Trust Guard, Apache & Rails

Posted under: Behind the Scenes

We recently added the Trust Guard service to VendorRisk.com.  As part of the package we purchased, Trust Guard scans our server each day looking for vulnerabilities.  On the first scan, it found 4 “medium risk” issues that had to be resolved in order to pass PCI compliance.  Here are the issues and what we did to resolve them.

  1. mDNS/Bonjour port
    Port 5353 is for the Bonjour/mDNS protocol, which according to Trust Guard “allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.”  To resolve this issue, you’ll want to close port 5353 by turning off the avahi-daemon:

    sudo /sbin/chkconfig avahi-daemon off
    sudo /etc/rc.d/init.d/avahi-daemon stop
  2. Weak SSL ciphers
    The old Apache configuration file was too broad in what SSL connections it accepted.  The new configuration now looks like this:

    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
  3. memcached
    The version of memcached running on the server was outdated and needed to be upgraded to version 1.2.8.  Luckily, VendorRisk does not utilize memcached, so the best solution was to stop the service.
  4. HTTP request methods
    In addition to the well-known HTTP request methods (POST, GET, etc.), Apache supports a number of others.  Unfortunately, Rails only recognizes six of them (GET, HEAD, PUT, POST, DELETE and OPTIONS), so each day that Trust Guard ran the scan, we’d get bombarded with UnknownHttpMethod errors generated from the site.  One way to fix the issue is to trap the errors within the site code, but a quicker, more efficient approach is to block those methods in Apache, so that the request never makes its way to Rails.  The relevant lines in Apache now look like this:

    RewriteEngine On
    # Only allow methods that Rails supports
    RewriteCond %{REQUEST_METHOD} !(GET|HEAD|PUT|POST|DELETE|OPTIONS)
    RewriteRule .* - [F]
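For comparison, here is the other route mentioned above, trapping the unknown methods in the site code rather than in Apache.  This is an added example, not VendorRisk’s code: a small Rack middleware that answers any method outside the six Rails recognizes with 405 and an Allow header, before the request reaches the application.  The inner app and the request env are constructed stand-ins for Rails.

```ruby
require 'stringio'

# Rack middleware that rejects HTTP methods Rails does not recognize
# before the request reaches the application (added example).
class AllowedMethods
  # The six methods Rails recognizes, as listed in the post above.
  DEFAULT_METHODS = %w[GET HEAD PUT POST DELETE OPTIONS].freeze

  def initialize(app, methods = DEFAULT_METHODS)
    @app = app
    @methods = methods.map(&:upcase).freeze
  end

  def call(env)
    method = env['REQUEST_METHOD'].to_s.upcase
    return @app.call(env) if @methods.include?(method)

    # Apache's [F] flag answers 403; a 405 with an Allow header is the
    # HTTP-level answer for a method the server does not support.
    body = "Method #{method} not allowed\n"
    [405,
     { 'Content-Type'   => 'text/plain',
       'Content-Length' => body.bytesize.to_s,
       'Allow'          => @methods.join(', ') },
     [body]]
  end
end

# Constructed stand-in for the Rails app downstream of the middleware.
INNER_APP = lambda { |_env| [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] }
GUARD = AllowedMethods.new(INNER_APP)

# Build the minimal Rack env the middleware needs (constructed input).
def make_env(method, path = '/')
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'rack.input' => StringIO.new }
end

# Status the stack returns for a given request method.
def status_for(method)
  GUARD.call(make_env(method)).first
end

if __FILE__ == $PROGRAM_NAME
  %w[GET POST OPTIONS TRACE PROPFIND].each do |m|
    puts format('%-9s -> %d', m, status_for(m))
  end
end
```

In a Rails app this would be registered with config.middleware.use in the environment configuration, and the scanner’s extra methods then show up as 405s in the Apache access log instead of UnknownHttpMethod exceptions.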

Hopefully this saves you some time if you’re also thinking about using Trust Guard with an Apache-based Rails app.
