SOLVED PCI DSS scan fails OpenSSH

Discussion in 'Security' started by vpswing, May 20, 2019.

  1. vpswing

    vpswing Member

    Hi,

    My server is running WHM/cPanel v78.0.23 on the latest version of CentOS 7.6.

    The PCI-DSS scan fails for the SSH security with the following message/recommendation:

    Does cPanel have a fix for this? Or do I need to manually install/upgrade OpenSSH to version 8?
    I'd rather not do anything manual/outside of cPanel as that usually causes problems down the road.

    Thanks!
     
    #1 vpswing, May 20, 2019
    Last edited by a moderator: May 20, 2019
  2. GOT

    GOT Get Proactive! PartnerNOC

    I would suggest doing neither. cPanel does not actually provide the openssh packages; they are coming from Red Hat (via CentOS), so cPanel is not able to update this themselves.

    You can use a command like this

    rpm -q --changelog openssh | grep CVE-2007-2768

    to check to see if a particular CVE has been patched. On one of my servers running the same OS version I am not seeing where it is.

    However, my recommendation would be to close SSH in your firewall in any event on a system that needs PCI certification.
     
  3. vpswing

    vpswing Member

    > However, my recommendation would be to close SSH in your firewall in any event on a system that needs PCI certification.

    This may be a silly question ... but if SSH is closed/blocked via Firewall, how does one connect to it then?

    Thanks!
     
  4. GOT

    GOT Get Proactive! PartnerNOC

    You would whitelist in the firewall any IPs that actually should have SSH access.
     
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @vpswing,

    It appears your PCI compliance provider is only checking the OpenSSH package's version number and isn't checking to see if the specific vulnerabilities are applicable to the specific operating system and RPMs installed on your system.

    You should report a false positive to your PCI compliance provider and ask them if there's any specific information they need to prove the false positive.

    Thank you.
     
  6. vpswing

    vpswing Member

    Thanks @cPanelMichael, thanks @GOT

    Will try a dispute first and see what they say.

    cheers!
     
    cPanelMichael likes this.
  7. vpswing

    vpswing Member

    @cPanelMichael - you're right. After giving them a screenshot of rpm -q --changelog openssh and rpm -qi openssh, the dispute was approved!
    We passed the scan test!

    Thank you!
     
    cPanelMichael likes this.
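
The changelog check suggested in the thread, extended to several CVE IDs at once, as an added example that is not part of the original posts: a shell function that reports, for each ID a scanner flagged, whether the package changelog lists it. The function names, the sample changelog and the CVE-0000-* placeholder IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reports whether each CVE ID named on
# the command line appears in an RPM changelog supplied on stdin.

# cve_evidence ID...
# Prints "<ID> LISTED <changelog line>" or "<ID> ABSENT" per ID.
# Returns 0 when every ID is listed, 1 when at least one is absent.
cve_evidence() {
    log=$(cat)      # stdin can be read only once, so keep a copy
    missing=0
    for id in "$@"; do
        # -F literal match, -i ignore case, -w whole word so that
        # CVE-0000-0001 does not match inside CVE-0000-00010.
        hit=$(printf '%s\n' "$log" | grep -i -w -F -- "$id" | head -n 1) || true
        if [ -n "$hit" ]; then
            printf '%s LISTED %s\n' "$id" "$hit"
        else
            printf '%s ABSENT\n' "$id"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample in the layout of `rpm -q --changelog` output.
# The CVE-0000-* IDs, packager and version are placeholders.
sample_changelog() {
    cat <<'EOF'
* Mon Jan 01 2018 Example Packager <packager@example.invalid> - 0.0-2.example
- Backport fix for CVE-0000-0001
* Sun Jan 01 2017 Example Packager <packager@example.invalid> - 0.0-1.example
- Resolve CVE-0000-0002 (constructed entry)
EOF
}

# Demo on the sample; CVE-2007-2768 is the ID from the thread.
# On a real host: rpm -q --changelog openssh | cve_evidence CVE-2007-2768
sample_changelog | cve_evidence CVE-0000-0001 CVE-2007-2768 ||
    echo "at least one ID is not in the changelog"
```

An ABSENT result only means the changelog does not name the ID; it does not by itself show whether the installed package is affected.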