[BlueOnyx:04499] Re: PCI scans - with link to report

Doug Harvey dwh1958 at gmail.com
Sat May 15 15:35:56 -05 2010


I forgot to mention this in my last email. One of the first things that I
had to do was to get rid of ALL the ports that I didn't absolutely have to
have.  It basically narrowed it down to 80 (a must have) and 443 or 445 (I
forgot which).  One of the other things that they beat me up on was port 25
and 110.  Port 22 is something that has to completely go away or they will
not get you a good report.  FrontPage extensions is another one.  3306,
another one they will not allow to be open.

Bottom line...I had to move my mail servicing to another server...The
database had to be on another server...Three servers total to run an
effective e-commerce site.

Doug
On Sat, May 15, 2010 at 1:48 PM, Jeff Folk <jefffolk at mac.com> wrote:

> On May 15, 2010, at 11:43 AM, webmaster wrote:
>
> > Jeff,
> >
> > Thanks for your input.
>
> What else do I have to do on a Saturday? Wait, I could mow the lawn,
> fix the A/C, ride the motorcycle... No problem.  ;-D
>
> > I have posted that report here:
> > www.oldcabin.net/Port-scan-resultst.doc &
>
> This was blank...
>
> > www.oldcabin.net/port-scan-results.txt
>
> Okay, something to look at.
> I'm not going to address every entry, these bonehead scans are
> triggered on simple port scans and basic version calls...
>
> #1 TCP port 10000 -- probably your Webmin install, get rid of it
>
> #2 TCP port 22 -- research the CVE entries, report your COMPLETE ssh
> release/patch level (mine is openssh-4.3p2-36.el5_4.4.i386), research
> the release/patch level on CentOS or RHEL security sites to make sure
> they address the CVE entries, DOCUMENT and assuage the auditors'
> "fears". For example...
>   Last CVE in ssh list - Google 'CVE-2008-5161 redhat' finds this
> page...
>   https://www.redhat.com/security/data/cve/CVE-2008-5161.html which
> states the issue is addressed here...
>   https://rhn.redhat.com/errata/RHSA-2009-1287.html with release
> openssh-4.3p2-36.el5
>
> #3 TCP port 80 (PHP) -- same as #2, currently installed rpm is
> php-5.1.6-24.el5_4.5
>
> #4 TCP port 123 -- you have the ntp server running (my BX install does
> not)?? Something else using port 123??
>
> In my current business, I deal with retail establishments (brick and
> mortar) and ALWAYS suggest they DO NOT store cc numbers. That way we
> only have to show a physically separate internal network and a
> COMPLETELY locked down public interface on the internet facing
> firewall/router. I ALWAYS suggest PCI Compliant/Certified software
> solutions. They are also instructed to have a written policy for
> temporarily hand written or imprinted cards' destruction when the
> network is down. I do have one non-profit that accepts credit card
> donations on their website, but that is passed directly to an
> Authorize.net page for entry and processing.
>
> But basically, you are going to want to stay in the PCI SAQ categories
> 1-3 (scanning not mandatory) to avoid this nonsense. The only way you
> can accomplish this is to move the page where the cc info is entered
> off of your server (outsource). Otherwise, use a dedicated server for
> the processing (consider putting that on PRIVATE address space using a
> second NIC), and shut down ALL unnecessary services.
>
> > My biggest concern is...... I thought the BX systems were up to
> > date?  When yum runs it takes care of updates/patches and such?
>
> They are, but simple scans will not reveal the release/patch level of
> your software. You will have to do something similar to what I
> explained about your BIND software (rpm -q "package"). This has
> nothing to do with BlueOnyx, as it is all upstream with CentOS and
> ultimately RHEL (RedHat). Certified/Compliant systems are going to be
> complicated and EXPENSIVE. Open source plugins are going to go the way
> of the dodo (or should) unless they pass off to mainstream providers
> like PayPal and Authorize.net.
>
> > ..snip..
> > When you look at the report notice the first entry for bugzilla?
> > I don't think I even have that on my system but the report says it
> > needs to be updated.
> > Huh?
> > Could their report be wrong?
>
> Notice the port? 10000. There are 14 other references to this TCP port
> in the scan results. Don't you have Webmin installed? That is what is
> on port 10000. YOU did that, nothing to do with BlueOnyx... Explain it
> to the auditors, or uninstall.
>
> HTH;
> Jeff
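The errata check Jeff describes above (compare the complete `rpm -q` release against the fixed release the RHSA names, and keep the comparison as evidence for the auditors), as an added example that is not code from this thread or from the BlueOnyx project. It implements rpm's version-comparison rules in Python; the `rpm -q` lines are a constructed sample built from the package strings quoted in the thread, and only the openssh/RHSA-2009-1287 entry in `ERRATA` comes from the thread.

```python
import re
# Constructed sample of `rpm -q openssh php` output, built from the package
# strings quoted in the thread (not captured from a real host).
RPM_Q_OUTPUT = "openssh-4.3p2-36.el5_4.4.i386\nphp-5.1.6-24.el5_4.5"
# CVE -> (package, fixed version-release) per the errata page; only the
# openssh entry comes from the thread, other CVEs are added the same way.
ERRATA = {"CVE-2008-5161": ("openssh", "4.3p2-36.el5")}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")  # rpm's '~'/'^' markers not handled (unused on EL5)

def rpmvercmp(a, b):
    """rpm-style compare of version/release strings, returning -1, 0 or 1:
    digit runs as integers, digits beat letters, leftover segments win."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_rpm_q(line):
    """'openssh-4.3p2-36.el5_4.4.i386' -> ('openssh', '4.3p2', '36.el5_4.4')."""
    line = re.sub(r"\.(i[3-6]86|x86_64|noarch)$", "", line.strip())
    name_ver, _, rel = line.rpartition("-")
    name, _, ver = name_ver.rpartition("-")
    return name, ver, rel

def is_patched(installed_vr, fixed_vr):
    """installed 'version-release' >= errata's? Release only breaks a version tie."""
    iv, _, ir = installed_vr.rpartition("-")
    fv, _, fr = fixed_vr.rpartition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def audit(rpm_q_output, errata):
    """One evidence line per CVE that an auditor can check against the errata."""
    have = {n: f"{v}-{r}" for n, v, r in map(parse_rpm_q, rpm_q_output.splitlines())}
    out = {}
    for cve, (pkg, fixed) in errata.items():
        if pkg not in have:
            out[cve] = f"{pkg}: not installed, finding does not apply"
        elif is_patched(have[pkg], fixed):
            out[cve] = f"{pkg}-{have[pkg]} >= {pkg}-{fixed}: fixed per errata"
        else:
            out[cve] = f"{pkg}-{have[pkg]} < {pkg}-{fixed}: UPDATE REQUIRED"
    return out
```

On a real host, feed `audit()` the output of `rpm -q` for the packages the scan flags; a backported fix shows up as a higher release on the same version, which is exactly the case a scanner's banner check cannot see.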