On Mon, Jan 4, 2010 at 6:20 PM, keith smith
<klsmith2020@yahoo.com> wrote:
I have been working on an online store for a while. Part of what I am tasked with is keeping the cart Payment Card Industry (PCI) complaint.
I'm more of a programmer so my sys admin skills are not as developed as i would like.
We hired a company who scans our server and reports back to us.
Here is one of about 10 questions I have.
They report :
We were able to determine which versions of the SSH protocol the remote SSH daemon supports.
This gives potential attackers additional information about the system they are attacking.
Correct I believe Trustkeeper, also, for instance, dings you a YELLOW (minor hit) on being able to obtain the version of the OpenSSH.
[Nessus (Tenable) has plugins (like Trustkeeper and a few other commercial scan tools) that will report limited SSH version (OS) information:
http://unix.derkeiler.com/Mailing-Lists/SunManagers/2008-06/msg00040.html
http://www.watchmouse.com/en/nbe_view.php?seclog_demo=1&scanRunId=2178&ruleid=39306#ssh__22_tcp_
http://www.nessus.org/plugins/index.php?view=single&id=10267 They all say that same canned thing:
"
It is possible to obtain information about the remote SSH server by sending an empty authentication request."Here's more about securiing SSH:
http://www.securityfocus.com/infocus/1876
Hints: Use most recent secure version of SSH, disable root ssh, use source and destination controls (iptables for brute force and dictionary attacks or hosts.allow tcpwrappers), use protocol2, strong random 8 character passwords,
but ssh keys due to no need for an additional authentication step, are not allowed in PCI compliance (however, there appears to be a great deal of variance in application of the rules in OSI layered security models).
I believe that in a PCI compliant environment, you must have source and destination controls for SSH? I don't believe you can just have SSH open to internet scanning, which is what that message means.
AND
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
I ran nmap and the SSH port does not show. I've looked in the sshd_config and find nothing that would alert me to how I can turn off reporting it's config or it's existence.
It's a mock up connection plugin--> it analyzes the connection and is able to get the version there.
The only way around getting docked on the scan is by implementing the PCI regulation. IPFILTER the SCANNER (and everyone else who does not need access).*-
ScanSSH is supposed to provide something, however, it does not do a full version, just protocol information and proxy type.
http://www.monkey.org/~provos/scanssh/
Any help much appreciated!
------------------------
Keith Smith
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss