• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Panel 10x still failed PCI scan

K

KalaniY

Guest
I though version 10x is full PCI compliance, and I bought one with redhat 5.5, upgraded PHP, Mysql, SSH, Apache Shiro, Java, to latest version. BUT sill failed PCI scan.

The remote host supports the use of SSL ciphers that offer medium
strength encryption, which we currently regard as those with key
lengths at least 56 bits and less than 112 bits.

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Re: all port blocked except 80, 25, 443,110.

Any Idea?
 
Addition info

In addition, I did perform a PCI scan with McAfee, Trustwave, and Securitymetrics.(Can't pass PCI compliance due to CVSS score 5.0) They all had the same results and pointed to Apache Shiro, need to upgrade to 1.1.0.

[root@host-kalani ~]# ls -l /root/.m2/repository/org/apache/shiro/shiro-all/1.1.0/
total 464
-rw-r--r-- 1 root root 466817 Nov 27 15:34 shiro-all-1.1.0.jar
-rw-r--r-- 1 root root 2401 Nov 27 15:34 shiro-all-1.1.0.pom
[root@host-kalani ~]#

Contact vendor and get back like this......
//////
The Apache Shiro-1.1.0 framework is properly installed in the server, I guess, you got such a result with PCI scan. But, note that there are high chances that these scan may provide such false positive alerts.

Hence, you won't need to worry. Apache Shiro-1.1.0 is installed and working fine in the server.

Please let us know if you need any further assistance.

Regards,
SoftLayer Support
//////


Another issue is the netQmail, asked the vendor to upgrading and get back from them......
//////
I could see that your server is currently having the qmail version of "1.03". In order to upgrade it to the version "1.06" we need to apply patches as per the following article:

==
http://kb.odin.com/en/1161
==

However I could see that there are reported issues in applying this method to Plesk-10.

===
http://forum.parallels.com/showthread.php?t=85949
===

Another method is to remove the current installation of qmail and install it using source.

===
http://kb.bobcares.com/?View=entry&EntryID=1025
===

However on installing from the source, it may have issues in integrating with Plesk.

If you want this to be tried from our end, please take the necessary backups and update us. However I would recommend you to wait until the patch of version-1.06 available for Plesk-10.

Thank you,
SoftLayer Support
//////


Another issue is the Apache ETag header discloses inode numbers Severity. It doesn't have the line FileETag INode MTime Size in /etc/httpd/conf/httpd.conf

Any idea?
 
KalaniY said:
I though version 10x is full PCI compliance, and I bought one with redhat 5.5, upgraded PHP, Mysql, SSH, Apache Shiro, Java, to latest version. BUT sill failed PCI scan.

The remote host supports the use of SSL ciphers that offer medium
strength encryption, which we currently regard as those with key
lengths at least 56 bits and less than 112 bits.

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Re: all port blocked except 80, 25, 443,110.

Any Idea?
Click to expand...

What port are you failing on?
I have got our Ubuntu 10.04/Plesk 10.0.1 server PCI Compliant through McAfee (they have been very helpful and it was free :D)
I had to use the false Positive/acceptable risk for medium ciphers on port 8443 and lock it down to being used from one ip address.

On a side note: I have been running PCI scans all year (Comodo & McAfee) and medium ciphers haven't been allowed for all that time so why oh why has Plesk left them on! And then they specifically state that their new panel is PCI Compliant when it clearly isn't!!
 
You must log in or register to reply here.

Similar threads

Edi Duluman
Resolved How to fix the TLS Poodle PCI Compliance issue
Replies
2
Views
2K
Edi Duluman
Edi Duluman
D
SSL/TLS Protocol Vulnerability PCI Scan
Replies
8
Views
20K
RalphP
R
D
PCI compliance still fails due to SSL Renegotiation DoS vulnerability in Qmail/IMAP
Replies
2
Views
3K
DragonAss
D
D
Help with PCI compliance | SMTP SSL | Courier IMAP | Port 3306
Replies
2
Views
5K
Deoxymono
D
O
PCI compliance problem
Replies
0
Views
3K
Otakucouk
O
Back
Top