PCI Compliance - FTP on a Shared Account


#1

Hey Everyone,

I’m hoping someone can help. I submitted a support ticket 6 days ago but have yet to hear anything back.

We are trying to make our site PCI compliant and the last issue is that FTP is transmitting usernames/passwords in clear text. All of our accounts are either SSH or SFTP. I also have “Disallow FTP” on all of the users.

The PCI compliance company (or the merchant) is saying this isn’t good enough and FTP has to be disabled. From what I understand, on shared accounts, this isn’t possible. But, Dreamhost advertises that their shared accounts are PCI compliant.

I’m lost here. We’ve fixed ALL of our PCI issues except for this and now we are stuck. Dreamhost isn’t responding and the merchant says it needs to be fixed.

Any help???

Edit: We are on a Dreampress VPS account.


#2

Go here:

https://panel.dreamhost.com/index.cgi?tree=users.users&

Click on “edit” for the user in question. