PCI Compliance
End-of-life software is not PCI compliant.
http://blog.fido.net/how-tos/server-pci-compliant
http://thegioinguonmo.com/hosting-controller/plesk-control-panel/to-make-a-plesk-server-pci-compliance.html
http://download1.parallels.com/Plesk/PPP9/Doc/en-US/plesk-9.5-pci-compliance-guide
http://download1.parallels.com/Plesk/PP11/11.0/Doc/en-US/online/plesk-pci-compliance-guide/65871.htm
http://blog.serverbuddies.com/disable-sslv2-on-cpanel-and-apache-ports
403 Forbidden
Download directories or forbidden areas may need proper access control via a .htaccess file, or should be removed altogether.
Clickjacking vulnerability
This can normally be resolved in the website files by sending users' browsers the X-Frame-Options header.
FTP Supports Clear Text Authentication
Firewall off port 21 and use SFTP (SSH File Transfer Protocol) over port 22, which runs over SSH.
rxmon (Dell OpenManage)
This operates over port 1311. The scan will complain about the self-signed certificate.
- Firewall off the port so it is only reachable from 127.0.0.1.
- If it continues to be flagged, this can be ignored: it is an internal connection from the software to the hardware that sends nothing other than hardware data, and it uses a valid self-signed SSL certificate within the server.
- If you really wish, you can buy an SSL certificate for your server's hostname on its primary IP.
SMTP Service Cleartext Login
To check whether the server runs Qmail or Postfix:
/usr/local/psa/admin/sbin/mailmng --features | grep SMTP_Server
To fix for Postfix, uncomment the last two lines in /etc/postfix/main.cf, check this guide, and restart Postfix.
To fix for Qmail, run the following three commands:
echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsserverciphers
echo 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM' > /var/qmail/control/tlsclientciphers
/etc/init.d/qmail restart
This item can be fixed by disabling plain-text authentication; however, this means all mail clients will have to be altered to connect only via secure SMTP. Please see below for the new settings:
POP3:
- Incoming mail server: Remains the same
- Outgoing mail server: Remains the same
- Outgoing server (SMTP) requires authentication: Yes, use same setting as my incoming mail server
- Incoming server port: 995
- This server requires an encrypted connection (SSL): Yes
- Outgoing server port: 465
- Use the following type of encrypted connection: SSL
IMAP:
- Incoming mail server: Remains the same
- Outgoing mail server: Remains the same
- Outgoing server (SMTP) requires authentication: Yes, use same setting as my incoming mail server
- Incoming server port: 995
- This server requires an encrypted connection (SSL): Yes
- Outgoing server port: 465
- Use the following type of encrypted connection: SSL
As this will stop non-secure connections, reconfigure the clients first, then enable the setting.
SSLv2 (Port 25)
Vulnerability: SSLv2 Supported
This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses that can lead to the compromise of data encrypted during the SSL session. Secure web applications should only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996 with numerous security enhancements over SSLv2. TLSv1 was introduced in 1999 as an enhancement to the security features of SSLv3. All modern browsers have support for both SSLv3 and TLSv1, and often disable support for SSLv2 in the interests of security. The PCI ASV Operational Requirements requires that if SSLv2 is used in the transmission of cardholder data, this must result in a failure. This was clarified in the PCI "Assessor Update: November 2008" (see the reference link in this finding).
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (5.00)
Reference: http://support.microsoft.com/kb/187498, http://httpd.apache.org/docs/2.2/ssl/, http://www.schneier.com/paperssl.pdf
Service: smtp
Evidence:
Cipher: DES-CBC3-MD5
Cipher: DES-CBC-MD5
Cipher: EXP-RC2-CBC-MD5
Cipher: RC2-CBC-MD5
Cipher: EXP-RC4-MD5
Cipher: RC4-MD5
Remediation:
If this service is used for the transmission of cardholder data, then SSLv2 should be disabled, and SSLv3, TLSv1, and/or newer should be implemented. For Apache and mod_ssl, the "SSLProtocol" configuration option is commonly used to limit the protocol versions for web servers which use OpenSSL: SSLProtocol -ALL +SSLv3 +TLSv1. (See the reference link to apache.org for more information). For Microsoft IIS server, refer to the Microsoft Knowledge Base article kb187498 to remove SSLv2 support. (See the reference link to support.microsoft.com for more information). For information on disabling SSLv2 in other HTTP web servers or other services, contact the service vendor for support information. If any of the following circumstances take place, please state something to this effect in an appeal against the finding.
- Credit card holder data is not sent or received using SSLv2 (even though SSLv2 is supported)
- SSLv2 appears to be supported due to the use of Akamai but the system does in fact drop any SSLv2 connections
- Initial SSLv2 connections are accepted but then dropped (and no further conversation can take place)
- SSLv2 connections are accepted but users are forcibly redirected to an informational page (and no further
vim /etc/postfix/main.cf
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext
/etc/init.d/postfix restart
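As an added example (not from the original page or Plesk's own tooling), a small POSIX shell audit that reads a Postfix main.cf and reports whether the two settings this fix relies on are in place: SSLv2 not offered via smtpd_tls_protocols and noplaintext present in smtpd_sasl_security_options. It goes one step beyond the page by also noting when SSLv3 is still enabled, which PCI DSS 3.1 and later prohibit as well; file names and sample contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Postfix main.cf for the
# two settings the fix above relies on. File names and contents are constructed.

# Effective value of one main.cf parameter: last assignment wins, comment
# lines are skipped, list separators (spaces/commas) become single commas.
# Indented continuation lines are not handled.
postfix_param() {  # $1 = main.cf path, $2 = parameter name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -s '[:space:],' ',' | sed 's/,$//'
}

# Return 0 when SSLv2 is not offered and plaintext SASL mechanisms are refused,
# 1 otherwise; each finding is printed on its own line.
check_postfix_tls_pci() {  # $1 = main.cf path
    fail=0
    protos=$(postfix_param "$1" smtpd_tls_protocols)
    sasl=$(postfix_param "$1" smtpd_sasl_security_options)
    case ",$protos," in
        ",,")         echo "FAIL smtpd_tls_protocols unset: SSLv2 left to defaults"; fail=1 ;;
        *",!SSLv2,"*) ;;  # exclusion form, e.g. "!SSLv2, !SSLv3": SSLv2 disabled
        *",!"*)       echo "FAIL exclusion list does not disable SSLv2"; fail=1 ;;
        *",SSLv2,"*)  echo "FAIL smtpd_tls_protocols lists SSLv2"; fail=1 ;;
    esac
    case ",$protos," in  # beyond this page: PCI DSS 3.1+ also prohibits SSLv3
        *",SSLv3,"*) echo "NOTE SSLv3 still enabled (prohibited by PCI DSS 3.1+)" ;;
    esac
    case ",$sasl," in
        *",noplaintext,"*) ;;
        *) echo "FAIL smtpd_sasl_security_options lacks noplaintext"; fail=1 ;;
    esac
    return "$fail"
}

# Demo on two constructed fragments: a stock config and the page's fix.
demo_dir=$(mktemp -d)
printf 'smtpd_tls_security_level = may\nsmtpd_sasl_auth_enable = yes\n' > "$demo_dir/weak.cf"
cat > "$demo_dir/fixed.cf" <<'EOF'
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL
smtpd_sasl_security_options = noplaintext
EOF
for f in "$demo_dir/weak.cf" "$demo_dir/fixed.cf"; do
    echo "== $f"
    check_postfix_tls_pci "$f" && echo "PASS"
done
rm -rf "$demo_dir"
```

Run it against the live /etc/postfix/main.cf after editing and before restarting Postfix; a non-zero exit means at least one of the two settings is still missing.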
SSL General
My guide for vanilla Apache 2.2.22 + Ubuntu 12 SSL PCI compliance. Proof of concept can be seen here
Webalizer
Ports 80 and 443; the installed version has an XSS vulnerability.