
Resolved PCI compliance for Plesk 12.5

nisamudeen97

Regular Pleskian
Hi,

I have followed the PCI doc http://docs.plesk.com/en-US/12.5/ad...ce/tune-plesk-to-meet-pci-dss-on-linux.65871/ for passing PCI compliance. Meanwhile, when doing an online scan, it is showing "FTP server allows plain text authentication". Please check the screenshot attached.

To allow only FTPS connections to your server: I have already done the below.
Go to Tools & Settings > Security Policy.
Select the option Allow only secure FTPS connections for FTP usage policy.

How can I disable plain text authentication for FTP? Is that possible?
 

Attachments: PCI scan.png
Hi nisamudeen97,
so you ran the PCI compliance resolver, but your scan still shows plain text available on ProFTPD?
Well, I see two possibilities...

1) The scan is showing a false positive.
2) For some reason TLSRequired is still set to off.
Check the files...

/etc/proftpd.conf
/etc/proftpd.d/ssl.conf

Code:
TLSRequired off

and change it to on...

Code:
TLSRequired on

Save the file and restart xinetd...

Code:
# service xinetd restart

I hope that helps.
Kind regards,

Lloyd
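The following is an added example, not part of Lloyd's reply or of Plesk's own tooling: a small Python check that reads ProFTPD configuration text and reports whether the settings Lloyd describes (TLSEngine and TLSRequired) would still let a client send USER/PASS without TLS. It answers exactly the question in this thread, "false positive or really still off", from the configuration side: if the check says plaintext login is not allowed, a scanner that still flags it deserves a second look. The config snippets, the file names in the comments and the parsing rules (directives at top level, inside `<Global>` or `<IfModule mod_tls.c>` count; a later directive overrides an earlier one; the main file is read before included files) are assumptions made for this example.

```python
"""Offline check of ProFTPD TLS settings for plaintext FTP authentication.

Added example; assumes the ProFTPD directive semantics described in the
thread: TLSRequired controls whether a client must issue AUTH TLS before
it may log in.
"""
import re
from typing import Dict, List, Tuple

# TLSRequired values that force a TLS handshake before USER/PASS.
# "data" protects only the data channel, so logins would still be plaintext.
AUTH_PROTECTING = {"on", "auth", "ctrl", "auth+data", "ctrl+data"}

DIRECTIVE = re.compile(r"^(TLSEngine|TLSRequired)\s+(\S+)", re.IGNORECASE)


def parse_tls_directives(config_text: str) -> Dict[str, str]:
    """Return the TLSEngine/TLSRequired values found in one config file.

    Comments are stripped. Directives at top level, inside <Global> or
    inside <IfModule ...> blocks count; directives inside other blocks
    (for example <VirtualHost>) are ignored because they only apply to
    that scope. A later directive overrides an earlier one (assumption).
    """
    found: Dict[str, str] = {}
    block_stack: List[str] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            if block_stack:
                block_stack.pop()
            continue
        if line.startswith("<"):
            block_stack.append(line[1:].split()[0].rstrip(">").lower())
            continue
        match = DIRECTIVE.match(line)
        if match and all(b in ("ifmodule", "global") for b in block_stack):
            found[match.group(1).lower()] = match.group(2).lower()
    return found


def plaintext_auth_allowed(*config_texts: str) -> Tuple[bool, str]:
    """Merge files in read order and say whether USER/PASS may go in the clear."""
    merged: Dict[str, str] = {}
    for text in config_texts:
        merged.update(parse_tls_directives(text))
    engine = merged.get("tlsengine", "off")      # ProFTPD default is off
    required = merged.get("tlsrequired", "off")  # ProFTPD default is off
    if engine != "on":
        return True, "TLSEngine is not on: FTPS is not offered at all"
    if required in AUTH_PROTECTING:
        return False, f"TLSRequired {required}: AUTH TLS is enforced before login"
    return True, f"TLSRequired {required}: clients may log in without TLS"


# Constructed sample contents standing in for /etc/proftpd.conf and
# /etc/proftpd.d/ssl.conf (the two files named in the thread).
MAIN_CONF = """# constructed sample of /etc/proftpd.conf
ServerName "ProFTPD"
Include /etc/proftpd.d/*.conf
"""

SSL_CONF_BEFORE = """# constructed sample of /etc/proftpd.d/ssl.conf, before the fix
<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired off   # plaintext USER/PASS still accepted
</IfModule>
"""

SSL_CONF_AFTER = """# constructed sample of /etc/proftpd.d/ssl.conf, after the fix
<IfModule mod_tls.c>
    TLSEngine on
    TLSRequired on    # client must AUTH TLS before logging in
</IfModule>
"""

if __name__ == "__main__":
    for label, ssl_conf in (("before", SSL_CONF_BEFORE), ("after", SSL_CONF_AFTER)):
        allowed, reason = plaintext_auth_allowed(MAIN_CONF, ssl_conf)
        print(f"{label}: plaintext auth allowed={allowed} ({reason})")
```

To use it on a real server, read the two files with `open(...).read()` and pass the main config first and the included file second; remember that the check only describes what the configuration says, so restart the service as Lloyd notes and re-run the scan to confirm the running daemon matches.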
 
Hi,

Thanks for the advice. I think it is a false positive. I am only able to connect to the server via FTP with TLS. No other methods work. So it is the most secure one. Planning to proceed with a paid PCI scan.
 
Hi, I cannot get rid of the DES/3DES ciphers on Plesk Onyx with RedHat 6.8 and Postfix. I keep testing the server for PCI compliance and the 64-bit block ciphers keep showing no matter what. I have run plesk sbin pci_compliance_resolver --enable, but it tries to update Qmail and I'm not using that. Can you please tell me where I can disable those ciphers server-wide so they don't show on ports 21, 993, 995 and 8443?
In a different scan, "cleartext logins permitted" shows on ports 25, 110 and 465, and the ciphers show on ports 110, 143, 443, 465, 993, 995 and 8443.

Please help,

Jorge.
 
Hi Jorge Batres,

Please consider reading and following:


If the recommended cipher list from Plesk is not enough for your needs and goals, please consider using your very own cipher list when you use "plesk sbin sslmng ...".
(You might find it useful to use a "generator" to create your unique cipher list, so I can recommend the Mozilla SSL Configuration Generator at: => https://mozilla.github.io/server-side-tls/ssl-config-generator/ )

In a different scan, "cleartext logins permitted" shows on ports 25, 110 and 465, and the ciphers show on ports 110, 143, 443, 465, 993, 995 and 8443.
The commands and information on how to disable PLAIN TEXT authentication are described in the above linked documents.
 