Question
How to configure a Linux server with Plesk installed to meet PCI Compliance?
Answer
While the topic of achieving full PCI compliance for a server is a very broad one and is subject to change as the years go by, the PCI Compliance Resolver utility is available from the Plesk installation directory and can shorten the process of achieving PCI compliance on any server significantly.
It can disable weak SSL/TLS ciphers and protocols for web and e-mail servers operated by Plesk, and apply many other security changes, all of which are mentioned in more detail on the following page of the Plesk Obsidian documentation (along with other manual actions related to the process of achieving PCI compliance):
(Plesk for Linux) Tune Plesk to Meet PCI DSS
If you want to apply all of the mentioned security settings for all services listed on the page above, you should follow these steps:
-
Connect to the server via SSH
-
Execute the following command:
# plesk sbin pci_compliance_resolver --enable all
Note: The currently known limitations of the PCI Compliance Resolver utility are listed below:
- The protocols for qmail mail agent cannot be configured; therefore, qmail is not secure enough to satisfy PCI DSS. It is recommended to use Postfix instead.
- Ciphers for qmail cannot be changed via Plesk utilities (though it is possible to change them via the configuration file).
- TLSv1.1 and TLSv1.2 are not supported on CentOS 5, Red Hat Enterprise Linux 5, and CloudLinux 5.
The DH parameter’s size cannot be managed for Apache from OS vendor (CentOS 5, Red Hat Enterprise Linux 5, CloudLinux 5). - SSL/TLS compression is not disabled on Debian 7 for ProFTPd, Dovecot, and Postfix.