With the Payment Card Industry Security Standards Council releasing a new version of its standard, PCI DSS 2.0, it is a good time to take a look at the security of your Linux server. Since the cPanel control panel and its Web Host Manager (WHM) software are the most popular control panel on Linux servers, we will cover achieving PCI compliance on a cPanel server. In this article we will be using a CentOS server; the commands should be the same or similar on CentOS, Red Hat Enterprise Linux and Fedora. The information below will help you keep your cPanel server secure and pass a PCI compliance scan.
cPanel PCI Compliance Step 1
First things first, run a package update so that known-vulnerable packages are replaced before the scan:
yum -y update
If it installed a new kernel, reboot the server so the new kernel takes effect; until you do, the running kernel (check it with uname -r) is still the old, unpatched one, even though rpm reports the new version as installed. If it is a live production server you may want to wait until an off-peak hour to do the reboot and continue with this article in the meantime.
cPanel PCI Compliance Step 2
Now that the OS packages are up to date, it's time to set up a firewall if you don't have one already.
A good free iptables-based firewall is APF (Advanced Policy Firewall) from RF-X Networks; you can download it here:
While you're at it, get and install BFD (Brute Force Detector) and LSM (Linux Socket Monitor), which are also available on the RF-X Networks site.
The main things to configure are the allowed ports in the APF config file, both ingress AND egress (egress filtering is off by default, so turn it on and list only the outbound ports the server actually needs), and then an ACL using the allow and deny hosts files that ship with APF. For the ACLs, block every service that should not be open to the public but that certain IPs still need to reach: for example SSH, cPanel, WHM, and maybe webmail. Your allow line for cPanel will look like this:
Notice that we used port 2083 (cPanel over SSL) and not the insecure plaintext cPanel port 2082, which we have blocked in the APF config file. Then, so that everyone not explicitly allowed is denied, add this to the deny hosts file:
The reasoning is to not give an attacker even a chance to connect: (1) if they have your password, (2) if they are trying to brute-force their way in, or (3) if there is an exploit that lets them bypass the authentication mechanism, they still cannot reach the login page from an address that is not on the allow list.
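As an added illustration (not the article's own files and not from the APF project), the shell script below writes the conf.apf port lists and the allow/deny host rules described in Step 2 into a scratch directory and then checks them: that the SSL ports are in the ingress list, that the plaintext port 2082 is not, and that every port in the deny file has at least one explicit allow, so you do not lock yourself out. The rule syntax proto:flow:d=port:s=ip, the variable names IG_TCP_CPORTS/EG_TCP_CPORTS/EGF, the scratch directory, and the admin address 203.0.113.10 are assumptions; compare them against the comments in your own /etc/apf/ files before copying anything there.

```shell
#!/bin/sh
# Added example: builds and checks APF-style files for the Step 2 ACL.
# Everything below is an assumption about APF's file formats, not the
# article's or APF's own configuration.

APF_DIR="${APF_DIR:-./apf-example}"   # real APF lives in /etc/apf
ADMIN_IP="203.0.113.10"               # constructed admin address (RFC 5737 test range)

# Write conf.apf port lists plus allow/deny host rules into $APF_DIR.
write_apf_example() {
  mkdir -p "$APF_DIR"
  # Ingress: web plus the SSL control-panel ports only (2083 cPanel, 2087 WHM,
  # 2096 webmail). The plaintext ports 2082/2086/2095 are deliberately absent.
  # EGF="1" turns on egress filtering; list only what the box must reach out to.
  cat > "$APF_DIR/conf.apf" <<'EOF'
EGF="1"
IG_TCP_CPORTS="80,443,2083,2087,2096"
EG_TCP_CPORTS="21,25,43,80,443"
EG_UDP_CPORTS="53"
EOF
  # allow_hosts.rules: assumed format proto:flow:d=port:s=ip
  cat > "$APF_DIR/allow_hosts.rules" <<EOF
# proto:flow:[s/d]=port:[s/d]=ip (assumed APF rule syntax)
tcp:in:d=22:s=$ADMIN_IP
tcp:in:d=2083:s=$ADMIN_IP
tcp:in:d=2087:s=$ADMIN_IP
EOF
  # deny_hosts.rules: a rule with no source denies the port to everyone
  # not matched earlier by an allow rule (assumed APF semantics).
  cat > "$APF_DIR/deny_hosts.rules" <<'EOF'
tcp:in:d=22
tcp:in:d=2083
tcp:in:d=2087
EOF
}

# apf_port_listed VAR PORT: exit 0 if conf.apf's VAR="..." list contains PORT.
apf_port_listed() {
  ports=$(sed -n "s/^$1=\"\(.*\)\"/\1/p" "$APF_DIR/conf.apf")
  echo ",$ports," | grep -q ",$2,"
}

# apf_egress_enabled: exit 0 if EGF="1" is set in conf.apf.
apf_egress_enabled() {
  grep -q '^EGF="1"' "$APF_DIR/conf.apf"
}

# apf_deny_has_allow: exit 0 only if every port denied to all in
# deny_hosts.rules has an explicit source-specific allow rule, i.e. the
# administrator will still be able to get in after the rules load.
apf_deny_has_allow() {
  for port in $(sed -n 's/^tcp:in:d=\([0-9]*\)$/\1/p' "$APF_DIR/deny_hosts.rules"); do
    grep -q "^tcp:in:d=$port:s=" "$APF_DIR/allow_hosts.rules" || return 1
  done
  return 0
}

# Usage: generate the scratch files and report the lockout check.
write_apf_example
apf_port_listed IG_TCP_CPORTS 2082 && echo "WARNING: plaintext cPanel port 2082 is open"
apf_deny_has_allow && echo "every denied port has an explicit allow for $ADMIN_IP"
```

Run it once in a scratch directory, then compare the generated files with the comments at the top of your real /etc/apf/allow_hosts.rules and deny_hosts.rules; if the syntax there differs, adjust the heredocs, not the checks. The lockout check is the part worth keeping: run it before apf -r on a remote server, because a deny rule without a matching allow is the quickest way to lose SSH.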
cPanel PCI Compliance Step 3