
PCI Compliance

Firewall

Drop ICMP timestamp requests

# add to rc.firewall
# ICMP timestamp replies disclose the host clock; ASV/PCI scanners flag them
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-reply -j DROP
# save the iptables ruleset so it persists across reboots
# Gentoo:
/etc/init.d/iptables save

Postfix

Disable SSLv2, SSLv3 and the VRFY command. Edit /etc/postfix/main.cf:

disable_vrfy_command = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium, high

and reload:

postfix reload

Apache

SSL

The SSL configuration will need to be changed from its default to the settings below.

Change the protocols to disable SSLv2 and SSLv3, both of which are deprecated, leaving only the TLS versions.

Change the CipherSuite to prefer ECDHE suites with AES-GCM, then the remaining ECDHE and DHE suites, with RC4 as a last resort, and exclude anonymous, NULL, LOW, 3DES, MD5, export, PSK, SRP and DSS suites. Enforce the cipher order chosen by the server, not the client.

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

ETag

Disable ETag support completely:

FileETag None

HTTP Authorization

Disable auth_basic and use auth_digest instead.

Ubuntu:

a2dismod auth_basic
a2enmod auth_digest
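As an added check, not part of the original page, the script below audits a Postfix main.cf and an Apache SSL configuration for the settings from the Postfix, SSL and ETag sections above. File paths are assumptions and the sample configs are constructed inline so it runs stand-alone.

```shell
#!/bin/sh
# Added audit helper, not from the original wiki page: checks a Postfix main.cf and an
# Apache SSL config for the settings above. File paths are assumptions; samples are constructed.
# Last value of a setting: "key = value" (Postfix) or "Key value" (Apache, case-insensitive).
# Limitation: continuation lines and values containing '=' are not handled.
conf_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        index(tolower($0), key) == 1 {
            rest = substr($0, length(key) + 1)
            if (rest ~ /^[ \t]*=/ || rest ~ /^[ \t]+/) {
                sub(/^[ \t]*=?[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest); val = rest
            }
        }
        END { print val }' "$1"
}
# 0 when VRFY is disabled and SSLv2/SSLv3 are excluded from smtpd_tls_mandatory_protocols.
check_postfix() {
    rc=0
    [ "$(conf_value "$1" disable_vrfy_command)" = yes ] || { echo "postfix: VRFY enabled"; rc=1; }
    proto=$(conf_value "$1" smtpd_tls_mandatory_protocols)
    for v in SSLv2 SSLv3; do
        case "$proto" in *"!$v"*) ;; *) echo "postfix: $v not excluded"; rc=1 ;; esac
    done
    return $rc
}

# 0 when SSLv2/SSLv3 are off, the server enforces cipher order and ETags are disabled.
check_apache() {
    rc=0
    proto=$(conf_value "$1" SSLProtocol | tr 'A-Z' 'a-z')
    for v in sslv2 sslv3; do
        case "$proto" in
            *"-$v"*) ;;                                                      # explicitly removed
            *all*|*"$v"*) echo "apache: $v enabled in SSLProtocol"; rc=1 ;;  # via "all" or listed
        esac
    done
    [ "$(conf_value "$1" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" = on ] || { echo "apache: client picks cipher order"; rc=1; }
    [ "$(conf_value "$1" FileETag | tr 'A-Z' 'a-z')" = none ] || { echo "apache: ETags still enabled"; rc=1; }
    return $rc
}

# Constructed sample configs (not real system files) so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
printf 'disable_vrfy_command = yes\nsmtpd_tls_mandatory_protocols = !SSLv2, !SSLv3\n' > "$SAMPLE_DIR/main.cf"
printf 'SSLProtocol all -SSLv2 -SSLv3\nSSLHonorCipherOrder on\nFileETag None\n' > "$SAMPLE_DIR/ssl.conf"
printf 'SSLProtocol all -SSLv2\nSSLHonorCipherOrder off\n' > "$SAMPLE_DIR/weak.conf"
check_postfix "$SAMPLE_DIR/main.cf" && echo "postfix: OK"
check_apache "$SAMPLE_DIR/ssl.conf" && echo "apache: OK"
check_apache "$SAMPLE_DIR/weak.conf" || echo "weak.conf rejected as expected"
```

Point the functions at the real /etc/postfix/main.cf and Apache SSL vhost file after applying the changes; a non-zero exit with the printed reasons tells you which setting is still missing.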