
Resolved PCI compliance for plesk 12.5

nisamudeen97

Regular Pleskian
Hi,

I have followed the PCI doc http://docs.plesk.com/en-US/12.5/ad...ce/tune-plesk-to-meet-pci-dss-on-linux.65871/ for passing PCI compliance. Meanwhile, while doing an online scan, it is showing "FTP server allow plain text authentication". Please check the screenshot attached.

To allow only FTPS connections to your server: I have already done the below.
Go to Tools & Settings > Security Policy.
Select the option Allow only secure FTPS connections for FTP usage policy.

How can I disable plain text authentication for FTP? Is that possible?
 

Attachments

  • PCI scan.png
Hi nisamudeen97
so you ran the PCI Compliance resolver, but your scan still shows plain text available on ProFTP?
Well, I see two possibilities...

1) The scan is showing a false positive.
2) For some reason TLSRequired is still set to off
check the files...

/etc/proftpd.conf
/etc/proftpd.d/ssl.conf

Code:
TLSRequired off

and change it to on...

Code:
TLSRequired on

Save the file and restart xinetd...

Code:
# service xinetd restart

I hope that helps
Kind regards

Lloyd
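The procedure in the reply above, written out as a script. This is an added example, not code from the original post or from Plesk: it reads the two files the reply names, reports the active TLSRequired value, flips "off" to "on", restarts xinetd the way the reply does, and adds the outside check a practitioner wants before calling the scanner's finding a false positive. Assumed: GNU sed (for -i), awk, and nc(1) with -w; the config paths are the ones from the thread and can be overridden.

```sh
#!/bin/sh
# Added example (not from the original post): audit and enforce ProFTPD's
# TLSRequired on a Plesk host, then verify the result from outside.
# Assumptions: GNU sed -i, awk and nc -w are available; the config files
# are the two named in the thread.

PROFTPD_CONFS="/etc/proftpd.conf /etc/proftpd.d/ssl.conf"

# Print the lower-cased value of every active (uncommented) TLSRequired
# directive in the given files, one per line. Missing files are skipped.
tls_required_values() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -e 's/#.*//' "$f" | awk 'tolower($1) == "tlsrequired" { print tolower($2) }'
    done
}

# Return 0 only if at least one TLSRequired directive exists and every one
# forces TLS before the client may send a password. "on" is what the thread
# uses; mod_tls also accepts ctrl, auth and auth+data, which protect the
# login as well. "off", an unknown value, or no directive at all means a
# plain-text USER/PASS is still possible, which is what the scanner flagged.
tls_required_on() {
    found=0
    for val in $(tls_required_values "$@"); do
        found=1
        case "$val" in
            on|ctrl|auth|auth+data) ;;
            off) echo "TLSRequired is off" >&2; return 1 ;;
            *) echo "TLSRequired is '$val'; review it manually" >&2; return 1 ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Change an active "TLSRequired off" line to "on" in place (GNU sed -i).
set_tls_required_on() {
    sed -i -e 's/^\([[:space:]]*TLSRequired[[:space:]][[:space:]]*\)[Oo][Ff][Ff][[:space:]]*$/\1on/' "$1"
}

# The reply's procedure end to end: check both files, fix any "off",
# re-check, and restart xinetd (Plesk runs ProFTPD under xinetd).
fix_plesk_proftpd_tls() {
    if tls_required_on $PROFTPD_CONFS 2>/dev/null; then
        echo "TLSRequired already enforced; nothing to do"
        return 0
    fi
    for f in $PROFTPD_CONFS; do
        [ -f "$f" ] && set_tls_required_on "$f"
    done
    tls_required_on $PROFTPD_CONFS || {
        echo "TLSRequired still not enforced; check other included files" >&2
        return 1
    }
    service xinetd restart
}

# Outside check of what the scanner claims: send USER before AUTH TLS.
# With TLSRequired enforced, ProFTPD answers with a 550 reply instead of
# asking for a password. Assumes nc(1) accepts -w for a timeout.
# Usage: plain_ftp_login_refused ftp.example.com
plain_ftp_login_refused() {
    printf 'USER probe\r\nQUIT\r\n' | nc -w 5 "$1" 21 | grep -q '^550 '
}
```

Run `fix_plesk_proftpd_tls` as root on the Plesk host, then `plain_ftp_login_refused <host>` from another machine: a 550 on the bare USER command is the evidence that plain-text authentication is refused, regardless of what the automated scan reports.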
 
Hi,

Thanks for the advice. I think it is a false positive. I am only able to connect to the server via FTP using the TLS method. No other methods work. So it is the most secure one. Planning to proceed with a paid PCI scan.
 
Hi, I cannot get rid of the DES/3DES ciphers on Plesk Onyx with RedHat 6.8 and Postfix. I keep testing the server for PCI compliance and 64-bit block ciphers keep showing no matter what. I have run plesk sbin pci_compliance_resolver --enable, but it tries to update Qmail and I'm not using that. Can you please tell me where I can disable those ciphers server-wide so they don't show on ports 21, 993, 995 and 8443?
In a different scan, "cleartext logins permitted" shows on ports 25, 110 and 465, and the ciphers show on ports 110, 143, 443, 465, 993, 995 and 8443.

Please help,

Jorge.
 
Hi Jorge Batres,

Please consider reading and following:


If the recommended cipher list from Plesk is not enough for your needs and goals, please consider using your very own cipher list when you use "plesk sbin sslmng ...".
(You might find it useful to use a "generator" to create your unique cipher list, so I can recommend the Mozilla SSL Configuration Generator at: => https://mozilla.github.io/server-side-tls/ssl-config-generator/ )

In a different scan, "cleartext logins permitted" shows on ports 25, 110 and 465, and the ciphers show on ports 110, 143, 443, 465, 993, 995 and 8443.
The commands and information on how to disable PLAIN TEXT authentication are described in the documents linked above.
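The cipher-list advice above, as an added example that is not part of the original reply and not Plesk's own code: build a cipher string of the kind the Mozilla generator produces, expand it with openssl and prove to yourself that no DES or 3DES suite survives, and only then hand it to sslmng. Assumed: openssl(1) is installed; the sslmng flag and service names (--services, --ciphers, --protocols) are from memory of Plesk's sslmng usage rather than from this thread and should be confirmed with `plesk sbin sslmng --help` before running the last function.

```sh
#!/bin/sh
# Added example (not from the original reply): verify a cipher string is
# free of DES/3DES before applying it with Plesk's sslmng.
# Assumptions: openssl(1) present; sslmng flag/service names are assumed
# and must be checked against "plesk sbin sslmng --help".

# A short cipher string of the kind the Mozilla generator produces.
# "!DES:!3DES" explicitly drops the 64-bit block ciphers the PCI scan
# flagged; !aNULL/!eNULL drop unauthenticated and null-encryption suites.
STRONG_CIPHERS='ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES'

# Read OpenSSL suite names on stdin, one per line. Return 1 (and print the
# offenders) if any DES or 3DES suite is present; every such suite carries
# "DES" in its OpenSSL name (DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, ...).
cipher_names_free_of_des() {
    bad=$(grep 'DES' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Expand a cipher string the way a server would and check the result.
# An invalid or empty string fails rather than passing vacuously.
cipher_string_free_of_des() {
    list=$(openssl ciphers "$1") || return 1
    [ -n "$list" ] || return 1
    printf '%s\n' "$list" | tr ':' '\n' | cipher_names_free_of_des
}

# Apply the verified list to Plesk's services. Service names are assumed.
# Note: "cleartext logins permitted" on 25/110/143/465 is a mail-server
# authentication setting (e.g. Postfix smtpd_tls_auth_only, Dovecot
# disable_plaintext_auth where those are in use); sslmng does not change it.
apply_plesk_ciphers() {
    cipher_string_free_of_des "$STRONG_CIPHERS" || return 1
    plesk sbin sslmng --services=panel,apache,nginx,postfix,dovecot \
        --ciphers="$STRONG_CIPHERS" --protocols="TLSv1.2"
}
```

After applying, re-run the external scan rather than trusting the local check alone: the local check proves what the string permits, the scan proves what each listening port actually negotiates.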
 