PCI Compliance

I have read a lot about how to make a website PCI compliant, but I still have issues that I’m trying to resolve. The first is the MySQL port being open, which is an automatic fail, but looking at iptables confused me, since I did not see MySQL listed. Is there something I have to do to close it? It seems like it’s not open by the looks of iptables, but I don’t want to hose the server, and my iptables knowledge has locked me out of a server before, so I want to make sure I do it right.

CentOS 5.8
My guess would be to not allow access on all, then add the accept ones back in

Drop all, which always gets me in trouble

iptables -A INPUT -j DROP

Localhost access to the port

iptables -I INPUT 1 -i lo -p tcp --dport mysql -j ACCEPT
iptables -I INPUT 2 -i lo -p udp --dport mysql -j ACCEPT

This is what I have now:

iptables

-A INPUT -p udp -m udp --dport ftp-data -j ACCEPT
-A INPUT -p udp -m udp --dport ftp -j ACCEPT
-A INPUT -p udp -m udp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport https -j ACCEPT
-A INPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --dport imaps -j ACCEPT
-A INPUT -p tcp -m tcp --dport imap -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3s -j ACCEPT
-A INPUT -p tcp -m tcp --dport pop3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
-A INPUT -p tcp -m tcp --dport domain -j ACCEPT
-A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT

Howdy,

MySQL doesn’t actually listen for remote connections by default… if you don’t need it listening for remote connections, I’d recommend just disabling that option.

What output do you get when running this command:

netstat -an | grep :3306

netstat -an | grep :3306

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN

I do not need remote connections; how do I disable it?

If you look in /etc/mysql/my.cnf, do you see a “bind-address” parameter set? It may be set to listen to a public interface.

If it is set, you could simply set that to 127.0.0.1, and then restart MySQL.

-Eric

There was no bind-address parameter in /etc/my.cnf

if I add this to /etc/my.cnf, should that block it?

[mysqld]
skip-networking

Also there is port 8443 they labeled pcsync-https, I do not see this in iptables either.

if I add this to /etc/my.cnf, should that block it?

That works, so long as none of the applications running on your server are attempting to access your server via its port on 3306.

But you can always give that a shot and see what happens!

Also there is port 8443 they labeled pcsync-https, I do not see this in iptables either.

Port 8443 isn’t something that runs on a typical system. What output do you get when running this command:

netstat -anlp | grep 8443

That should show the name of the program using that port.

-Eric

Port 8443 seems to be used by the Plesk control panel, are you using that by chance?

Edit: never mind, since you’re using Virtualmin that is doubtful. :slight_smile:

netstat -anlp | grep 8443 returned empty, just as I would think it should. I think this is the PCI scanner program that SecurityMetrics uses; my guess is that they test for it, and they think they found it.

The edit to my.cnf didn’t crash Drupal, Joomla, phpMyAdmin or WordPress, and it didn’t show up on my last scan, so I’m good to go. You might want to add this to your PCI compliance document. My understanding of it is that it just keeps it from being able to connect remotely to the database, not from localhost, which is a must for PCI compliance; they do not allow remote connections to the database.

As seen here, it’s still listening on 3306

netstat -an | grep :3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN

Thanks for the help.

Funny, the first thing I thought of was Plesk. It and cPanel use a lot of ports, whereas VM only seems to need 10000 and 20000.

The edit to my.cnf didn’t crash Drupal, Joomla, phpMyAdmin or WordPress, and it didn’t show up on my last scan, so I’m good to go. You might want to add this to your PCI compliance document.

MySQL only listens on localhost on a fresh installation. It doesn’t listen on 0.0.0.0 by default for security reasons.

As seen here, it’s still listening on 3306
netstat -an | grep :3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN

That does suggest MySQL is still listening on port 3306. Did you restart MySQL after making those changes? If so, can you post your my.cnf file?

-Eric

Note that all the web software you listed WILL crash if it cannot access the MySQL database on your server via TCP. So putting “skip-networking” in the config is a bad idea; you should rather restrict it to accept connections only from localhost, using the Webmin MySQL module, section “MySQL Server Configuration”, and set “listening address” to “127.0.0.1”.

Yes I rebooted

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql

old_passwords=1
thread_concurrency = 8
query_cache_size = 32M
thread_cache_size = 8
myisam_sort_buffer_size = 64M
read_rnd_buffer_size = 8M
read_buffer_size = 2M
sort_buffer_size = 2M
table_cache = 512
max_allowed_packet = 5M
key_buffer = 384M

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
skip-networking

Still shows SSLv2 as being enabled:
Steps to disable it, verified:

  1. Disable SSLv2 in Webmin - Webmin -> Webmin -> Webmin Configuration -> SSL Encryption :
    “Only strong PCI-compliant ciphers”

  2. Disable SSLv2 in Apache - /etc/httpd/conf/httpd.conf :

    SSLProtocol ALL -SSLv2
    SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

  3. Disable SSLv2 in Postfix - /etc/dovecot/dovecot.conf
    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    smtpd_tls_mandatory_ciphers = high

  4. Apache Settings - /etc/httpd/conf/httpd.conf :
    ServerTokens Minimal
    ServerSignature Off
    TraceEnable Off

  5. Disable Protocol 1 in SSH - /etc/ssh/sshd_config
    Protocol 2

Method used:

openssl s_client -connect mydomain.com:20000 -ssl2


CONNECTED(00000003)
depth=0 /O=Usermin Webserver on vps-1234567-1234.manage.myhosting.com/CN=/emailAddress=root@vps-1234567-1234.manage.myhosting.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /O=Usermin Webserver on vps-1234567-1234.manage.myhosting.com/CN=/emailAddress=root@vps-1234567-1234.manage.myhosting.com
verify return:1

Server certificate
subject=/O=Usermin Webserver on vps-1234567-1234.manage.myhosting.com/CN=/emailAddress=root@vps-1234567-1234.manage.myhosting.com
issuer=/O=Usermin Webserver on vps-1234567-1234.manage.myhosting.com/CN=/emailAddress=root@vps-1234567-1234.manage.myhosting.com

No client certificate CA names sent

Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5

SSL handshake has read 913 bytes and written 172 bytes

New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 512 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: A50327F094465A9C2F44DCCA0B70D875
Session-ID-ctx:
Master-Key: 92C5B7554786981B69611C383917977F03ADD33B57D1BB74
Key-Arg : E8CE55957B1D2915
Krb5 Principal: None
Start Time: 1331594477
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

closed

Also this returns
openssl s_client -ssl2 -connect mydomain.com:8443

socket: Connection refused connect:errno=29

Yet their scan said it’s returning a valid answer.

Update: I wonder if port 20000 is even pulling from my cert or using the self signed certificate, or if it matters.

Howdy,

Port 20000 is Usermin… so although you set Webmin to only use strong ciphers, you’d also need to do the same for Usermin in Webmin -> Webmin -> Usermin Configuration -> SSL Encryption.

Also, it doesn’t look like port 8443 is responding, so that’s good! Are they still flagging that as a problem though?

-Eric

Another thing you should add to your PCI compliant list.

Yes, they are still flagging 8443, although I cannot duplicate it.

Hmm, could your ISP be redirecting requests destined for port 8443 to something of their own?

Are you able to test connecting to port 8443 from an external site?

Also, for MySQL – I might try putting this into the [mysqld] section:

bind-address = 127.0.0.1

-Eric
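An added check (not from this thread, and not Virtualmin’s code) that reads a my.cnf and reports which section holds skip-networking or bind-address: mysqld only reads its own [mysqld] group, so a directive placed under [mysqld_safe], as in the config posted above, leaves the server listening on 0.0.0.0:3306. The sample config is constructed to mirror that post.

```shell
#!/bin/sh
# Added example: report the [section] each networking directive in a my.cnf
# sits in, and whether a 3306 listener is bound beyond loopback.
# The sample config is constructed to mirror the one posted in the thread.

SAMPLE_MYCNF='[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql

[mysqld_safe]
log-error=/var/log/mysqld.log
skip-networking
'

# Read a my.cnf on stdin; print "directive section" for every
# skip-networking / bind-address line (dash and underscore spellings).
# mysqld only reads its own [mysqld] group, so a directive under
# [mysqld_safe] is silently ignored by the server.
mycnf_net_directives() {
    awk '
        /^[[:space:]]*\[/ {
            sub(/^[[:space:]]*\[/, ""); sub(/].*$/, ""); section = $0; next
        }
        /^[[:space:]]*(skip[-_]networking|bind[-_]address)/ {
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            split($0, kv, /[[:space:]]*=[[:space:]]*/)
            print kv[1], section
        }'
}

# Succeeds only when every networking directive is inside [mysqld].
mycnf_net_ok() {
    misplaced=$(printf '%s' "$1" | mycnf_net_directives | awk '$2 != "mysqld"')
    [ -z "$misplaced" ]
}

# Live check on the host itself: a 3306 listener on anything other than
# 127.0.0.1 is what the PCI scanner flags (netstat column layout as on CentOS 5).
mysql_exposed_listeners() {
    netstat -anl 2>/dev/null | awk '$6 == "LISTEN" && $4 ~ /:3306$/ && $4 !~ /^127\./'
}

printf '%s' "$SAMPLE_MYCNF" | mycnf_net_directives
mycnf_net_ok "$SAMPLE_MYCNF" || echo "networking directive outside [mysqld]: server still listens"
```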

Made the change, still works, looks like it’s good to go.

This is the command that works from ssh; it will not run from my Ubuntu box, which said -ssl2 is a bad argument. I’ll have to look into that:

openssl s_client -ssl2 -connect lightwizzard.com:8443

Running test again, but it looks like this is still showing up.

Thanks.
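An added helper (not from the thread) that reduces an openssl s_client transcript like the one posted earlier to protocol, cipher and key size, turns that into the findings a PCI scan reports, and wraps the -ssl2 probe so a client built without SSLv2 (the “bad argument” seen on the Ubuntu box) is reported as unable to test rather than mistaken for a clean result. The transcript is constructed and abridged, and the openssl error wording matched in probe_sslv2 is an assumption.

```shell
#!/bin/sh
# Added example: reduce an `openssl s_client` transcript to what a PCI scan
# cares about, then wrap the -ssl2 probe so a client that no longer speaks
# SSLv2 is reported as such instead of looking like a pass.
# The transcript is constructed, abridged from the one posted in the thread.

SAMPLE_TRANSCRIPT='CONNECTED(00000003)
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 512 bit
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
closed'

# Transcript on stdin -> "protocol cipher keybits", or "none" when no
# session was negotiated (e.g. the "Connection refused" case on port 8443).
summarize_s_client() {
    awk '
        /^New, /                { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        /^Server public key is/ { bits = $5 }
        END { if (proto == "") print "none"; else print proto, cipher, bits + 0 }'
}

# Turn a summary into scanner-style findings, one per line (empty = clean).
findings_for() {
    proto=$1; bits=$3
    [ "$proto" = "SSLv2" ] && echo "SSLv2 negotiated"
    [ "$proto" != "none" ] && [ "$bits" -lt 1024 ] && echo "server key only $bits bit"
    return 0
}

# Exit 0 if host:port still accepts SSLv2, 1 if not, 2 if this openssl
# cannot send SSLv2 at all (then the check must be run from an older client).
# Matching the client's error text is an assumption about openssl's wording.
probe_sslv2() {
    out=$(echo | openssl s_client -ssl2 -connect "$1:$2" 2>&1)
    case $out in
        *nknown\ option*|*bad\ argument*) return 2 ;;
    esac
    set -- $(printf '%s\n' "$out" | summarize_s_client)
    [ "$1" = "SSLv2" ]
}

summary=$(printf '%s\n' "$SAMPLE_TRANSCRIPT" | summarize_s_client)
echo "$summary"                        # SSLv2 DES-CBC3-MD5 512
findings_for $summary
```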

If I recall correctly, Virtuozzo uses port 8443 for its virtual machine control panel. I rented such a system a while back and I think I remember that port from there.

Is your system by chance located on such a virtual machine host?

They are using Linux Virtuozzo http://www.parallels.com/products/pvc/

Seems to me that back-porting should have taken care of these, but how do I prove that to them?

Description: vulnerable Apache version: 2.2.3
Severity: Area of Concern
CVE: CVE-2006-4110 CVE-2006-5752 CVE-2007-1863 CVE-2007-3303 CVE-2007-3304 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6420 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005 CVE-2008-0455 CVE-2008-0456 CVE-2009-1195 CVE-2009-1891 CVE-2009-2412 CVE-2010-0425 CVE-2010-0434 CVE-2010-1452 CVE-2010-1623 CVE-2011-0419 CVE-2011-1928 CVE-2011-3192 CVE-2011-3348 CVE-2011-3607 CVE-2011-4415 CVE-2012-0031 CVE-2012-0053
Impact: A remote attacker could crash the web server or execute arbitrary commands.

Resolution [http://httpd.apache.org/download.cgi]: Upgrade Apache 2.0.x to a version higher than 2.0.64 when available, or a version higher than 2.2.21 when available.
Patches for the mod_cache DoS can be applied for 2.0 [http://people.apache.org/~mjc/cve-2007-1863-2.0.patch] or 2.2 [http://people.apache.org/~mjc/cve-2007-1863-2.2.patch].
Alternatively, apply a fix from your operating system vendor.
Vulnerability Details: Service: https Received: Server: Apache/2.2.3
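The usual way to show a scanner that a distribution back-port covers a listed CVE is the package changelog, where Red Hat and CentOS name the CVE each errata fixes even though the version string stays at 2.2.3; this added script (not from the thread) checks a CVE list from a report like the one above against that text. The changelog excerpt is constructed, and CVE IDs the changelog does not name still need a manual look.

```shell
#!/bin/sh
# Added example: match the CVE IDs from a scan report against an RPM
# changelog, where CentOS/Red Hat record back-ported security fixes by
# CVE number even though the version string stays at 2.2.3.
# The changelog excerpt below is constructed; real output comes from rpm.

SCANNER_CVES='CVE-2011-3192 CVE-2012-0053 CVE-2006-4110'

SAMPLE_CHANGELOG='* (constructed date) packager <packager@example.com> - 2.2.3-NN.el5
- add security fix for CVE-2012-0053 (constructed entry)
* (constructed date) packager <packager@example.com> - 2.2.3-NN.el5
- add security fix for CVE-2011-3192 (constructed entry)'

# Read a changelog on stdin; for each CVE in $1 print "CVE-ID fixed" when the
# changelog names it and "CVE-ID not-in-changelog" otherwise. The latter still
# needs a look: it may not apply to this build (Windows-only issues, modules
# not installed) or it may be genuinely unpatched. The padding space and the
# [!0-9] suffix stop CVE-2011-3192 from matching a longer ID by prefix.
classify_cves() {
    changelog=$(cat)
    for cve in $1; do
        case " $changelog " in
            *"$cve"[!0-9]*) echo "$cve fixed" ;;
            *)              echo "$cve not-in-changelog" ;;
        esac
    done
}

# Number of listed CVEs the changelog does not mention; 0 means every ID the
# scanner listed is accounted for by a back-port in the installed package.
count_unaccounted() {
    classify_cves "$1" | awk '/ not-in-changelog$/ { n++ } END { print n + 0 }'
}

# Live use on the host: rpm -q --changelog httpd | classify_cves "$SCANNER_CVES"
printf '%s\n' "$SAMPLE_CHANGELOG" | classify_cves "$SCANNER_CVES"
```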