The Community Forums


PCI Compliance Request

Discussion in 'Security' started by ramorse, Mar 3, 2015.

  1. ramorse

    ramorse Well-Known Member

    Joined:
    Sep 6, 2003
    Messages:
    201
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    I have one client on a server that annually gets a PCI scan from a third party. And this third party scan says there are vulnerabilities on several ports. The tech person for the client is saying the scan indicates the following changes need to be made:

    21 – change FTP to SFTP or FTPS (secure)

    25 – convert port to 465 (SSL-secured)

    110 – convert POP port to SSL-secured 995

    143 – convert IMAP port to SSL-secured 993

    587 – SMTP alternate port closed or converted to 465

    I have never seen a PCI compliance request like this. It seems very disruptive to all the other clients who may be using these services. Has anyone else seen this and if so, how have you dealt with it?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    667
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you have them provide you with the full PCI compliance report as opposed to just the suggested resolutions? This should help pinpoint what changes can be made.

    Thank you.
     
  3. ryodo

    ryodo Member

    Joined:
    Oct 3, 2012
    Messages:
    10
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Website Owner
    Hi -
    We had to do this too. And once you've closed the non-SSL ports, the scan will probably indicate that SSLv3 is being accepted, so you'll have to disallow it and only allow TLS with high-grade ciphers. This prevents the POODLE attack. This will require all email clients to switch their SMTP and POP/IMAP ports. Unfortunately, some email clients, like folks with older Mac Mail, don't support TLS, so they'll be locked out.

    Another solution is to offload the mail server onto another machine, where it isn't subject to PCI requirements.
     
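To see for yourself which protocol versions each of the ports from the scan will negotiate (and so what a POODLE/SSLv3 finding on them actually refers to), here is an added example, not code from this thread or from cPanel: a POSIX shell script that drives openssl s_client against the implicit-TLS ports (465, 993, 995) and the STARTTLS ports (25, 587, 110, 143, 21) with one protocol flag at a time and reduces each attempt to a single word. The host name and port list are arguments you supply; the output patterns it matches on ("Cipher is (NONE)" for a refused handshake, an "unknown option" error when the local OpenSSL was built without SSLv3) are assumptions about s_client's output that hold for OpenSSL 1.0 through 3.x.

```shell
#!/bin/sh
# Added example, not from the forum thread or cPanel: probe the mail/FTP ports
# named in the scan for legacy SSL/TLS protocol acceptance with openssl s_client.
# Assumes openssl(1) is on PATH; host and ports are supplied as arguments.

# Map a port number to the s_client STARTTLS option it needs.
# Implicit-TLS ports (465, 993, 995) need none; unknown ports return 1.
starttls_for_port() {
  case "$1" in
    25|587)      echo "-starttls smtp" ;;
    110)         echo "-starttls pop3" ;;
    143)         echo "-starttls imap" ;;
    21)          echo "-starttls ftp" ;;
    465|993|995) echo "" ;;
    *)           return 1 ;;
  esac
}

# Turn raw s_client output into one word. A successful handshake prints
# "New, <proto>, Cipher is <suite>"; a refused one prints "Cipher is (NONE)";
# an OpenSSL built without SSLv3 rejects the -ssl3 option outright ("unknown
# option" / "Unknown option", hence the case-free pattern), which means this
# client cannot reproduce the scanner's SSLv3 finding at all.
classify_handshake() {
  case "$1" in
    *"nknown option"*)    echo "untestable" ;;
    *"Cipher is (NONE)"*) echo "rejected" ;;
    *"Cipher is "*)       echo "accepted" ;;
    *)                    echo "no-connection" ;;
  esac
}

# Attempt one handshake with a single protocol flag (-ssl3, -tls1, -tls1_1,
# -tls1_2) and print the classification. Returns 2 for a port not in the map.
probe() {
  host="$1"; port="$2"; flag="$3"
  st=$(starttls_for_port "$port") || { echo "unsupported-port"; return 2; }
  # $st is deliberately unquoted so "-starttls smtp" splits into two words.
  # stdin from /dev/null makes s_client exit right after the handshake;
  # "|| true" keeps a failed handshake from aborting the script under set -e.
  out=$(openssl s_client -connect "$host:$port" $st "$flag" </dev/null 2>&1) || true
  classify_handshake "$out"
}

# Usage: sh probe_mail_tls.sh mail.example.com [port ...]
# With no arguments nothing is probed, so the file can be sourced for its functions.
if [ $# -ge 1 ]; then
  host="$1"; shift
  for port in ${*:-25 587 465 110 995 143 993 21}; do
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
      printf '%s:%-4s %-8s %s\n' "$host" "$port" "$flag" "$(probe "$host" "$port" "$flag")"
    done
  done
fi
```

Two caveats when reading the results: s_client has no connect timeout of its own, so wrap the call in `timeout` if any of the ports may be firewalled; and an OpenSSL from 1.1.0 onward is normally built without SSLv3, so the `-ssl3` row will read "untestable" on a current workstation, and confirming or disputing the scanner's SSLv3 finding then needs either its full report or an older openssl binary.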
  4. ramorse

    ramorse Well-Known Member

    Joined:
    Sep 6, 2003
    Messages:
    201
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    "Could you have them provide you with the full PCI compliance report as opposed to just the suggested resolutions? This should help pinpoint what changes can be made."

    I now have the complete PCI compliance report. But the mystery continues. I am told the client has had their PCI compliance approved for the year, in spite of the failures indicated in the scan. So, at least for now, the issue is moot. This happened last year as well when only OpenSSH was an issue and I provided information that OpenSSH was current and secure in spite of what the scan said.
     