pci_compliance [2015/06/01 23:11] (current) – created - external edit 127.0.0.1
Line 1: Line 1:
 +====== PCI Compliance ======
 +
 +  * [[Apache]]
 +  * [[OpenSSL]]
 +  * [[Postfix]]
 +
 +==== Firewall ====
 +
 +=== Drop ICMP timestamp requests ===
 +
 +<code>
 +# add to rc.firewall
 +iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
 +iptables -A INPUT -p icmp --icmp-type timestamp-reply -j DROP
 +# save iptables ruleset
 +# gentoo
 +/etc/init.d/iptables save
 +</code>
 +
 +==== Postfix ====
 +
 +Disable SSLv2, SSLv3 and VRFY protocols.  Edit ''/etc/postfix/main.cf'':
 +
 +<code>
 +disable_vrfy_command = yes
 +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 +smtpd_tls_mandatory_ciphers = medium, high
 +</code>
 +
 +and reload:
 +
 +<code>
 +postfix reload
 +</code>
 +
 +==== Apache ====
 +
 +=== SSL ===
 +
 +The SSL configuration will need to be changed from it's default to support this configuration.
 +
 +Change the protocols to use only SSLv3 and TLSv1.  This disables SSLv2 support, which is deprecated.
 +
 +Change the CipherSuite to use RC4+RSA, HIGH, then MEDIUM ciphers, and enforce the order by server, not client.
 +
 +<code>
 +SSLProtocol all -SSLv2 -SSLv3
 +SSLHonorCipherOrder on
 +SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
 +
 +</code>
 +
 +=== Etag ===
 +
 +Disable Etag support completely:
 +
 +<code>
 +FileEtag None
 +</code>
 +
 +=== HTTP Authorization ===
 +
 +Disable ''auth_basic'' and use ''auth_digest'' instead.
 +
 +**Ubuntu**:
 +
 +<code>
 +a2dismod auth_basic
 +a2enmod auth_digest
 +</code>
  
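Review bot: the Apache SSL prose and its directive disagree: the text says to "use only SSLv3 and TLSv1" and that only SSLv2 is disabled, but `SSLProtocol all -SSLv2 -SSLv3` disables SSLv3 as well, which is the right choice and matches the Postfix section; reword the prose to "TLSv1 and later" rather than touching the directive. The cipher prose ("RC4+RSA, HIGH, then MEDIUM") also does not describe the SSLCipherSuite string that follows, and the `EECDH+aRSA+RC4` and `RC4` entries in that string should be removed, since RC4 is not an acceptable cipher for a PCI assessment. In the Postfix block, `smtpd_tls_mandatory_ciphers = medium, high` is not valid: that parameter takes a single grade, so use `smtpd_tls_mandatory_ciphers = high`; and `smtpd_tls_mandatory_protocols` only governs sessions where TLS is mandatory, so opportunistic STARTTLS (the default `smtpd_tls_security_level = may`) additionally needs `smtpd_tls_protocols = !SSLv2, !SSLv3`. In the firewall block, `-A INPUT` appends, so the two DROP rules only take effect if no earlier rule in INPUT already accepts ICMP. Minor: "from it's default" should read "from its default".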