The Community Forums

Unencrypted Communication Channel Accessibility

Discussion in 'Security' started by kwright@fogo, Nov 4, 2014.

  1. kwright@fogo (Registered; cPanel Access Level: Root Administrator)

    I am getting the PCI scan failure below on my web server. We have tried several solutions, but nothing seems to work. Our vendor needs to use FTP over SSL to connect to this server. They are using FTPS with TLS required to connect. Since the standard FTPS port is disallowed by PCI, we have been using port 2112. With our latest scan, apparently this port is no longer allowed due to this reported issue. We have plain text logins turned off and TLS is required on this port (although the scan does not see this as true).

    "Unencrypted authentication is allowed prior to TLS negotiation. The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.

    Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible."

    Any suggestions are appreciated.
  2. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)

    Hello :)

    Do you get the same PCI failure if you use a different port? It could be a false positive, but you may want to provide that information to your PCI scanning company so they can provide you with additional details.

    Thank you.
  3. kwright@fogo (Registered; cPanel Access Level: Root Administrator)

    Yes, we originally had this same failure on the following ports. We have either blocked, turned off or changed our method for these and that seemed to work for all but 2112.

    Port: tcp/25, Service: smtp
    Port: tcp/110, Service: pop3
    Port: tcp/143, Service: imap
    Port: tcp/587, Service: smtp
  4. cPanelMichael (Forums Analyst, Staff Member; cPanel Access Level: Root Administrator)

    You will need to let them know that TLS Encryption Support is required for FTP and that their report is likely generating a false positive.

    Thank you.
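Whether the finding quoted in the first post is a false positive can be settled from the server side with the same check the scanner performs: connect to the FTP control port in the clear, send USER before any AUTH TLS, and see whether the server refuses. The script below is an added example, not code from this thread or from cPanel; the reply texts in the sample transcripts are constructed, and `probe()` takes whatever host and port you administer.

```python
import socket
# Outcome labels for a cleartext USER command sent before AUTH TLS.
ACCEPTED = "plaintext_auth_accepted"   # the condition the scanner reported
REJECTED = "plaintext_auth_rejected"   # what "TLS required" should produce
UNKNOWN = "unexpected_reply"

def reply_code(lines):
    """Consume one FTP reply (single or multi-line) from an iterator of
    decoded lines; return its 3-digit code, or -1 if malformed."""
    first = next(lines, "")
    if len(first) < 4 or not first[:3].isdigit() or first[3] not in " -":
        return -1
    code = first[:3]
    if first[3] == "-":                 # multi-line reply ends at "<code> "
        for line in lines:
            if line.startswith(code + " "):
                break
    return int(code)

def classify_user_reply(code):
    """331/230 = server will authenticate without TLS; 4xx/5xx = refused."""
    if code in (331, 230):
        return ACCEPTED
    if 400 <= code <= 599:
        return REJECTED
    return UNKNOWN

def classify_transcript(server_lines):
    """Classify a control-channel transcript: banner, then the USER reply."""
    it = iter(server_lines)
    if reply_code(it) != 220:
        return UNKNOWN
    return classify_user_reply(reply_code(it))

def probe(host, port, timeout=5.0):
    """Live check: read banner, send USER without AUTH TLS, classify reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="latin-1", newline="\r\n")
        lines = (line.rstrip("\r\n") for line in rfile)
        if reply_code(lines) != 220:
            return UNKNOWN
        sock.sendall(b"USER pci-check\r\n")
        result = classify_user_reply(reply_code(lines))
        sock.sendall(b"QUIT\r\n")
        return result

# Constructed sample transcripts (not captured from a real server).
TLS_REQUIRED = ["220-Welcome", "220 Ready", "530 TLS required before login"]
TLS_OPTIONAL = ["220 Ready", "331 Please specify the password"]
```

If `probe("ftp.example.internal", 2112)` returns `plaintext_auth_rejected`, the server really does refuse cleartext logins and the scan result is the false positive cPanelMichael describes; `plaintext_auth_accepted` means the TLS-required setting is not in effect on that port.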