Rootadminacc: /* Clickjacking vulnerability */

2013-03-06T12:49:13Z

Clickjacking vulnerability

← Older revision		Revision as of 13:49, 6 March 2013
Line 15:		Line 15:

	This can normally be resolved in the website files by presenting users/browsers with the X-FRAME-OPTIONS header.		This can normally be resolved in the website files by presenting users/browsers with the X-FRAME-OPTIONS header.

			== HTTP Slow post vulnerability ==

			Edit the Apache config file and add in this line:

			<pre>LoadModule reqtimeout_module modules/mod_reqtimeout.so</pre>

			Create the file /etc/httpd/conf.d/reqtimeout.conf with the following contents and save:

			<pre><IfModule reqtimeout_module>

			# Wait max 10 seconds for the first byte of the request line+headers
			# From then, require a minimum data rate of 500 bytes/s, but don't
			# wait longer than 20 seconds in total.
			RequestReadTimeout header=10-20,minrate=500

			# Wait max 10 seconds for the first byte of the request body (if any)
			# From then, require a minimum data rate of 500 byte/s.
			RequestReadTimeout body=10,minrate=500

			</IfModule></pre>

			<pre>service httpd restart</pre>

	== FTP Supports Clear Text Authentication ==		== FTP Supports Clear Text Authentication ==

Rootadminacc: /* SSL General */

2013-01-30T15:17:00Z

SSL General

← Older revision		Revision as of 16:17, 30 January 2013
Line 96:		Line 96:

	== SSL General ==		== SSL General ==

			DHE-RSA-RC4-SHA:RC4+SHA1+RSA<br>
			SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

	[http://serverkb.co.uk/wiki/Ubuntu#Install_SSL_on_Ubuntu_12.04_with_Apache_2 My guide] for vanilla Apache 2.2.22 + Ubuntu 12 SSL PCI compliance. Proof of concept can be seen [https://www.ssllabs.com/ssltest/analyze.html?d=bywatercraft.co.uk here]		[http://serverkb.co.uk/wiki/Ubuntu#Install_SSL_on_Ubuntu_12.04_with_Apache_2 My guide] for vanilla Apache 2.2.22 + Ubuntu 12 SSL PCI compliance. Proof of concept can be seen [https://www.ssllabs.com/ssltest/analyze.html?d=bywatercraft.co.uk here]

Rootadminacc at 15:15, 30 January 2013

2013-01-30T15:15:49Z

← Older revision		Revision as of 16:15, 30 January 2013
Line 5:		Line 5:
	http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-pci-compliance-guide<br>		http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-pci-compliance-guide<br>
	http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-pci-compliance-guide/65871.htm<br>		http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-pci-compliance-guide/65871.htm<br>
	http://blog.serverbuddies.com/disable-sslv2-on-cpanel-and-apache-ports		http://blog.serverbuddies.com/disable-sslv2-on-cpanel-and-apache-ports<br>
			/usr/local/psa/admin/bin/pci_compliance_resolver --enable all

	== 403 Forbidden ==		== 403 Forbidden ==

Rootadminacc: Created page with "End of life software is not PCI compliant http://blog.fido.net/how-tos/server-pci-compliant
http://thegioinguonmo.com/hosting-controller/plesk-control-panel/to-make-a-ple..."

2013-01-15T12:24:46Z

Created page with "End of life software is not PCI compliant http://blog.fido.net/how-tos/server-pci-compliant http://thegioinguonmo.com/hosting-controller/plesk-control-panel/to-make-a-ple..."

New page

End of life software is not PCI compliant

http://blog.fido.net/how-tos/server-pci-compliant 
http://thegioinguonmo.com/hosting-controller/plesk-control-panel/to-make-a-plesk-server-pci-compliance.html 
http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-pci-compliance-guide 
http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-pci-compliance-guide/65871.htm 
http://blog.serverbuddies.com/disable-sslv2-on-cpanel-and-apache-ports

== 403 Forbidden ==

Download directories or Forbidden areas may need proper access control via a .htaccess file or remove all together.

== Clickjacking vulnerability ==

This can normally be resolved in the website files by presenting users/browsers with the X-FRAME-OPTIONS header.

== FTP Supports Clear Text Authentication ==

Firewall off 21, use SFTP (Secure FTP) over 22 which uses SSH.

== rxmon (Dell OpenManage) ==

This operates over port 1311. The scan will complain about the self-signed certificate.

* firewall off the port to 127.0.0.1
* if it continues to flag this can be ignored as it is an internal connection from the software to the hardware that does not send anything other than hardware data, and uses a valid self-signed SSL within the server.
* If you really wish you can buy an SSL for your servers hostname on it's primary IP.

