• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue PCI Failure OpenSSH < 7.6

M

Mark Patterson

New Pleskian
We are failing our PCI testing due to OpenSSH 7.4p1, which is the latest in yum.
PCI compliance requires a minimum of 7.6.
Please help.
 
Well, first does it apply?

This only affects processors that support the BMI1, BMI2 and ADX extensions like
Intel Broadwell (5th generation) and later or AMD Ryzen.
Click to expand...

If not, you can try explaining this to your PCI vendor.

Failing that, who utilizes ssh in your server? You may need to change SSH to a different port or implement port knocking till an update comes available. Alternatively, you could add a firewall rule to only allow certain IPs access to SSH.
 
Thanks, but no, that does not apply. My issues is described in CVE-2017-15906. IP blocking will not work for me because we have drivers on the road accessing over public networks.
 
I might add that the failure is not a result of penetration testing. The failure is generated by a simple check of the OpenSSH version number. Otherwise, the server passes all other PCI checks.
 
Alright I was looking at a different CVE. I say port knocking may be your only option.
 
Why on earth would I ever want to implement port knocking to simply to pass a PCI test designed for my protection when all I have to do is implement a security update which is unavailable to plesk because the maintainers only support an outdated library?
 
@Mark Patterson We had this previously, but we have RedHat backported fixes and do also use IP Blocking for SSH.
We did find this related post elsewhere, which works. It is edited and our own current output is shown FYI:

"...Every PCI scanning company has different methods, but typically you can contest the result as a False Positive.
Provide them with your current OS version, SSH version and when it was installed. You can use:
Code: 
rpm -qa --last|grep "name"
Where name is the name of the rpms for the service in which you are interested. In this case "openssh".
Send them this data. This is usually sufficient in most cases..."
Code: 
# rpm -qa --last|grep "openssh"
openssh-clients-7.4p1-13.el7_4.x86_64         Sat 21 Oct 2017 04:29:59 BST
openssh-server-7.4p1-13.el7_4.x86_64          Sat 21 Oct 2017 04:29:47 BST
openssh-7.4p1-13.el7_4.x86_64                 Sat 21 Oct 2017 04:29:36 BST
October 2017 was the last, important RedHat backported bug fix, but there is a new advisory one, which is THIS one.
We assume this will be coming in a distro - yum update soon. Official PCI compliance verification is often inconsistent ;)
 
Last edited:
Certainly Brujo.

In sshd_config, I removed the line: Subsystem sftp /usr/libexec/openssh/sftp-server
and replaced it with: Subsystem sftp internal-sftp

Then I added the following rules to sshd_config, one for each user:
Match User username
ChrootDirectory /var/www/vhosts
AllowTCPForwarding no

I tried to be more specific with the ChrootDirectory, the server supports several domains, however that configuration did not work. So unfortunately, this method allows users to see all the directories in /vhosts. But, the user can only access that directory in which that user has permissions. So, internal security is maintained.

This solution is not ideal, but trustwave did approve my dispute allowing us to pass the PCI tests based on the actions listed above.
 
You must log in or register to reply here.

Similar threads

M
Question Nginx Bind () issue
Replies
2
Views
195
maximus99
M
F
Question Mail delivery status notifications not forwarded
Replies
2
Views
365
fcnjd
F
L
Question System Emails Marked as Spam
Replies
2
Views
270
Leighton Thompson
L
R
Resolved Failed to start Raise network interfaces
Replies
1
Views
181
Retr0
R
L
Resolved Plesk Migration failed encountered RSA key, expected OPENSSH key
Replies
2
Views
4K
Xaser83
X
Back
Top