The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cPanel and PCI Compliancy

Discussion in 'Security' started by dmcrae, Oct 21, 2009.

  1. dmcrae

    dmcrae Registered

    Joined:
    Oct 21, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    I'm looking into some solutions to vulnerabilities found by a PCI scanning box and was looking for some possible solutions that could be implemented. The problems are as follows:

    Account Name Enumeration: Requests of the following format hostname/~accountname will yeild a 403 error if the account name is valid and a 404 error if it is not.

    Mail Server Accepts Plaintext Credentials: Is there a simple way of implementing SSL over POP3?

    Thank you
    - Duncan
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Regarding the "/~username/" (mod_userdir) access, this access method can be disabled to alleviate the problem by enabling "mod_userdir" protection and ensuring that no sites/users are excluded so that none can be easily guessed via dictionary attack:
    WHM: Main >> Security Center >> Apache mod_userdir Tweak

    Documentation for Security Center and mod_userdir protection:
    WHM Security Center
    Apache mod_userdir Tweak

    Regarding POP3 and IMAP over SSL, it is possible to adjust and tweak the POP3/IMAP mail server configuration via WHM, including toggling the protocol, plaintext authentication, and SSL cipher list:
    WHM: Main >> Service Configuration >> Mailserver Configuration

    Here is our documentation further detailing this functionality:
    Mailserver Configuration
     
    #2 cPanelDon, Oct 21, 2009
    Last edited: Jan 11, 2010
  3. dmcrae

    dmcrae Registered

    Joined:
    Oct 21, 2009
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    One more question.

    Hi again,

    Thanks for the reply. I just had one more question pertaining to a PCI scan.

    Ports 2095, 2086, 2082 and 80 are all reporting the following vulnerability:

    Web Server Uses Plain-Text Form Based Authentication

    I realize that the developers will have to host the login on 443 as opposed to 80. However, I was wondering if 2095, 2086, and 2082 are utilized for authentication. Or, if they are simply used to return the Cpanel login script as I had read elsewhere.

    Also, if they are used for authentication, is there a workaround to avoid this vulnerability?

    Regards,
    Duncan
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,469
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    I think what you're looking for can be found in WHM > Tweak Settings Page > Redirection settings.

    Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.

    Also check out the Security section on Tweak Settings page for other misc tweaks to lock down your security.
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    To avoid having login data sent over a non-SSL connection or port, there is a new security feature in version 11.25 to require SSL for remote logins to force using SSL for access to cPanel, WHM, and Webmail.

    WHM: Main >> Server Configuration >> Tweak Settings
    * Require SSL for all remote logins to cPanel, WHM and Webmail. This setting is recommended.

    This is outlined in the 11.25 release notes (PDF) available at the following URL(s):
    cPanel 11.25
    ReleaseNotes < AllDocumentation < TWiki
     
Loading...

Share This Page