SOLVED Securitymetrics - PCI fails on port 21 and 465

Discussion in 'Security' started by parambhat, Dec 14, 2016.

  1. parambhat

    parambhat Registered

    Joined:
    Dec 14, 2016
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    After scanning using SecurityMetrics, the following points are failing.

    TLS Version 1.0 Protocol Detection (PCI DSS) for port 21
    - settings for ftp server configuration are
    - TLS Encryption Support (required - command)
    - TLS Cipher Suite (HIGH:MEDIUM:!TLSv1:!SSLv2:!SSLv3)

    SMTP Service Cleartext Login Permitted
    - I tried the different solutions mentioned in this post.
    PCI fails on "SMTP Service Cleartext Login Permitted"
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,094
    Likes Received:
    1,288
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    You will need to switch to ProFTPd via "WHM >> FTP Server Selection" to meet PCI Compliance at this time due to current restrictions with the Pure-FTPd configuration. Once it's enabled, you can then browse to "WHM Home » Service Configuration » FTP Server Configuration" and remove the TLSv1 entry from the "TLS Protocol" section.

    To confirm, did you browse to "WHM >> Exim Configuration Manager >> Advanced Editor" and remove port 465 from the tls_on_connect_ports option?

    Thank you.
     
  3. parambhat

    Hello,

    I tried to remove 465 from the tls_on_connect_ports option, but I was getting an error while saving: Empty value. At present SecurityMetrics marks a false positive for port 465.

    I tried switching to ProFTPD and modified the cipher suite, but got the same result: I can connect with TLS 1.0 using openssl from the terminal.

    Thank You
     
    #3 parambhat, Dec 19, 2016
    Last edited by a moderator: Dec 20, 2016
  4. cPanelMichael

    I'm unable to reproduce this issue. Have you made any other changes in the Advanced Editor that could trigger this warning? Also, you can try adding the following line under the CONFIG section in the /etc/exim.conf.local file:

    Code:
    tls_on_connect_ports

    Then, rebuild the Exim configuration file via the "/scripts/buildeximconf" command.

    There's a case that was fixed in cPanel version 60:

    Fixed case CPANEL-7402: Make FTP use standard TLS cipher suite defaults.

    Could you let us know which version of cPanel is installed on the system?

    Thank you.
     
  5. parambhat

    WHM 58.0 (build 32)

    In WHM it's showing that version “60.0.28” is available. Will updating fix this problem?

    Thank You
     
    #5 parambhat, Dec 22, 2016
    Last edited by a moderator: Dec 22, 2016
  6. cPanelMichael

    Yes, cPanel version 60 includes the following resolution:

    Fixed case CPANEL-7402: Make FTP use standard TLS cipher suite defaults.

    This will ensure the protocol settings you modify for ProFtpd in "WHM Home » Service Configuration » FTP Server Configuration" are properly reflected.

    Thank you.
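
A way to re-check the port 21 finding from a terminal after changing the FTP protocol settings discussed in this thread, added here as an example and not part of any post above: it offers only TLS 1.0 with `openssl s_client` and separates "server refused TLS 1.0" from "could not connect at all". The function names, sample outputs and hostname are constructed for illustration, and it assumes the local openssl build can still offer TLS 1.0; the optional third argument generalizes it to services that speak TLS immediately on connect.

```shell
#!/bin/sh
# Added example: does a service still complete a TLS 1.0 handshake?

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA'
SAMPLE_REJECTED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
SAMPLE_NOCONNECT='connect: Connection refused
connect:errno=111'

# Read s_client output on stdin; print accepted, rejected or unknown.
# "unknown" covers refused/timed-out connections, which must not be
# mistaken for the server rejecting TLS 1.0.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|Cipher[[:space:]]*: 0000'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq '^New, .*Cipher is [A-Z0-9]'; then
        echo accepted
    else
        echo unknown
    fi
}

# probe_tls10 HOST PORT [STARTTLS_PROTO]
# Offers only TLS 1.0. Explicit FTPS on port 21 needs "ftp" as the third
# argument; omit it for services that speak TLS immediately on connect.
# Caveat: if the local openssl build refuses to offer TLS 1.0, the result
# says nothing about the server.
probe_tls10() {
    host=$1; port=$2; starttls=${3:-}
    if [ -n "$starttls" ]; then set -- -starttls "$starttls"; else set --; fi
    openssl s_client -connect "$host:$port" -tls1 "$@" </dev/null 2>&1 |
        classify_handshake
}

# Usage: sh check_tls10.sh ftp.example.com 21 ftp   (placeholder hostname)
if [ "$#" -ge 2 ]; then
    probe_tls10 "$@"
fi
```

A result of "accepted" on port 21 means the scanner's TLS 1.0 finding still applies; "unknown" means the probe itself needs checking (firewall, wrong port, missing STARTTLS argument) before drawing a conclusion.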
     