We have had a Trustwave PCI scan completed on our server and it has flagged up a few vunerability's, we require these fixing and to perform a scan that passes upon completion.
Here is our server specification;
[url removed, login to view] economic hosting linux
Here is the list of issues we require fixing;
#1. Unencrypted Communication Channel Accessibility
The service running on this port appears to make use of a plaintext (unencrypted) communication channel. The PCI DSS forbids the use of such insecure services/protocols. Unencrypted communication channels are vulnerable to the disclosure and/or modification of any data transiting through them (including usernames and passwords), and as such the confidentially and integrity of the data in transit cannot be ensured with any level of certainty.
Transition to using more secure alternatives such as SSH instead of Telnet and SFTP in favor of FTP, or consider wrapping less secure services within more secure technologies by utilizing the benefits offered by VPN, SSL/TLS, or IPSec for example. Also, limit access to management protocols/services to specific IP addresses (usually accomplished via a "whitelist") whenever possible.
#[url removed, login to view] Keyboard-Interactive Authentication Username Enumeration
The remote host is running the secure-shell (SSH) service, and allows for authentication via the "keyboard-interactive" method. This method passes authentication off to a third party, who will provide a prompt (often "Password:") that is sent back to the SSH client. The remote SSH service varies its response dependent on the username that is provided, making it possible to enumerate usernames on the remote host. This variance is often due to the use of one-time password (OTP) authentication mechanisms such as S/Key and OPIE, which require a random challenge to be presented to those authenticating. Often in these setups, only those users that are configured to use one-time passwords will be prompted with a random challenge. Thus, it is possible to positively identify those usernames that are configured to use one-time password authentication. A known vulnerability in pam_ssh (CVE-2009-1273) 1.92 and earlier may trigger this finding, as pam_ssh would report a different prompt depending on if the username was valid or not.
It is recommended that the challenge authentication mechanism be replaced with something that does not reveal the presence of user accounts. Two-factor authentication mechanisms using security tokens, for example, do not require a revealing challenge. Consult your documentation for the affected SSH service for more information on modifying its authentication mechanisms. If pam_ssh is the culprit, then check with your vendor for a patch for CVE-2009-1273.
#[url removed, login to view] web server running on this host allows attackers to probe for user names via requests for user home pages (e.g., http://host/~username). Many different types of web servers exhibit this behavior, but it is most commonly associated with Apache HTTP Server.
Configure the HTTP server to specify the same error documents for both 403 (Forbidden) and 404 (Page Not Found) responses. Additionally, if Apache is being used, the UserDir directive should be disabled in the Apache configuration file ([url removed, login to view]).