Help with the compliance with Trustwave

[Andres1]

Hi guys im new here!

I only have a problem with the compliance and is with the FTP

This is the problem:

Unencrypted
Communication Channel
Accessibility

6.20

Medium

Fail

Policy Violation

Port: tcp/21
The service running on this port appears to make use of a
plaintext (unencrypted) communication channel. The PCI DSS
forbids the use of such insecure services/protocols. Unencrypted
communication channels are vulnerable to the disclosure and/or
modification of any data transiting through them (including
usernames and passwords), and as such the confidentially and
integrity of the data in transit cannot be ensured with any level of
certainty.

CVSSv2: AV:A/AC:H/Au:N/C:C/I:C/A:N
Service: ftp

Evidence:
Details: Unencrypted authentication is allowed prior to TLS
negotiation
AUTH TLS Supported: true
AUTH TLS Required: false
Command Sent: USER trustkeeper
Response Received: 331 Password required for trustkeeper

Remediation:
Transition to using more secure alternatives such as SSH instead
of Telnet and SFTP in favor of FTP, or consider wrapping less
secure services within more secure technologies by utilizing the
benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit
access to management protocols/services to specific IP addresses
(usually accomplished via a "whitelist") whenever possible.

Im use ProFTPD it was installed with plesk 12!

I only need fix this problem, this is the seventh time that i install plesk!


Thanks a lot!

 

[IgorG]

Read more about Securing FTP access here - http://download1.parallels.com/Plesk/PP12/12.0/Doc/en-US/online/plesk-pci-compliance-guide/65871.htm

 

[Andres1]

Hello IgorG!

I use that guide but I don't understand well the part to ProFTPD!

When I make the steps, I can't connect to server anymore in with ftp!

 

[IgorG]

Make sure that port 21 is open and not firewalled at least.

 

[Andres1]

Ok i will try it thanks Igor!

 

[Andres1]

Make sure that port 21 is open and not firewalled at least.

Hahahaha now i have problem with SMTP, IMAP and FTP i dont have any idea what happened!!

 

[IgorG]

Hahahaha now i have problem with SMTP, IMAP and FTP i dont have any idea what happened!!

Contact Support Team in this case. I think that without investigating this issue directly on your server nobody on this forum can help you.

 

[SteveL132]

I recently went through the exercise of PCI compliance with Trustwave. First of all, you simply can't have the FTP port open or else you will fail the compliance check. SSH will also trigger complaints, which leaves out SFTP! So my solution was to disable FTP entirely and then to add a firewall rule restricting SSH to the IPs I use. Trustwave can't see SSH and therefore I pass. (Another advantage of this is that it shuts out the thousands of SSH hack attempts you'll get if you leave the port open.)

For mail, I had to make sure that IMAP required SSL. SMTP required SSL for authenticated users and relaying was disabled. It took me several iterations with courier and postfix (I ended up switching to dovecot for IMAP and am much happier with that.)