PCI compliance vulnerabilities - open to bidding


We have had a Trustwave PCI scan completed on our server and it has flagged up a few vulnerabilities; we require these fixed, and a scan that passes upon completion.

Here is our server specification:

[url removed, login to view] economic hosting linux

Here is the list of issues we require fixing:

#1. Unencrypted Communication Channel Accessibility

The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.

Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible.

#2. Keyboard-Interactive Authentication Username Enumeration

The remote host is running the secure-shell (SSH) service, and allows for authentication via the "keyboard-interactive" method. This method passes authentication off to a third party, who will provide a prompt (often "Password:") that is sent back to the SSH client. The remote SSH service varies its response dependent on the username that is provided, making it possible to enumerate usernames on the remote host. This variance is often due to the use of one-time password (OTP) authentication mechanisms such as S/Key and OPIE, which require a random challenge to be presented to those authenticating. Often in these setups, only those users that are configured to use one-time passwords will be prompted with a random challenge. Thus, it is possible to positively identify those usernames that are configured to use one-time password authentication. A known vulnerability in pam_ssh (CVE-2009-1273) 1.92 and earlier may trigger this finding, as pam_ssh would report a different prompt depending on if the username was valid or not.

It is recommended that the challenge authentication mechanism be replaced with something that does not reveal the presence of user accounts. Two-factor authentication mechanisms using security tokens, for example, do not require a revealing challenge. Consult your documentation for the affected SSH service for more information on modifying its authentication mechanisms. If pam_ssh is the culprit, then check with your vendor for a patch for CVE-2009-1273.




#3. The web server running on this host allows attackers to probe for user names via requests for user home pages (e.g., http://host/~username). Many different types of web servers exhibit this behavior, but it is most commonly associated with Apache HTTP Server.

Configure the HTTP server to specify the same error documents for both 403 (Forbidden) and 404 (Page Not Found) responses. Additionally, if Apache is being used, the UserDir directive should be disabled in the Apache configuration file ([url removed, login to view]).
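Before paying for a rescan, it is worth confirming locally that the configuration-level fixes for findings #2 and #3 are actually in place. The audit script below is an added example; it is not part of the job posting or of Trustwave's report. It assumes an OpenSSH sshd_config and a flat Apache httpd configuration file, both passed in by path (the sample "before" and "after" files it creates are constructed for the demo, not taken from any real host). For #2 it treats turning keyboard-interactive (challenge-response) authentication off as the remediation, which is the usual fix on a Plesk/Linux host, rather than the "replace the challenge mechanism" wording of the finding; it also reads only the global section of sshd_config, so a later Match block that re-enables the option per user would not be caught. Finding #1 is a service-level change (replace Telnet/FTP with SSH/SFTP) and is not covered here.

```shell
#!/bin/sh
# Added example (not from the job posting or from Trustwave's report): a local
# pre-rescan audit for findings #2 and #3. It reads an OpenSSH sshd_config and
# an Apache httpd config whose paths are passed as arguments; the sample
# configs at the bottom are constructed for the demo, not taken from a host.

# Drop "#" comments; blank lines are harmless because awk never matches them.
strip_comments() {
    sed -e 's/#.*//' "$1"
}

# Finding #2: succeed when keyboard-interactive (challenge-response) auth is
# off. OpenSSH honours the FIRST occurrence of a keyword and defaults this one
# to "yes", so a missing directive is a failure. KbdInteractiveAuthentication
# and ChallengeResponseAuthentication are aliases for the same option. Only the
# global section is read: a later Match block could re-enable it per user.
sshd_kbd_interactive_disabled() {
    val=$(strip_comments "$1" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "kbdinteractiveauthentication" ||
        tolower($1) == "challengeresponseauthentication" {
            if (!seen) { v = tolower($2); seen = 1 }
        }
        END { print v }')
    [ "$val" = "no" ]
}

# Finding #3, part 1: succeed when mod_userdir is off for everyone, i.e. a bare
# "UserDir disabled" is present and no "UserDir enabled <users>" re-enables any.
apache_userdir_disabled() {
    strip_comments "$1" | awk '
        tolower($1) == "userdir" && tolower($2) == "disabled" && NF == 2 { off = 1 }
        tolower($1) == "userdir" && tolower($2) == "enabled" { on = 1 }
        END { exit (off && !on) ? 0 : 1 }'
}

# Finding #3, part 2: succeed when 403 and 404 share one error document, so a
# request for /~user cannot tell an existing account from a missing page.
# The last ErrorDocument for a status code wins, and the value is the rest of
# the line (a path, a URL, or a quoted message).
errordoc_for() {
    strip_comments "$1" | awk -v code="$2" '
        tolower($1) == "errordocument" && $2 == code {
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, ""); v = $0
        }
        END { print v }'
}
apache_errordocs_uniform() {
    e403=$(errordoc_for "$1" 403)
    e404=$(errordoc_for "$1" 404)
    [ -n "$e403" ] && [ "$e403" = "$e404" ]
}

# Run all three checks, print PASS/FAIL per check and return the number of
# failures (0 means the config-level findings are ready for a rescan).
run_check() {
    if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; return 1; fi
}
audit_host() {
    fails=0
    run_check sshd_kbd_interactive_disabled "$1" || fails=$((fails + 1))
    run_check apache_userdir_disabled "$2" || fails=$((fails + 1))
    run_check apache_errordocs_uniform "$2" || fails=$((fails + 1))
    return $fails
}

# Constructed sample configs: a "before" pair that reproduces the two findings
# and an "after" pair with the remediation applied.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/sshd_before" <<'EOF'
# distro default: challenge-response left on, PAM supplies the prompt
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF
cat > "$WORK/sshd_after" <<'EOF'
UsePAM yes
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$WORK/httpd_before" <<'EOF'
UserDir public_html
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 404 /errors/notfound.html
EOF
cat > "$WORK/httpd_after" <<'EOF'
UserDir disabled
ErrorDocument 403 /errors/generic.html
ErrorDocument 404 /errors/generic.html
EOF

audit_host "$WORK/sshd_before" "$WORK/httpd_before" || echo "before: $? check(s) failing"
echo "--- after remediation ---"
audit_host "$WORK/sshd_after" "$WORK/httpd_after" && echo "after: all checks pass"
```

Run it against the real files with `audit_host /etc/ssh/sshd_config /etc/httpd/conf/httpd.conf` (or wherever Plesk keeps the Apache configuration on the host) once the functions are sourced; a non-zero return is the number of findings still open. The script only inspects configuration text, so after editing you still need to reload sshd and Apache and then request the ASV rescan to close the findings.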




Skills: Apache, Linux, Plesk


About the employer:
( 1 review ) Santa Fe Springs, United States

Project ID: #6031937

10 freelancers are bidding on average $153 for this job


Hi Phillip, I'm a Network and System Administrator. If provided root SSH/WHM access to your server, I can make it PCI compliant. I have done this so many times before; my latest work is on Please see my feed

$147 USD in 0 days
(82 reviews)

Hi, I deal with Technical Support, Server Maintenance, Helpdesk Support and 24x7 web hosting support. We are handling a total of 83 remote servers (65 Linux and 18 Windows servers). We are handling more than 50 d

$166 USD in 3 days
(48 reviews)

I can help you. Do you have root access to your server? I'm looking forward to your response. Thank you.

$150 USD in 3 days
(82 reviews)

Hi Boss, I have ample experience in Linux server administration, website migration, and installation and configuration of custom software with security. I can do this project for you. You may please have a look at my

$105 USD in 1 day
(52 reviews)

Hi there, I'm a Linux expert with very long professional web hosting experience; see my profile at [url removed, login to view]. I also have very long experience in building for companies scalable XEN/OpenVZ/KVM/AWS

$221 USD in 1 day
(6 reviews)

Hi, a few days ago I finished a project, PCI DSS Secure for WHM/cPanel, and got a good review. I can do the same for your Plesk server. You get a 100% secured server with a guaranteed successful PCI DSS scan. SSH root server &

$66 USD in 1 day
(13 reviews)

Hi, I can see you have tested your server's security with a plugin. I am here to help. I am an experienced Linux server administrator with cPanel/WHM/Plesk security and optimization. I can fix your SSH related vul

$277 USD in 3 days
(3 reviews)

I have been working with different network topologies. Network engineer and system administrator with 5+ years of hands-on experience. I am a skilled Linux system administrator with lots of experience in Linux (Cent

$155 USD in 1 day
(0 reviews)

Hello, I can help you with this vulnerability assessment and fix the problems according to industry-standard best practices. I have a background in Linux administration and programming with a focus on security; also I'

$155 USD in 2 days
(0 reviews)

Dears, kindly be informed that I'm a VMware and Symantec specialist. I have a Master of Computer Science and Information Technology and Systems Engineering from WoodField University, USA, and a Bachelor of communicatio

$90 USD in 3 days
(0 reviews)