Server PCI Compliance – Insecure Communication Via FTP
When running a PCI scan on your server you may receive a warning similar to the following:
Description: PCI DSS Compliance : Insecure Communication Has Been Detected
Synopsis: An insecure port, protocol or service has been detected.
Impact: Applications that fail to adequately encrypt network traffic using strong cryptography are at increased risk of being compromised and exposing cardholder data. If an attacker is able to exploit weak cryptographic processes, he/she may be able to gain control of an application or even gain clear-text access to encrypted data.
Data Received: Although this FTP server supports ‘AUTH TLS’, it is not mandatory and USER and PASS may be sent without switching to TLS.
Resolution: Properly encrypt all authenticated and sensitive communications.
Risk Factor: Medium/ CVSS2 Base Score: 4.0
This happens because the server isn’t forcing FTP clients to switch to TLS (AUTH TLS) before sending credentials, so a client can log in with USER and PASS in clear text. This can be easily fixed in WHM. Log on to your WHM panel and select Service Configuration > FTP Server Configuration. You will see an option for TLS Encryption Support. This should be set to Required to ensure that only encrypted connections are accepted; with the default (optional) setting the server still advertises AUTH TLS but does not enforce it, which is exactly what the scan flagged.
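After changing the setting, it is worth re-testing the same condition the scanner checks: connect to port 21 and send USER without first sending AUTH TLS. A correctly configured server answers with a 5xx refusal; a server that still accepts clear-text logins answers 331 (asking for the password). The script below is an added example for that check and is not part of the original article or of WHM/cPanel. The exact reply wording varies by FTP daemon, so it decides on the numeric reply code only; the sample replies in the code are constructed, and the probe username is a placeholder.

```python
"""Verify that an FTP server refuses USER/PASS before AUTH TLS.

Added example (not from the original page). Decision is based on the FTP
reply code only: 2xx/3xx to USER means a clear-text login is being
accepted; 4xx/5xx means the server is enforcing TLS first.
"""
import io
import socket
import sys


def read_reply(stream):
    """Read one FTP reply from a binary stream and return (code, text).

    Handles multi-line replies: '220-...' lines continue, '220 ...' ends.
    """
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("latin-1", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] == " "):
            return int(line[:3]), "\n".join(lines)


def plaintext_login_rejected(user_reply_code):
    """True when the reply to USER (sent before AUTH TLS) is a refusal."""
    return user_reply_code >= 400


def evaluate_user_reply(raw_reply):
    """Classify a raw reply to USER. Returns (rejected, code).

    Used for offline checks against captured or constructed replies.
    """
    code, _text = read_reply(io.BytesIO(raw_reply))
    return plaintext_login_rejected(code), code


def check_server(host, port=21, timeout=10):
    """Connect, send USER without AUTH TLS, and report whether it was refused.

    No password is ever sent; the username is a placeholder probe value.
    Returns (rejected, code, reply_text).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        code, banner = read_reply(stream)
        if code != 220:
            raise RuntimeError(f"unexpected banner: {banner}")
        sock.sendall(b"USER pci-check-probe\r\n")  # placeholder username
        code, text = read_reply(stream)
        sock.sendall(b"QUIT\r\n")
        return plaintext_login_rejected(code), code, text


if __name__ == "__main__":
    # Constructed sample replies, one per outcome.
    compliant = b"530 Sorry, cleartext sessions are not accepted on this server.\r\n"
    noncompliant = b"331 User pci-check-probe OK. Password required\r\n"
    for sample in (compliant, noncompliant):
        rejected, code = evaluate_user_reply(sample)
        print(f"{code}: {'PASS (TLS enforced)' if rejected else 'FAIL (clear-text login accepted)'}")

    # Live check when a host is given on the command line.
    if len(sys.argv) > 1:
        rejected, code, text = check_server(sys.argv[1])
        print(f"{sys.argv[1]}: reply {code} -> {'PASS' if rejected else 'FAIL'}")
        print(text)
```

Run it with no arguments to see the two constructed outcomes, or pass a hostname to probe a real server. A PASS here corresponds to the scanner no longer reporting that USER and PASS may be sent without switching to TLS; it does not check the strength of the TLS configuration itself, which the scanner evaluates separately.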