This section describes the steps that you should take if you want to
secure your server and achieve compliance with PCI DSS on a Linux
server.
Installing the latest version of software
Before you begin, it is recommended to update all the software on your
server to the latest versions, if it is possible.
Disabling weak SSL/TLS ciphers and protocols
Next, you need to run the PCI Compliance Resolver utility available from
the Plesk installation directory. This will disable weak SSL/TLS ciphers
and protocols for web and e-mail servers operated by Plesk, and will
also make other security changes.
To run the utility:
Log in to the server shell.
Issue the following command:
plesk sbin pci_compliance_resolver {--enable|--disable} [<service>]
The following values may be used for the <service> argument:
-
panel- Applying security changes for sw-cp-server (nginx for
Plesk). -
apache- Applying security changes for Apache server. -
courier- Applying security changes for Courier IMAP. -
dovecot- Applying security changes for Dovecot. -
qmail- Applying security changes for qmail. -
postfix- Applying security changes for Postfix MTA. -
proftpd- Applying security changes for ProFTPd. -
all- Applying security changes for all installed services
described above. This is a default value.
Running the utility with the --enable option applies the following
security changes to the specified services:
- Sets the following list of ciphers:
"EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES". - On the latest versions of…