PCI (Payment Card Industry) Compliance/Standards were originally created to standardize on a set of rules and guidelines to help protect credit card holders from theft – specifically theft from a website being hacked and their information compromised. At what point PCI Compliance was bastardized I do not know – but today it’s really a joke.
In order to maintain a merchant account and process credit cards, most vendors will require a passing score on a compliance scan. There’s nothing quite like a little regulation to create a new industry – today a search on Google for “PCI Compliance Scan” returns almost 3/4 mil results. Don’t get me wrong, I am a firm believer in the standards put forth by PCI, but the requirement to pass an automated scan is nonsense. Almost all companies offering PCI compliance are using the Nessus security scanner which connects to your machine, runs through an automated scan and spits out a report with a score.
What kind of things should you expect to find on the results? Gems like:
Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution: filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk Factor: Low / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524
And:
Your computer appears to be running http software that allows others to view its web pages. If you don’t intend this computer to allow others to view its web pages then turn this service off. There are many potential security vulnerabilities in http software.
My general advice to computer security applies here. If you don’t need/use a service/application then turn it off, and keep your computer up to date with the latest security patches from the vendor. Fedora and CentOS users can just run “yum update”.
Anyways, back to the scan…
1. Run the initial scan against your site – you will probably fail. Open your web server logs and find the IP address of the machine that scanned you. Save this IP for later.
2. If you are running PHP you will have lot’s of security warnings, add this line to your /etc/php.ini (or wherever it may be):
expose_php = Off
3. Disable Trace, Track, Server Signatures and Server Tokens in Apache (/etc/httpd/conf/httpd.conf):
TraceEnable off
ServerSignature Off
ServerTokens ProductOnly
4. Now the fun part, using the IP address you found in step one block the entire Class C (/24) IP Netblock range from connecting to your server on ports other than 80 and 443 (http and https). In /etc/sysconfig/iptables immediately after this line:
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
Add these entries:
# Filters for PCI Scan
-A RH-Firewall-1-INPUT -s x.x.x.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.0/24 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -s x.x.x.0/24 -j REJECT --reject-with icmp-host-prohibited
What this does is allow the scanning system to connect to the web server via http and https only – everything else will be denied.
5. Reload IP Tables (service iptables restart) and Apache (service httpd restart) – and rescan your site.
