In order to gain PCI compliance (at least level 4, which is what most small to medium eCommerce sites need to pass these days) you need to make certain changes to your Plesk configs.
I have tried to list them all here to make the job as simple and as painless as possible!
First of all, you need to disable SSLv2 everywhere … this includes Apache, Courier IMAP and Postfix and even WordPress if you’re using it on your site!
Postfix
Update main.cf and add the following
smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Courier IMAP
Edit /etc/courier-imap/imapd-ssl and change TLS_CIPHER_LIST to the following
TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:@STRENGTH"
and do the same for /etc/courier-imap/pop3d-ssl
TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:@STRENGTH"
Next, Apache
Create a file in /etc/httpd/conf.d – we use one called fido.conf.
In it, make sure you have the following
<IfModule mod_ssl.c>
# Disable acceptance of weak SSL ciphers
SSLCipherSuite HIGH:MEDIUM:!ADH
# Disable any connection attempts using SSLv2
SSLProtocol all -SSLv2
</IfModule>
# This directive controls whether the server response header field, which is
# sent back to clients, includes a description of the generic OS-type of
# the server as well as information about compiled-in modules.
# See http://httpd.apache.org/docs/current/mod/core.html#servertokens
ServerTokens Prod
# Disables the footer on server-generated documents, hiding the version of
# Apache being used.
# See http://httpd.apache.org/docs/current/mod/core.html#serversignature
ServerSignature Off
# Disable the TRACE method so attackers cannot use it to intercept the session ID
TraceEnable off
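Before paying for a re-scan it is worth checking that none of the three edits above was missed (a Courier file left on its default cipher list is an easy one to overlook). The following audit script is an added example, not part of the original post or of Plesk itself; the audit_* function names are mine and the file contents it reads are constructed samples rather than real server files.

```python
def _directive_values(text, name, key_value=False):
    """Values set for `name`, comments stripped and quotes removed. key_value=True
    parses KEY=VALUE lines (Postfix, Courier); otherwise 'Directive value' (Apache)."""
    values = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = line.split("=", 1) if key_value else line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = (p.strip() for p in parts)
        if key.lower() == name.lower():
            values.append(val.strip("\"'"))
    return values  # last element wins, as it does for Apache and Postfix

def audit_cipher_lists(text, keys, label):
    """Each KEY=VALUE cipher list must be set and carry the !SSLv2 exclusion token."""
    findings = []
    for key in keys:
        vals = _directive_values(text, key, key_value=True)
        if not vals or "!SSLv2" not in vals[-1].split(":"):
            findings.append(f"{label}: {key} does not exclude SSLv2")
    return findings

def audit_apache(conf):
    """SSLv2 must be removed from SSLProtocol; version and TRACE disclosure closed."""
    findings = []
    proto = _directive_values(conf, "SSLProtocol")
    if not proto or "-SSLv2" not in proto[-1].split():
        findings.append("apache: SSLProtocol does not disable SSLv2")
    for name, want in ("ServerTokens", "prod"), ("ServerSignature", "off"), ("TraceEnable", "off"):
        vals = _directive_values(conf, name)
        if not vals or vals[-1].lower() != want:
            findings.append(f"apache: {name} should be {want}")
    return findings

def audit_plesk(main_cf, imapd_ssl, pop3d_ssl, apache_conf):
    """Run every check on the four file contents; an empty list means all settings are in place."""
    return (audit_cipher_lists(main_cf, ("smtpd_tls_cipherlist", "smtp_tls_cipherlist"), "postfix")
            + audit_cipher_lists(imapd_ssl, ("TLS_CIPHER_LIST",), "courier imapd-ssl")
            + audit_cipher_lists(pop3d_ssl, ("TLS_CIPHER_LIST",), "courier pop3d-ssl")
            + audit_apache(apache_conf))

# Constructed sample files (not from a real server): Postfix and IMAP hardened, POP3 and Apache not.
SAMPLE_MAIN_CF = ("smtpd_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3\n"
                  "smtp_tls_cipherlist = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3\n")
SAMPLE_IMAPD_SSL = 'TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:!SSLv2:@STRENGTH"\n'
SAMPLE_POP3D_SSL = '##NAME: TLS_CIPHER_LIST:0\nTLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:@STRENGTH"\n'
SAMPLE_APACHE = "SSLProtocol all\nServerTokens Prod\nServerSignature Off\n"
if __name__ == "__main__":
    print("\n".join(audit_plesk(SAMPLE_MAIN_CF, SAMPLE_IMAPD_SSL, SAMPLE_POP3D_SSL, SAMPLE_APACHE)))
```

On a real box, read /etc/postfix/main.cf, the two Courier files and your conf.d file into the four arguments instead of the samples.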
In addition to securing the Apache configs, you also need to secure the Apache directories: make sure that directory indexes are turned off, or that a blank index.html exists in each directory, so that an attacker can't browse around behind the scenes. You also need to ensure that any source control directories are blocked (such as .svn, .cvs, etc). The following .htaccess file snippet covers this and more.
WordPress
WordPress has a number of forms which accept passwords in plain text. The mere presence of these on your server can cause you to fail the PCI scan. The following, added to your .htaccess file, should stop the scanner complaining.
.htaccess file
# PCI Compliance
<IfModule mod_rewrite.c>
RewriteEngine On
# Block access to hidden files and directories (including .svn, .cvs, etc).
# In .htaccess context the matched path has no leading slash, so the rule
# anchors on (^|/) rather than a literal "/" to also catch dot-directories at the site root.
RewriteRule (^|/)\..*(/.*|$) - [R=404,L]
</IfModule>
<Files wp-login.php>
Order Deny,Allow
Deny from All
# IPv4 addresses you trust
Allow from your.ip.address
Allow from x.x.x.x
# IPv6 addresses which you trust
Allow from xx:xx:xx:xx::/64
Allow from yyyy:yyyy:yy::/48
</Files>
Once done, re-run your PCI scan and see what else (if anything) they complain about. If you are running the latest Plesk (v11) and also have your OS fully up to date, then you should be pretty close to being clean and passing that all-important PCI scan.