

PCI Fails SSH weak hashing and key exchange

Discussion in 'Security' started by ehask71, Aug 1, 2018.

  1. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    58
    Likes Received:
    5
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    So one of my customer's PCI scans is failing from Trustwave for these 2:

    Weak SSH Hashing Algorithms
    Weak SSH Key Exchange

    None of my other Domains on that server are failing Controlscan PCI scans. The best part is the description "This vulnerability is not recognized by the national vulnerability database". I have tried disputing but they aren't budging.

    How do I update the hashing and exchange algorithms? I messed with it a bit before posting here and all I did was kill ssh lol
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,323
    Likes Received:
    1,851
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Eric,

    The following thread includes some examples of cipher and protocol settings utilized by another user for the purpose of passing Trustwave PCI compliance tests:

    I need to disable TLS v1.0

    Can you let me know if that helps? If not, could you ask Trustwave to provide more specific information about why the server is not passing?

    Thank you.
     
  3. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    58
    Likes Received:
    5
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    I launched a new scan for that customer

    Just got a fail from a different provider, same server lol. Some of this stuff is just ridiculous now; 2083, 2087, 2096 are considered LLL backdoors...... they really don't want us using cPanel

    [attached image: upload_2018-8-1_15-58-24.png]
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,323
    Likes Received:
    1,851
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Here's a thread that may help to address that specific report:

    SOLVED - PCI Fails - Sweet32 on Ports 2083/2087

    If not, can you ask the PCI provider for more specific details about why those ports are failing? It's possible it's a false positive.

    Thank you.
     
  5. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    58
    Likes Received:
    5
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    It's not Sweet32, it's that they detected SSL ports other than 443. SWEET32 was corrected a long time ago on my servers.
     
  6. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    58
    Likes Received:
    5
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    Here is the fix for the original post: add this to /etc/ssh/sshd_config

    Code:
    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
    
    After this you may need to update PuTTY or WinSCP.
     
    #6 ehask71, Aug 2, 2018
    Last edited by a moderator: Aug 2, 2018
    cPanelMichael likes this.
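The posts above describe the three sshd_config directives a scanner checks for weak SSH algorithms (KexAlgorithms, Ciphers, MACs) and the risk of breaking sshd while editing them. The following script is an added example, not code from this thread, cPanel or OpenSSH: it parses an sshd_config fragment and reports algorithms that PCI scanners usually flag (SHA-1 key exchange, CBC/RC4/3DES ciphers, MD5/SHA-1 or truncated MACs). The weak-pattern list and the two sample configs are constructed for the example; the hardened sample is the config posted in #6, the weak sample is an assumed "before" state.

```python
"""Audit an sshd_config fragment for SSH algorithms PCI scanners commonly flag.
Added example; the WEAK_PATTERNS table is an assumption for this script,
not a published list from any scanner vendor."""
import re

# Substrings identifying algorithms that scanners typically report as weak.
WEAK_PATTERNS = {
    "kexalgorithms": ("sha1",),
    "ciphers": ("-cbc", "arcfour", "3des", "blowfish", "cast128", "rijndael"),
    "macs": ("md5", "sha1", "-96", "ripemd", "umac-64"),
}

DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_directives(text):
    """Return {directive (lowercased): value} for the three algorithm directives.
    Comments and blank lines are ignored. sshd honours the *first* occurrence
    of a keyword, so later duplicates are deliberately skipped."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in WEAK_PATTERNS and key not in found:
            found[key] = value
    return found


def weak_algorithms(directive, value):
    """Return the algorithms in `value` that match the weak patterns.
    A leading '-' removes the listed algorithms from the defaults, so none of
    them are enabled; '+' and '^' append/prepend to the defaults, so the listed
    names are checked but the version-dependent defaults also remain active."""
    value = value.strip()
    if value.startswith("-"):
        return []
    if value[:1] in "+^":
        value = value[1:]
    algos = [a.strip().lower() for a in value.split(",") if a.strip()]
    patterns = WEAK_PATTERNS[directive]
    return [a for a in algos if any(p in a for p in patterns)]


def audit_sshd_config(text):
    """Report dict:
       weak     -> {directive: [weak algorithm names]}
       missing  -> directives not set at all (OpenSSH defaults apply)
       relative -> directives using +/-/^ (defaults still apply)
    'missing' and 'relative' mean the effective list is only visible via
    `sshd -T` on the host, not from the file alone."""
    found = parse_directives(text)
    report = {"weak": {}, "missing": [], "relative": []}
    for directive in WEAK_PATTERNS:
        if directive not in found:
            report["missing"].append(directive)
            continue
        if found[directive].strip()[:1] in "+^-":
            report["relative"].append(directive)
        bad = weak_algorithms(directive, found[directive])
        if bad:
            report["weak"][directive] = bad
    return report


# Constructed sample: the hardened settings from post #6.
HARDENED_SAMPLE = """
# hardened algorithm lists
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
"""

# Constructed sample: an assumed pre-fix config mixing weak and strong names.
WEAK_SAMPLE = """
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-sha2-256
"""

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED_SAMPLE), ("weak", WEAK_SAMPLE)):
        print(name, audit_sshd_config(sample))
```

This only reads the file; the effective configuration (including defaults for any directive the file omits) is what `sshd -T` prints, and `sshd -t` validates the file syntax before a restart, which avoids the "all I did was kill ssh" outcome from the first post: a typo in one of these lists makes sshd refuse to start.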