|OS type and version
||CentOS Linux 7.9.2009
I’m currently getting a server setup to be ‘PCI Compliant’ - e.g. pass an automated PCI scan.
There is some documentation here (PCI Compliance – Virtualmin) but it appears to be out of date. I have used it as a starting point and think I now have everything running on TLSv1.2
One of the items is mentions is CVE-2020-8820 in Webmin <=1.941 - however I am running Webmin 1.984
The evidence the scan tool is showing is that requests to port 2000 show “Server: MiniServ/1.834” in the response headers. Am I correct in thinking this is a false positive as the MiniServ version on port 20000 is the Usermin version rather than the Webmin version?
Port 20000 is the default port for Usermin, yes. Your scanner apparently doesn’t know the difference.
Thanks - I’ll report it as a false positive. It’s not my scanner, it’s PCI DSS Compliance Programme | Clover - but I’m unfortunately having to deal with it
I guess, it could be possible that I’ve configured Webmin to run on port 20000 instead of Usermin.
Perhaps you could have the option to remove the version info from MiniServ (like ServerTokens in Apache) or make it clear which product MiniServ is serving - e.g. MiniServ/Usermin/1.834 to make life easier for these automated tools, and in turn the sysadmins who have to fight with them.
another pci compliance test suite : Website Security Test | Security Scan for GDPR and PCI DSS Compliance
works with our virtualmin on :10000
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.