HI Keith!
Ah, the PCI "third party scans"! I have seen a great many!
On Mon, Jan 4, 2010 at 6:20 PM, keith smith <
klsmith2020@yahoo.com> wrote:
>
>
> I have been working on an online store for a while. Part of what I am
> tasked with is keeping the cart Payment Card Industry (PCI) complaint.
>
> I'm more of a programmer so my sys admin skills are not as developed as i
> would like.
>
> We hired a company who scans our server and reports back to us.
>
> Here is one of about 10 questions I have.
>
> They report :
>
> We were able to determine which versions of the SSH protocol the remote SSH
> daemon supports.
>
> This gives potential attackers additional information about the system they
> are attacking.
>
Correct I believe Trustkeeper, also, for instance, dings you a YELLOW (minor
hit) on being able to obtain the version of the OpenSSH.
[Nessus (Tenable) has plugins (like Trustkeeper and a few other commercial
scan tools) that will report limited SSH version (OS) information:
http://unix.derkeiler.com/Mailing-Lists/SunManagers/2008-06/msg00040.html
http://www.watchmouse.com/en/nbe_view.php?seclog_demo=1&scanRunId=2178&ruleid=39306#ssh__22_tcp_
http://www.nessus.org/plugins/index.php?view=single&id=10267
They all say that same canned thing:
"*It is possible to obtain information about the remote SSH server by
sending an empty authentication request."*
Here's more about securiing SSH:
http://www.securityfocus.com/infocus/1876
Hints: Use most recent secure version of SSH, disable root ssh, use source
and destination controls (iptables for brute force and dictionary attacks or
hosts.allow tcpwrappers), use protocol2, strong random 8 character
passwords,* but ssh keys due to no need for an additional authentication
step, are not allowed in PCI compliance (however, there appears to be a
great deal of variance in application of the rules in OSI layered security
models).*
*I believe that in a PCI compliant environment, you must have source and
destination controls for SSH? I don't believe you can just have SSH open to
internet scanning, which is what that message means.*
AND
>
> It is possible to obtain information about the remote SSH server by sending
> an empty authentication request.
>
Yes, that is just the testers message to remind them to determine if keys
are actually in place....FLUNK!
Like this perl module, it scans ssh to get a hash that it compares against a
known database:
http://search.cpan.org/~hirose/Net-Scan-SSH-Server-SupportedAuth-0.02/lib/Net/Scan/SSH/Server/SupportedAuth.pm
>
> I ran nmap and the SSH port does not show. I've looked in the sshd_config
> and find nothing that would alert me to how I can turn off reporting it's
> config or it's existence.
>
It's a mock up connection plugin--> it analyzes the connection and is able
to get the version there.
The only way around getting docked on the scan is by implementing the PCI
regulation. IPFILTER the SCANNER (and everyone else who does not need
access).*-
ScanSSH is supposed to provide something, however, it does not do a full
version, just protocol information and proxy type.
http://www.monkey.org/~provos/scanssh/
> Any help much appreciated!
>
> ------------------------
> Keith Smith
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
Skype: (623)239-3392
AT&T: (503)754-4452
http://obnosis.110mb.com/nuke/index.php
http://uncyclopedia.wikia.com/wiki/Arizona
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss