cPanel PCI Compliance

This week I randomly found myself dealing with two sites that 'do things with Alpacas'. Both were using cPanel, and both were looking at PCI compliance with the same Approved Scanning Vendor (ASV), in this case Trustwave... or PayPal by any other name.

For any host that needs to deliver sensitive information, the work starts with deciding how best to protect it. So let's assume that this has been done - OR - in my case - you are presented with two cPanel hosts and asked to make good.

If you can - get the email handled elsewhere.

If you are behind someone else's firewalls, TLS for FTP may simply not be an option for you if they expect PASV to be used. If that is the case, turn off FTP, make sure it cannot be connected to, lock it down to the IPs that require it, and so on.

So yes - WHM access is required - so get going....


// Apache

Apache configuration > Global Configuration
SSL/TLS Protocols
all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSL Cipher Suite
Rebuild Configuration and Restart Apache

// Dovecot

Mailserver Configuration
SSL Protocols
!SSLv2 !SSLv3 !TLSv1 !TLSv1.1
Cypher Protocols
(This will upset older operating systems, which will fail to connect because the ciphers postdate them.)
Save Changes

// cPanel's own services - WHM, cPanel, Webmail

cPanel Web Services Configuration

// Exim

Exim Configuration Manager
advanced editor
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

// WebDisk, DAVFS, CalDav, CardDav

cPanel Web Disk Configuration

// Checking Our Work

The following at the console will show whether you are still allowing any filthy TLSv1 or similar - easily done with a copy-paste error. ASV scans take forever, so check what you can first (replace <hostname> with the host under test):

nmap --script ssl-enum-ciphers -p 443,993,995,2087,2078,2083,2096,465 <hostname>
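As an added example (not part of the original post), a small Python script that runs the nmap check above across all the listed ports in one go and flags anything the settings above should have removed: SSLv2/SSLv3/TLSv1.0/TLSv1.1 still offered, or ciphers that nmap grades below "A". It assumes nmap is installed; the embedded sample output is constructed for the offline self-check.

```python
import re
import subprocess

# Ports the post checks: Apache, Exim SMTPS, IMAPS, POP3S, WebDisk, cPanel, WHM, Webmail.
CPANEL_TLS_PORTS = [443, 465, 993, 995, 2078, 2083, 2087, 2096]
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1(?:\.\d)?):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)(?: \([^)]*\))? - ([A-F])\s*$")

# Constructed sample of `nmap --script ssl-enum-ciphers` output (not a real scan).
SAMPLE_OUTPUT = """PORT     STATE SERVICE
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C
993/tcp  open  imaps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
"""


def audit_nmap_output(text):
    """Return {port: {"legacy_protocols": [...], "weak_ciphers": [...]}} for
    ports that still offer a forbidden protocol or a sub-"A" cipher."""
    findings, port = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            continue
        m = PROTO_RE.match(line)
        if port is not None and m and m.group(1) not in ALLOWED_PROTOCOLS:
            findings.setdefault(port, {"legacy_protocols": [], "weak_ciphers": []})["legacy_protocols"].append(m.group(1))
            continue
        m = CIPHER_RE.match(line)
        if port is not None and m and m.group(2) != "A":
            findings.setdefault(port, {"legacy_protocols": [], "weak_ciphers": []})["weak_ciphers"].append(f"{m.group(1)} ({m.group(2)})")
    return findings


def scan_host(host, ports=CPANEL_TLS_PORTS):
    """Run the post's nmap check against every port at once and audit the result."""
    cmd = ["nmap", "--script", "ssl-enum-ciphers", "-p", ",".join(map(str, ports)), host]
    return audit_nmap_output(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)
```

An empty result from scan_host means every port offered only TLSv1.2/1.3 with "A" graded ciphers; anything else is listed per port so you know which WHM screen to revisit.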


// Note Well

Keep in mind that this was good at the time of the issue.... until the next great SSL terror... and the hope is that TLSv1.2 and the fledgling TLSv1.3 will not be a liability a year or so down the line.

This is intended as an aide-memoire (as with many of these articles) so I don't have to rediscover things time after time. If it helps - great. If it needs correction - let me know. Cheers.


2 Responses to “cPanel PCI Compliance”

  • Why is SSLv23 in your protocol list for CP ports?

    • anthony
      5 years ago

      Good afternoon Denver – because ‘taken from old notes’ I should imagine. Sorry about that. What would you like to see here now then? I will revisit at some point – but would appreciate your input.
