PCI scan compliance - CentOS + cPanel

Discussion in 'Security' started by cyberiadmin, Dec 7, 2009.

  1. cyberiadmin

    cyberiadmin Registered

    Joined:
    Dec 7, 2009
    I have a cPanel box running CentOS. Everything latest and fully updated (just installed).

    Then I ran a PCI compliance scan across my server and it found many issues. Some of the issues found are the following:


    • Security hole found on port/service "general/tcp" - OpenSSL Version - CVE-2007-4995
    • Apache UserDir - I know how to fix this with cPanel
    • ISC BIND 9 DNSSEC Cache Poisoning - Upgrade to BIND 9.4.3-P4, 9.5.2-P1 or 9.6.1-P2 or later. - CVE-2009-4022
    • http TRACE XSS attack - CVE-2003-1567 CVE-2004-2320
    • Deprecated SSL Protocol Usage - Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
    • Weak Supported SSL Ciphers Suites
    • Ruby on Rails Session Fixation Vulnerability - Upgrade to Ruby on Rails version 1.2.6 or later and make sure
      'config.action_controller.session_options[:cookie_only]' is set to 'true' in the 'config/environment.rb' file. CVE-2007-5380 CVE-2007-6077
    • SSL Medium Strength Cipher Suites Supported
    • OpenSSH < 4.4 Multiple GSSAPI Vulnerabilities
    • And more

    How would I go about fixing this?
    I have tried but failed to update BIND.
    I have tried yum update list and yum update, but no updates are found.
    I have tried googling for fixes, but I have not found anything that fixes BIND.

    I tried to update BIND by using:
    Code:
    # build OpenSSL 0.9.8l from source; it installs under /usr/local/ssl
    gzip -d -c openssl-0.9.8l.tar.gz | gtar xvf -
    cd openssl-0.9.8l
    ./config
    make
    make install
    # drop the interactive "cp -i" alias so the overwrite below does not prompt
    alias cp=cp
    cp -f /usr/local/ssl/bin/openssl /usr/bin/openssl
    # point the system headers at the new OpenSSL include directory
    cd /usr/local/include
    mv openssl openssl.old
    ln -s /usr/local/ssl/include/openssl openssl
    Then cpanel says:
    Code:
    named (9.7.0b3)	failed
    Note: I had to remove, via RPM, the base named 9.4.x that was installed by cPanel, so that cPanel would see the new version. I have also tried updating to BIND 9.4.3-P4.

    This was found by http://www.hackerguardian.com/hackerguardian.

    I will also be trying https://www.mcafeesecure.com. Has anyone got PCI compliance on their server with either? If so, how did you update your server?

    Any help on this issue would be very much appreciated; I would be very thankful for it.

    Thanks
     
  2. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Check the changelog of the RPM. Many patches are backported and the DNSSEC cache poisoning is probably patched. It is also not an issue if you are not using DNSSEC on your server.
     
  3. txspaderz

    txspaderz Active Member
    PartnerNOC

    Joined:
    Jun 4, 2008
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    1) Upgrade OpenSSL
    2) Disable Userdir in VHOST (UserDir disabled)
    3) Make sure your BIND version is fully up to date via Yum. Check the changelog and make sure that the CVE is listed.
    4) Fixing this one is sometimes a mod_security issue, or an issue with your script actually being vulnerable.
    5) Get rid of SSL2 ciphers inside httpd.conf
    6) Same as #5
    7) Upgrade Ruby (/scripts/installruby)
    8) Same as #5 & #6
    9) Upgrade OpenSSH.
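Items 2, 4, 5, 6 and 8 in the list above are all Apache configuration changes, so here is a small audit script that greps an httpd.conf for the directives that address them. It is an added example, not code from the thread or from cPanel, and it assumes the directive names of Apache 1.3.34+/2.0.55+/2.2.x: TraceEnable off is the direct fix for the TRACE/XST finding (mod_security rules can also reject TRACE, but the directive does not depend on them), SSLProtocol with -SSLv2 removes the deprecated protocol, and the SSLCipherSuite string must drop the EXP, LOW and NULL classes. On a cPanel server the file is normally /usr/local/apache/conf/httpd.conf; cPanel regenerates that file from its templates, so put the directives in one of the include files under /usr/local/apache/conf/includes/ rather than editing httpd.conf directly. The two sample configs are constructed for the offline demonstration; the "weak" one imitates the permissive cipher string old Apache builds shipped with. These are pattern checks only: restart httpd and rerun the scan to confirm, since the scanner's "medium strength" class does not map one-to-one onto OpenSSL's cipher class names.

```shell
#!/bin/sh
# audit_httpd_conf: grep an Apache configuration for the scanner findings
# discussed in this thread (TRACE, SSLv2, export/low/NULL ciphers, UserDir).
# Pattern checks only: they show whether the directive is present in the
# file, not whether the running httpd has been restarted with it.

# check LABEL REGEX FILE -- prints PASS/FAIL, returns 0 on PASS
check() {
    if grep -Eiq "$2" "$3"; then
        echo "PASS  $1"
        return 0
    fi
    echo "FAIL  $1"
    return 1
}

# audit_httpd_conf FILE -- runs every check; exit status is the number of failures
audit_httpd_conf() {
    conf=$1
    fails=0
    # Apache 1.3.34+/2.0.55+/2.2.x: TraceEnable off makes httpd refuse TRACE
    check "TraceEnable off            (TRACE/XST finding)" \
        '^[[:space:]]*TraceEnable[[:space:]]+off' "$conf" || fails=$((fails+1))
    # SSLv2 must be removed from the protocol list, e.g. "SSLProtocol all -SSLv2"
    check "SSLProtocol excludes SSLv2 (deprecated protocol finding)" \
        '^[[:space:]]*SSLProtocol[[:space:]].*(-|!)SSLv2' "$conf" || fails=$((fails+1))
    # Cipher string must exclude export (40-bit), LOW (56/64-bit) and NULL suites
    check "SSLCipherSuite !EXP        (weak cipher finding)" \
        '^[[:space:]]*SSLCipherSuite[[:space:]].*!EXP' "$conf" || fails=$((fails+1))
    check "SSLCipherSuite !LOW        (weak/medium cipher finding)" \
        '^[[:space:]]*SSLCipherSuite[[:space:]].*!LOW' "$conf" || fails=$((fails+1))
    check "SSLCipherSuite !NULL       (weak cipher finding)" \
        '^[[:space:]]*SSLCipherSuite[[:space:]].*!(a|e)?NULL' "$conf" || fails=$((fails+1))
    # UserDir disabled globally (re-enable per user only where it is needed)
    check "UserDir disabled           (UserDir finding)" \
        '^[[:space:]]*UserDir[[:space:]]+disabled' "$conf" || fails=$((fails+1))
    return $fails
}

# Constructed sample fragments for the offline demonstration (not copied from
# any real server). The weak one imitates the permissive old Apache defaults.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/weak.conf" <<'EOF'
UserDir public_html
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
EOF
    cat >"$dir/hardened.conf" <<'EOF'
UserDir disabled
TraceEnable off
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
SSLHonorCipherOrder on
EOF
    echo "$dir"
}

# Demonstration on the samples. On a cPanel box the real call is:
#   audit_httpd_conf /usr/local/apache/conf/httpd.conf
samples=$(make_samples)
for f in "$samples/weak.conf" "$samples/hardened.conf"; do
    echo "== $f"
    audit_httpd_conf "$f" || echo "   $? check(s) failed"
done
```

The weak sample fails all six checks and the hardened one passes them all. The cipher string in the hardened sample keeps MEDIUM (OpenSSL's 128-bit class) because the thread is about 2009-era clients; tighten it further if the scanner still objects after a rescan.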
     
  4. cyberiadmin

    cyberiadmin Registered

    Joined:
    Dec 7, 2009
    I have done yum list updates and yum update, but it is still the same version. How do I check for the CVE?

    Thanks
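The check sirdopes describes, as an added example that is not code from the thread: CentOS keeps the upstream version number on its packages (bind stays 9.3.x on CentOS 5) and backports security fixes into them, so a scanner that reads the version banner keeps reporting the old version, and "yum list updates" only reports what the enabled repositories have that is newer than what is installed. The record of a backported fix is the RPM changelog, which "rpm -q --changelog" prints. The script below wraps that query, warns if the package is not installed at all (relevant here because the base named RPM was removed by hand), and also runs the same grep over a constructed sample changelog so it can be demonstrated offline. The sample entries, dates and maintainer name are made up for the illustration and are not copied from any real package.

```shell
#!/bin/sh
# Check whether a distribution RPM carries a backported fix for a CVE.
# CentOS keeps the upstream version string and backports patches, so a
# banner-based scan will keep flagging the old version; the RPM changelog
# is where the fix is actually recorded.

# changelog_has_cve CVE-ID -- reads changelog text on stdin,
# returns 0 if the CVE id appears in it, 1 otherwise.
changelog_has_cve() {
    grep -Fq -- "$1"
}

# rpm_has_cve PACKAGE CVE-ID -- queries the installed package's changelog.
# This is the command to run on the cPanel box itself, e.g.
#   rpm_has_cve bind CVE-2009-4022
#   rpm_has_cve openssl CVE-2007-4995
rpm_has_cve() {
    pkg=$1; cve=$2
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed (was the RPM removed by hand?)" >&2
        return 2
    fi
    if rpm -q --changelog "$pkg" | changelog_has_cve "$cve"; then
        echo "$pkg $(rpm -q --qf '%{VERSION}-%{RELEASE}' "$pkg"): changelog mentions $cve"
        return 0
    fi
    echo "$pkg: changelog does not mention $cve; check the distribution errata" >&2
    return 1
}

# Constructed sample changelog text for the offline demonstration; the
# entries, dates and maintainer are invented, not copied from a real package.
sample_changelog() {
    cat <<'EOF'
* Tue Dec 01 2009 Example Maintainer <maint@example.invalid> - 30:9.3.6-4.P1.1
- fix DNSSEC validation cache poisoning (CVE-2009-4022)

* Wed Jul 29 2009 Example Maintainer <maint@example.invalid> - 30:9.3.6-4.P1
- fix dynamic update denial of service (CVE-2009-0696)
EOF
}

# sample_has_cve CVE-ID -- the same check run over the sample text
sample_has_cve() {
    sample_changelog | changelog_has_cve "$1"
}

# Offline demonstration against the sample changelog
for cve in CVE-2009-4022 CVE-2007-4995; do
    if sample_has_cve "$cve"; then
        echo "sample changelog: $cve is listed as fixed"
    else
        echo "sample changelog: $cve is not mentioned"
    fi
done
```

If the changelog does mention the CVE, the finding is a false positive from banner matching and most scan vendors accept the distribution's errata notice as evidence. If it does not, the fix is usually a newer package in the CentOS updates repository rather than a source build: a hand-built openssl copied over /usr/bin/openssl does not change the library the system's named, httpd or sshd are linked against, so the scanner will see no difference.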
     