PCI Compliance FTP plain text authentication

p123

Member
Aug 20, 2011
Bangkok
Dear cPanel community,

I just performed a PCI compliance test and it ended with the following result:

Code:
Port:21 FTP server allow plain text authentication
After some quick research I went into WHM / FTP Configuration and changed the TLS Encryption Support value from its current setting, OPTIONAL, to REQUIRED / COMMAND.

My current TLS cipher suite:

Code:
HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
The settings are saved and Pure-FTPd restarts automatically - all good there, but once I try to log in to one of my accounts via FTP (naturally I changed the encryption setting in Filezilla from Plain FTP to Require explicit FTP over TLS) I cannot get through.

Here is the message log from Filezilla:

Code:
Response:	234 AUTH TLS OK.
Status:	Initializing TLS...
Status:	Verifying certificate...
Command:	USER xxxxx
Status:	TLS/SSL connection established.
Response:	331 User xxxxx OK. Password required
Command:	PASS ************
Response:	230 OK. Current restricted directory is /
Command:	SYST
Response:	215 UNIX Type: L8
Command:	FEAT
Response:	211-Extensions supported:
Response:	 EPRT
Response:	 IDLE
Response:	 MDTM
Response:	 SIZE
Response:	 MFMT
Response:	 REST STREAM
Response:	 MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:	 MLSD
Response:	 AUTH TLS
Response:	 PBSZ
Response:	 PROT
Response:	 ESTA
Response:	 PASV
Response:	 EPSV
Response:	 SPSV
Response:	 ESTP
Response:	211 End.
Status:	Server does not support non-ASCII characters.
Command:	PBSZ 0
Response:	200 PBSZ=0
Command:	PROT P
Response:	200 Data protection level set to "private"
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is your current location
Command:	TYPE I
Response:	200 TYPE is now 8-bit binary
Command:	PASV
Response:	227 Entering Passive Mode (xxx,xxx,xx,xx,xxx,xxx)
Basically I am stuck at the last line, Response: 227 Entering Passive Mode.

After doing some reading I saw advice to increase the timeout value (in seconds) in Filezilla, which brings me a step further, and I end up with:

Code:
...
Command:	PASV
Response:	227 Entering Passive Mode (xxx,xxx,xx,xx,xxx,xxx)
Command:	MLSD
Error:	GnuTLS error -53: Error in the push function.
It would be greatly appreciated if someone can help shed some further light on the situation and how to get this to work.

Thank you very much,
p123

Serra

Well-Known Member
Oct 27, 2005
Florida
You need to set a port range in:

pico /etc/pure-ftpd.conf

#add this
PassivePortRange 30000 50000

Then add 30000:50000 to your firewall for all passive ports.
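To check that a session actually behaves the way the replies above require, here is an added Python script (not from this thread or from cPanel/Pure-FTPd) that reads a FileZilla log and a pure-ftpd.conf fragment and reports whether the login happened only after AUTH TLS, whether the data channel was set to PROT P, and whether the port encoded in the 227 reply falls inside the configured PassivePortRange (the range the firewall has to allow). The log lines and config text are constructed samples with made-up address values.

```python
import re

# Constructed sample: an abbreviated FileZilla log in the shape of the one posted
# above, with made-up address and port values (192,0,2,10,117,48 -> port 30000).
SAMPLE_LOG = """Response:\t234 AUTH TLS OK.
Status:\tTLS/SSL connection established.
Command:\tUSER xxxxx
Command:\tPASS ************
Command:\tPBSZ 0
Command:\tPROT P
Command:\tPASV
Response:\t227 Entering Passive Mode (192,0,2,10,117,48)
"""

# Constructed sample pure-ftpd.conf fragment using the range suggested in the reply.
SAMPLE_CONF = """# Port range for passive connections replies.
PassivePortRange 30000 50000
"""

def passive_port_range(conf_text):
    """Return (low, high) from the PassivePortRange directive, or None if unset."""
    m = re.search(r"^\s*PassivePortRange\s+(\d+)\s+(\d+)", conf_text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def pasv_port(log_text):
    """Decode the data port from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = re.search(r"227 .*?\((?:\d+,){4}(\d+),(\d+)\)", log_text)
    return int(m.group(1)) * 256 + int(m.group(2)) if m else None  # RFC 959 encoding

def audit_session(log_text, conf_text):
    """Check the three things this thread turns on: credentials sent only after TLS
    is up, the data channel encrypted (PROT P), and the PASV port inside the range."""
    tls_at = log_text.find("234 AUTH TLS")
    user_at = log_text.find("USER ")
    port = pasv_port(log_text)
    rng = passive_port_range(conf_text)
    return {
        "tls_before_credentials": tls_at != -1 and (user_at == -1 or tls_at < user_at),
        "data_channel_protected": re.search(r"^Command:\tPROT P$", log_text, re.M) is not None,
        "pasv_port": port,
        "passive_range": rng,
        "pasv_port_in_range": rng is not None and port is not None and rng[0] <= port <= rng[1],
    }

if __name__ == "__main__":
    for key, value in audit_session(SAMPLE_LOG, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

A port outside the range (or a missing PassivePortRange line) is the case where the control connection succeeds but the MLSD listing hangs, as in the log above.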

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Like the above poster said, ensure your passive port range is set in the FTP conf, and open in your firewall.

Also, FZ can be picky about encrypted FTP. Try the host path with ftps://host or ftpes://host; sometimes one works and one does not.

I don't even run an FTP server anymore on my own servers, I just use SFTP:// on the SSH port.

Serra

Well-Known Member
Oct 27, 2005
Florida
> I don't even run an FTP server anymore on my own servers, I just use SFTP:// on the SSH port.

The only real problem with SFTP is that it is very poorly implemented in various software. The majority of my resellers were unable to use SFTP because their software didn't support it well enough. For example, CuteFTP supports it, but with only one keyfile, so keys have to be the same on every account they access. That is possible, but a pain. Dreamweaver CC still doesn't support it; the best it can do is AUTH TLS.

Personally, I've been using SFTP with CoreFTP for a few years to access my servers, it works great. Users who don't use Core... it is hit and miss.

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Yeah, that's a tough situation.

IMO, on a PCI-compliant system, you should have to use encrypted FTP or SFTP. If you're still having issues with ftps or ftpes, I'd recommend having your PCI-compliant site(s) on systems with no "normal" FTP access, and then your non-PCI-compliant sites on another server with "normal" FTP access still allowed.