• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved PCI compliance for plesk 12.5

nisamudeen97

Regular Pleskian
Hi,

I have followed PCI doc http://docs.plesk.com/en-US/12.5/ad...ce/tune-plesk-to-meet-pci-dss-on-linux.65871/ for passing pci compliance. Meanwhile while doing online scan it is showing "FTP server allow plain text authentication". Please check the screen shot attached.

To allow only FTPS connections to your server: I have already done the below.
Go to Tools & Settings > Security Policy.
Select the option Allow only secure FTPS connections for FTP usage policy.

How can is disable plain text authentication for FTP ? Is that possible
 

Attachments

  • PCI scan.png
    PCI scan.png
    52 KB · Views: 19
Hi nisamudeen97
so you ran the PCI Compliance resolver, but your scan still shows plain text available on ProFTP?
Well, I see two possibilities...

1) The scan is showing a false positive.
2) For some reason TLSRequired is still set to off
check the files...

/etc/proftpd.conf
/etc/proftpd.d/ssl.conf

Code:
TLSRequired off

and change it to on...

Code:
TLSRequired on

Save the file and restart xinetd...

Code:
# service xinetd restart

I hope that helps
Kind regards

Lloyd
 
Hi,

Thanks for the advise. I think it is false positive. I am only able to connect to the server via FTP on TLS method. No other methods works. So it is the most secured one. Planning to proceed with paid PCI scan.
 
Hi, I cannot get rid of the DES /3DES ciphers on Plesk Onix with RedHat 6.8 and postfix. I keep testing the server for PCI compliance and block 64 ciphers keep showing no matter what. I have ran the plesk sbin pci_compliance_resolver --enable, but is tries to update Qmail and I'm not using that. Can you please tell me where can I disable those ciphers server wide so they don't show on ports 21, 993, 995 and 8443.
In a different scan, "cleartext logins permitted" shows on ports 25, 110 and 465, and the ciphers show on ports 110, 143, 443, 465, 993, 995 and 8443.

Please help,

Jorge.
 
Hi Jorge Batres,

pls. consider to read and follow:


If the recommended ciphers - list from Plesk is not enough for your needs and goals, pls. consider to use your very own ciphers - list, when you use "plesk sbin sslmng ...".
( You might find it usefull to use a "generator", to create your unique ciphers - list, so I can recommend the Mozilla SSL Configuration Generator at: => https://mozilla.github.io/server-side-tls/ssl-config-generator/ )

In a different scan, "cleartext logins permitted" shows on ports 25, 110 and 465, and the ciphers show on ports 110, 143, 443, 465, 993, 995 and 8443.
The commands and informations, how to disable PLAIN TEXT authentication is described in the above linked documents.
 
Back
Top