We have been PCI compliant for about four months straight; then all of a sudden this came up:

Fail
Serious
Port: 21
Protocol: tcp
Summary: attempts some buffer overflows
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score: 8.3 (CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available: true
CVE: CVE-1999-0219, CVE-2000-0870, CVE-2000-0943, CVE-2000-1035, CVE-2000-1194, CVE-2002-0126, CVE-2003-0271, CVE-2005-0634, CVE-2005-1415
BID: 269, 1227, 1675, 1690, 1858, 3884, 7251, 7278, 7307, 12704, 13454

The server has cPHulk Brute Force Protection on, and FTP users are required to use SFTP. I do not understand how I can secure this any more than I have... I do not want to change my Brute Force Protection settings, because it currently just drops the user and doesn't give them any message, and I am afraid that is what is happening. The audit company is Trust Guard; does anyone have any suggestions, or has anyone had a similar experience?

CodesInChaos
Darren

1 Answer

Umm... maybe I'm out of the loop here, but why is port 21 listening if you're using SFTP? Shouldn't it be port 22?

SpacemanSpiff
  • Also, remember, PCI is about compliance, not security. They once argued with us that our encryption on one of our NetWare SFTP servers wasn't high enough, but if we turned encryption off altogether, that was all right. It sounds like you just left the standard port open as well as SFTP and need to close it on the firewall. – SpacemanSpiff Nov 30 '10 at 04:11
  • S-FTP is a TLS extension of FTP only ever really seen on IIS FTP servers, whereas SFTP is FTP over SSH. Easy to get confused. – sysadmin1138 Nov 30 '10 at 04:32
  • @sysadmin1138: I agree that it's easy to get confused - your own comment is exhibit A :). FTP over TLS is **FTPS**; **SFTP** is NOT FTP over SSH, it's a completely *separate* protocol, an extension of SSH itself. FTP over SSH is commonly known as **SecureFTP**. Check out this [question on ITSecurity.SE](http://security.stackexchange.com/q/858/33) – AviD Nov 30 '10 at 10:16
  • You guys are a wealth of knowledge :) So in this case the original poster still probably needs to just close the port, and if it were me, remove the listener? – SpacemanSpiff Nov 30 '10 at 14:25
  • @AviD See? I'm helpful even when I'm not! – sysadmin1138 Nov 30 '10 at 15:31
  • Hey guys thanks, turns out it was an iptables rule that wasn't supposed to be there. – Darren Dec 03 '10 at 23:00
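An added check for the situation the answer and the final comment describe (a stray iptables rule leaving tcp/21 reachable on a host that is supposed to offer only SFTP on tcp/22). This is example code written for this page, not anything posted in the thread or shipped with cPanel. It embeds a constructed `iptables-save` dump whose `--dport 21 -j ACCEPT` line stands in for the hypothetical stray rule; run it with `--live` as root to inspect the real host instead.

```shell
#!/bin/sh
# Added example, not from the original thread: find the iptables INPUT rule that
# still lets scanners reach tcp/21 on a host where only SFTP (tcp/22) is wanted.

# Constructed `iptables-save` output for offline use. The "--dport 21" ACCEPT line
# is an assumed stand-in for the stray rule mentioned in the thread.
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# find_accept_rules PORT [RULES]
# Print every INPUT rule that ACCEPTs TCP traffic to exactly PORT (single-port
# --dport only; port ranges and -m multiport are deliberately not parsed).
# Falls back to the live ruleset when RULES is not given (needs root).
find_accept_rules() {
    port=$1
    rules=${2:-"$(iptables-save 2>/dev/null)"}
    printf '%s\n' "$rules" |
        grep -E -e "^-A INPUT .*-p tcp .*--dport ${port} .*-j ACCEPT$"
}

# port_allowed PORT [RULES]: exit 0 if such a rule exists, 1 otherwise.
port_allowed() {
    find_accept_rules "$1" "$2" >/dev/null
}

# count_matches PORT [RULES]: number of matching rules, whitespace-trimmed.
count_matches() {
    find_accept_rules "$1" "$2" | wc -l | tr -d ' '
}

# deletion_commands PORT [RULES]: print (never run) the `iptables -D` command
# that removes each offending rule, so the fix can be reviewed before applying.
deletion_commands() {
    find_accept_rules "$1" "$2" | sed 's/^-A /iptables -D /'
}

if [ "${1:-}" = "--live" ]; then
    # Live audit. A firewall rule is only half the story: if a daemon is still
    # bound to tcp/21, stop or remove it too, so the port does not reopen the
    # next time someone flushes the rules.
    echo "== tcp/21 listeners =="
    ss -ltn 2>/dev/null | awk '$4 ~ /:21$/'
    echo "== INPUT rules accepting tcp/21 =="
    find_accept_rules 21
    echo "== suggested removal (review, then run as root) =="
    deletion_commands 21
fi
```

After removing the rule, re-run the external scan from outside the host rather than trusting `iptables-save` alone; a provider-level firewall or NAT can still expose the port, and that external view is what the PCI scanner sees.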