DirectAdmin PCI DSS Validation
Mahfuz_SS_EHL Host Rep, Veteran

Hello,

After running a PCI Scan in DirectAdmin Panel, I found several problems, which I'm trying to fix. The issues reported by Qualys Lab are:

1. SSL Server Allows Anonymous Authentication Vulnerability (Port 21/TCP over SSL)
2. Web Server Uses Plain-Text Form Based Authentication (Port 80/TCP)
3. Mail Server Accepts Plaintext Credentials (Port 587/TCP)
4. POP3 Server Allows Plain Text Authentication Vulnerability (Port 110/TCP)
5. Mail Server Accepts Plaintext Credentials (Port 25/TCP)
6. SSL Certificate - Signature Verification Failed Vulnerability (Port 443/TCP over SSL)
7. Deprecated SSH Cryptographic Settings (Port 22/TCP)
8. HTTP Security Header Not Detected (Port 443/TCP)
9. HTTP Security Header Not Detected (Port 80/TCP)
10. ISC BIND Zone transfer controls Vulnerability (cve-2019-6465) (Port 53/TCP)
11. ISC BIND DDNS Privilege Escalation Vulnerability (cve-2018-5741) (Port 53/UDP)
12. ISC BIND Zone transfer controls Vulnerability (cve-2019-6465) (Port 53/UDP)
13. ISC BIND DDNS Privilege Escalation Vulnerability (cve-2018-5741) (Port 53/TCP)

For FTP Anonymous Login, I disabled it by adding options in /etc/init.d/pure-ftpd but I don't know why it didn't work. (1)

For Plain Text Issues, I followed: https://forum.directadmin.com/threads/how-to-require-secure-connections-for-e-mail.43500/ but it might be outdated. Didn't work out. (2-5)

No. 6, I couldn't understand the issue, because SSL was correctly installed; why verification failed, no idea.

No. 7, I followed: https://www.linuxminion.com/deprecated-ssh-cryptographic-settings/ Seems to have solved it; yet to receive an updated result.

No. 8 & 9, I followed https://www.vpsbasics.com/cp/how-to-add-http-security-headers-with-openlitespeed-and-directadmin/ but it didn't work. Don't know what mistake I'm doing there.

No. 10-13, DirectAdmin uses Extended Support Version for BIND, which is very backdated for now. They should use updated stable release. I manually updated BIND, but it's messed up.

I have reported these to DirectAdmin team also, they are assisting flawlessly. But, it might require some time. In the meantime, if you have any idea & fix in mind, you can share. I'll try to implement & test that. I'm using OLS in DirectAdmin.

Regards.

Comments

  • hzr Member

    you pretty much should not be using any commodity control panel for something in pci scope. you'll practically fail audit just off the potential for the panel to auto update.

  • Mahfuz_SS_EHL Host Rep, Veteran

    @hzr said:
    you pretty much should not be using any commodity control panel for something in pci scope. you'll practically fail audit just off the potential for the panel to auto update.

    Not like that. I'm regulating normal scanning on the panels.

  • 1.) SSL Server Allows Anonymous Authentication Vulnerability (Port 21/TCP over SSL)
    Verify with systemctl status whether pureftpd is actually started with the -E command line option. I recommend switching to SFTP and removing FTP completely if you can.

    2.) Web Server Uses Plain-Text Form Based Authentication (Port 80/TCP)
    HTTP to HTTPS redirection is not compliant. You must explicitly disable unencrypted connections.
    I see the DirectAdmin Daemon server (which is installed on demo.directadmin.com:2222) accepts both HTTP and HTTPS connections on the same port and the login form uses a relative action path (form action="/CMD_LOGIN").

    4.) POP3 Server Allows Plain Text Authentication Vulnerability (Port 110/TCP)
    The POP3/IMAP issue is similar to the HTTP issue. Dovecot mentions their IMAP workaround here: https://doc.dovecot.org/settings/core/#ssl
    You should only allow implicit TLS for both POP and IMAP on ports 995 and 993. Nothing on port 110.
    Related read: RFC 8314.

    3.,5.) Mail Server Accepts Plaintext Credentials
    The forum post you linked doesn't include the TLS configuration for Exim4. Follow the Exim4 documentation at https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html

    7.) Deprecated SSH Cryptographic Settings (Port 22/TCP)
    Specify the values for KexAlgorithms, HostKeyAlgorithms, Ciphers and MACs according to the defaults at https://man.openbsd.org/sshd_config.
    For example, you may fix the issue by adding these 4 lines to your sshd_config:

    KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
    HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    Ciphers aes256-ctr,[email protected],[email protected]
    MACs [email protected],[email protected],[email protected]
    Sadly, many Linux distributions set deprecated defaults.

    8., 9.) Is the "secure" cookie header there? That was not mentioned in the guide you followed.

    Thanked by 1: Mahfuz_SS_EHL
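For findings 3, 4 and 5 (and the RFC 8314 point above), an added example that is not from the thread or from DirectAdmin: it parses the SMTP EHLO and POP3 CAPA responses a scanner sees on the cleartext ports and flags authentication offered before STARTTLS/STLS. The sample responses are constructed; `fetch_capabilities` is a hypothetical helper for running the same check live against your own server.

```python
"""Check whether a mail server offers authentication on its cleartext ports
(findings 3, 4 and 5 above). Added example; not from the thread or DirectAdmin."""
import re
import socket

# Constructed sample responses, as seen on ports 25/587 and 110 before STARTTLS/STLS.
SMTP_EHLO_BAD = ("250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE 52428800\r\n"
                 "250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n")
SMTP_EHLO_OK = ("250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE 52428800\r\n"
                "250-STARTTLS\r\n250 HELP\r\n")  # AUTH advertised only after STARTTLS
POP3_CAPA_BAD = "+OK\r\nTOP\r\nUIDL\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\n.\r\n"
POP3_CAPA_OK = "+OK\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"  # e.g. Dovecot disable_plaintext_auth = yes


def smtp_offers_plaintext_auth(ehlo_response: str) -> bool:
    """True when the cleartext EHLO already lists AUTH, so a client can send
    credentials before STARTTLS. In Exim, auth_advertise_hosts can be made
    conditional on $tls_in_cipher so AUTH is only advertised inside TLS."""
    exts = [ln[4:].strip().upper() for ln in ehlo_response.splitlines()
            if re.match(r"250[ -]", ln)]
    return any(e == "AUTH" or e.startswith("AUTH ") for e in exts)


def pop3_offers_plaintext_auth(capa_response: str) -> bool:
    """True when CAPA on port 110 lists USER or a SASL mechanism before STLS."""
    caps = [ln.strip().upper() for ln in capa_response.splitlines()[1:]]
    for cap in caps:
        words = cap.split()
        if words and (words[0] == "USER" or (words[0] == "SASL" and len(words) > 1)):
            return True
    return False


def fetch_capabilities(host: str, port: int, timeout: float = 10.0) -> str:
    """Hypothetical cleartext probe of your own server: sends CAPA (port 110) or
    EHLO (SMTP) and returns the raw response for the checks above. Needs network."""
    cmd = b"CAPA\r\n" if port == 110 else b"EHLO scanner.example.test\r\n"
    done = re.compile(rb"^\.\r\n" if port == 110 else rb"^250 ", re.M)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.recv(4096)  # discard the greeting banner
        sock.sendall(cmd)
        buf = b""
        while not done.search(buf):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode(errors="replace")
```

A server that only advertises AUTH, USER or SASL after the TLS upgrade (or only on 465/993/995) comes back clean from both checks.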
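For findings 8 and 9 and the secure-cookie question, an added check that is not from the thread or from DirectAdmin: it audits a raw HTTP response for security headers and cookie flags. The header list is my assumption of what such a scan expects, and the two responses are constructed.

```python
"""Audit a raw HTTP response for the security headers and cookie flags that
findings 8 and 9 concern. Added example, not from the thread or DirectAdmin."""
from email.parser import HeaderParser

# Constructed responses: before and after adding headers in the web server config.
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\nServer: LiteSpeed\r\nContent-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n\r\n<html></html>"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\nServer: LiteSpeed\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n\r\n<html></html>"
)

# Headers a scan typically reports as missing (assumed list; adjust to your report).
REQUIRED = {
    "strict-transport-security": None,   # any value accepted
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "content-security-policy": None,
}
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


def audit_http_response(raw: str) -> list:
    """Return a sorted list of findings; an empty list means every check passed."""
    head, _, _ = raw.partition("\r\n\r\n")
    _, _, header_text = head.partition("\r\n")           # drop the status line
    headers = HeaderParser().parsestr(header_text)        # case-insensitive lookup
    findings = []
    for name, expected in REQUIRED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif expected and value.strip().lower() != expected:
            findings.append(f"unexpected value for {name}: {value.strip()}")
    for cookie in headers.get_all("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        cookie_name = cookie.split("=", 1)[0].strip()
        for flag, label in COOKIE_FLAGS.items():
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {label} flag")
    return sorted(findings)
```

Run it against the response of the exact URL the scanner lists: a header added only for one virtual host or only on port 443 is missed on port 80.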