
    Settings for a Gen4 VPS (with cPanel) for PCI Compliance

    As more and more businesses are starting to go online, a big issue is PCI Compliance.

     
    If you are using a service like stripe.com or PayPal - they actually handle the PCI compliance - this is why you typically have to leave your site or the credit card fields are in a pop-up window.
     
    PCI Compliance comes into play when you have your own merchant account and a service like Authorize.net
     
    Without going into all the details, PCI Compliance deals with security policies / procedures / settings as it relates to how you handle credit card processing.
     
    There are a few different PCI scanning companies which the banks use to scan your server. Some may report various false positives which others do not. This article is not the end-all, be-all answer to every last item that may get flagged, but it will address many of them and advise on best practices.
     
    ===============================================
    The very first thing is to make sure you have updated the yum repositories so that you have the latest versions of software available. You may have to add some additional repositories to get more recent versions than what is included with CentOS 7.
     
    This is a great reference for using different yum commands
     
    The next step is to set up a firewall on the server. While there are command line firewall utilities, I recommend ConfigServer Security & Firewall. It has a nice user interface within WHM and very good, detailed explanations of what each setting is.
     
    One of the easiest things to do is disable ports - I recommend the following ports be enabled

     

    TCP_IN = 20,22,25,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096 
    TCP_OUT = 20,22,25,37,43,80,110,113,443,587,873,993,995,2086,2087,2089,2703
    UDP_OUT = 20,113,123,873,6277,24441

     

    This will only enable the basic ports for the server - You can actually remove some of them if you aren't running mail on your server.
     
    Additionally, under WHM -> Service Configuration -> Apache Configuration -> Global Configuration
     
    For the SSL Cipher Suite 

     

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!DES:!RC4:!3DES:!MD5

     

    and for the SSL/TLS Protocols 

     

    all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3

     

     
    Also under WHM -> Service Configuration -> Apache Configuration -> Include Editor
    Pre Main Include 

     

    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff

     

     
    This should get you most of the way to having a scan which passes. One of the other things that you may have to do is upgrade OpenSSH - this is command line based and should only be done by someone who knows how to compile sources on the server, as this often has to be done manually.
     
    Even if you do not have a need for passing a PCI compliance scan - these are good security measures for hardening your server.
    I am a GoDaddy End User - Just Like You
    Check out my site! | I currently manage over 300 WordPress Websites
    * Please note that I offer free advice on this forum. Thank You Info If you would like personalized help, please contact me. Otherwise, please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. Thanks! *
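
An audit of the SSL Cipher Suite and SSL/TLS Protocols values from the post, added here as an example (it is not part of the original post and not GoDaddy or cPanel code). It groups each suite by what its OpenSSL name encodes and flags tokens carrying invisible paste debris. The function names and report keys are hypothetical, and it assumes explicit suite names as in the post rather than OpenSSL keywords such as HIGH.

```python
import re

# SSL Cipher Suite value from the post, in OpenSSL cipher-list syntax.
POST_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!DES:!RC4:!3DES:!MD5"
)
# SSL/TLS Protocols value from the post, in Apache SSLProtocol syntax.
POST_PROTOCOLS = "all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3"
TOKEN_OK = re.compile(r"!?[A-Za-z0-9-]+")  # assumption: plain suite names only

def audit_ciphers(cipher_string):
    """Group suites by mode/MAC and flag DSS, missing forward secrecy, bad tokens."""
    report = {k: [] for k in ("aead", "cbc_sha2", "cbc_sha1", "dss_auth",
                              "no_forward_secrecy", "exclusions", "malformed")}
    for token in cipher_string.split(":"):
        parts = token.split("-")
        if not TOKEN_OK.fullmatch(token):
            report["malformed"].append(token)  # empty token or invisible characters
        elif token.startswith("!"):
            report["exclusions"].append(token[1:])
        else:
            if parts[0] not in ("ECDHE", "DHE"):
                report["no_forward_secrecy"].append(token)
            if "DSS" in parts:
                report["dss_auth"].append(token)
            mode = ("aead" if "GCM" in parts or "CHACHA20" in parts
                    else "cbc_sha1" if parts[-1] == "SHA" else "cbc_sha2")
            report[mode].append(token)  # a bare SHA suffix means HMAC-SHA1
    return report

def enabled_legacy_protocols(protocol_line):
    """Return the pre-TLS 1.2 protocols an SSLProtocol value leaves enabled."""
    legacy, enabled = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}, set()
    for word in protocol_line.split():
        name = word.lstrip("+-")
        # "all" is treated conservatively as switching on every legacy protocol
        chosen = set(legacy) if name.lower() == "all" else {name} & legacy
        if word.startswith("-"):
            enabled -= chosen
        elif word.startswith("+"):
            enabled |= chosen
        else:
            enabled = chosen  # a bare word replaces what was set before
    return sorted(enabled)
```

Run against the post's values, the report separates the GCM suites from the CBC suites that are still offered under TLS 1.2, which is the part of the list a scanner is most likely to comment on.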
