Comments on: Moving Towards PCI Compliance with cPanel http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel pink is the new black Thu, 26 Jan 2012 17:17:54 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Benjie http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9809 Benjie Sun, 05 Apr 2009 15:52:59 +0000 http://www.v-nessa.net/?p=151#comment-9809 I have returned to this website again and again. I cannot thank you enough! Steve's post, from 11/3/08, asks if the most recent version of cpanel, using native SSL resolves the issue. Well, I'm using cPanel 11.24.4-R34548 - WHM 11.24.2 - X 3.9 and McAfee is unhappy. I'm working with the most excellent folks at HostMySite.com, who continually tolerate my noobness, and I'll post back if we find out anything. Again, thank you, thank you, thank you! I have returned to this website again and again. I cannot thank you enough! Steve’s post, from 11/3/08, asks if the most recent version of cpanel, using native SSL resolves the issue. Well, I’m using cPanel 11.24.4-R34548 – WHM 11.24.2 – X 3.9 and McAfee is unhappy.

I’m working with the most excellent folks at HostMySite.com, who continually tolerate my noobness, and I’ll post back if we find out anything.

Again, thank you, thank you, thank you!

]]> By: Steve http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9533 Steve Tue, 04 Nov 2008 00:47:51 +0000 http://www.v-nessa.net/?p=151#comment-9533 I have a system that keeps getting flagged by McAfee Secure's PCI scan and failing as a result of weak SSL ciphers for cPanel/WHM. Have you done an upgrade to cPanel/WHM 11.24, and if so, did it resolve the weak SSL cipher issue? I have a system that keeps getting flagged by McAfee Secure’s PCI scan and failing as a result of weak SSL ciphers for cPanel/WHM.

Have you done an upgrade to cPanel/WHM 11.24, and if so, did it resolve the weak SSL cipher issue?

]]> By: Nessa http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9529 Nessa Thu, 30 Oct 2008 02:28:24 +0000 http://www.v-nessa.net/?p=151#comment-9529 Actually, I heard from a post in the cPanel forums from one of the developers that cPanel 11.24 will include the disabling of weak ciphers for all services. Actually, I heard from a post in the cPanel forums from one of the developers that cPanel 11.24 will include the disabling of weak ciphers for all services.

]]> By: Kelly http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9526 Kelly Wed, 29 Oct 2008 21:37:41 +0000 http://www.v-nessa.net/?p=151#comment-9526 Actually, having cpanel set to running native ssl is still a problem. The weak ciphers and sslv2 are enabled on the cpanel ssl ports, and the hackeralert scans flag this. I am looking for a way to disable this without having to run stunnel. I cant seem to find any solution other than to install and run stunnel. There must be some way to fix this. Actually, having cpanel set to running native ssl is still a problem. The weak ciphers and sslv2 are enabled on the cpanel ssl ports, and the hackeralert scans flag this. I am looking for a way to disable this without having to run stunnel. I cant seem to find any solution other than to install and run stunnel. There must be some way to fix this.

]]> By: Nessa http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9499 Nessa Thu, 16 Oct 2008 13:32:09 +0000 http://www.v-nessa.net/?p=151#comment-9499 You should be able to do this in WHM > tweak settings by having cpanel use native ssl support instead of stunnel. You should be able to do this in WHM > tweak settings by having cpanel use native ssl support instead of stunnel.

]]> By: oly http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9492 oly Tue, 14 Oct 2008 14:25:32 +0000 http://www.v-nessa.net/?p=151#comment-9492 How do you keep secure cpanel ports from using weak ciphers? Here is a sample of tls1 supporting weak cipher: New, TLSv1/SSLv3, Cipher is EXP-RC2-CBC-MD5 Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : EXP-RC2-CBC-MD5 How do you keep secure cpanel ports from using weak ciphers? Here is a sample of tls1 supporting weak cipher:

New, TLSv1/SSLv3, Cipher is EXP-RC2-CBC-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EXP-RC2-CBC-MD5

]]> By: Primsi http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9329 Primsi Wed, 28 May 2008 11:52:15 +0000 http://www.v-nessa.net/?p=151#comment-9329 Did anybody try to include ServerSignature Off ServerTokens Prod FileETag None via the Include Editor in WHM > Apache Setup? There are tree possible places to include it Pre Main Include, Pre VirtualHost Include and Post VirtualHost Include.Is it 'Pre VirtualHost'? Did anybody try to include

ServerSignature Off
ServerTokens Prod
FileETag None

via the Include Editor in WHM > Apache Setup? There are tree possible places to include it Pre Main Include, Pre VirtualHost Include and Post VirtualHost Include.Is it ‘Pre VirtualHost’?

]]> By: www.tagsto.com/trackback/ http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9270 www.tagsto.com/trackback/ Fri, 09 May 2008 22:50:20 +0000 http://www.v-nessa.net/?p=151#comment-9270 <strong>Shops of Moving Towards PCI Compliance with cPanel...</strong> shops about to After dealing with 2-3 PCI scans a week for the last year, I’ve put together a common procedure for how to make your server compliant to current PCI standards. Note that each scan company is different and may report other issues, ...... Shops of Moving Towards PCI Compliance with cPanel…

shops about to After dealing with 2-3 PCI scans a week for the last year, I’ve put together a common procedure for how to make your server compliant to current PCI standards. Note that each scan company is different and may report other issues, ……

]]> By: Mike Brandonisio http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9266 Mike Brandonisio Thu, 08 May 2008 21:50:41 +0000 http://www.v-nessa.net/?p=151#comment-9266 Hi, Sorry, These files should be updated too: /var/cpanel/templates/apache2/ssl_vhost.default /var/cpanel/templates/apache2/ssl_vhost.local With: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM Hi,

Sorry, These files should be updated too:

/var/cpanel/templates/apache2/ssl_vhost.default /var/cpanel/templates/apache2/ssl_vhost.local

With:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

]]> By: Mike Brandonisio http://www.v-nessa.net/2008/04/14/moving-towards-pci-compliance-with-cpanel/comment-page-1#comment-9265 Mike Brandonisio Thu, 08 May 2008 20:54:45 +0000 http://www.v-nessa.net/?p=151#comment-9265 Hi, When making the Weak cypher changes for apache SSL, consider making the similar updates to: /usr/local/apache/conf/httpd.conf.default for future sites on your cpanel server. Otherwise they will get the same weak cypher directive in the virtual host section. Thanks for the PCI compliance post. Mike Hi,

When making the Weak cypher changes for apache SSL, consider making the similar updates to:

/usr/local/apache/conf/httpd.conf.default

for future sites on your cpanel server. Otherwise they will get the same weak cypher directive in the virtual host section.

Thanks for the PCI compliance post.

Mike

]]>