====== PCI Compliance ======

  * [[Apache]]
  * [[OpenSSL]]
  * [[Postfix]]

==== Firewall ====

=== Drop ICMP timestamp requests ===

<code bash>
# add to rc.firewall
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-reply -j DROP

# save iptables ruleset (gentoo)
/etc/init.d/iptables save
</code>

==== Postfix ====

Disable SSLv2, SSLv3 and the VRFY command. Edit ''/etc/postfix/main.cf'':

<code>
disable_vrfy_command = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium, high
</code>

and reload:

<code bash>
postfix reload
</code>

==== Apache ====

=== SSL ===

The SSL configuration will need to be changed from its default to support this configuration. Restrict the protocols so that SSLv2 and SSLv3, both deprecated, are disabled and only TLS remains. Change the CipherSuite to prefer the ECDHE suites with AES-GCM, followed by the remaining EECDH/EDH suites and RC4, and enforce the order by server, not client:

<code apache>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</code>

Note that this suite still lists RC4. RFC 7465 prohibits RC4 in TLS, and PCI DSS has since required migration away from SSL and early TLS (TLS 1.0), so on a current deployment drop the RC4 entries from the suite and extend the exclusions to TLSv1 and TLSv1.1.

=== ETag ===

Disable ETag support completely:

<code apache>
FileETag None
</code>

=== HTTP Authorization ===

Disable ''auth_basic'' and use ''auth_digest'' instead. **Ubuntu**:

<code bash>
a2dismod auth_basic
a2enmod auth_digest
</code>
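To verify that the Postfix and Apache changes above actually landed, here is an offline lint that reads a ''main.cf'' and an ''httpd.conf'' fragment and reports the settings this page says to remove: VRFY, SSLv2/SSLv3, a client-chosen cipher order, RC4 in the cipher suite, and a non-''None'' FileETag. It is an added example, not code from this page or from the Postfix or Apache projects; the sample configs are constructed, the protocol model for ''SSLProtocol all'' is deliberately conservative (it treats ''all'' as including SSLv2, as old 2.2 builds did), and a missing parameter is treated as the weak default.

```python
"""Offline lint for the Postfix and Apache TLS settings discussed on this page.
Added example; parsers are minimal and intentionally conservative."""
import re

# Constructed sample configs (not taken from a real host).
POSTFIX_BEFORE = """\
disable_vrfy_command = no
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_mandatory_ciphers = medium, high
"""
POSTFIX_AFTER = """\
disable_vrfy_command = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium, high
"""
APACHE_BEFORE = """\
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
FileETag INode MTime Size
"""
# The page's own Apache block: SSLv2/3 off, server order on, but RC4 still listed.
APACHE_PAGE = """\
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP"
FileETag None
"""
APACHE_HARDENED = """\
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !RC4"
FileETag None
"""

# Conservative model of what "SSLProtocol all" may enable (old 2.2 builds included SSLv2).
APACHE_ALL = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
DISPLAY = {"sslv2": "SSLv2", "sslv3": "SSLv3"}


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_postfix(text):
    """Return {parameter: value} from main.cf-style 'key = value' lines."""
    params = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def parse_apache(text):
    """Return {directive: value} from httpd.conf-style lines; the last occurrence wins."""
    directives = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line:
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return directives


def lint_postfix(text):
    """Findings for the two main.cf changes on this page (VRFY, SSLv2/SSLv3)."""
    findings = []
    p = parse_postfix(text)
    if p.get("disable_vrfy_command", "no").lower() != "yes":
        findings.append("VRFY enabled: set disable_vrfy_command = yes")
    protos = [t.lower() for t in re.split(r"[,\s]+", p.get("smtpd_tls_mandatory_protocols", "")) if t]
    floor = any(t.startswith(">=") for t in protos)  # Postfix 3.6+ '>=TLSv1.2' form excludes SSL
    for legacy in ("SSLv2", "SSLv3"):
        if not floor and "!" + legacy.lower() not in protos:
            findings.append(f"{legacy} not excluded in smtpd_tls_mandatory_protocols")
    return findings


def enabled_protocols(sslprotocol):
    """Apply SSLProtocol tokens (all, +X, -X, X) left to right and return the enabled set."""
    enabled = set()
    for tok in sslprotocol.lower().split():
        if tok == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def lint_apache(text):
    """Findings for the Apache directives on this page; absent directives count as weak."""
    findings = []
    d = parse_apache(text)
    for legacy in ("sslv2", "sslv3"):
        if legacy in enabled_protocols(d.get("sslprotocol", "all")):
            findings.append(f"{DISPLAY[legacy]} enabled: add -{DISPLAY[legacy]} to SSLProtocol")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    # RC4 token present and not negated with '!' or removed with '-'
    if re.search(r"(?<![!\w-])RC4\b", d.get("sslciphersuite", "")):
        findings.append("RC4 present in SSLCipherSuite (prohibited by RFC 7465)")
    if d.get("fileetag", "").lower() != "none":
        findings.append("FileETag is not None")
    return findings


if __name__ == "__main__":
    for name, text, fn in (("postfix before", POSTFIX_BEFORE, lint_postfix),
                           ("postfix after", POSTFIX_AFTER, lint_postfix),
                           ("apache before", APACHE_BEFORE, lint_apache),
                           ("apache (page)", APACHE_PAGE, lint_apache),
                           ("apache hardened", APACHE_HARDENED, lint_apache)):
        print(f"{name}: {fn(text) or 'clean'}")
```

Run it against real files by replacing the constructed strings with ''open(path).read()''. The page's own Apache block comes back with a single finding (RC4), which is the caveat noted in the SSL section; the hardened variant with ''!RC4'' comes back clean.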