HI Keith! Ah, the PCI "third party scans"! I have seen a great many!
On Mon, Jan 4, 2010 at 6:20 PM, keith smith <klsmith2...@yahoo.com> wrote: > > > I have been working on an online store for a while. Part of what I am > tasked with is keeping the cart Payment Card Industry (PCI) complaint. > > I'm more of a programmer so my sys admin skills are not as developed as i > would like. > > We hired a company who scans our server and reports back to us. > > Here is one of about 10 questions I have. > > They report : > > We were able to determine which versions of the SSH protocol the remote SSH > daemon supports. > > This gives potential attackers additional information about the system they > are attacking. > Correct I believe Trustkeeper, also, for instance, dings you a YELLOW (minor hit) on being able to obtain the version of the OpenSSH. [Nessus (Tenable) has plugins (like Trustkeeper and a few other commercial scan tools) that will report limited SSH version (OS) information: http://unix.derkeiler.com/Mailing-Lists/SunManagers/2008-06/msg00040.html http://www.watchmouse.com/en/nbe_view.php?seclog_demo=1&scanRunId=2178&ruleid=39306#ssh__22_tcp_ http://www.nessus.org/plugins/index.php?view=single&id=10267 They all say that same canned thing: "*It is possible to obtain information about the remote SSH server by sending an empty authentication request."* Here's more about securiing SSH: http://www.securityfocus.com/infocus/1876 Hints: Use most recent secure version of SSH, disable root ssh, use source and destination controls (iptables for brute force and dictionary attacks or hosts.allow tcpwrappers), use protocol2, strong random 8 character passwords,* but ssh keys due to no need for an additional authentication step, are not allowed in PCI compliance (however, there appears to be a great deal of variance in application of the rules in OSI layered security models).* *I believe that in a PCI compliant environment, you must have source and destination controls for SSH? I don't believe you can just have SSH open to internet scanning, which is what that message means.* AND > > It is possible to obtain information about the remote SSH server by sending > an empty authentication request. > Yes, that is just the testers message to remind them to determine if keys are actually in place....FLUNK! Like this perl module, it scans ssh to get a hash that it compares against a known database: http://search.cpan.org/~hirose/Net-Scan-SSH-Server-SupportedAuth-0.02/lib/Net/Scan/SSH/Server/SupportedAuth.pm > > I ran nmap and the SSH port does not show. I've looked in the sshd_config > and find nothing that would alert me to how I can turn off reporting it's > config or it's existence. > It's a mock up connection plugin--> it analyzes the connection and is able to get the version there. The only way around getting docked on the scan is by implementing the PCI regulation. IPFILTER the SCANNER (and everyone else who does not need access).*- ScanSSH is supposed to provide something, however, it does not do a full version, just protocol information and proxy type. http://www.monkey.org/~provos/scanssh/ > Any help much appreciated! > > ------------------------ > Keith Smith > > > > --------------------------------------------------- > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us > To subscribe, unsubscribe, or to change your mail settings: > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss > -- Skype: (623)239-3392 AT&T: (503)754-4452 http://obnosis.110mb.com/nuke/index.php http://uncyclopedia.wikia.com/wiki/Arizona
--------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change your mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
