
PCI Compliance Question for SSH

2019-11-23 by: David White
From: David White 
------------------------------------------------------
I do a lot of web hosting, but haven't really had to deal much with PCI
compliance.
I have a client who wants me to launch a VPS for them, and get them off of
a shared environment, so that we can better secure the system and address
some PCI compliance concerns.

It seems that one of the bigger complaints that their PCI compliance scans
come up with are related to OpenSSH and SCP.

I think I've decided to install OpenVPN as a server on a Jump Box, and
connect the new VPS to that OpenVPN server, and then configure OpenSSH,
etc... to only listen on the VPN interface.

Am I crazy and setting myself up for failure?
Or can any of you think of a better solution?

-- 
David White
_______________________________________________
Chugalug mailing list
Chugalug@chugalug.org
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

===============================================================
From: Dave Brockman
------------------------------------------------------
Do the Scans complain about ciphers or just the fact that SSH is present and accepting connections?

Assuming you control 1.2.3.0/24 and 11.12.13.14:

iptables -A INPUT -p tcp -s 1.2.3.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 11.12.13.14 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Then the usual, deny root login, force keys, no passwords, etc. If you're going to limit to the jump box anyway, there is no need for the VPN (and another point of failure), IMO.

Cheers,
-Dave
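As an added example (not code from the thread or from any of its posters), the POSIX shell script below generalises Dave's two iptables rules to an allow-list of any length, adds the explicit log-and-drop that closes port 22 to everyone else, and checks an sshd_config for the "usual" hardening he mentions (PermitRootLogin, PasswordAuthentication, PubkeyAuthentication). The addresses 1.2.3.0/24 and 11.12.13.14 are the placeholders from his message; the function names, the DRY_RUN variable and the "ssh-denied:" log prefix are my own choices.

```shell
# Added example, not from the thread: allow-list SSH with iptables and audit
# sshd_config for the hardening Dave describes.
# DRY_RUN=1 (the default) prints the iptables commands instead of running them;
# 1.2.3.0/24 and 11.12.13.14 below are the thread's placeholder addresses.

SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only a plain IPv4 address or CIDR so nothing odd reaches iptables.
valid_source() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# One ACCEPT per trusted source (Dave's rule, generalised), then log and DROP
# every other SSH packet: without that final DROP the ACCEPT rules alone do not
# close port 22 to the rest of the internet, or to the compliance scanner.
ssh_rules() {
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
        run iptables -A INPUT -p tcp -s "$src" --dport "$SSH_PORT" \
            -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    done
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "ssh-denied: "
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

# Effective value of one sshd_config keyword. sshd takes the FIRST occurrence
# of a keyword, and settings under a Match block are conditional, so stop there.
sshd_setting() {   # sshd_setting FILE KEYWORD
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Deny root login, force keys, no passwords. Missing keywords fall back to the
# OpenSSH defaults, so an absent PasswordAuthentication still counts as "yes".
sshd_hardening_check() {   # sshd_hardening_check FILE
    rc=0
    for spec in permitrootlogin:prohibit-password:no \
                passwordauthentication:yes:no \
                pubkeyauthentication:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}; default=${rest%%:*}; want=${rest#*:}
        got=$(sshd_setting "$1" "$key")
        if [ "${got:-$default}" != "$want" ]; then
            echo "$key: want '$want', effective '${got:-$default}'"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone demo: print the rules, then audit a small constructed config.
ssh_rules 1.2.3.0/24 11.12.13.14
sample=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$sample"
sshd_hardening_check "$sample" || echo "sample config is NOT hardened"
rm -f "$sample"
```

Two caveats a practitioner would want: apply the rules from a console or an already-open session so a typo in the allow-list cannot lock you out, and persist them with the distribution's iptables service or iptables-save, since plain iptables commands do not survive a reboot. On a live host, `sshd -T` prints the effective configuration, which is the authoritative check; the awk parser above exists so the audit can run offline against a config file.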

===============================================================
From: David White
------------------------------------------------------
Thanks, Dave.

The scans are complaining that SSH is accepting connections at all.

CentOS 8 comes with OpenSSH 7.8 by default, which addresses a majority of the issues, but not all of them. If I can find a software stream repo that will provide OpenSSH >=8, then I think we'd be fine. No way I'm going to start compiling my own packages of openssh.

I do of course already have SSH configured to deny root and force keys. I've also tightened up the ciphers and such.

I didn't think about using iptables rules to do this, but that makes a lot of sense. I was envisioning needing to set up a completely separate interface on a private IP address (hence, the VPN), but you're right -- I can do this in iptables, and block SSH connections from untrusted sources before they even hit the sshd daemon.

===============================================================
From: William Roush
------------------------------------------------------
I've had 3rd party scanners yell about stupid stuff for no good reason.

Does it actually call out a violation of a specific part of PCI-DSS? Which SAQ are you trying to aim for (since you're not relying on a QSA I'm assuming it's a SAQ)?

It's been a while since I did the full SAQ D + Merchant QSA compliance but I don't remember anything saying that SSH could not be open to the internet. A bunch of rules about how it's done (strong passwords, strong ciphers, etc.), but not that it can't be done.

William Roush | https://www.roushtech.net/
Office: 423.933.2114 | Cell: 423.463.0592 | Email: william.roush@roushtech.net

===============================================================
From: Dave Brockman
------------------------------------------------------
Trustwave, in particular, likes to flag SSH open to public. There are two ways around this. 1) limit SSH availability so the scanning doesn't see it, or 2) (Say it with me) "We accept the risk of running SSH".

Cheers,
-Dave

===============================================================
From: William Roush
------------------------------------------------------
Yeah generic security scans can catch all different kinds of things that aren't actually hard PCI-DSS failures.

William Roush | https://www.roushtech.net/
Office: 423.933.2114 | Cell: 423.463.0592 | Email: william.roush@roushtech.net

===============================================================
From: David White
------------------------------------------------------
They are indeed the ones doing the compliance scan.

Try explaining the concept of "accepting the risk" and "mitigating controls" to a small nonprofit organization that doesn't understand concepts like that -- when they have a big fat "compliance report" in front of them showing that OpenSSH (and SCP) has about 10 different vulnerabilities.

I discussed at length with this particular client, and gave them the option to go with a managed VPS, and that's what they decided to do. I encouraged them several times to investigate whether or not they were actually required to meet the compliance standards, and told them several times that our shared hosting infrastructure was "secure". While they believed me and trust me, they preferred to go with the VPS so in the end, that's what we went with.

===============================================================
From: William Roush
------------------------------------------------------
> when they have a big fat "compliance report" in front of them showing that OpenSSH (and SCP) has about 10 different vulnerabilities.

Oh on that note, I've had a *very* bad history of having scanners determine software versions and flag a ton of exploits, even though those were fixed by the distribution's repo maintainers via backporting patches to the version they're locked to.

For the most part sending a bunch of false-positive reports showing "CVE-XXX was fixed in whatever-Ubuntu12 which is reported as v1.2.3" got us past all of that, but it was a massive amount of manual work looking up every CVE and cross-referencing patches applied to the repository and showing we had those patches applied. On top of 3rd party scans easily costing 5 figures this stuff gets so expensive so fast for no good reason.

It's part of why I kind of grumble that the security industry is a racket, half the time I've gone over this with companies running these scanners they had no clue what we were talking about, sigh...

William Roush | https://www.roushtech.net/
Office: 423.933.2114 | Cell: 423.463.0592 | Email: william.roush@roushtech.net

===============================================================
From: David White
------------------------------------------------------
Yeah, unfortunately, some of the CVEs have indeed not been backported.

We successfully "disputed" a number of the issues that came up, and addressed a few more by tightening up the ciphers and what-not, but I confirmed that RedHat (and thus CentOS) were not going to address a few of the CVEs that popped up.

===============================================================
From: Stephen Kraus
------------------------------------------------------
As long as you are using pub key only auth, ssh is fine. I prefer it behind a firewall.

Bonus if you set up Google MFA PAM for SSH.

===============================================================
From: Michael Harrison
------------------------------------------------------
Last time I passed PCI (6 months ago) I turned off SSH. That server reverse tunnelled during the scans.

Current environment uses OpenVPN, and in an emergency, serial or KVM console access.

BTW: The new Raritan KVMs are frigging awesome and don't require Java or Flash! (and not cheap).

===============================================================
From: David White
------------------------------------------------------
As long as you keep your servers patched, etc..., I wholeheartedly agree.

That said, standards are standards, and when you need to comply with something, sometimes "common sense" isn't good enough. We all (or at least most of us) know that following a standard doesn't necessarily make you secure, but we also know that sometimes you don't have a choice, and you have to meet standards. That's where I and my clients have found ourselves right now.

It wasn't possible for me to turn off SSH or put it behind a firewall or anything on the existing server, because that's a shared server running cPanel. Hence, why I put them onto their own fully managed VPS.

I've seen results from at least 2-3 scans in the last year, and I'm confident that we'll pass the next scan or two. If anything comes up in the next scan, I'll at least be able to address those results much more easily now that they are on their own VPS.

===============================================================
From: Dave Brockman
------------------------------------------------------
It smelled like one of theirs... :)

I've been there, and done that. It just depends upon the situation, and whether the client is paying my time to validate or just to remediate.

Most people can understand the concept of "Yes, this service is running. The only user who can connect is X, and to connect, X has to have this file, and the password to unlock it. I also have automated means to roll to a new key at any time in the case of a compromised or even lost key".

Having 10 different vulns listed makes me think you're running an older version of something though.

Cheers,
-Dave

===============================================================
From: Dave Brockman
------------------------------------------------------
> [...] scanners determine software versions and flag a ton of exploits, even though those were fixed by the distribution's repo maintainers via backporting [...]

Yep.

> [...] "CVE-XXX was fixed in whatever-Ubuntu12 which is reported as v1.2.3" got us past all of that, but it was a massive amount of manual work [...]

Yep, that's part about being paid to validate vs remediate. One takes time and manual labor, the other usually just requires a couple of firewall tweaks.

> [...] the security industry is a racket, half the time I've gone over this with companies running these scanners they had no clue what we were talking about [...]

Actually engaging scanners for discussion is always an interesting venture. It's refreshing when you find one who actually knows WTF you're talking about, but increasingly rare.

Cheers,
-Dave