DirectAdmin PCI DSS Validation
After running a PCI Scan in the DirectAdmin Panel, I found several problems, which I'm trying to fix. The issues reported by Qualys Lab are:

1. SSL Server Allows Anonymous Authentication Vulnerability (Port 21/TCP over SSL)
2. Web Server Uses Plain-Text Form Based Authentication (Port 80/TCP)
3. Mail Server Accepts Plaintext Credentials (Port 587/TCP)
4. POP3 Server Allows Plain Text Authentication Vulnerability (Port 110/TCP)
5. Mail Server Accepts Plaintext Credentials (Port 25/TCP)
6. SSL Certificate - Signature Verification Failed Vulnerability (Port 443/TCP over SSL)
7. Deprecated SSH Cryptographic Settings (Port 22/TCP)
8. HTTP Security Header Not Detected (Port 443/TCP)
9. HTTP Security Header Not Detected (Port 80/TCP)
10. ISC BIND Zone Transfer Controls Vulnerability (cve-2019-6465) (Port 53/TCP)
11. ISC BIND DDNS Privilege Escalation Vulnerability (cve-2018-5741) (Port 53/UDP)
12. ISC BIND Zone Transfer Controls Vulnerability (cve-2019-6465) (Port 53/UDP)
13. ISC BIND DDNS Privilege Escalation Vulnerability (cve-2018-5741) (Port 53/TCP)
For FTP Anonymous Login, I disabled it by adding options in /etc/init.d/pure-ftpd, but I don't know why it didn't work. (1)
For the Plain Text issues, I followed https://forum.directadmin.com/threads/how-to-require-secure-connections-for-e-mail.43500/ but it might be outdated. It didn't work out. (2-5)
No. 6: I couldn't understand the issue, because SSL was correctly installed; why verification failed, I have no idea.
No. 7: I followed https://www.linuxminion.com/deprecated-ssh-cryptographic-settings/ and it seems to have solved it; I have yet to receive the updated result.
No. 8 & 9: I followed https://www.vpsbasics.com/cp/how-to-add-http-security-headers-with-openlitespeed-and-directadmin/ but it didn't work. I don't know what mistake I'm making there.
No. 10-13: DirectAdmin uses the Extended Support Version of BIND, which is very outdated by now. They should use the updated stable release. I manually updated BIND, but it's messed up.
I have also reported these to the DirectAdmin team, and they are assisting flawlessly, but it might take some time. In the meantime, if you have any idea or fix in mind, please share it. I'll try to implement and test it. I'm using OLS in DirectAdmin.
AlphaSSL Revocation Issue is being investigated.
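To verify whether a fix for findings 3, 4, 5, 8 and 9 actually took effect before waiting on a rescan, the following added example (not from the post or from DirectAdmin) parses a captured SMTP EHLO reply, a POP3 CAPA reply and an HTTP response head and reports what a scanner would still flag. The expected-header list and all sample responses are assumptions constructed for the example.

```python
"""Offline re-checks for the plaintext mail auth findings on 25/587 (SMTP)
and 110 (POP3) and the missing HTTP security headers. Samples are constructed."""
from typing import Dict, List, Set

# Headers a PCI scanner commonly expects (assumed list; match it to your report).
EXPECTED_HEADERS = ("strict-transport-security", "x-frame-options",
                    "x-content-type-options", "content-security-policy")

def smtp_plaintext_auth_offered(ehlo_response: str) -> bool:
    """True if the EHLO reply on a cleartext session advertises AUTH.
    A hardened server lists STARTTLS here and only offers AUTH after TLS."""
    extensions: Set[str] = set()
    for line in ehlo_response.splitlines():
        # Reply lines look like "250-KEYWORD params" or "250 KEYWORD" (last line).
        if line.startswith("250") and len(line) > 4:
            extensions.add(line[4:].split()[0].upper())
    return "AUTH" in extensions

def pop3_plaintext_auth_offered(capa_response: str) -> bool:
    """True if CAPA on a cleartext session still permits USER/PASS or
    SASL PLAIN/LOGIN; a hardened server shows only STLS before TLS."""
    caps: Dict[str, Set[str]] = {}
    for line in capa_response.splitlines():
        line = line.strip()
        if not line or line.startswith("+OK") or line == ".":
            continue
        name, *params = line.split()
        caps[name.upper()] = {p.upper() for p in params}
    return "USER" in caps or bool(caps.get("SASL", set()) & {"PLAIN", "LOGIN"})

def missing_security_headers(raw_response_head: str) -> List[str]:
    """Return the expected security headers absent from a raw HTTP response head."""
    present = {l.split(":", 1)[0].strip().lower()
               for l in raw_response_head.splitlines() if ":" in l}
    return [h for h in EXPECTED_HEADERS if h not in present]

# Constructed sample responses (not captured from a real server).
WEAK_EHLO = "250-mail.example.test\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
HARD_EHLO = "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME"
WEAK_CAPA = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\n."
HARD_CAPA = "+OK Capability list follows\r\nTOP\r\nSTLS\r\n."
WEAK_HTTP = "HTTP/1.1 200 OK\r\nServer: LiteSpeed\r\nContent-Type: text/html\r\n\r\n"
HARD_HTTP = WEAK_HTTP.rstrip() + ("\r\nStrict-Transport-Security: max-age=31536000"
            "\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff"
            "\r\nContent-Security-Policy: default-src 'self'\r\n\r\n")

if __name__ == "__main__":
    print("SMTP AUTH before TLS:", smtp_plaintext_auth_offered(WEAK_EHLO), smtp_plaintext_auth_offered(HARD_EHLO))
    print("POP3 plaintext auth:", pop3_plaintext_auth_offered(WEAK_CAPA), pop3_plaintext_auth_offered(HARD_CAPA))
    print("Missing headers:", missing_security_headers(WEAK_HTTP), missing_security_headers(HARD_HTTP))
```

Feed the functions the real replies from `openssl s_client`-free captures (plain `nc host 25` with EHLO, `nc host 110` with CAPA, `curl -sI`) to see whether each finding should clear.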