Are dreamhost servers PCI compliant?


#1

Can any existing customers tell me whether dreamhost servers are PCI compliant? (I know that this PCI compliance stuff is mostly a scam, but I need hosting that will pass anyway, long story)

If you go to https://www.securitymetrics.com/eval_scan.adp and specify your domain hosted by dreamhost, it will run a scan for free (you have to pay for the scan to be “official”). If a current customer could do this and tell me the results (total score plus summary of anything scoring 1 or greater) I would really appreciate it.


#2

I do not know what the TLA PCI means but why not pick a domain and run it at that URL?
Mine is here somewhere!


Norm

Opinions are my own views, not DreamHosts’.
I am NOT a DreamHost employee OK!! :@

You act on my advice at your own risk!


#3

Your post confused me at first, as I assumed you were referring to Peripheral Component Interconnect, as in the expansion slots used in computers. :slight_smile:

I am more than happy to help out, but after browsing to the URL you listed and filling in the relevant forms, I was presented with the following;

"An email has been sent to you@yourdomain.com with a link to start your free evaluation scan.

Your test will begin when you click on the link in your email."

Well, that was about 15 minutes ago and I am still waiting for that email. Rest assured, when it arrives I will attempt to do the evaluation scan and report the results.

Mark


Save $50 on DreamHost hosting using promo code SAVEMONEY


#4

I don’t think that would work Norm, as you need to click on an activation link in the email they send you and the email address must match the domain to be scanned.

Mark




#5

Right, you need to either pay them the $$ for a domain or have an email account at the domain to do the free test. No sense paying to have a test domain “officially” tested.

You might want to check your spam folder for their activation link email, I’ve had them get flagged by spamassassin in the past.

BTW, PCI compliance is some gimmick that the Visa/MC folks came up with. It basically says your website is secure because it has reasonably up-to-date versions of various software, etc. Of course for shared hosting this is a joke because some other account/website on the server could be compromised (this test doesn’t check all domains on a server) and then use a root exploit from there (which this test also doesn’t check for).


#6

So it has nothing to do with the Pickled Cucumber Industry as I first thought?

I should imagine that DH would be fairly compliant (can you be ‘almost compliant’?) since they do update their server software as it is made available. Provided that the software is stable, of course.


Norm



#7

I have the junk filter disabled for that domain, but still no email. :frowning:

Mark




#8

There is a limit on the total score and the highest individual vulnerability test score you can have. If you have some server software (php, openssl, apache, mod_whatever, etc.) that has a vulnerability known for a few months and a patch is available, you will fail.

These folks at “security” metrics check against some horribly long list of possible things that can be bad, and the results are non-negotiable. If you have “vulnerability” X and you are 100% sure there is no risk and have some legitimate reason why you can’t fix it to be how they want, they don’t care, you fail.


#9

Well I am still waiting for the link to arrive. Perhaps they send out job lots every hour although I would have thought it was in their own interests to be prompt.
Maybe I failed at the first hurdle with the weirdly named email servers that DH use!


Norm



#10

Hmm… it should come right away; they don’t actually do the test ’til you click on the link in the email… maybe try resubmitting? If the first submission went through it should give you an error that you can’t submit the same domain twice. Maybe someone else can try it?


#11

Yep, re-submitted and got the following:

“You have already run a free evaluation scan.”

Which isn’t exactly true, as I still haven’t received the email. It doesn’t sound like Norm is having any luck either.

Mark




#12

I have tried a few submissions now and have varied the data, but no link. Other email has arrived at the email account so I know that is working okay.

When the data is entered on the page and the submission is clicked I stay at the same page rather than go to a ‘success’ page. Is that normal?

Perhaps they do not believe that I process more than 6 million cc transactions per year for my noseflutes. :slight_smile:


Norm



#13

No, it should take you to a page where it tells you the URL will be emailed. Maybe it is your browser? I forget whether Firefox or Opera gave me a problem, but I remember that happening (the same page being redisplayed) sometimes with one of them, and I had to press submit a few times for it to actually work…


#14

That’s not what happened here, at least not for my one (hopefully) successful submission. After a couple of seconds I was taken to the success page which informed me that my email was on its way, presumably by carrier pigeon. :slight_smile:

Mark




#15

Is it the same page though, with just:

Free PCI Evaluation Scan

A link will be emailed to you to start your FREE PCI Evaluation Scan once you have completed the form below.

in red at the top of the page, albeit with your details entered?

Ah! I have tried again using FF as opposed to Opera and this time it started to send me to several pages for details. I ended at a huge terms and conditions page so I backed out :wink: . I would have to let my lawyers read the small print first!

The first person to make a chicken noise will be sued.


Norm



#16

So I ended up just signing up for a DreamHost account and moving one domain to test things out. Turns out DreamHost passes the Security Metrics PCI test with a total score of 4. The only “problems” it reported are:

Score 1: The remote host, when queried on open ports, replies with differing TTL values. This could be an indicator that a transparent proxy is on the way, or that this host is a forwarding router, honeypot, etc…

Score 1: The remote host is running an ident (also known as ‘auth’) daemon. The ‘ident’ service provides sensitive information to potential attackers. It mainly says which accounts are…

Score 1: The test server sent several emails containing the EICAR test strings in them to the postmaster of the remote SMTP server. The EICAR test string is a fake virus which triggers anti-viruses, in order…

Score 1: The test server sent several emails containing the EICAR test strings in them to the postmaster of the remote SMTP server. The EICAR test string is a fake virus which triggers anti-viruses, in order…

(That last one is listed twice in the results.) These are all minor, and since they’re all a score of 1, the server passes.


#17

Thanks for researching all that, and reporting it back to us. That’s information that should be very helpful to others :slight_smile: Oh, Yeah…Welcome to Dreamhost!

–rlparker


#18

I am still waiting for my email to arrive. :frowning:

Mark




#19

Before moving an important domain, for which the PCI test has been paid, to DreamHost, I tried moving a less important domain first and running the free test. I never got the email either, but if I use a domain on my old server, I get the email right away. Somewhere DreamHost is losing/blocking the email.


#20

Turns out the emails are being blocked since securitymetrics.com’s IP is in the Spamhaus XBL.
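The blocked-mail diagnosis above (a sender IP listed in the Spamhaus XBL) is something a mail administrator can verify with a DNSBL lookup. The following Python helper is an added example, not code from the thread or from Spamhaus; it builds the reversed-octet query name, distinguishes a listing (127.0.0.x) from a refused query (127.255.255.x), and uses a constructed in-memory DNS table so it runs offline. The zone name and answer-code conventions are assumed from Spamhaus' published DNSBL documentation.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Zone name and answer-code conventions follow Spamhaus' published DNSBL usage
# documentation (assumed current; verify against the live docs before relying on it).
XBL_ZONE = "xbl.spamhaus.org"
LISTED_PREFIX = "127.0.0."      # any 127.0.0.x answer means the address is listed
ERROR_PREFIX = "127.255.255."   # 127.255.255.x means the query was refused, not a verdict

def dnsbl_query_name(ip: str, zone: str = XBL_ZONE) -> str:
    """Build the reversed-octet name a DNSBL expects, e.g. 1.2.0.192.xbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def live_resolver(name: str) -> Optional[str]:
    """Default resolver: the A record for name, or None when it does not exist (NXDOMAIN)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_listing(ip: str, zone: str = XBL_ZONE,
                  resolve: Callable[[str], Optional[str]] = live_resolver) -> Optional[str]:
    """Return the 127.0.0.x listing code for ip, or None when it is not listed.

    A 127.255.255.x or other unexpected answer raises instead of returning None,
    so a refused or broken query is never reported as "not listed".
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if answer.startswith(ERROR_PREFIX):
        raise RuntimeError(f"DNSBL refused the query for {ip}: {answer}")
    if not answer.startswith(LISTED_PREFIX):
        raise RuntimeError(f"unexpected DNSBL answer for {ip}: {answer}")
    return answer

# Constructed offline stand-in for DNS so the check runs without network access.
# 127.0.0.2 is Spamhaus' documented always-listed test address; 192.0.2.1 is a
# documentation-range address used here only to simulate a refused query.
FAKE_DNS = {
    "2.0.0.127.xbl.spamhaus.org": "127.0.0.4",
    "1.2.0.192.xbl.spamhaus.org": "127.255.255.254",
}

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)
```

Pass `resolve=fake_resolver` to exercise it offline; the default resolver queries live DNS, which Spamhaus restricts when the query comes through large public resolvers.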