Resolved
0 votes
Hello,

I have a customer who recently purchased a CC machine to accept payments.

With the new machine also came the requirement of allowing a PCI scan from a range of IP addresses.

I have been going at this for about 2 weeks trying to get the network PCI compliant, but the ClearOS 7 box is still failing on several ports.

These ports are all used by legitimate services like mail, webconfig, VPN, etc.

Does anyone have any advice for me to get through this scan?


Here are the affected ports and their reason for failure:

Port   Our Reason   Their Problem
25     Mail Server  Supports SSL V3
993    Mail Server  Susceptible to SSL POODLE
995    Mail Server  Susceptible to SSL POODLE
465    Mail Server  Supports TLS 1.0
443    Web Port     Server Supports RC4 Ciphers
143    Mail Server  Supports TLS 1.0
110    Mail Server  Supports short block sizes (Sweet32)
81     Webconfig    Vulnerable Apache 2.4.6
82     Webconfig    Vulnerable Apache 2.4.6
83     Webconfig    Vulnerable Apache 2.4.6
1723   VPN          Scan may have been blocked
3306   ClearOS DB   Possible internet-facing DB port

Please help!
Monday, March 18 2019, 06:47 PM
Responses (3)
  • Accepted Answer

    Tuesday, March 19 2019, 03:12 PM - #Permalink
    Resolved
    0 votes
    Nick is correct, you do stand the risk of not being able to interchange secure emails with hosts that can only do SSLv3. But SSLv3 is compromised so that means that your communications may not be as secure as you would like. From the standpoint of your pen testers, they will want you to turn it off.

    The '81 Webconfig Vulnerable Apache 2.4.6' is an assessment based on versioning only. ClearOS uses backported fixes which address security issues without changing version numbers. If you know the precise CVE then you can pull the response when you justify your access. You can also turn off external access to port 81 or put in exceptions only for certain management IPs in the custom firewall rules.
  • Accepted Answer

    Tuesday, March 19 2019, 08:58 AM - #Permalink
    Resolved
    0 votes
    Looking at the mail list, all those items should be controlled by the "other" end. If you stop SSL V3 in postfix, you just risk losing inbound e-mails from other MTAs which can only do SSL V3. The other ports, 110, 143, 465, 993 and 995 (and 25) depend on the e-mail clients. You can always raise the security of the transactions as long as you know that all the e-mail clients using those services support the more secure protocols. Otherwise you will end up disabling some of your clients.
  • Accepted Answer

    Monday, March 18 2019, 10:09 PM - #Permalink
    Resolved
    0 votes
    The CVE numbers in your report are the most helpful things to look at. Many of these are likely already covered here:

    https://www.clearos.com/resources/documentation/clearos/announcements:cvedatabase

    If Security Metrics ran your report, check these out:

    https://www.clearos.com/resources/documentation/clearos/knowledgebase:securitymetrics

    Or if it was Rapid 7 you can look at these:

    https://www.clearos.com/resources/documentation/clearos/knowledgebase:rapid7

    If you have support with ClearCenter (included with Gold and Platinum, or per-incident with Bronze and Silver), you can submit your report to ClearCARE and they can help you do all the things needed to get it to pass. In some cases, pen testing will check on versions alone and ClearOS backports in fixes. For some things, you will need to optimize the security by enabling newer TLS and disabling backwards compatibility versions.
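The replies above amount to one piece of advice: turn off SSLv3, TLS 1.0, RC4 and 3DES on the mail and web ports once you know your clients can cope, then confirm the change took effect before the scanner comes back. As an added example (not code from this thread, from ClearOS or from the scanner vendors), the following standard-library Python script does that confirmation from the server's own side: for each port in the report it builds a client that can only offer the weak option the scanner flagged and records whether the server accepted it. The host name and the port-to-service mapping are assumptions taken from the question; adjust them to your own layout. An outcome of "untestable" means the local OpenSSL can no longer offer that legacy option at all (typical for SSLv3 and RC4 on current builds), so that item can only be re-verified from an older machine or by the scanner's own re-run.

```python
"""Re-probe the ports from a PCI scan report for the legacy TLS options the
scanner complained about (SSLv3, TLS 1.0, RC4, 3DES). Standard library only.
Nothing here changes configuration; it only reports what the server accepts.
"""
import imaplib
import poplib
import smtplib
import socket
import ssl

# Ports from the question and how TLS is negotiated on each (constructed from
# the report; adjust to your own mail/web layout).
PROBE_TARGETS = {
    25: "smtp-starttls",
    465: "tls",
    110: "pop3-starttls",
    995: "tls",
    143: "imap-starttls",
    993: "tls",
    443: "tls",
}

# Each scanner complaint as (protocol version, cipher list) the probe client is
# restricted to. Version names are ssl.TLSVersion members.
LEGACY_CHECKS = {
    "sslv3": ("SSLv3", None),
    "tls1.0": ("TLSv1", None),
    "rc4": (None, "RC4"),
    "sweet32": (None, "3DES"),
}


def build_legacy_context(version=None, ciphers=None):
    """Return a client context that offers only the weak option, or None when
    the local OpenSSL cannot even offer it (then the check is untestable)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we test protocol acceptance, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        if version is not None:
            v = getattr(ssl.TLSVersion, version, None)
            if v is None or not getattr(ssl, "HAS_" + version, False):
                return None  # this OpenSSL build has no support for it
            ctx.minimum_version = v
            ctx.maximum_version = v
        else:
            # Cipher checks: cap at TLS 1.2, because a TLS 1.3 handshake ignores
            # this cipher list and would masquerade as "RC4 accepted".
            ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        cipher_list = ciphers or "ALL"
        try:
            # OpenSSL >= 1.1: security level 0 is needed to offer TLS 1.0 etc.
            ctx.set_ciphers(cipher_list + ":@SECLEVEL=0")
        except ssl.SSLError:
            ctx.set_ciphers(cipher_list)  # libraries without SECLEVEL
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def probe(host, port, mode, ctx, timeout=5.0):
    """Attempt one handshake. 'accepted': server completed it with the weak
    option (the scanner will flag it again); 'rejected': the TLS layer refused;
    'error': TCP refusal, missing STARTTLS, timeout and similar."""
    if mode not in ("tls", "smtp-starttls", "imap-starttls", "pop3-starttls"):
        raise ValueError(f"unknown mode {mode!r}")
    conn = None
    try:
        if mode == "tls":
            conn = socket.create_connection((host, port), timeout=timeout)
            conn = ctx.wrap_socket(conn, server_hostname=host)
        elif mode == "smtp-starttls":
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.starttls(context=ctx)
        elif mode == "imap-starttls":
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            conn.starttls(ssl_context=ctx)
        else:
            conn = poplib.POP3(host, port, timeout=timeout)
            conn.stls(context=ctx)
        return "accepted"
    except ssl.SSLError:  # subclass of OSError, so it must come first
        return "rejected"
    except (OSError, smtplib.SMTPException, imaplib.IMAP4.error, poplib.error_proto):
        return "error"
    finally:
        if conn is not None:
            try:  # IMAP4.close() is the protocol command; shutdown() drops the socket
                conn.shutdown() if isinstance(conn, imaplib.IMAP4) else conn.close()
            except Exception:
                pass


def run_checks(host, targets=PROBE_TARGETS, checks=LEGACY_CHECKS):
    """Return {(port, check_name): outcome} for every port/weakness pair."""
    results = {}
    for port, mode in targets.items():
        for name, (version, ciphers) in checks.items():
            ctx = build_legacy_context(version, ciphers)
            results[(port, name)] = (
                "untestable" if ctx is None else probe(host, port, mode, ctx)
            )
    return results


def still_failing(results):
    """Ports where at least one weak option was accepted."""
    return sorted({port for (port, _), r in results.items() if r == "accepted"})


if __name__ == "__main__":
    HOST = "mail.example.test"  # placeholder: your ClearOS box
    res = run_checks(HOST)
    for (port, check), outcome in sorted(res.items()):
        print(f"{port:>5} {check:<8} {outcome}")
    print("ports the scanner will flag again:", still_failing(res))
```

Run it from a machine outside the firewall (the scanner's vantage point) as well as from the LAN, since the custom firewall rules suggested above for port 81 change what an outside host can reach at all; an "error" on 1723 from outside is what the report's "scan may have been blocked" looks like from this side.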