The Community Forums


PCI Issues on port 21

Discussion in 'Security' started by Serra, Jan 14, 2017.

  1. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    235
    Likes Received:
    9
    Trophy Points:
    168
    Location:
    Florida
    I'm having an issue with Trustwave showing a PCI violation on port 21.

    Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

    The evidence shows TLSv1_2 : DES-CBC3-SHA (for TLS 1 and 1.1 as well)

    I've set my TLS Cipher Suite to AES128+EECDH:AES128+EDH:!TLSv1:!TLSv1_1:!SSLv2:!SSLv3 in FTP Server Configuration.

    Clearly 3DES is not on that list. TLS 1 and TLS 1.1 are also blocked. If they are not allowed, how is FTP showing these on port 21?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look at your system and see what's happening? You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
     
  3. SJR

    SJR Member

    Joined:
    Jan 2, 2017
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Website Owner
    I am with Trustwave also and I pass on port 21 with:
    FTP Server Configuration:
    TLS Encryption Support > Required (Command/Data)
    TLS Cipher Suite > (I use 'Modern Compatibility' on Mozilla TLS)
    Security/Server Side TLS - MozillaWiki

    And, if cipher DES-CBC3-SHA still shows up on scan, you can 'dispute' this finding by setting WHM > Service Configuration > Apache Configuration > Global Configuration > Keep Alive > OFF.

    My statement for the dispute was:

    KeepAlive is turned off on domain server

    The Service Configuration > Apache Configuration > Global Configuration > Keep Alive > OFF
    This setting is set to OFF. This directive disables all persistent connections.
    This is additionally confirmed by the setting in the apache config file:
    KeepAlive Off

    Trustwave approval message is:
    We have accepted this dispute based on information provided by your organization which indicates that this issue has been mitigated by limiting the length of TLS sessions with a 64-bit cipher.

    This is a workaround. Not sure why the ftp cipher list is not obeyed and other ciphers are seen on pci scan.
    Hope this helps.
     
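The question in the first post (is 3DES really absent from what the FTP daemon offers?) and the workaround in the previous reply (a scan still reporting DES-CBC3-SHA after the cipher string was changed) both come down to checking evidence rather than configuration. The script below is an added example written for this thread; it is not code from the thread, from Trustwave or from cPanel. It does three things: classifies the suite names a scanner reports as 64-bit-block (Sweet32-relevant) or not, expands an OpenSSL cipher string with the interpreter's own OpenSSL to show which suites it really enables, and probes a live FTP service over AUTH TLS while offering only a chosen suite. The sample scan lines are constructed, the host name is a placeholder, and all function names are mine. Whether the local OpenSSL can offer 3DES at all depends on how it was built, so the expansion and probe functions surface `ssl.SSLError` instead of guessing.

```python
"""Added example (not from the thread or cPanel): audit Sweet32 exposure on an FTP service.

Three checks a defender wants after a scan report like the one above:
  1. classify suite names the scanner reported as 64-bit-block (Sweet32) or not,
  2. expand a configured OpenSSL cipher string to see what it actually permits,
  3. probe the live FTP daemon over AUTH TLS to see whether it still negotiates
     a 3DES suite regardless of what the configuration says.
"""
import re
import ssl
from ftplib import FTP_TLS

# 64-bit block ciphers as they appear in OpenSSL suite names: single DES,
# 3DES (DES-CBC3), RC2 and IDEA. The lookarounds stop "DES" matching inside
# other tokens such as "ECDSA".
_SWEET32_RE = re.compile(r"(?<![A-Z0-9])(DES-CBC3?|RC2|IDEA)(?![A-Z0-9])")

# Constructed sample in the "protocol : suite" shape of the scanner evidence
# quoted in the thread; not a real scan result.
SCAN_EVIDENCE = """\
TLSv1   : DES-CBC3-SHA
TLSv1_1 : DES-CBC3-SHA
TLSv1_2 : DES-CBC3-SHA
TLSv1_2 : ECDHE-RSA-AES128-GCM-SHA256
"""


def is_sweet32_cipher(suite_name: str) -> bool:
    """True when the suite's bulk cipher has a 64-bit block (Sweet32-relevant)."""
    return _SWEET32_RE.search(suite_name.upper()) is not None


def audit_scan_findings(evidence: str) -> list:
    """Parse 'protocol : suite' lines and return only the Sweet32-relevant ones."""
    flagged = []
    for line in evidence.splitlines():
        m = re.match(r"\s*(\S+)\s*:\s*(\S+)", line)
        if m and is_sweet32_cipher(m.group(2)):
            flagged.append({"protocol": m.group(1), "cipher": m.group(2)})
    return flagged


def expand_cipher_string(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string into the suite names it actually enables.

    Uses the interpreter's linked OpenSSL, so the result is what that library
    would offer for the string. Raises ssl.SSLError when the string selects
    nothing or is rejected. TLS 1.3 suites appear too, because OpenSSL does not
    control them through this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def probe_ftp_cipher(host: str, cipher_string: str, port: int = 21, timeout: float = 10.0):
    """Offer only `cipher_string` over AUTH TLS and report what the server negotiated.

    Returns the (suite, protocol, bits) tuple on success, or None when the server
    refused the handshake, which is the result you want when offering DES-CBC3-SHA.
    Certificate verification is disabled because this tests cipher policy, not
    identity. Needs network access; nothing in this script calls it by itself.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # 3DES suites exist only up to TLS 1.2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if local OpenSSL lacks the suite
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftp.connect(host, port)
        ftp.auth()  # sends AUTH TLS and wraps the control connection
        return ftp.sock.cipher()
    except (ssl.SSLError, OSError):
        return None
    finally:
        try:
            ftp.close()
        except OSError:
            pass


if __name__ == "__main__":
    for finding in audit_scan_findings(SCAN_EVIDENCE):
        print("Sweet32-relevant finding:", finding["protocol"], finding["cipher"])
    # The cipher string from the first post, expanded by the local OpenSSL.
    try:
        names = expand_cipher_string("AES128+EECDH:AES128+EDH:!TLSv1:!TLSv1_1:!SSLv2:!SSLv3")
        print("Configured string enables:", names)
    except ssl.SSLError as exc:
        print("Cipher string rejected by local OpenSSL:", exc)
    # Live check against a placeholder host: None means the daemon refused 3DES.
    # print(probe_ftp_cipher("ftp.example.invalid", "DES-CBC3-SHA"))
```

Run the probe from a host that is allowed to reach port 21 and compare its result with the expansion: if `expand_cipher_string` of the configured string lists no 3DES suite but `probe_ftp_cipher(host, "DES-CBC3-SHA")` still returns a negotiated suite, the daemon is not running with that configuration, which is exactly the discrepancy both posts describe.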
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator