PCI compliant servers

Server changes

Intrusion prevention

Lynis and Linux audit daemon

Configured the audit daemon (auditd) to log administrator commands, changes to the password file, etc.
Lynis security audit software has been installed and configured in cron to send alerts about security warnings on the system. (All existing warnings have already been addressed.)

ModSecurity and Fail2ban

ModSecurity for Nginx is installed and configured with two rulesets: the OWASP ruleset and the Trustwave commercial ruleset. The former uses anomaly-score-based detection, the latter signature-based detection.

  • Fail2ban jails configured specifically for Magento
  • Fail2ban jail for ModSecurity is configured. It monitors the ModSecurity audit log and bans for 1 day any IP that triggered a 403 (Forbidden) two or more times within 20 minutes. Ban and unban actions are announced in the Slack “server” channel.
  • Fail2ban jail for repeat offenders. It monitors one year of Fail2ban’s own log and bans IPs that have already been banned 3 or more times for 6 months on all ports. Ban and unban actions are announced in the Slack “server” channel.
  • Nginx access and error logs are stored for one year
  • Disabled Mage_Rss
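The two Fail2ban jails above (ModSecurity: 2 hits in 20 minutes, 1-day ban; repeat offenders: 3 prior bans within a year, 6-month ban) are both instances of the same sliding-window rule. The following is an added illustration, not the server's Fail2ban configuration: it replays constructed log lines through that rule and returns the ban decisions. The input formats are assumptions. The ModSecurity events are reduced to one "timestamp ip status" line per request (the real audit log is multi-section), the Fail2ban log lines follow the "fail2ban.actions ... NOTICE [jail] Ban IP" shape, and the jail name "magento" is hypothetical.

```python
"""Sliding-window ban logic mirroring the ModSecurity and repeat-offender jails.

Added example. Assumptions: simplified one-event-per-line ModSecurity input,
Fail2ban-style ban log lines, ban decisions returned as data (no firewall calls).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Thresholds taken from the jail descriptions on this page.
MODSEC_FINDTIME = timedelta(minutes=20)
MODSEC_MAXRETRY = 2
MODSEC_BANTIME = timedelta(days=1)

RECIDIVE_FINDTIME = timedelta(days=365)
RECIDIVE_MAXRETRY = 3
RECIDIVE_BANTIME = timedelta(days=180)

# Constructed sample: "<date> <time> <client ip> <http status>", as a filter would
# extract from the ModSecurity audit log. Only 403 responses count as hits.
SAMPLE_MODSEC_EVENTS = """\
2024-01-10 12:00:01 203.0.113.5 403
2024-01-10 12:05:30 203.0.113.5 403
2024-01-10 12:30:00 198.51.100.7 403
2024-01-10 12:55:00 198.51.100.7 403
2024-01-10 13:00:00 198.51.100.7 200
"""

# Constructed sample of Fail2ban's own log (jail name "magento" is hypothetical).
SAMPLE_FAIL2BAN_LOG = """\
2023-03-01 08:00:00,001 fail2ban.actions        [812]: NOTICE  [modsecurity] Ban 203.0.113.5
2023-09-15 09:10:00,002 fail2ban.actions        [812]: NOTICE  [magento] Ban 203.0.113.5
2024-01-10 12:05:30,003 fail2ban.actions        [812]: NOTICE  [modsecurity] Ban 203.0.113.5
2022-01-01 00:00:00,004 fail2ban.actions        [812]: NOTICE  [modsecurity] Ban 198.51.100.7
2024-01-02 00:00:00,005 fail2ban.actions        [812]: NOTICE  [modsecurity] Ban 198.51.100.7
2024-01-03 00:00:00,006 fail2ban.actions        [812]: NOTICE  [modsecurity] Ban 198.51.100.7
"""

EVENT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\d{3})$")
F2B_BAN_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[([^\]]+)\] Ban (\S+)$"
)


def parse_403_events(text):
    """Yield (timestamp, ip) for every 403 in the simplified ModSecurity event lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m and m.group(3) == "403":
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def parse_fail2ban_bans(text):
    """Yield (timestamp, ip) for every ban in Fail2ban's log, excluding the recidive
    jail's own bans so a long ban is not counted as a new offence."""
    events = []
    for line in text.splitlines():
        m = F2B_BAN_RE.match(line.strip())
        if m and m.group(2) != "recidive":
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3)))
    return events


def sliding_window_bans(events, findtime, maxretry, bantime):
    """Ban an IP once it has >= maxretry hits within findtime; return (ip, start, end).
    Hits that arrive while an IP is banned are skipped, since the firewall would have
    dropped them, and the window restarts after each ban."""
    recent = defaultdict(deque)
    banned_until = {}
    bans = []
    for ts, ip in sorted(events):
        if ip in banned_until and ts < banned_until[ip]:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ip, ts, ts + bantime))
            banned_until[ip] = ts + bantime
            window.clear()
    return bans


def run_demo():
    """Apply both jails to the constructed samples; returns (modsec_bans, recidive_bans)."""
    modsec = sliding_window_bans(parse_403_events(SAMPLE_MODSEC_EVENTS),
                                 MODSEC_FINDTIME, MODSEC_MAXRETRY, MODSEC_BANTIME)
    recidive = sliding_window_bans(parse_fail2ban_bans(SAMPLE_FAIL2BAN_LOG),
                                   RECIDIVE_FINDTIME, RECIDIVE_MAXRETRY, RECIDIVE_BANTIME)
    return modsec, recidive


if __name__ == "__main__":
    for jail, bans in zip(("modsecurity", "recidive"), run_demo()):
        for ip, start, end in bans:
            print(f"[{jail}] Ban {ip} from {start} until {end}")
```

In the sample, 203.0.113.5 triggers two 403s five minutes apart and is banned for a day, while 198.51.100.7's two 403s are 25 minutes apart and stay under the threshold; in the repeat-offender replay, 203.0.113.5 has three bans within a year and gets the 6-month ban, whereas 198.51.100.7's 2022 ban falls outside the one-year window, so its two recent bans do not qualify.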

Intrusion detection

Linux Malware Detect + ClamAV

LMD is set up to monitor all website file writes and scan them for malware. It is coupled with ClamAV, which it uses as its scanning engine.
ClamAV in its turn has detection for CC (credit card) structured data. Notifications for detected malware or structured data are sent to Slack #server.

ClamAV (with LMD signatures) is set up for daily scans of the whole system (without CC data detection) and of the website files (with CC data detection).
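"CC structured data" detection means looking for digit sequences that have the shape of a card number and pass the Luhn checksum, then flagging a file once enough distinct numbers appear. The following added example shows that logic in Python; it is not ClamAV's code, and the sample files, the 3-number threshold and the card numbers (well-known test numbers) are constructed for the demonstration.

```python
"""Luhn-based card-number detection of the kind ClamAV's structured-data scan performs.

Added example, not ClamAV's implementation. The threshold and sample inputs are assumptions.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: an export that still holds full card numbers (a PCI finding).
SAMPLE_ORDER_EXPORT = """\
order_id,customer,pan,note
100001,alice,4111 1111 1111 1111,test card
100002,bob,5555-5555-5555-4444,test card
100003,carol,378282246310005,test card
100004,dave,4111111111111112,luhn invalid - ignored
"""

# Constructed sample: a clean log line with a 16-digit tracking number that fails Luhn.
SAMPLE_CLEAN_LOG = """\
order 100005 placed by erin, total 1299.00, tracking 1234567890123456
"""


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if > 9, sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the distinct Luhn-valid card-like numbers in text, separators removed."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def contains_structured_cc_data(text, min_count=3):
    """Flag the text when at least min_count distinct valid card numbers are present;
    the count threshold keeps a single stray number from raising an alert."""
    return len(find_pans(text)) >= min_count


if __name__ == "__main__":
    for name, sample in (("order export", SAMPLE_ORDER_EXPORT), ("clean log", SAMPLE_CLEAN_LOG)):
        pans = find_pans(sample)
        print(f"{name}: {len(pans)} card number(s) found, "
              f"structured data: {contains_structured_cc_data(sample)}")
```

A minimum count is what keeps such a scan useful on a production web root: order IDs, tracking numbers and timestamps occasionally pass Luhn by chance, but several distinct valid numbers in one file almost always means stored cardholder data.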

  • rkhunter installed. The daily scan report is emailed to the administrator
  • Logwatch installed. The administrator gets a daily digest of logs