Panel 10x still failed PCI scan

KalaniY

Guest
I thought version 10x was fully PCI compliant, and I bought one with Red Hat 5.5 and upgraded PHP, MySQL, SSH, Apache Shiro and Java to the latest versions, BUT it still failed the PCI scan.

The remote host supports the use of SSL ciphers that offer medium
strength encryption, which we currently regard as those with key
lengths at least 56 bits and less than 112 bits.

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Re: all ports blocked except 80, 25, 443, 110.

Any idea?
 
Addition info

In addition, I performed a PCI scan with McAfee, Trustwave, and SecurityMetrics (can't pass PCI compliance due to a CVSS score of 5.0). They all had the same results and pointed to Apache Shiro, which needs to be upgraded to 1.1.0.

[root@host-kalani ~]# ls -l /root/.m2/repository/org/apache/shiro/shiro-all/1.1.0/
total 464
-rw-r--r-- 1 root root 466817 Nov 27 15:34 shiro-all-1.1.0.jar
-rw-r--r-- 1 root root 2401 Nov 27 15:34 shiro-all-1.1.0.pom
[root@host-kalani ~]#

Contacted the vendor and got this back:
//////
The Apache Shiro 1.1.0 framework is properly installed on the server; I guess you got such a result from the PCI scan. But note that there is a high chance that these scans may produce such false positive alerts.

Hence, you don't need to worry. Apache Shiro 1.1.0 is installed and working fine on the server.

Please let us know if you need any further assistance.

Regards,
SoftLayer Support
//////


Another issue is netqmail; I asked the vendor to upgrade it and got this back from them:
//////
I can see that your server currently has qmail version "1.03". In order to upgrade it to version "1.06" we need to apply patches as per the following article:

==
http://kb.odin.com/en/1161
==

However, I can see that there are reported issues with applying this method to Plesk 10.

===
http://forum.parallels.com/showthread.php?t=85949
===

Another method is to remove the current installation of qmail and install it from source.

===
http://kb.bobcares.com/?View=entry&EntryID=1025
===

However, when installed from source, it may have issues integrating with Plesk.

If you want this to be tried from our end, please take the necessary backups and update us. However, I would recommend that you wait until the patch for version 1.06 is available for Plesk 10.

Thank you,
SoftLayer Support
//////


Another issue is the "Apache ETag header discloses inode numbers" finding. It doesn't have the line FileETag INode MTime Size in /etc/httpd/conf/httpd.conf.

Any idea?
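The three findings in the posts above (SSL 2.0 accepted, medium-strength ciphers offered, ETag inode disclosure) all come down to httpd.conf directives, so they can be checked offline before re-running a paid scan. The following lint is an added example, not Plesk's code or anything from this thread; the two config samples inside it are constructed, and the values it assumes for an absent directive are the mod_ssl 2.2 documented defaults (an assumption worth confirming against the actual RHEL 5 build). It reads Apache's httpd.conf only, not any other listener on the box.

```python
"""Lint an Apache httpd.conf fragment for three PCI-scan findings: SSL 2.0
accepted, "medium strength" (56-111 bit) ciphers offered, and ETags that
embed inode numbers.  Added example; configs below are constructed."""
import re

# OpenSSL cipher-string keywords that select the suites a scanner reports as
# medium strength (56-111 bit), the NULL suites, or SSLv2-only suites.
WEAK_CIPHER_KEYWORDS = {"LOW", "EXPORT", "EXPORT40", "EXPORT56",
                        "DES", "RC2", "NULL", "aNULL", "eNULL", "SSLv2"}
ALIAS = {"EXP": "EXPORT"}  # the two spellings count as one group

# Assumed defaults for an absent directive, per the mod_ssl 2.2 documentation
DEFAULT_SSL_PROTOCOL = "all"
DEFAULT_CIPHER_SUITE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
DEFAULT_FILE_ETAG = "INode MTime Size"

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s+(.+)$")


def parse_directives(conf):
    """{directive_lowercase: [value, ...]}; container tags and comments are
    skipped, and a directive repeated across vhosts yields several values."""
    found = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return found


def sslv2_enabled(value):
    """SSLProtocol: 'all' enables SSLv2 unless '-SSLv2' is also given;
    a bare or '+SSLv2' token enables it explicitly."""
    tokens = [t.lower() for t in value.split()]
    enabled = False
    if "all" in tokens or "+all" in tokens:
        enabled = "-sslv2" not in tokens
    if "sslv2" in tokens or "+sslv2" in tokens:
        enabled = True
    return enabled


def weak_cipher_groups(value):
    """Approximate OpenSSL cipher-string evaluation: a weak keyword counts as
    enabled if listed without '!' or '-', or if 'ALL' is used and the keyword
    is not excluded.  ('-X' can be re-added later in a string; the
    authoritative check is `openssl ciphers -v '<string>'`.)"""
    tokens = value.split(":")
    excluded = {ALIAS.get(t[1:], t[1:]) for t in tokens if t[:1] in ("!", "-")}
    hits = set()
    for t in tokens:
        name = ALIAS.get(t.lstrip("+"), t.lstrip("+"))
        if name in WEAK_CIPHER_KEYWORDS and t[:1] not in ("!", "-"):
            hits.add(name)
    if "ALL" in tokens or "+ALL" in tokens:
        hits |= {n for n in ("LOW", "EXPORT", "SSLv2") if n not in excluded}
    return hits


def etag_leaks_inode(value):
    """FileETag 'All' or an 'INode'/'+INode' token puts the inode in the ETag."""
    tokens = [t.lower() for t in value.split()]
    return "all" in tokens or "inode" in tokens or "+inode" in tokens


def lint(conf):
    """Human-readable findings for one httpd.conf text; empty when all pass."""
    d = parse_directives(conf)
    findings = []
    if any(sslv2_enabled(v) for v in d.get("sslprotocol", [DEFAULT_SSL_PROTOCOL])):
        findings.append("SSLProtocol: SSL 2.0 accepted")
    weak = set()
    for v in d.get("sslciphersuite", [DEFAULT_CIPHER_SUITE]):
        weak |= weak_cipher_groups(v)
    if weak:
        findings.append("SSLCipherSuite: weak groups enabled: " + ", ".join(sorted(weak)))
    if any(etag_leaks_inode(v) for v in d.get("fileetag", [DEFAULT_FILE_ETAG])):
        findings.append("FileETag: ETag embeds inode number")
    return findings


# Constructed sample: a 2.2-era vhost that keeps the stock settings
WEAK_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
"""

# Constructed sample: the same vhost with the directives a scan expects
HARDENED_CONF = """
FileETag MTime Size
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>
"""
```

Running `lint(WEAK_CONF)` reports all three findings and `lint(HARDENED_CONF)` reports none; an empty config string reports the same three as the weak sample, because absent directives fall back to the assumed 2.2 defaults. The cipher check is deliberately conservative (it only recognises the named keyword groups), so treat a clean result as "nothing obvious" and confirm the final string with `openssl ciphers -v` on the server itself.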
 
What port are you failing on?
I have got our Ubuntu 10.04/Plesk 10.0.1 server PCI compliant through McAfee (they have been very helpful, and it was free :D).
I had to use the false positive/acceptable risk for medium ciphers on port 8443 and lock it down to being used from one IP address.

On a side note: I have been running PCI scans all year (Comodo & McAfee) and medium ciphers haven't been allowed for all that time, so why oh why has Plesk left them on! And then they specifically state that their new panel is PCI compliant when it clearly isn't!!