Getting Your cPanel Linux Server PCI Compliant

cPanel PCI Compliance Step 1 First thing first, run a package update.

yum -y update

If it installed a new kernel, reboot the server so the new kernel takes affect. If its a live production server you may want to wait until an off-peak hour to do the reboot and continue with this article.

cPanel PCI Compliance Step 2 Now that you have the OS packages secure, its time to setup a firewall if you don't have one already.

A good free IPtables based firewall is the APF (Advanced Policy Firewall) firewall from RF-X Networks, you can download that here:

wget http://www.rfxn.com/downloads/apf-current.tar.gz

While your at it, get and install the BFD (Brute Force Detector) and LSM (Linux Socket Monitor) which are also available on the RF-X Networks site.

The main things you want to configure are the allowed ports in the APF config file, both ingress AND egress, and then you want to setup an ACL by using the allow and deny hosts files that come with APF. For the ACL's you want to block everything you don't want public access to, but still need certain IPs to access. For example SSH, cPanel, WHM, and maybe webmail. For example your allow line for cpanel will look like this:

tcp:in:d=2083:s=123.123.123.123

Noticed, we used port 2083 and not the insecure cpanel port 2082, which we have blocked in the APF config file. And then so you have a deny from all that are not explicitly allows, add this to the deny hosts file:

tcp:in:d=2083:s=0/0

The reasoning behind this is to not even give anyone a chance to get in, if #1, they have your password, #2, they are trying to brute force their way in, #3, there is an exploit in which they are able to bypass the authentication means. cPanel PCI Compliance Step 3

Full Story