Fix virtual private server PCI compliance vulnerabilities

This project was successfully completed by lxsol for $150 USD in 3 days.

Project Budget: $30 - $250 USD
Completed In: 3 days
Total Bids: 2
Project Description

Hi,

We have had a Trustwave PCI scan completed on our virtual private server and it has flagged up a few vulnerabilities; we require these to be fixed and a scan that passes upon completion.

Here is our server specification;

CentOS 6.3 (Final), Parallels Plesk Panel [url removed, login to view]

Here is the list of issues we require fixing;

#1. Unencrypted Communication Channel Accessibility (Policy Violation)
The service running on this port (most often Telnet, FTP, etc.) appears to make use of a plaintext (unencrypted) communication channel. Payment industry policies (PCI 1.1.5.b, 2.2.2.b, 2.3 & 8.4.a) forbid the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.
CVSSv2: AV:N/AC:L/Au:N/C:C/I:C/A:N ([url removed, login to view])
Service: ftp

#2. MTA Open Mail Relaying Allowed
The SMTP mail transport agent (MTA) allows unauthenticated users to relay messages. Spammers can use this vulnerability to waste bandwidth and hide the true source of unsolicited messages.
CVE: CVE-1999-0512 NVD: CVE-1999-0512 CVSSv2: AV:N/AC:L/Au:N/C:C/I:C/A:C ([url removed, login to view])
Service: smtp

#3. Web Application Transmits Login Credentials Without Encryption
There is a web application running on this host that transmits login credentials over HTTP, which is a cleartext protocol. As such, if an attacker were able to intercept traffic containing login credentials, it would be trivial to view user account and password information.
CVSSv2: AV:A/AC:H/Au:N/C:C/I:N/A:N ([url removed, login to view])
Service: http

#4. SSLv2 Supported
This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses that can lead to the compromise of data encrypted during the SSL session. Secure web applications should only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996 with numerous security enhancements over SSLv2. TLSv1 was introduced in 1999 as an enhancement to the security features of SSLv3. All modern browsers have support for both SSLv3 and TLSv1, and often disable support for SSLv2 in the interests of security. The PCI ASV Operational Requirements require that if SSLv2 is used in the transmission of cardholder data, this must result in a failure. This was clarified in the PCI "Assessor Update: November 2008" (see the reference link in this finding).
CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N ([url removed, login to view])
Service: smtp

#5. Unix/Linux RPC Service Accessibility (Policy Violation)
Ports associated with Unix/Linux remote procedure calls (RPC) are accessible from the Internet. This generally reflects a lack of adequate firewall rules or other network-level access control, which violates requirement 1 of the PCI DSS.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N ([url removed, login to view])
Service: sunrpcportmap

#6. Unix/Linux RPC Service Accessibility (Policy Violation)
Ports associated with Unix/Linux remote procedure calls (RPC) are accessible from the Internet. This generally reflects a lack of adequate firewall rules or other network-level access control, which violates requirement 1 of the PCI DSS.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N ([url removed, login to view])
Service: sunrpcportmap

#7. DB Accessibility (Policy Violation)
There is a port open on this server that is usually used for database connections. Payment industry policy forbids exposing databases containing cardholder data directly to the Internet.
CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N ([url removed, login to view])
Service: mysql

Thanks,

Neal
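The seven findings above reduce to two questions a contractor would answer before asking Trustwave for the rescan: which listening sockets are still bound to a wildcard address (findings #1, #3, #5, #6, #7 and the port behind #2/#4), and whether the MTA configuration still permits relaying or SSLv2. The script below is an added example, not part of Neal's post and not code from Plesk or Trustwave. It works offline on constructed text that imitates `netstat -tln` and `postconf -n` output from the CentOS 6.3 / Plesk host described, assumes the MTA is Postfix (Plesk's default on that platform), and the port-to-finding mapping and remediation hints are this example's own assumptions rather than the scanner's.

```shell
#!/bin/sh
# Added example: offline triage of the PCI scan findings listed in the post.
# Parses constructed netstat/postconf text; the finding mapping and hints are
# assumptions made here, not Trustwave output.

# Constructed `netstat -tln`-style listing. Only wildcard binds (0.0.0.0 / ::)
# are reachable by the ASV scanner; the loopback bind on 3307 is not.
SAMPLE_LISTING='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3307          0.0.0.0:*               LISTEN
tcp        0      0 :::111                  :::*                    LISTEN'

# Print one "finding<TAB>port<TAB>action" line per Internet-exposed port that
# maps to a finding; sockets bound to loopback or a specific address are skipped.
triage_listing() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^tcp6?$/ && $NF == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr != "0.0.0.0" && addr != "::") next
      if (port == 21)   print "#1\t21\tplaintext FTP: enable FTPS (ProFTPD TLS) and refuse plain logins, or restrict 21 to trusted IPs"
      if (port == 25)   print "#2/#4\t25\tSMTP: confirm relay is denied and SSLv2 excluded (see check_postfix_conf)"
      if (port == 80)   print "#3\t80\tHTTP: redirect every login form to HTTPS"
      if (port == 111)  print "#5/#6\t111\trpcbind: chkconfig rpcbind off if NFS is unused, and drop 111/tcp and 111/udp in iptables"
      if (port == 3306) print "#7\t3306\tMySQL: set bind-address=127.0.0.1 in my.cnf, or drop 3306 in iptables"
    }'
}

# Constructed `postconf -n` excerpt showing the weak settings behind #2 and #4.
WEAK_POSTCONF='mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks
smtpd_tls_security_level = may'

# The same excerpt after remediation.
FIXED_POSTCONF='mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2'

# Return 0 when the excerpt shows neither a relay nor an SSLv2 weakness;
# otherwise print each problem and return 1. Postfix 2.6 (the CentOS 6 build)
# offers SSLv2 for opportunistic TLS when smtpd_tls_protocols is unset, so an
# absent line is flagged as well as a present one that lacks !SSLv2.
check_postfix_conf() {
  printf '%s\n' "$1" | awk '
    /^mynetworks[ \t]*=/ && /0\.0\.0\.0\/0/ {
      print "#2 mynetworks trusts 0.0.0.0/0, so every client may relay"; bad = 1 }
    /^smtpd_recipient_restrictions[ \t]*=/ && $0 !~ /reject_unauth_destination/ {
      print "#2 smtpd_recipient_restrictions lacks reject_unauth_destination"; bad = 1 }
    /^smtpd_tls_protocols[ \t]*=/ { tls_set = 1
      if ($0 !~ /!SSLv2/) { print "#4 smtpd_tls_protocols does not exclude SSLv2"; bad = 1 } }
    END {
      if (!tls_set) { print "#4 smtpd_tls_protocols unset: SSLv2 offered on port 25"; bad = 1 }
      exit bad }'
}

# Stand-alone demo: list exposed ports, then evaluate the weak configuration.
triage_listing "$SAMPLE_LISTING"
check_postfix_conf "$WEAK_POSTCONF" || echo "postfix: fix the above, then request the rescan"
```

Two caveats for the real host: Postfix 2.6 predates `smtpd_relay_restrictions` (added in 2.10), so on CentOS 6 the relay policy lives in `smtpd_recipient_restrictions` and `reject_unauth_destination` must follow the permit entries; and closing port 3306 or 111 in iptables satisfies the scanner, but binding MySQL to loopback also removes the exposure if a later firewall change reopens the port.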
