The Community Forums

Interact with an entire community of cPanel & WHM users!

SOLVED PCI Scan Fails On Web Services Ports

Discussion in 'Security' started by SJR, Jan 2, 2017.

  1. SJR

    SJR Member

    Joined:
    Jan 2, 2017
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Website Owner
    Trustwave does the PCI scans for my server. The 3 ports, 2083, 2087, and 2096 continue to fail for these ciphers:
    TLSv1_1 : RC4-SHA
    TLSv1_1 : RC4-MD5
    TLSv1_2 : RC4-SHA
    TLSv1_2 : RC4-MD5
    TLSv1_1 : DES-CBC3-SHA
    TLSv1_2 : DES-CBC3-SHA

    Here are my current settings in WHM > Service Configuration > cPanel Web Services Configuration:

    TLS/SSL Cipher List:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA:!DSS

    TLS/SSL Protocols:
    SSLv23:!SSLv2:!SSLv3:!TLSv1

    You can see at the end of this cipher list where I have excluded the offending ciphers.
    I have tried many, many combinations of ciphers, not only in this Web Services Config, but also in Apache Global Config settings. Regardless of what I try I can't get rid of these pci failing ciphers.

    Here is my openssl version:
    root [/]# rpm -qa | grep openssl
    openssl-devel-1.0.1e-60.el7.x86_64
    openssl-libs-1.0.1e-60.el7.x86_64
    openssl-1.0.1e-60.el7.x86_64
    root [/]# _

    Could there be a cipher config file somewhere that is overriding my settings?
    Could this be a false positive?

    Not sure what to try next. Any suggestions?

    Thx,
    SJR
     
  2. SJR

    As an additional note, I have ports 2082, 2083, 2086, 2087, 2095, and 2096 open in CSF.
    I understand these ports are used for:
    2082 cPanel
    2083 cPanel SSL
    2086 WHM
    2087 WHM SSL
    2095 Webmail
    2096 Webmail SSL

    So far I am not able to verify whether or not the non-secure ports (2082, 2086, 2095) can be closed in the firewall without causing any issues with cPanel. My thought is that maybe the PCI scanner is seeing something in the SSL ports that somehow has something to do with the non-secure ports. I will test and explore this further.
     
  3. SJR

    After doing a little research, it appears that it is ok to close the non-secure ports in CSF, so I have closed ports 2082, 2086, and 2095. I also removed a couple other non-essential ports out of the firewall, making sure all open ports are minimal and required.
    I followed these guidelines:
    How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

    I ran another pci scan and it failed for exactly the same ciphers as prior.
    I'm also running the latest version of CentOS 7.3 with cPanel 60.0.28.

    Not sure what to try next. :(
     
  4. SJR

    Next update...

    I changed my settings in WHM > Service Configuration > cPanel Web Services Configuration, to:

    TLS/SSL Cipher List:
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5

    (This is the same list as suggested in: Security/Server Side TLS - MozillaWiki
    for the 'Modern Compatibility', with the specific exclusions at the end.)

    TLS/SSL Protocols:
    SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1

    (I chose to exclude TLSv1_1 since I am the only one using the Web Services ports)

    The next PCI scan showed these failing ciphers on the same 3 ports (TLSv1_2 is the only protocol not excluded from the protocol list):
    TLSv1_2 : RC4-SHA
    TLSv1_2 : RC4-MD5
    TLSv1_2 : DES-CBC3-SHA

    For the PCI failing cipher DES-CBC3-SHA, one of Trustwave's directions for remediation is:
    "If disabling 64 bit block ciphers is not possible, please limit the number of requests client can make in a single TLS session and / or the keep-alive timeout value. As stated before, successful attack requires huge amounts of data gathered in a single TLS session (without rekeying)."

    WHM > Service Configuration > Apache Configuration > Keep Alive > Off. Turning this setting off complies with Trustwave's directions above. I then disputed the cipher DES-CBC3-SHA showing I had compensating controls in place and it was approved.

    So, now I am down to just 2 PCI fails on the 3 ports, 2083, 2087, and 2096:
    TLSv1_2 : RC4-SHA
    TLSv1_2 : RC4-MD5

    Note: In a different area of the scan report it shows "Enumerated TLS/SSL Cipher Suites", and then shows a list of ciphers in which the failing two above are included in the list.

    Unless I am mistaken, there must be some library or config file that has a list of ciphers available on these 3 ports, and 'excluding' the ciphers in the 'cPanel Web Services Configuration' list is 'not' removing them from being seen as available ciphers on these ports.

    Still hoping someone has a solution...
     
  5. SJR

    Note: On this "Enumerated TLS/SSL Cipher Suites" list mentioned above from the scan, there are 13 ciphers listed. None of the 13 ciphers in this list are ciphers that are included in my cPanel Web Services Configuration > TLS/SSL Cipher List.

    However, when I log into any of the 3 services on the 3 ports that are failing on the PCI scan (2083 cPanel, 2087 WHM, 2096 Webmail), the cipher that is used in the connection is the 2nd cipher in the list of ciphers that I have entered in the TLS/SSL Cipher List.

    So again, unless I am mistaken, the scan is seeing 13 ciphers, two of which are causing the pci scan to fail. And these 13 ciphers are not in my entered cipher list. And, these 13 ciphers are apparently not being used in the actual connection, but they are somehow showing up as available on the scan.

    Where could these be coming from, and how do I turn them off or disable them? Help!
     
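    A local check of what a cipher string actually enables, added here as example code (not from this thread or from cPanel): it expands the posted Web Services cipher string through the local OpenSSL build, flags any RC4/DES/MD5 suites, and compares a scanner's enumerated suite list against what the string allows, which is the quickest way to tell whether the listening service is honouring the configured list at all. The host, port and the scanner list in the docstrings and tests are constructed placeholders.

```python
import socket
import ssl

# Web Services cipher string exactly as posted above.
POSTED_CIPHER_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5"
)
# Name fragments of the suite classes the scan report objects to.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH", "PSK")


def expand_cipher_list(cipher_string):
    """Resolve an OpenSSL-format cipher string against the local OpenSSL build
    and return the suite names it enables, as `openssl ciphers '<string>'` would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(names):
    """Suites that would trip the 'weak encryption' or Sweet32 findings."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


def unexpected_suites(enumerated_by_scanner, cipher_string):
    """Suites the scanner saw that the configured string does not enable.
    Anything here means the scanned port is not using this cipher list
    (the cpsrvd SNI context in this thread is one such case)."""
    enabled = set(expand_cipher_list(cipher_string))
    return sorted(s for s in enumerated_by_scanner if s not in enabled)


def negotiated_cipher(host, port, cipher_string, timeout=5.0):
    """Offer only cipher_string to host:port (your own server) and return the
    suite it picks, or None if it refuses or the local OpenSSL cannot offer any.
    Certificate checks are off: only the cipher negotiation matters here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher_string)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None
```

    Feeding the scan report's "Enumerated TLS/SSL Cipher Suites" list into `unexpected_suites` with the WHM cipher string should return an empty list once the service really applies that string; a non-empty result points at a different TLS context answering on that port.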
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    It looks like you've opened a support ticket for additional assistance with this issue. I'll update this thread with the outcome of the support ticket once the ticket closes.

    Thanks!
     
  7. cPanelMichael

    Hello,

    To update, internal case CPANEL-10758 was opened to address an issue where the initial implementation of SNI in cpsrvd overlooked the cipher list setting in WHM, which server administrators utilize for PCI compliance. I'll update this thread again once the resolution is published.

    Thanks!
     
  8. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    235
    Likes Received:
    9
    Trophy Points:
    168
    Location:
    Florida
    Thank you.
     
  9. SJR

    Update:

    I have not yet seen case CPANEL-10758 in any changelog, but in cPanel version 62.0.5 I see this line:
    "Fixed case CPANEL-10796: Make cpsrvd’s SNI obey the server’s Web Services cipher list setting."

    As of January 30th, cPanel version 62 went to the RELEASE tier.
    After I upgraded my server to version 62.0.7, I ran a PCI scan and it passed on all 3 ports. (2083 cPanel, 2087 WHM, 2096 Webmail)
    There are times that Trustwave's scan doesn't seem consistent, but I believe the problem is now fixed. I will confirm after a second scan runs.
     
  10. Serra

    Good. I've yet to get it. Should be in a day or so.
     
  11. cPanelMichael

    Hello,

    I'm happy to see the issue is now addressed.

    CPANEL-10796 is the case number for this resolution in cPanel version 62, whereas CPANEL-10758 is the case number for cPanel version 60 (not yet published). Both cases include the same resolution.

    Thank you.
     
  12. cPanelMichael

    Hello,

    The resolution for cPanel version 60 is now published as part of cPanel version 60.0.36:

    Fixed case CPANEL-10758: Make cpsrvd’s SNI obey the server’s Web Services cipher list setting.

    Thanks!
     
  13. eglwolf

    eglwolf Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    185
    Likes Received:
    0
    Trophy Points:
    166
    Trustwave still fails on these two issues each month:

    1) Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

    2) SSL/TLS Weak Encryption Algorithms

    Both on port 21.

    I have done these things suggested in this post.

    cpanel version 64.0.24

    TLS/SSL Cipher is:
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5

    TLS/SSL Protocols are:
    SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
     
  14. Serra

    Try TLS/SSL Cipher:
    AES128+EECDH:AES128+EDH:!SSLv2:!SSLv3:!3DES
     
  15. eglwolf

    @Serra, I tried that and still failed. What else can I try?
     
  16. Serra

    Can you give me the exact fail message they are giving you? I'm wondering if I'm on the wrong track.
     
  17. eglwolf

    SSL/TLS Weak Encryption Algorithms
    The SSL-based service running on this host appears to support the use of "weak" ciphers such as:
    - Cipher suites that have key lengths of less than 128 bits.
    - Cipher suites using anonymous Diffie-Hellman algorithms (no authentication).
    - Cipher suites offering no encryption.
    - Cipher suites using pre-shared keys.
    - Cipher suites using RC4 or MD5.
    Please note that this vulnerability CANNOT be disputed using a Risk Mitigation and Migration plan. This is a separate finding and must be treated as such.


    Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
    This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers with a block size of 64 bits have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.

    NOTE: Cipher block size must not be confused with key length. DES / 3DES ciphers are vulnerable because they always operate on 64 bit blocks regardless of the key length. If this vulnerability is detected, and in the list of detected ciphers you see only entries with numbers different than 64 (eg. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid, because '112 bits' is the key length.
     
  18. Serra

    Does it say what ports?
     
  19. eglwolf

    Yes sorry. TCP Port 21
     
  20. Serra

    Just to be clear, you are putting that here: Home » Service Configuration » FTP Server Configuration, under the TLS Cipher Suite, and you are using Pure-FTP?
     