I have read a lot about how to make a website PCI compliant, but I still have issues I’m trying to resolve. The first is the MySQL port being open, which is an automatic fail, but looking at iptables confused me, since I did not see mysql listed. Is there something I have to do to close it? It seems like it’s not open by the looks of iptables, but I don’t want to hose the server; my iptables knowledge has locked me out of a server before, so I want to make sure I do it right.
CentOS 5.8
My guess would be to not allow access on all, then add the accept ones back in.
Drop all, which always gets me in trouble:
iptables -A INPUT -j DROP
Local host access to the port:
iptables -I INPUT 1 -i lo -p tcp --dport mysql -j ACCEPT
iptables -I INPUT 2 -i lo -p udp --dport mysql -j ACCEPT
MySQL doesn’t actually listen for remote connections by default… if you don’t need it listening for remote connections, I’d recommend just disabling that option.
netstat -anlp | grep 8443 returned empty, just as I would think it should. I think this is the PCI scanner program that Security Metrics uses; my guess is that they test for it and think they found it.
The edit to my.cnf didn’t crash Drupal, Joomla, phpMyAdmin or WordPress, and it didn’t show up on my last scan, so I’m good to go. You might want to add this to your PCI compliance document. My understanding of it is that it just keeps MySQL from accepting remote connections to the database, not connections from localhost, which is a must for PCI compliance: they do not allow remote connections to the database.
MySQL only listens on localhost on a fresh installation. It doesn’t listen on 0.0.0.0 by default for security reasons.
As seen here, it’s still listening on 3306:
netstat -an | grep :3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
That does suggest MySQL is still listening on port 3306. Did you restart MySQL after making those changes? If so, can you post your my.cnf file?
Note that all those web applications you listed WILL crash if they cannot access the MySQL database on your server via TCP. So putting “skip-networking” in the config is a bad idea; you should instead restrict it to accept connections only from localhost, using the Webmin MySQL module, section “MySQL Server Configuration”, and set “listening address” to “127.0.0.1”.
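To verify the two points above before and after the change, here is an added shell example (not posted by anyone in this thread). It assumes the "netstat -an" line layout quoted above and that the Webmin "listening address" setting writes a `bind-address` line under `[mysqld]` in my.cnf; the netstat lines and my.cnf fragments below are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: two checks a defender can run before and
# after editing my.cnf. Input lines mimic the "netstat -an" format quoted above.

# Exit 0 if any LISTEN socket on port 3306 is bound to something other than
# loopback (0.0.0.0, :: or an interface address); exit 1 otherwise.
# Reads netstat -an style lines on stdin.
mysql_exposed() {
    awk '$NF == "LISTEN" && $4 ~ /:3306$/ {
            addr = $4; sub(/:3306$/, "", addr)
            if (addr != "127.0.0.1" && addr != "::1") exposed = 1
         }
         END { exit exposed ? 0 : 1 }'
}

# Exit 0 if the my.cnf text on stdin sets bind-address=127.0.0.1 inside the
# [mysqld] section (assumed to be what Webmin's "listening address" writes);
# exit 1 if it is missing, commented out, or set to another address.
mycnf_binds_loopback() {
    awk '/^[ \t]*\[/ { section = $1 }
         section == "[mysqld]" && $0 ~ /^[ \t]*bind-address[ \t]*=/ {
             v = $0; sub(/^[ \t]*bind-address[ \t]*=[ \t]*/, "", v)
             sub(/[ \t#].*$/, "", v); ok = (v == "127.0.0.1")
         }
         END { exit ok ? 0 : 1 }'
}

# Constructed samples (not captured from any real host).
NETSTAT_BEFORE='tcp        0      0 0.0.0.0:3306      0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:80        0.0.0.0:*   LISTEN'
NETSTAT_AFTER='tcp        0      0 127.0.0.1:3306    0.0.0.0:*   LISTEN'
MYCNF_WEAK='[mysqld]
datadir=/var/lib/mysql'
MYCNF_FIXED='[mysqld]
datadir=/var/lib/mysql
bind-address = 127.0.0.1'

if printf '%s\n' "$NETSTAT_BEFORE" | mysql_exposed; then
    echo "3306 reachable beyond loopback: a PCI scan will flag it"
fi
if printf '%s\n' "$MYCNF_FIXED" | mycnf_binds_loopback; then
    echo "my.cnf restricts MySQL to 127.0.0.1 (restart mysqld to apply)"
fi
```

On the live box, pipe the real output in: `netstat -an | mysql_exposed` and `mycnf_binds_loopback < /etc/my.cnf`; remember the netstat check only reflects the running server, so rerun it after restarting MySQL.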
Port 20000 is Usermin… so although you set Webmin to only use strong ciphers, you’d also need to do the same for Usermin in Webmin -> Webmin -> Usermin Configuration -> SSL Encryption.
Also, it doesn’t look like port 8443 is responding, so that’s good! Are they still flagging that as a problem though?
If I recall correctly, Virtuozzo uses port 8443 for its virtual machine control panel. I rented such a system a while back and I think I remember that port from there.
Is your system by chance located on such a virtual machine host?
Seems to me that back-porting should have taken care of these, but how do I prove that to them?
Description: vulnerable Apache version: 2.2.3
Severity: Area of Concern
CVE: CVE-2006-4110 CVE-2006-5752 CVE-2007-1863 CVE-2007-3303 CVE-2007-3304 CVE-2007-4465 CVE-2007-5000 CVE-2007-6388 CVE-2007-6420 CVE-2007-6421 CVE-2007-6422 CVE-2008-0005 CVE-2008-0455 CVE-2008-0456 CVE-2009-1195 CVE-2009-1891 CVE-2009-2412 CVE-2010-0425 CVE-2010-0434 CVE-2010-1452 CVE-2010-1623 CVE-2011-0419 CVE-2011-1928 CVE-2011-3192 CVE-2011-3348 CVE-2011-3607 CVE-2011-4415 CVE-2012-0031 CVE-2012-0053
Impact: A remote attacker could crash the web server or execute arbitrary commands.
Resolution [http://httpd.apache.org/download.cgi]: Upgrade Apache 2.0.x to a version higher than 2.0.64 when available, or a version higher than 2.2.21 when available.
Patches for the mod_cache DoS can be applied for [http://people.apache.org/~mjc/cve-2007-1863-2.0.patch] 2.0 or [http://people.apache.org/~mjc/cve-2007-1863-2.2.patch] 2.2.
Alternatively, apply a fix from your operating system vendor.
Vulnerability Details: Service: https Received: Server: Apache/2.2.3