Friday 11 May 2012

Fun with servers

Every three months, I have to get my computers checked for the PCI DSS, that's the Payment Card Industry Data Security Standard, which is meant to ensure that naughty people don't steal credit card data from my systems.

Of course, it doesn't work; huge thefts of card data still happen despite the PCI DSS, I read about them all the time. But SOMETHING MUST BE DONE, or at least something must appear to be done. Cynics call this "Security theater".

Still, who am I to say "nonsense"? Against the likes of Visa and Mastercard, I am floccipaucinihilipilification. So, every three months, I have to get my servers scanned. And that means now.

So I did. And it came back with problems; two new security issues have been discovered on my server called Vicky (actually, on pretty much every server in the world), and to get a pass mark, I have to do something to stop them affecting me. Specifically, I have to upgrade my web server Apache to 2.2.22 or later, and also deal with a problem called "BEAST", which is a way that the encryption of credit card data between my server and your browser can be broken. And if someone breaks that, they can steal credit card numbers en route, which would be bad.

So I started off by upgrading Apache. That's free software, and easy to get, so I got version 2.4.2. And, wouldn't you know it, but they've changed the way you compile and install it, to such an extent that I couldn't find a way to do it, and after a couple of hours, I said "Blow this" (or worse) and went for 2.2.22, which compiled and installed much more easily.

BEAST wasn't so easy to deal with, and I spent quite a long time trying to understand the problem and googling, before I finally came up with the answer. The answer, oddly enough, is that I have to use a weaker encryption system, but one which isn't affected by BEAST, which only breaks block ciphers.
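As an added illustration (not from the original post, and not the author's actual configuration), here is what the 2012-era BEAST workaround amounted to in Apache 2.2 mod_ssl: the server is made to impose its own cipher preference and to put the RC4 stream cipher ahead of the CBC-mode block ciphers that BEAST attacks. The directive values are assumed typical settings.

```apache
# Before: the client's preference wins, and in 2012 nearly every client
# preferred a CBC-mode block cipher (AES or 3DES) over TLS 1.0, which is
# exactly the combination BEAST attacks.
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

# After (the workaround the post describes): make the server's order win and
# list the RC4-SHA stream cipher first, so TLS 1.0 clients that offer it never
# end up on a CBC suite. "HIGH" stays in the list for clients without RC4.
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite RC4-SHA:HIGH:!aNULL:!MD5:!ADH:!LOW:!EXP

# Caveat: this trades one weakness for another. RC4 itself was shown to be
# broken in 2013 and is now prohibited in TLS (RFC 7465); the lasting fix is
# TLS 1.1 or later with non-CBC (AEAD) suites, plus browsers' own 1/n-1
# record-splitting mitigation. Treat the above as a 2012 snapshot only.

# Check from a shell (your own server, assumed hostname): offer the server a
# CBC suite first and RC4 second; with SSLHonorCipherOrder on it should
# report "Cipher    : RC4-SHA" in the handshake summary.
#   openssl s_client -tls1 -cipher 'AES128-SHA:RC4-SHA' -connect www.example.com:443
```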

So I did all that, and resubmitted Vicky for a scan, and the scanner came back with oodles of problems, all of which boiled down to the fact that I needed to use a more recent version of OpenSSL (because in rebuilding Apache, I'd used an older version). So I got that, and tried to use it to make my Apache, but I just couldn't work out how to bring it in.

Time for Plan B. Plan B was to use Linux Fedora version 16 (I'd been on version 9, which is four years old). So I installed a server to be called Vicky using that, and was pleased to see that it was using Apache 2.2.22 and a sufficiently recent version of OpenSSL. I then spent an hour configuring it to have the same stuff as the old Vicky. Configuring Apache to be like the old Vicky wasn't easy, because they changed the way configuration files work (again). Plus there were lots of other things to set up. Then I tested email.

I have a really complicated email system. I have three email servers, plus I use AOL (it's free, and really easy to create accounts, so you can make an AOL account that you're only going to use for a short time, and stop using it when the spam gets bad, although AOL have decent spam filters). I have a server (called Sadie) which goes to each of my mail servers (Mail1, Mail2 and Vicky), and to AOL, and a few other places where I have bits and bobs of email, and collects my mail from all of them, despams it, and sorts it, and I get it all in one place. Vicky is one of my mail servers, so I tested that it was working by sending an email from AOL to it (because to test email, you need to send an email from "outside"). The email didn't arrive. Aaarghhh. So I spent an hour fuffing about before I finally realised that actually it had arrived.

But my email collection wasn't working. For that to work, I run an IMAP server on Vicky (and my other servers), and Fetchmail on the server I read email from. For IMAP services, I run Dovecot. Dovecot has been fine for me for years, but now? I couldn't connect to it. I couldn't even connect to Dovecot from the server it was running on. So, back to Google. And this one took a *lot* of googling, but finally I found out that it was in the configuration of Dovecot, which they've changed (of course), and now the default is that Dovecot won't let you connect to it unless you're "localhost". It was very easy to change that once I knew what to change and which configuration file it was in, so I did that, and now Dovecot works. Hurrah!

But Fedora 16 numbers users from 1000 upwards, whereas Fedora 9 numbered users from 500 upwards, so I had two different user numbers on the old and new systems, so it thought I was two different people, and quite rightly wouldn't give either access to the other's files. So I sorted that out by renumbering user numbers and changing file ownerships.

So I now had a Vicky that would, I hoped, pass the PCI DSS scan. So I tried to scan it.

Thirteen hours later, the report from Comodo (the scanning service) was still "scanning". Time for some technical support. I tried their "livechat", but that only does SSL issues, so I emailed them. They emailed me back giving me a ticket number, but when I tried to look at the ticket, the login system wouldn't accept the username and password that was working for their PCI DSS system, so I emailed them again. That got me a password that did work, and I can look at my old tickets, but I can't see the current one. So I emailed them again, and at this moment, I have no reply.

So I phoned their UK number, and the folks there can't help with this, I have to wait until the Americans wake up and get to work.

And you know what? I bet 99% of people taking credit card data over the internet haven't dealt with *either* of these problems yet. Especially BEAST, which is a pig of a problem.
