pci compliance help

E

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Hi Guys.

For PCI compliance I need to disable TRACK and TRACE.
I used to be able to to do this by adding the following to httpd.conf
Code: 
RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F] 
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
Since EA3 this no longer works. I have tried it in the main httpd.conf as well as the includes and no luck.
Anyone have been able to get these disabled lately?

Thanks in advance for any help.
 
rpmws

rpmws

Well-Known Member
Aug 14, 2001
1,787
10
318
back woods of NC, USA
EWD said:
Hi Guys.

For PCI compliance I need to disable TRACK and TRACE.
I used to be able to to do this by adding the following to httpd.conf
Code: 
RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F] 
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
Since EA3 this no longer works. I have tried it in the main httpd.conf as well as the includes and no luck.
Anyone have been able to get these disabled lately?

Thanks in advance for any help.
Click to expand...
how about in a .htaccess file in the root of one of the sites? just for the hell of it??
 
E

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Hi,

Yes, that would help for one site. We need it to be server-wide.

I have found that the code above does not work for trace anymore for whatever reason.
Instead you need to add TraceEnable Off to httpd.conf

So what I did was edit /usr/local/apache/conf/includes/pre_main_global.conf and added:
Code: 
<Directory "/">
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACK
RewriteRule .* - [F]
</Directory>
Also added TraceEnable Off to httpd.conf and that seems to have done the trick.

Thanks for the help and I hope this info helps someone else looking for the same. ;)
 
R

robb3369

Well-Known Member
Mar 1, 2008
122
1
68
cPanel Access Level
Root Administrator
mod_security

This can also be addressed via mod_security (installed via Easy Apache) with the default configuration:

Code: 
# allowed request methods
SecRule REQUEST_METHOD "!^(?:GET|POST|OPTIONS|HEAD)$" \
    "phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
psytanium PayPal PCI Compliance security issues Security 4
I Weak Ciphers - Failing Scan PCI Compliance Security 1
R Trustwave failing PCI compliance : TLSv1.0 Supported: Port: tcp/2224 Security 1
BubbaTrading Disable Weak RC4 Ciphers PCI Compliance Q2 of 2019 Security 3
M PCI Compliance and "help.php" Security 2
Similar threads
PayPal PCI Compliance security issues
Weak Ciphers - Failing Scan PCI Compliance
Trustwave failing PCI compliance : TLSv1.0 Supported: Port: tcp/2224
Disable Weak RC4 Ciphers PCI Compliance Q2 of 2019
PCI Compliance and "help.php"
Top Bottom