These are the steps I went through to lock down a cPanel instance running on CentOS for PCI Compliance.
Lately I have been setting up a number of cPanel instances for a client and that is a pretty straightforward process. cPanel have decent installation instructions on how to do this and their script pretty much does most of the work.
One of the cPanel instances needed to be PCI compliant, and that process is far less clearly documented than the installation. The steps you will need to take to be PCI compliant depend on the company running the scan, the website being scanned and what the scan identifies as issues. In my case it was SecurityMetrics who ran the scan, and I ended up taking the following steps to become PCI compliant:
CGI scripts, especially the guestbook.cgi script, were a big no no. The quickest and most effective way to disable the script was an .htaccess file in the cgi-sys directory that answers every request for it with 410 Gone. This only works if you don’t want to make use of the guestbook.cgi script.
# /usr/local/cpanel/cgi-sys/.htaccess
RewriteEngine On
# "-" means no substitution; [G] answers 410 Gone, [L] stops further rewriting
RewriteRule ^guestbook\.cgi$ - [G,L]
Packages with Security Issues. The OpenSSL and BIND versions failed the PCI scan, but a quick check of the CVE values in the changelog of these packages showed that the relevant issues had already been resolved.
rpm -q --changelog openssl | grep <CVE-string>
rpm -q --changelog bind | grep <CVE-string>
The scanner flags these packages on version number alone, while CentOS backports security fixes without bumping the version. If the changelog shows that the CVE has been fixed, you can pass that evidence to the entity doing the PCI scan.
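As an added example that is not from the original post: a small Python helper that parses `rpm -q --changelog` output and reports the package release in which each scanner-flagged CVE first appears, which is the evidence the scanning company wants. The changelog text, CVE ids and release strings embedded in it are constructed, and `rpm_changelog` assumes a CentOS host with rpm installed.

```python
import re
import subprocess

# Constructed sample in the format `rpm -q --changelog <pkg>` prints on
# CentOS; the CVE ids and release strings are made up for this example.
SAMPLE_CHANGELOG = """\
* Mon Feb 02 2015 Example Maintainer <maint@example.invalid> 1.0.1e-30.el6_6.5
- fix CVE-2014-1111 - example issue closed by a backported patch

* Tue Nov 04 2014 Example Maintainer <maint@example.invalid> 1.0.1e-30.el6_6.4
- rebuilt for the example

* Wed Oct 15 2014 Example Maintainer <maint@example.invalid> 1.0.1e-30.el6_6.2
- fix CVE-2014-2222 - another example issue
"""

# Entry header: "* <weekday> <month> <day> <year> <author> <version-release>"
ENTRY_HEADER = re.compile(r"^\* (?P<date>\w{3} \w{3} \d{2} \d{4}) .*? (?P<release>\S+)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def fixed_in(changelog, cves):
    """Map each CVE id to the newest changelog release that mentions it,
    or None when the changelog never mentions it (i.e. not backported)."""
    result = {cve: None for cve in cves}
    release = None
    for line in changelog.splitlines():
        m = ENTRY_HEADER.match(line)
        if m:
            release = m.group("release")
            continue
        for cve in CVE_ID.findall(line):
            if cve in result and result[cve] is None:
                result[cve] = release
    return result


def rpm_changelog(package):
    """Read the installed package's changelog with rpm (CentOS host only)."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # On a real host: fixed_in(rpm_changelog("openssl"), flagged_cves)
    for cve, rel in fixed_in(SAMPLE_CHANGELOG, ["CVE-2014-1111", "CVE-2014-3333"]).items():
        print(f"{cve}: {'fixed in ' + rel if rel else 'NOT found in changelog'}")
```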
Apache Configuration. In the cPanel interface, go to Service Configuration > Apache Configuration > Global Configuration. Some of the settings there carry PCI recommendations; follow them. Don’t forget to rebuild the Apache configuration and restart Apache, otherwise the changes will not take effect.
Firewall. Finally, install ConfigServer Security & Firewall (CSF). The installation is pretty straightforward, and once it is done you can configure it and run its tests from the cPanel interface. This resolved most of the remaining issues once I had installed it and followed most of the suggestions its test produced.