PCI Compliance
Firewall
Drop ICMP timestamp requests
Add to rc.firewall:

    iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    iptables -A INPUT -p icmp --icmp-type timestamp-reply -j DROP

Then save the ruleset so it survives a reboot (Gentoo):

    /etc/init.d/iptables save
Postfix
Disable the VRFY command and the SSLv2 and SSLv3 protocols. Edit /etc/postfix/main.cf:

    disable_vrfy_command = yes
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_mandatory_ciphers = medium, high

Note that smtpd_tls_mandatory_protocols only governs sessions where TLS is mandatory (smtpd_tls_security_level = encrypt); for opportunistic TLS the corresponding setting is smtpd_tls_protocols.

Then reload:

    postfix reload
Apache
SSL
The SSL configuration needs to be changed from its default to support this configuration.

Disable SSLv2 and SSLv3 so that only TLS is offered; both are deprecated.

Set the CipherSuite to prefer the ECDHE AES-GCM suites, then the other forward-secret suites, then RC4, while excluding anonymous, NULL, LOW, 3DES, MD5, export, PSK, SRP and DSS ciphers, and enforce that order on the server side rather than letting the client choose:

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

This string still leaves RC4 negotiable as a fallback. RC4 is prohibited for TLS by RFC 7465, so on any stack that no longer needs it for old clients, replace the RC4 entries with !RC4.
Etag
Disable ETag support completely:

    FileETag None

This removes the inode number (the detail scanners flag) from the ETag header; clients fall back to Last-Modified for conditional requests.
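As an added check, not part of the original page, the following POSIX shell script audits a Postfix main.cf and an Apache SSL configuration for the settings covered in the Postfix, SSL and ETag sections above: VRFY disabled, SSLv2/SSLv3 refused, server-side cipher order enforced, no RC4 suite left negotiable, FileETag None. The file contents it writes are constructed samples (the page's own settings plus a hardened Apache variant), not copies of a real host's configuration, and the file names and function names are this example's own.

```shell
#!/bin/sh
# Audit Postfix and Apache configs for the PCI settings described above.
# Added example, not part of the original page; the sample files written by
# write_samples are constructed for offline testing, not real host configs.

# Effective value of a Postfix "key = value" setting. Postfix takes the last
# assignment when a key is repeated, so this does too.
cfg_value() {  # cfg_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Effective value of an Apache "Directive value" line (case-insensitive,
# last one wins), with surrounding double quotes removed.
apache_value() {  # apache_value FILE DIRECTIVE
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
        | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//; s/"//g'
}

# 0 if main.cf disables VRFY and refuses SSLv2/SSLv3 for mandatory TLS.
check_postfix() {  # check_postfix MAIN_CF
    rc=0
    [ "$(cfg_value "$1" disable_vrfy_command)" = "yes" ] \
        || { echo "FAIL: disable_vrfy_command is not yes"; rc=1; }
    protos=$(cfg_value "$1" smtpd_tls_mandatory_protocols)
    case "$protos" in
        *'!SSLv2'*'!SSLv3'*|*'!SSLv3'*'!SSLv2'*) ;;
        *) echo "FAIL: smtpd_tls_mandatory_protocols = '$protos'"; rc=1 ;;
    esac
    # smtpd_tls_mandatory_protocols only covers mandatory TLS; opportunistic
    # TLS is governed by smtpd_tls_protocols, which the page does not set.
    [ -n "$(cfg_value "$1" smtpd_tls_protocols)" ] \
        || echo "WARN: smtpd_tls_protocols unset; opportunistic TLS may still offer SSLv3"
    return $rc
}

# 0 if the SSL config disables SSLv2/SSLv3, enforces server cipher order,
# leaves no RC4 suite negotiable and sets FileETag None; 1 otherwise.
check_apache() {  # check_apache SSL_CONF
    rc=0
    protos=$(apache_value "$1" SSLProtocol)
    case "$protos" in
        *-SSLv2*-SSLv3*|*-SSLv3*-SSLv2*) ;;
        *) echo "FAIL: SSLProtocol '$protos' still allows SSLv2 or SSLv3"; rc=1 ;;
    esac
    case "$(apache_value "$1" SSLHonorCipherOrder)" in
        [Oo][Nn]) ;;
        *) echo "FAIL: SSLHonorCipherOrder is not on"; rc=1 ;;
    esac
    ciphers=$(apache_value "$1" SSLCipherSuite)
    [ -n "$ciphers" ] || { echo "FAIL: no SSLCipherSuite set"; rc=1; }
    # Split the OpenSSL cipher string into tokens; any RC4 token that is not
    # negated with "!" leaves RC4 negotiable (RFC 7465 prohibits it).
    if printf '%s\n' "$ciphers" | tr ' :' '\n\n' | grep -v '^!' | grep -q RC4; then
        echo "FAIL: RC4 is still enabled in SSLCipherSuite"; rc=1
    fi
    case "$(apache_value "$1" FileETag)" in
        [Nn][Oo][Nn][Ee]) ;;
        *) echo "FAIL: FileETag is not None"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: the page's Postfix and Apache settings, plus a
# hardened Apache variant with RC4 removed.
write_samples() {  # write_samples DIR
    cat > "$1/main.cf" <<'EOF'
disable_vrfy_command = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = medium, high
EOF
    cat > "$1/ssl-page.conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
FileETag None
EOF
    cat > "$1/ssl-hardened.conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH EDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
FileETag None
EOF
}

# Demo run against the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_postfix "$demo_dir/main.cf" && echo "postfix main.cf: OK"
check_apache "$demo_dir/ssl-page.conf" || echo "apache (page config): RC4 still negotiable"
check_apache "$demo_dir/ssl-hardened.conf" && echo "apache (hardened): OK"
rm -rf "$demo_dir"
```

Run against real files with `check_postfix /etc/postfix/main.cf` and `check_apache /etc/apache2/mods-enabled/ssl.conf` (or wherever the SSL directives live). The page's own cipher string fails the RC4 check by design; the hardened variant passes.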
HTTP Authorization
Disable auth_basic and use auth_digest instead. On Ubuntu:

    a2dismod auth_basic
    a2enmod auth_digest

Any location still configured with AuthType Basic will fail with a server error once the module is gone, so convert those locations to AuthType Digest (with a digest password file created by htdigest) before restarting Apache.