[aklug] Re: OS Detection & ssh version

From: Richard Moore <dewey.moore@gmail.com>
Date: Wed Feb 11 2009 - 21:05:32 AKST

I am a system admin for a mid-size business in Milwaukie, Oregon; however, I
am from Alaska, and have only been down here for a couple of years. In order to
be PCI DSS compliant, you have to be scanned quarterly by one of the certified
scanners on the list, who is given a more in-depth list of everything that is
considered a vulnerability. All of our servers have custom kernels, and
everything on them is built from source, because Debian does a bad job, in my
opinion, of keeping things up to date, i.e. PHP 5: the latest release I believe
Debian has is php5.2.3, I want to say, for etch. I am running 5.2.7 because
5.2.8 was recalled. I see that as being outdated. The only vulnerabilities
that were detected in our system were OS detection from nmap, and they just
said that as long as nmap could detect the OS on your system it is a
vulnerability. The second risk is that ssh gives the build, and that is a
security risk.
I am sorry, I do not care if someone is going to try and hack into our
webservers; they are not going to get very far. Seeing as our webservers are
on a different DMZ than our ERP system, they do communicate, but they
communicate through a MySQL database, which uses a PHP script that we wrote
on a separate server to get info that the webservers put into the database,
and transfer to the ERP system. So they are going to have to get into the
webserver, through the second server, and then into the ERP; even then, all the
information is stored in a MySQL CLUSTER, in which all vital information is
encrypted, and can only be unencrypted with the wonderful 128 character key.

Sorry for the tangent, but I really do not see the point of half of these
new PCI DSS compliance issues.

Richard

On Wed, Feb 11, 2009 at 9:06 PM, Royce Williams <royce@alaska.net> wrote:

> Richard Moore wrote, on 2/11/2009 4:53 PM:
> > I guess it does not matter, but to be PCI DSS compliant in 2010, it cannot
> > show the build version, all it can show is SSH2 or SSH, and cannot be able
> > to get the OS version with nmap's OS detection.
>
> You have to edit the source to obscure the ssh version, IIRC. This is
> by design from the OpenSSH team. If they thought that obscuring it
> was good security practice, they'd probably make it a knob (unless
> some distros come with a widgeted version? I suppose that's possible,
> but I haven't encountered one).
>
> Don't get me wrong. I think that a little obscurity can keep a lot of
> the bots from hammering you 24x7 ... but it takes a truly
> self-disciplined admin to not take misguided comfort in the fact that
> their unpatched sshd has a suppressed version.
>
> And for the nmap, there's some stuff that you can tweak in the kernel
> (I'm thinking Solaris) or firewall configurations, depending on your
> distro, to make you a little harder to peg ... but nmap is as good as
> the fingerprint database. That arms race is going to make most
> compliant boxes non-compliant pretty fast, so I'm not sure that I
> really see the point. cbrown may chime in here at some point ...
>
> In other words, if the PCI folks think that these things are going to
> help, I'm switching to cash. :-) I just flipped through PCI DSS
> version 1.2 and didn't see anything about nmap or SSH versioning, and
> couldn't find a link to any drafts - where did you find the 2010 heads-up?
>
> Are you in the payment card industry? (Are you at liberty to say?) :-)
>
> Royce
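
The thread turns on what an SSH server's identification string gives away. The following is an added example, not code from either poster: it parses the identification string format (RFC 4253 section 4.2, "SSH-protoversion-softwareversion SP comments") and reports whether a banner exposes a build or distribution, which is the check the scanner in the thread is said to apply. The sample banners are constructed, and the banner-fetch helper is a plain socket read of your own server, no authentication involved.

```python
"""Parse SSH identification strings and report what a scanner learns from them."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 4253 4.2: SSH-protoversion-softwareversion [SP comments] CR LF
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


@dataclass
class Banner:
    proto: str
    software: str
    comments: Optional[str]

    def discloses_build(self) -> bool:
        """True if the banner reveals more than the protocol version.

        A digit anywhere in the software field (OpenSSH_5.1p1) or any
        comments field (Debian-5) is treated as a build/distro disclosure.
        """
        return bool(re.search(r"\d", self.software)) or bool(self.comments)


def parse_banner(line: str) -> Optional[Banner]:
    """Return a Banner for a valid identification string, else None."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return Banner(m["proto"], m["software"], m["comments"])


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification string your own sshd sends before key exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for raw in sock.makefile("rb"):
            line = raw.decode("utf-8", "replace")
            if line.startswith("SSH-"):  # servers may send other lines first
                return line.rstrip("\r\n")
    raise ValueError("no SSH identification string received")


# Constructed sample banners, not captured from any host in the thread.
CONSTRUCTED_SAMPLES = [
    "SSH-2.0-OpenSSH_5.1p1 Debian-5",  # software version and distro exposed
    "SSH-2.0-OpenSSH_5.1",             # software version exposed
    "SSH-2.0-Generic",                 # only the protocol version exposed
]
```

Running `parse_banner(fetch_banner("127.0.0.1")).discloses_build()` against your own host shows exactly what the quarterly scan sees, independent of what the sshd config claims.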

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Feb 11 21:05:42 2009

This archive was generated by hypermail 2.1.8 : Wed Feb 11 2009 - 21:05:42 AKST