[BlueOnyx:20935] Re: OpenSSH and PCI on 5208R
Jim Matysek
matysekj at usms.org
Thu Apr 20 13:42:55 -05 2017
Thanks, Michael. That's what we'll do. I haven't run APF for a while, as
I wasn't sure it could work with dfix2 installed (just checked the doc
and see that it's explicit that it works WELL with this). We've
currently requested another scan with SSH turned off as Chris suggested,
but we'll also go ahead and configure APF after the current scan comes
back.
I completely agree with you on the logic behind CVE-2016-10012, but
TrustWave is not likely to agree. Some of the requirements for this are
really odd. Credit card info never touches our server as it is sent
directly to the gateway processor, but since we put the form up, they
insist on our passing a scan. Makes no sense to me - we absolutely never
see or touch credit card info, not even in any kind of pass-through. It
goes directly from the form in the client's browser to authorize.net.
-jim
As for CVE-2016-10012: It's indeed such a non-issue that I can understand
that RedHat puts a fix for it on the back burner.
CVE-2016-10012 is only exploitable if the box is already hacked beyond
rescue and then why would someone bother with hacking OpenSSH from the
inside if he's already in?
Therefore the best advice would indeed be: Lock SSH down so that it's
unreachable for IPs other than the ones you're using to connect to the
box.
Or turn it off and enable it via the GUI whenever you need it.
If you have APF installed you can easily do it this way:
In the list of open ports remove the SSH port from the list. It's usually
port 22 unless you changed it. Then via the GUI add this line to the Allow
Hosts rules:
tcp:in:d=22:s=<your-office-ip>
That will then allow TCP access to port 22 from <your-office-ip> and for
anyone else SSH will appear to be closed.
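A small audit script, added here and not part of the thread or of APF itself, that builds an allow-hosts line in the tcp:in:d=PORT:s=SOURCE form quoted above and then checks a conf.apf/allow_hosts.rules pair for the lock-down described (SSH port removed from the globally open list, and present in at least one source-scoped allow rule). The IG_TCP_CPORTS variable name, the /etc/apf/ paths and the sample contents are assumptions; the sample files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from APF. Assumes APF's conf.apf
# lists globally open inbound TCP ports in IG_TCP_CPORTS and that
# allow_hosts.rules takes lines in the tcp:in:d=PORT:s=SOURCE form.
# Constructed sample files stand in for the real ones under /etc/apf/.
CONF_OPEN=$(mktemp); CONF_LOCKED=$(mktemp); RULES=$(mktemp)
echo 'IG_TCP_CPORTS="22,80,443"' >"$CONF_OPEN"     # SSH still open to all
echo 'IG_TCP_CPORTS="80,443"'    >"$CONF_LOCKED"   # SSH removed, as advised
cat >"$RULES" <<'EOF'
# office address (constructed, documentation range)
tcp:in:d=22:s=203.0.113.10
EOF

# make_allow_rule PORT SOURCE -> prints the allow_hosts line, or fails on
# a bad port or a source that is not a dotted-quad IPv4 (optional /CIDR).
make_allow_rule() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
  echo "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  printf 'tcp:in:d=%s:s=%s\n' "$1" "$2"
}

# ssh_locked_down PORT CONF RULES -> 0 only when PORT is absent from
# IG_TCP_CPORTS (closed to everyone by default) and at least one
# non-comment allow_hosts rule admits it from a specific source.
ssh_locked_down() {
  port=$1; conf=$2; rules=$3
  cports=$(sed -n 's/^IG_TCP_CPORTS="\(.*\)"/\1/p' "$conf")
  if echo ",$cports," | grep -q ",$port,"; then
    echo "FAIL: port $port is globally open (IG_TCP_CPORTS=\"$cports\")"
    return 1
  fi
  if ! grep -Eq "^tcp:in:d=$port:s=[^[:space:]]+" "$rules"; then
    echo "FAIL: no source-scoped allow_hosts rule for port $port"
    return 1
  fi
  echo "OK: port $port closed by default, reachable only from listed sources"
}
```

Run it against the real files after editing them in the GUI; a FAIL line names which of the two steps is still missing.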