The Community Forums


PCI Compliance FTP plain text authentication

Discussion in 'Security' started by p123, Mar 16, 2013.

  1. p123 (Member, Bangkok)
    Dear cPanel community,

    I just performed a PCI compliance test and it ended with the following result:

    Code:
    Port:21 FTP server allow plain text authentication
    After some quick research I went into my WHM / FTP Configuration and changed the TLS Encryption Support value from the current OPTIONAL to REQUIRED / COMMAND.

    My current TLS cipher suite:

    Code:
    HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    The settings are saved and Pure-FTPd restarts automatically; all good there, but once I try to log in to one of my accounts via FTP (naturally I changed the encryption settings in FileZilla from Plain FTP to Require explicit FTP over TLS) I cannot get through.

    Here is the message log from FileZilla:

    Code:
    Response:	234 AUTH TLS OK.
    Status:	Initializing TLS...
    Status:	Verifying certificate...
    Command:	USER xxxxx
    Status:	TLS/SSL connection established.
    Response:	331 User xxxxx OK. Password required
    Command:	PASS ************
    Response:	230 OK. Current restricted directory is /
    Command:	SYST
    Response:	215 UNIX Type: L8
    Command:	FEAT
    Response:	211-Extensions supported:
    Response:	 EPRT
    Response:	 IDLE
    Response:	 MDTM
    Response:	 SIZE
    Response:	 MFMT
    Response:	 REST STREAM
    Response:	 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
    Response:	 MLSD
    Response:	 AUTH TLS
    Response:	 PBSZ
    Response:	 PROT
    Response:	 ESTA
    Response:	 PASV
    Response:	 EPSV
    Response:	 SPSV
    Response:	 ESTP
    Response:	211 End.
    Status:	Server does not support non-ASCII characters.
    Command:	PBSZ 0
    Response:	200 PBSZ=0
    Command:	PROT P
    Response:	200 Data protection level set to "private"
    Status:	Connected
    Status:	Retrieving directory listing...
    Command:	PWD
    Response:	257 "/" is your current location
    Command:	TYPE I
    Response:	200 TYPE is now 8-bit binary
    Command:	PASV
    Response:	227 Entering Passive Mode (xxx,xxx,xx,xx,xxx,xxx)
    Basically I am stuck at the last line, Response: 227 Entering Passive Mode.

    After doing some reading I saw a suggestion to increase the timeout value (in seconds) in FileZilla, which brings me a step further, and I end up with:

    Code:
    ...
    Command:	PASV
    Response:	227 Entering Passive Mode (xxx,xxx,xx,xx,xxx,xxx)
    Command:	MLSD
    Error:	GnuTLS error -53: Error in the push function.
    It would be greatly appreciated if someone can help shed some further light on the situation and how to get this to work.

    Thank you very much,
    p123
     
  2. Serra (Well-Known Member, Florida)
    You need to set a port range in /etc/pure-ftpd.conf:

    Code:
    pico /etc/pure-ftpd.conf

    # add this
    PassivePortRange 30000 50000
    Then add 30000:50000 to your firewall to allow the passive ports.
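    The advice above (and repeated in the next reply) is the usual fix, and there is a reason the problem only appears once TLS is required: after AUTH TLS the control channel is encrypted, so the 227 reply that names the data port travels inside TLS and a NAT device or firewall FTP helper can no longer read it to open that port on the fly. The range therefore has to be fixed in pure-ftpd.conf and opened in the firewall explicitly; a client that then connects to a closed port sees exactly a hang on PASV and, after the timeout, a write failure such as GnuTLS -53 (GNUTLS_E_PUSH_ERROR). The script below is an added example written for this thread, not code from cPanel or Pure-FTPd. It parses a PASV/EPSV reply as FileZilla logs it, computes the data port (p1 * 256 + p2, per RFC 959), and checks it against the PassivePortRange in a pure-ftpd.conf excerpt and against the ports accepted in an `iptables-save` excerpt; it also flags a private address in the reply, which is the other common cause behind NAT (fixed with Pure-FTPd's ForcePassiveIP directive). All sample inputs are constructed, and the addresses and ports in them are invented.

```python
"""Diagnose a hung FTPS passive-mode data connection (added example).

Inputs are constructed excerpts: a PASV/EPSV reply as a client logs it,
/etc/pure-ftpd.conf, and `iptables-save` output. Not code from cPanel or
Pure-FTPd; addresses and ports below are invented for illustration.
"""
import ipaddress
import re

# Constructed sample replies (invented addresses/ports).
SAMPLE_227 = "227 Entering Passive Mode (203,0,113,10,195,80)"   # port 195*256+80 = 50000
SAMPLE_227_NAT = "227 Entering Passive Mode (10,0,0,5,117,48)"    # port 117*256+48 = 30000
SAMPLE_229 = "229 Entering Extended Passive Mode (|||49152|)"

# Constructed /etc/pure-ftpd.conf excerpt: one commented-out range, one active.
SAMPLE_PURE_FTPD_CONF = """\
# /etc/pure-ftpd.conf (constructed excerpt)
TLS                          1
# PassivePortRange           40000 41000
PassivePortRange             30000 50000
"""

# Constructed `iptables-save` excerpt: the passive range is only partly open.
SAMPLE_IPTABLES = """\
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 30000:35000,990 -j ACCEPT
"""

# RFC 1918 ranges only: a server advertising one of these behind NAT is a misconfiguration.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_passive_reply(line):
    """Return (host, port) from a 227 reply, or (None, port) from a 229 reply."""
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2   # RFC 959 two-byte port encoding
    m = re.match(r"229 .*\(\|\|\|(\d+)\|\)", line)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a PASV/EPSV reply: {line!r}")


def parse_passive_range(conf_text):
    """Return (low, high) from the active PassivePortRange line, else None."""
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()          # ignore comments
        if len(parts) == 3 and parts[0] == "PassivePortRange":
            return int(parts[1]), int(parts[2])
    return None


def parse_accepted_tcp_ports(iptables_text):
    """Collect (low, high) ranges from tcp ACCEPT rules using --dport/--dports."""
    ranges = []
    for line in iptables_text.splitlines():
        if "-p tcp" not in line or "-j ACCEPT" not in line:
            continue
        m = re.search(r"--dports? (\S+)", line)
        if not m:
            continue
        for spec in m.group(1).split(","):
            low, _, high = spec.partition(":")
            ranges.append((int(low), int(high or low)))
    return ranges


def diagnose(reply, conf_text, iptables_text):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    host, port = parse_passive_reply(reply)
    findings = []
    prange = parse_passive_range(conf_text)
    if prange is None:
        findings.append("PassivePortRange is not set; Pure-FTPd will pick arbitrary high ports")
    elif not prange[0] <= port <= prange[1]:
        findings.append(f"data port {port} is outside PassivePortRange {prange[0]}-{prange[1]}")
    if not any(low <= port <= high for low, high in parse_accepted_tcp_ports(iptables_text)):
        findings.append(f"data port {port} is not accepted by the firewall rules")
    if host is not None and any(ipaddress.ip_address(host) in n for n in RFC1918):
        findings.append(f"server advertises private address {host}; set ForcePassiveIP to the public address")
    return findings


if __name__ == "__main__":
    for reply in (SAMPLE_227, SAMPLE_227_NAT, SAMPLE_229):
        print(reply)
        for finding in diagnose(reply, SAMPLE_PURE_FTPD_CONF, SAMPLE_IPTABLES) or ["no problem found"]:
            print("  -", finding)
```

    Run it against the real thing by pasting the 227 line from FileZilla's log and feeding the contents of /etc/pure-ftpd.conf and `iptables-save` (or the TCP_IN line from csf.conf, which uses the same low:high syntax) in place of the constructed samples. A finding about the firewall means the range Serra describes is not actually open; a finding about a private address means the server is behind NAT and must be told its public address.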
     
  3. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)
    Like the above poster said, ensure your passive port range is set in the FTP conf and open in your firewall.

    Also, FZ can be picky about encrypted FTP. Try the host path with ftps://host or ftpes://host; sometimes one works and one does not.

    I don't even run an FTP server anymore on my own servers; I just use sftp:// on the SSH port.
     
  4. Serra (Well-Known Member, Florida)
    The only real problem with SFTP is that it is very poorly implemented in various software. The majority of my resellers were unable to use SFTP because their software didn't support it well enough. For example, CuteFTP supports it, but with only one key file, so keys have to be the same on every account they access. That is possible, but a pain. Dreamweaver CC still doesn't support it; the best it can do is AUTH TLS.

    Personally, I've been using SFTP with CoreFTP for a few years to access my servers, and it works great. For users who don't use Core, it is hit and miss.
     
  5. quizknows (Well-Known Member, cPanel Access Level: DataCenter Provider)
    Yeah, that's a tough situation.

    IMO, on a PCI-compliant system, you should have to use encrypted FTP or SFTP. If you're still having issues with FTPS or FTPES, I'd recommend having your PCI-compliant site(s) on systems with no "normal" FTP access, and your non-PCI-compliant sites on another server with "normal" FTP access still allowed.
     