== SMTP Service Cleartext Login ==

To check if the server is Qmail or Postfix do:

<pre>/usr/local/psa/admin/sbin/mailmng --features | grep SMTP_Server</pre>

To fix for Postfix, uncomment the last two lines in /etc/postfix/main.cf, check [http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-pci-compliance-guide/index.htm?fileName=65871.htm this guide] and restart Postfix.

To fix for Qmail, run the following three commands:

<pre>echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsserverciphers
echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsclientciphers
/etc/init.d/qmail restart</pre>

This item can be fixed by disabling plain text authentication however this means all mail clients will have to be altered to only connect via secure SMTP. Please see below for new settings:

'''POP3:'''
* Incoming mail server: Remains the same
* Outgoing mail server: Remains the same
* Outgoing server (SMTP) requires authentication: Yes, use same setting as my incoming mail server
* Incoming server port: 995
* This server requires an encrypted connection (SSL): Yes

'''Outgoing server port: 465'''
* Use the following type of encrypted connection: SSL

'''IMAP:'''
* Incoming mail server: Remains the same
* Outgoing mail server: Remains the same
* Outgoing server (SMTP) requires authentication: Yes, use same setting as my incoming mail server
* Incoming server port: 995
* This server requires an encrypted connection (SSL): Yes

'''Outgoing server port: 465'''
* Use the following type of encrypted connection: SSL

As this will stop non secure connections, reconfigure the clients then enable the setting.

== SSLv2 (Port 25) ==

Vulnerability: SSLv2 Supported

This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses that can lead to the compromise of data encrypted during the SSL session. Secure web applications should only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996 with numerous security enhancements over SSLv2. TLSv1 was introduced in 1999 as an enhancement to the security features of SSLv3. All modern browsers have support for both SSLv3 and TLSv1, and often disable support for SSLv2 in the interests of security. The PCI ASV Operational Requirements requires that if SSLv2 is used in the transmission of cardholder data, this must result in a failure. This was clarified in the PCI "Assessor Update: November 2008" (see the reference link in this finding). CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N(5.00) Reference: http://support.microsoft.com/kb/187498,
http://httpd.apache.org/docs/2.2/ssl/, http://www.schneier.com/paperssl.pdf

Service: smtp 
Evidence: 
Cipher: DES-CBC3-MD5 
Cipher: DES-CBC-MD5 
Cipher: EXP-RC2-CBC-MD5
Cipher: RC2-CBC-MD5 
Cipher: EXP-RC4-MD5 
Cipher: RC4-MD5 

Remediation:

If this service is used for the transmission of cardholder data, then SSLv2 should be disabled, and SSLv3, TLSv1, and/or newer should be implemented. For Apache and mod_ssl, the "SSLProtocol" configuration option is commonly used to limit the protocol versions for web servers which use OpenSSL: SSLProtocol -ALL +SSLv3 +TLSv1. (See the reference link to apache.org for more information). For Microsoft IIS server, refer to the Microsoft Knowledge Base article kb187498 to remove SSLv2 support. (See the reference link to support.microsoft.com for more information). For information on disabling SSLv2 in other HTTP web servers or other services, contact the service vendor for support information. If any of the following circumstances take place, please state something to this effect in an appeal against the finding. - Credit card holder data is not sent or received using SSLv2 (even though SSLv2 is supported) - SSLv2 appears to be supported due to the use of Akamai but the system does in fact drop any SSLv2 connections - Initial SSLv2 connections are accepted but then dropped (and no further conversation can take place) - SSLv2 connections are accepted but users are forcibly redirected to an informational page (and no further

vim /etc/postfix/main.cf

<pre>smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext</pre>

/etc/init.d/postfix restart

== SSL General ==

[http://serverkb.co.uk/wiki/Ubuntu#Install_SSL_on_Ubuntu_12.04_with_Apache_2 My guide] for vanilla Apache 2.2.22 + Ubuntu 12 SSL PCI compliance. Proof of concept can be seen [https://www.ssllabs.com/ssltest/analyze.html?d=bywatercraft.co.uk here]

== Webalizer ==

Port 80 and 443, version has XXS vulnerability

PCI Compliance - Revision history

Rootadminacc: /* Clickjacking vulnerability */

Rootadminacc: /* SSL General */

Rootadminacc at 15:15, 30 January 2013

Rootadminacc: Created page with "End of life software is not PCI compliant http://blog.fido.net/how-tos/server-pci-compliant http://thegioinguonmo.com/hosting-controller/plesk-control-panel/to-make-a-ple..."

Rootadminacc: Created page with "End of life software is not PCI compliant http://blog.fido.net/how-tos/server-pci-compliant
http://thegioinguonmo.com/hosting-controller/plesk-control-panel/to-make-a-ple..."