SOLVED Securitymetrics - PCI fails on port 21 and 465

parambhat

Registered
Dec 14, 2016
3
0
1
India
cPanel Access Level
Root Administrator
Hi,

After scanning using securitymetrics following points are getting failed.

TLS Version 1.0 Protocol Detection (PCI DSS) for port 21
- settings for ftp server configuration are
- TLS Encryption Support (required - command)
- TLS Cipher Suite (HIGH:MEDIUM:!TLSv1:!SSLv2:!SSLv3)

SMTP Service Cleartext Login Permitted
- I tried different solution mentioned in this post.
PCI fails on "SMTP Service Cleartext Login Permitted"
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello,

TLS Version 1.0 Protocol Detection (PCI DSS) for port 21
- settings for ftp server configuration are
- TLS Encryption Support (required - command)
- TLS Cipher Suite (HIGH:MEDIUM:!TLSv1:!SSLv2:!SSLv3)
You will need to switch to ProFTPd via "WHM >> FTP Server Selection" to meet PCI Compliance at this time due to current restrictions with the Pure-FTPd configuration. Once it's enabled, you can then browse to "WHM Home » Service Configuration » FTP Server Configuration" and remove the TLSv1 entry from the "TLS Protocol" section.

SMTP Service Cleartext Login Permitted
- I tried different solution mentioned in this post.
PCI fails on "SMTP Service Cleartext Login Permitted"
To confirm, did you browse to "WHM >> Exim Configuration Manager >> Advanced Editor" and remove port 465 from the tls_on_connect_ports option?

Thank you.
 

parambhat

Registered
Dec 14, 2016
3
0
1
India
cPanel Access Level
Root Administrator
Hello,

I tried to remove 465 from tls_on_connect_ports option but I was getting an error while saving. Empty value. At present securitymetrics mark false positive for port 465.

I tried switching to proFTPD and modified cipher suite but same result, I can connect TLS1.0 using openssl from terminal.

Thank You
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
I tried to remove 465 from tls_on_connect_ports option but I was getting an error while saving. Empty value.
I'm unable to reproduce this issue. Have you made any other changes in the Advanced Editor that could trigger this warning? Also, you can try adding the following line under the CONFIG section in the /etc/exim.conf.local file:

Code:
tls_on_connect_ports
Then, rebuild the Exim configuration file via the "/scripts/buildeximconf" command.

I tried switching to proFTPD and modified cipher suite but same result, I can connect TLS1.0 using openssl from terminal.
There's a case that was fixed in cPanel version 60:

Fixed case CPANEL-7402: Make FTP use standard TLS cipher suite defaults.

Could you let us know which version of cPanel is installed on the system?

Thank you.
 

parambhat

Registered
Dec 14, 2016
3
0
1
India
cPanel Access Level
Root Administrator
There's a case that was fixed in cPanel version 60:

Fixed case CPANEL-7402: Make FTP use standard TLS cipher suite defaults.

Could you let us know which version of cPanel is installed on the system?
WHM 58.0 (build 32)

In WHM its showing Version “60.0.28” is available. Updating will fix this problem?

Thank You
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
In WHM its showing Version “60.0.28” is available. Updating will fix this problem?
Yes, cPanel version 60 includes the following resolution:

Fixed case CPANEL-7402: Make FTP use standard TLS cipher suite defaults.

This will ensure the protocol settings you modify for ProFtpd in "WHM Home » Service Configuration » FTP Server Configuration" are properly reflected.

Thank you.