[BlueOnyx:04496] Re: PCI scans - with link to report

Jeff Folk jefffolk at mac.com
Sat May 15 13:48:33 -05 2010


On May 15, 2010, at 11:43 AM, webmaster wrote:

> Jeff,
>
> Thanks for your input.

What else do I have to do on a Saturday? Wait, I could mow the lawn,  
fix the A/C, ride the motorcycle... No problem.  ;-D

> I have posted that report here:
> www.oldcabin.net/Port-scan-resultst.doc &

This was blank...

> www.oldcabin.net/port-scan-results.txt

Okay, something to look at.
I'm not going to address every entry, these bonehead scans are  
triggered on simple port scans and basic version calls...

#1 TCP port 10000 -- probably your Webmin install, get rid of it

#2 TCP port 22 -- research the CVE entries, report your COMPLETE ssh  
release/patch level (mine is openssh-4.3p2-36.el5_4.4.i386), research  
the release/patch level on CentOS or RHEL security sites to make sure  
they address the CVE entries, DOCUMENT and assuage the auditors'  
"fears". For example...
   Last CVE in ssh list - Google 'CVE-2008-5161 redhat' finds this  
page...
   https://www.redhat.com/security/data/cve/CVE-2008-5161.html which  
states the issue is addressed here...
   https://rhn.redhat.com/errata/RHSA-2009-1287.html with release  
openssh-4.3p2-36.el5

#3 TCP port 80 (PHP) -- same as no 2, current installed rpm is  
php-5.1.6-24.el5_4.5

#4 TCP port 123 -- you have the ntp server running (my BX install does  
not)?? Something else using port 123??

In my current business, I deal with retail establishments (brick and  
mortar) and ALWAYS suggest they DO NOT store cc numbers. That way we  
only have to show a physically separate internal network and a  
COMPLETELY locked down public interface on the internet facing  
firewall/router. I ALWAYS suggest PCI Compliant/Certified software  
solutions. They are also instructed to have a written policy for  
temporarily hand-written or imprinted cards' destruction when the  
network is down. I do have one non-profit that accepts credit card  
donations on their website, but that is passed directly to an  
Authorize.net page for entry and processing.

But basically, you are going to want to stay in the PCI SAQ categories  
1-3 (scanning not mandatory) to avoid this nonsense. The only way you  
can accomplish this is to move the page where the cc info is entered  
off of your server (outsource). Otherwise, use a dedicated server for  
the processing (consider putting that on PRIVATE address space using a  
second NIC), and shut down ALL unnecessary services.

> My biggest concern is...... I thought the BX systems were up to
> date?  When yum runs it takes care of updates/patches and such?

They are, but simple scans will not reveal the release/patch level of  
your software. You will have to do something similar to what I  
explained about your BIND software (rpm -q "package"). This has  
nothing to do with BlueOnyx, as it is all upstream with CentOS and  
ultimately RHEL (RedHat). Certified/Compliant systems are going to be  
complicated and EXPENSIVE. Open source plugins are going to go the way  
of the dodo (or should) unless they pass off to mainstream providers  
like PayPal and Authorize.net.

> ..snip..
> When you look at the report notice the first entry for bugzilla?
> I don't think I even have that on my system but the report says it
> needs to be updated.
> Huh?
> Could their report be wrong?

Notice the port? 10000. There are 14 other references to this TCP port  
in the scan results. Don't you have Webmin installed? That is what is  
on port 10000. YOU did that, nothing to do with BlueOnyx... Explain it  
to the auditors, or uninstall.

HTH;
Jeff
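The check Jeff describes in #2 and #3 (query the installed release/patch level with rpm -q, then compare it to the fixed release named in the vendor errata) is easy to script once you have a version comparison that understands RPM-style strings. The following is an added example, not code from Jeff or the BlueOnyx project. It implements a simplified form of rpm's segment-wise version comparison (no epoch or tilde handling), parses name-version-release strings as rpm -q prints them (optionally with an arch suffix), and reports each package as ok, outdated, or not installed against a required-version table. The openssh and php versions are the ones quoted in the thread; the ntp entry and the "26.el5" release in the test are constructed sample values, not real errata.

```python
import re

# Architecture suffix that `rpm -q` may append (e.g. ".i386"); we strip it
# so that only name-version-release remains.
_ARCH_SUFFIX = re.compile(r"\.(i[3-6]86|x86_64|noarch)$")


def _segments(s):
    """Split a version/release string into alternating digit and alpha runs,
    discarding separators such as '.', '_' and '-'. '36.el5_4.4' becomes
    ['36', 'el', '5', '4', '4']."""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpm version comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments compare as integers, alpha segments lexically, a numeric
    segment is newer than an alpha one, and a longer string wins a tie.
    Epoch and '~' pre-release markers are deliberately not handled."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def split_nvr(nvr):
    """Split 'name-version-release[.arch]' into (name, version, release).
    Package names may themselves contain '-', so split from the right."""
    nvr = _ARCH_SUFFIX.sub("", nvr.strip())
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def installed_meets(installed_nvr, required_nvr):
    """True if the installed package is at or above the required NVR."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(required_nvr)
    if n1 != n2:
        raise ValueError("package name mismatch: %s vs %s" % (n1, n2))
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


def check_errata(rpm_q_output, required):
    """rpm_q_output: the text printed by `rpm -q pkg...` or `rpm -qa`, one
    NVR per line. required: {name: minimum NVR from the vendor errata}.
    Returns {name: 'ok' | 'outdated' | 'not installed'}."""
    installed = {}
    for line in rpm_q_output.splitlines():
        if line.strip():
            installed[split_nvr(line)[0]] = line.strip()
    results = {}
    for name, req in required.items():
        inst = installed.get(name)
        if inst is None:
            results[name] = "not installed"
        elif installed_meets(inst, req):
            results[name] = "ok"
        else:
            results[name] = "outdated"
    return results


# Constructed sample of `rpm -q openssh php` output on a CentOS 5 box; the
# openssh and php strings are the ones quoted in the thread.
SAMPLE_RPM_Q = """openssh-4.3p2-36.el5_4.4.i386
php-5.1.6-24.el5_4.5
"""

# Minimum releases to check against. openssh comes from RHSA-2009-1287 as
# cited above; the php and ntp entries are constructed placeholders, so
# replace them with the NVRs from the errata you actually look up.
REQUIRED = {
    "openssh": "openssh-4.3p2-36.el5",
    "php": "php-5.1.6-24.el5_4.5",
    "ntp": "ntp-4.2.2p1-9.el5",
}

if __name__ == "__main__":
    for name, status in sorted(check_errata(SAMPLE_RPM_Q, REQUIRED).items()):
        print("%-10s %s" % (name, status))
```

To use it on a real host, replace SAMPLE_RPM_Q with the captured output of rpm -q for the packages the scan flagged and fill REQUIRED from the errata pages; the per-package ok/outdated line is exactly the documentation Jeff suggests handing the auditors.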
