Need to disable HTTP CONNECT for PCI DSS compliance

BillKat

9:49 am on Jun 26, 2012 (gmt 0)

Hello all. Our PCI DSS quarterly scanner says we need to stop HTTP CONNECT. Our Apache vhost file has sections for port 80 and for 8080.

I managed to stop it on the port 80 part, but the scanner is still saying CONNECT is there for port 8080. I'm lost... any help would be much appreciated. I'm rather a beginner at Apache & Linux admin.

Here's a cut-down version of the vhost file; the lines with #'s are where I added "LimitExcept" in both VirtualHost chunks:

<VirtualHost *:80>

<Files /var/www/vhosts/error_logs/live-errors>
Order allow,deny
Deny from all
Satisfy All
</Files>

Alias /userfiles ZZZZZZ
<Directory ZZZZZZ>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

<Directory #*$!#*$!>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

##########################
<LimitExcept GET POST>
deny from all
</LimitExcept>
##########################

</Directory>
</VirtualHost>



<VirtualHost *:8080>

<Directory QQQQQQ>
Options -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

##########################
<LimitExcept GET POST>
deny from all
</LimitExcept>
##########################

</Directory>
</VirtualHost>


Cheers,
Bill
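An added example for the question above, not from the thread and not the poster's own configuration. A CONNECT request names a host:port target rather than a path, so it never maps onto a filesystem directory and a <LimitExcept> that lives inside a <Directory> block is not consulted for it. The safer place for the method restriction is directly in the <VirtualHost> (or the main server config), where it becomes part of the default per-request configuration for that vhost, alongside the proxy and TRACE controls a PCI scanner usually looks for. Apache 2.2 syntax (Order/Deny) to match the thread; the hostname and paths are placeholders.

```apache
# Added example, not the poster's config. Apache 2.2 syntax.
# Hostname and paths below are placeholders.

Listen 8080

# CONNECT tunnelling is a forward-proxy feature (mod_proxy_connect).
# These directives only exist when mod_proxy is loaded, so guard them.
<IfModule mod_proxy.c>
    # Never act as a forward proxy: a CONNECT request then has nothing to reach.
    ProxyRequests Off
    # Belt and braces: no client may use any proxied content.
    <Proxy *>
        Order deny,allow
        Deny from all
    </Proxy>
</IfModule>

# TRACE is the other method quarterly scanners commonly flag.
TraceEnable Off

<VirtualHost *:8080>
    # Placeholder hostname and document root.
    ServerName punchout.example.com
    DocumentRoot /var/www/punchout

    # Placed directly in the VirtualHost, not inside <Directory>, so it applies
    # to every request this vhost receives, including ones (such as CONNECT)
    # that do not map onto a directory. Limiting GET also covers HEAD.
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>

    <Directory /var/www/punchout>
        # Either all Options carry +/- or none do; mixing is invalid.
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Check the file with `apachectl configtest` before restarting. Once the restriction is in force, a CONNECT request on port 8080 is answered with 403 Forbidden instead of being honoured, which is the result the scanner is looking for; the punchout traffic, being plain GET/POST, is unaffected.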

incrediBILL

1:58 am on Jul 9, 2012 (gmt 0)

Does this server even run a website?

If so, and you shut down port 80, that's the default HTTP port.

If I'm not mistaken, isn't 8080 the port Tomcat listens on? One thing I remember doing once was commenting out the reference to port 8080 in the Tomcat server.xml file; it's been a long time, and I'm a bit fuzzy on why I had to do it there.

FWIW, I'd block the ports at the firewall, not in Apache, because firewall blocking is way more secure. Blocking at the firewall stops it from getting any further into the system, as opposed to blocking ports in Apache, which is yet another level deeper into the OS, thus leaving more potential for vulnerabilities.

If you have a control panel on your server you can easily shut down these ports properly in their firewall module, or otherwise do it in iptables from the command line.

iptables -A INPUT -p tcp --dport 8080 -j DROP

If you're hosting on a shared server, trying to get PCI compliance in this manner is a security illusion, because anyone else on the box with those ports open, improperly maintained software, files set to 777 permissions, etc., all make it vulnerable.

BillKat

9:03 am on Jul 9, 2012 (gmt 0)

Thanks. We need the port open; we have a punchout system which calls in on 8080.
CONNECT disabled fine on port 80, but the same LimitExcept didn't work on the 8080 section for some reason. But we're going with a different PCI scan provider now anyway, who doesn't stipulate the CONNECT method being closed, so problem solved, in a sideways kind of a way...