy_connect.so

nano /etc/httpd/conf.d/proxy_ajp.conf
Comment out:

#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

********************************

To Disable mod_setenvif:

nano /etc/httpd/conf/httpd.conf
Comment out:

# LoadModule setenvif_module modules/mod_setenvif.so


# BrowserMatch "Mozilla/2" nokeepalive
# BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
# BrowserMatch "RealPlayer 4\.0" force-response-1.0
# BrowserMatch "Java/1\.0" force-response-1.0
# BrowserMatch "JDK/1\.0" force-response-1.0
#...
# BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
# BrowserMatch "MS FrontPage" redirect-carefully
# BrowserMatch "^WebDrive" redirect-carefully
# BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
# BrowserMatch "^gnome-vfs/1.0" redirect-carefully
# BrowserMatch "^XML Spy" redirect-carefully
# BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

nano /etc/httpd/conf.d/ssl.conf
Comment out:

#SetEnvIf User-Agent ".*MSIE.*" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0

Jeffrey Scott Flesher
Medically Retired Gulf War Vet
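The Apache settings from the SSLv2 checklist earlier in the thread (SSLProtocol, ServerSignature, TraceEnable) and the LoadModule edits in this last post are both things you want to re-verify after editing, before the next scan. The following audit is an added example, not from the thread or from Virtualmin: it reads Apache configuration text on stdin and reports active proxy or setenvif modules, an SSLProtocol that still admits SSLv2, TraceEnable or ServerSignature left on, and the one trap in the post above, a SetEnvIf or BrowserMatch directive left active after setenvif_module is commented out (httpd then refuses to start with an unknown directive). The three sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit Apache 2.2 configuration text
# from stdin for the hardening points discussed in this thread.
# Usage on a live box:
#   cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf | audit_httpd_conf
# No output means every check passed.

audit_httpd_conf() {
    awk '
        /^[ \t]*#/ { next }                        # a commented-out line is inactive
        $1 == "LoadModule" {
            if ($2 ~ /^proxy/ || $2 == "setenvif_module") print "active-module " $2
            if ($2 == "setenvif_module") setenvif_loaded = 1
        }
        $1 ~ /^(SetEnvIf|SetEnvIfNoCase|BrowserMatch|BrowserMatchNoCase)$/ { uses_setenvif = 1 }
        $1 == "SSLProtocol" {
            saw_proto = 1; allow = 0; deny = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all" || t == "sslv2" || t == "+sslv2") allow = 1
                if (t == "-sslv2") deny = 1
            }
            if (allow && !deny) print "sslv2-allowed"
        }
        $1 == "TraceEnable"     { trace = tolower($2) }
        $1 == "ServerSignature" { sig = tolower($2) }
        END {
            if (!saw_proto) print "no-sslprotocol"   # the 2.2 default is "all", which includes SSLv2
            if (trace != "off") print "trace-enabled"
            if (sig != "off") print "server-signature-on"
            if (uses_setenvif && !setenvif_loaded) print "setenvif-directive-without-module"
        }'
}

# Constructed sample 1: stock-looking configuration before the edits.
CONF_BEFORE='LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
BrowserMatch "Mozilla/2" nokeepalive
ServerTokens OS
ServerSignature On
SSLProtocol all'

# Constructed sample 2: after the edits described in the thread.
CONF_AFTER='# LoadModule proxy_module modules/mod_proxy.so
# LoadModule proxy_http_module modules/mod_proxy_http.so
# LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
ServerTokens Minimal
ServerSignature Off
TraceEnable Off
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL'

# Constructed sample 3: module commented out but the ssl.conf directive left in.
CONF_HALF='# LoadModule setenvif_module modules/mod_setenvif.so
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
ServerSignature Off
TraceEnable Off
SSLProtocol ALL -SSLv2'

printf '%s\n' "$CONF_BEFORE" | audit_httpd_conf    # six findings
printf '%s\n' "$CONF_AFTER" | audit_httpd_conf     # no output
printf '%s\n' "$CONF_HALF" | audit_httpd_conf      # setenvif-directive-without-module
```

Feed it everything Apache actually loads, not just httpd.conf: in this thread the proxy_ajp module and the SetEnvIf line live in /etc/httpd/conf.d/, so a check of httpd.conf alone would miss them. After the edits, `httpd -t` confirms the configuration still parses and `httpd -M` lists the modules that really load.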