Cancelled

PCI compliance vulnerabilities - open to bidding

Hi,

We have had a Trustwave PCI scan completed on our server and it has flagged up a few vulnerabilities; we require these fixed and a scan that passes to be performed upon completion.

Here is our server specification:

[url removed, login to view] economic hosting linux

Here is the list of issues we require fixing:

#1. Unencrypted Communication Channel Accessibility

The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentiality and integrity of the data in transit cannot be ensured with any level of certainty.

Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible.

#[url removed, login to view] Keyboard-Interactive Authentication Username Enumeration

The remote host is running the secure-shell (SSH) service, and allows for authentication via the "keyboard-interactive" method. This method passes authentication off to a third party, who will provide a prompt (often "Password:") that is sent back to the SSH client. The remote SSH service varies its response dependent on the username that is provided, making it possible to enumerate usernames on the remote host. This variance is often due to the use of one-time password (OTP) authentication mechanisms such as S/Key and OPIE, which require a random challenge to be presented to those authenticating. Often in these setups, only those users that are configured to use one-time passwords will be prompted with a random challenge. Thus, it is possible to positively identify those usernames that are configured to use one-time password authentication. A known vulnerability in pam_ssh (CVE-2009-1273) [url removed, login to view] and earlier may trigger this finding, as pam_ssh would report a different prompt depending on if the username was valid or not.

It is recommended that the challenge authentication mechanism be replaced with something that does not reveal the presence of user accounts. Two-factor authentication mechanisms using security tokens, for example, do not require a revealing challenge. Consult your documentation for the affected SSH service for more information on modifying its authentication mechanisms. If pam_ssh is the culprit, then check with your vendor for a patch for CVE-2009-1273.

CVE-2007-2243

CVE-2007-2768

CVE-2009-1273

#[url removed, login to view] web server running on this host allows attackers to probe for user names via requests for user home pages (e.g., http://host/~username). Many different types of web servers exhibit this behavior, but it is most commonly associated with Apache HTTP Server.

Configure the HTTP server to specify the same error documents for both 403 (Forbidden) and 404 (Page Not Found) responses. Additionally, if Apache is being used, the UserDir directive should be disabled in the Apache configuration file ([url removed, login to view]).

CVE-2001-1013

Thanks,

Phillip

Skills: Apache, Linux, Plesk


About the employer:
(1 review) Santa Fe Springs, United States

Project ID: #6031937
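An added example, not code from the original post or from any of the bidders: a POSIX shell audit that checks offline copies of sshd_config and httpd.conf, plus saved "ss -ltn" output, against the three findings above. It prints PASS/FAIL per item and each check returns non-zero on a FAIL, so it can be rerun after remediation and before paying for another scan. The directive names are OpenSSH's (ChallengeResponseAuthentication, the pre-8.7 spelling, and KbdInteractiveAuthentication) and Apache's (UserDir, ErrorDocument). The weak and fixed sample configs and the listener listing are constructed inline for the demonstration and are not taken from the poster's server.

```shell
#!/bin/sh
# Offline audit for the three Trustwave findings in the post. Constructed sample
# inputs are written to a temp dir so the script runs without touching a host;
# point the functions at real files (/etc/ssh/sshd_config, the Apache config,
# and `ss -ltn > listing`) to audit a server.

# Finding 2 (SSH keyboard-interactive username enumeration).
# sshd uses the FIRST value it sees for a keyword, and the compiled-in default
# is "yes", so an absent directive counts as enabled. A Match block that turns
# the method back on for some users is reported as well.
check_sshd() {
    state=$(awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1 }
        tolower($1) == "challengeresponseauthentication" ||
        tolower($1) == "kbdinteractiveauthentication" {
            v = tolower($2)
            if (in_match && v == "yes") reenabled = 1
            else if (!in_match && global == "") global = v
        }
        END { print (global == "" ? "unset" : global) (reenabled ? " reenabled" : "") }' "$1")
    case "$state" in
        no) echo "PASS sshd: keyboard-interactive authentication disabled"; return 0 ;;
        *)  echo "FAIL sshd: keyboard-interactive is '$state' (must be 'no' in the global section)"; return 1 ;;
    esac
}

# Finding 3 (~username probing). Apache takes the LAST value of a directive, so
# the last ErrorDocument for 403 and 404 are compared; UserDir must be an
# explicit bare "UserDir disabled" with no line that re-enables lookups
# ("UserDir public_html", "UserDir enabled alice"). Directive scope
# (<VirtualHost>, <Directory>) is ignored here; review per-vhost overrides by hand.
check_apache() {
    rc=0
    userdir=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "userdir" {
            if (tolower($2) == "disabled" && NF == 2) off = 1
            else if (tolower($2) != "disabled") on = 1
        }
        END { print (on ? "enabled" : off ? "disabled" : "unset") }' "$1")
    if [ "$userdir" = disabled ]; then
        echo "PASS apache: UserDir disabled"
    else
        echo "FAIL apache: UserDir is $userdir (~user probing possible)"; rc=1
    fi
    docs=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "errordocument" && $2 == 403 { e403 = $3 }
        tolower($1) == "errordocument" && $2 == 404 { e404 = $3 }
        END { print e403 " " e404 }' "$1")
    e403=${docs% *}; e404=${docs#* }
    if [ -n "$e403" ] && [ "$e403" = "$e404" ]; then
        echo "PASS apache: 403 and 404 share error document $e403"
    else
        echo "FAIL apache: ErrorDocument 403='$e403' 404='$e404' differ or unset"; rc=1
    fi
    return $rc
}

# Finding 1 (plaintext channel). Reads saved `ss -ltn` (or `netstat -ltn`)
# output and flags FTP (21/tcp) and telnet (23/tcp) listeners; the fix is SFTP
# over sshd / SSH, or a source-IP whitelist if a plaintext service must stay.
check_listeners() {
    bad=$(awk '$1 == "LISTEN" {
        n = split($4, p, ":"); port = p[n]      # last field after ":" is the port (handles [::]:23 and *:21)
        if (port == 21) print "ftp on " $4
        if (port == 23) print "telnet on " $4 }' "$1")
    if [ -z "$bad" ]; then
        echo "PASS listeners: no ftp/telnet service bound"; return 0
    fi
    echo "FAIL listeners: plaintext service(s) found:"
    echo "$bad" | sed 's/^/  /'
    return 1
}

# Constructed samples (not from the poster's server): a weak and a fixed copy
# of each config, and a listener listing in `ss -ltn` layout.
write_samples() {
    printf '%s\n' 'Port 22' 'UsePAM yes' 'ChallengeResponseAuthentication yes' > "$1/sshd_weak"
    printf '%s\n' 'Port 22' 'UsePAM yes' 'ChallengeResponseAuthentication no' > "$1/sshd_fixed"
    printf '%s\n' 'UserDir public_html' 'ErrorDocument 403 /403.html' \
        'ErrorDocument 404 /404.html' > "$1/httpd_weak"
    printf '%s\n' '<IfModule mod_userdir.c>' '    UserDir disabled' '</IfModule>' \
        'ErrorDocument 403 /error.html' 'ErrorDocument 404 /error.html' > "$1/httpd_fixed"
    printf '%s\n' 'State  Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*' \
        'LISTEN 0      50     0.0.0.0:21         0.0.0.0:*' \
        'LISTEN 0      128    [::]:23            [::]:*' \
        'LISTEN 0      128    *:443              *:*' > "$1/ss_ltn"
}

samples=$(mktemp -d)
write_samples "$samples"
for f in sshd_weak sshd_fixed; do check_sshd "$samples/$f"; done
for f in httpd_weak httpd_fixed; do check_apache "$samples/$f"; done
check_listeners "$samples/ss_ltn"
rm -rf "$samples"
```

On a Plesk host the Apache and sshd files may be regenerated by the panel, so make the changes through Plesk where it offers the setting and rerun the audit afterwards; a PASS here only means the configuration no longer exhibits the three conditions the scanner described, and the passing scan itself still has to come from Trustwave.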

10 freelancers are bidding on average $153 for this job

aroel

Hi Phillip, I'm a Network and System Administrator. If provided root ssh/WHM access to your server, I can make it PCI compliant, I did this so many times before, my latest work is on subimods.com. Please see my feed

$147 USD in 0 days
(82 reviews)
6.0
linuxwarm

Hi, I am dealing with Technical Support, Server Maintenance, Helpdesk Support and 24x7 webhosting support. We are handling a total of 83 remote servers (65 Linux and 18 Windows servers). We are handling more than 50 d

$166 USD in 3 days
(48 reviews)
5.9
codetrance

I can help you. Do you have root access to your server? I'm looking forward to your response. Thank you.

$150 USD in 3 days
(82 reviews)
5.7
minuthomas

Hi Boss, I have ample experience in Linux server administration, website migration, installation and configuration of custom software with security. I can do this project for you. You may please have a look at my

$105 USD in 1 day
(52 reviews)
5.6
plamenhostdy

Hi there, I'm a Linux expert with very long professional web hosting experience, see my profile at http://lnkd.in/b5W3zSM. I also have very long experience in building for companies scalable XEN/OpenVZ/KVM/AWS

$221 USD in 1 day
(6 reviews)
4.4
odessky

Hi, a few days ago I finished a project, PCI DSS Secure for WHM/cPanel, and got a good review. I can do the same for your Plesk server. You get a 100% secured server with a guaranteed successful PCI DSS scan. SSH root server &

$66 USD in 1 day
(13 reviews)
4.1
sojib445566

Hi, I can see you have tested your server's security with a plugin. I am here to help. I am an experienced Linux Server administrator with cPanel/WHM/Plesk security and optimization. I can fix your SSH related vul

$277 USD in 3 days
(3 reviews)
2.6
anton0306

I have been working with different network topologies. Network engineer and system administrator with 5+ years of hands-on experience. I am a skilled Linux system administrator, with a lot of experience in Linux (Cent

$155 USD in 1 day
(0 reviews)
0.0
dylix

Hello, I can help you with this vulnerability assessment and fix the problems according to industry standard best practices. I have a background in Linux administration and programming with a focus on security, also I'

$155 USD in 2 days
(0 reviews)
0.0
feko

Dears, kindly be informed that I'm a VMware and Symantec specialist. I have a Master of Computer Science and Information Technology and Systems Engineering from WoodField University, USA. And a Bachelor of communicatio

$90 USD in 3 days
(0 reviews)
0.0