The Community Forums


PCI Compliance for Passive FTP Ports

Discussion in 'Security' started by Serra, Jun 30, 2016.

  1. Serra

    I'm having an issue with Controlscan showing I'm not compliant for ports open in the firewall for passive FTP.


    Information From Target:
    Service: 37557:TCP
    Server accepted SSL 3.0 RC4 cipher: SSL3_CK_RSA_RC4_128_MD5

    Information From Target:
    Service: 51838:TCP
    Supported ciphers: DES-CBC-SHA:TLSv1/SSLv3:56-bit RC4-MD5:TLSv1/SSLv3:128-bit RC4-SHA:TLSv1/SSLv3:128-bit

    These ports are open for my passive FTP range, which is 36000:55000.
    However, my ftp is set to HIGH:!TLSv1:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL

    So, what is responding in this range that isn't Passive FTP, but uses TLSv1 and SSLv3?
     
  2. quizknows

    Passive ports should only come into play after an FTP connection is attempted/established over port 21... You can check the output of "netstat -lpn" to see any services that are bound to a listening port. You'd be looking under "Active Internet connections" in the "local address" column.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Were you able to review the output of the netstat command referenced in the previous response to see what's running on those ports? You may also want to consult with Controlscan directly to see if it's a common false positive.

    Thank you.
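
Added example, not part of any forum post: a filter for the `netstat -lpn` check suggested above that keeps only TCP listeners inside the passive range quoted in the thread (36000:55000) and shows which process owns each one. The sample netstat output, PIDs and program names are constructed for illustration.

```shell
#!/bin/sh
# Passive FTP range quoted in the thread (36000:55000).
PASV_LOW=36000
PASV_HIGH=55000

# Read `netstat -lpn` output on stdin and print
# "port<TAB>proto<TAB>pid/program" for every TCP listener whose
# local port falls inside the passive range, sorted by port.
listeners_in_range() {
    awk -v lo="$PASV_LOW" -v hi="$PASV_HIGH" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local address is ip:port (IPv4) or :::port (IPv6);
            # the port is whatever follows the last colon.
            n = split($4, part, ":")
            port = part[n] + 0
            if (port >= lo && port <= hi) {
                # Program names can contain spaces; rejoin the tail.
                owner = $7
                for (i = 8; i <= NF; i++) owner = owner " " $i
                printf "%d\t%s\t%s\n", port, $1, owner
            }
        }' | sort -n
}

# Constructed sample of `netstat -lpn` output (not from a real server).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:21        0.0.0.0:*         LISTEN   1200/example-ftpd (SERVER)
tcp        0      0 0.0.0.0:443       0.0.0.0:*         LISTEN   1300/example-httpd
tcp6       0      0 :::51838          :::*              LISTEN   4322/example-svc
tcp        0      0 0.0.0.0:37557     0.0.0.0:*         LISTEN   4321/example-svc
udp        0      0 0.0.0.0:40000     0.0.0.0:*                  999/example-udp
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     12345    1/init    /run/example.sock
EOF
}

# Live use (run as root so the PID/Program column is populated):
#   netstat -lpn | listeners_in_range
sample_netstat | listeners_in_range
```

No output on a live server means nothing was bound in the range at that moment, which matches the point above that passive ports only come into play after an FTP connection over port 21.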
     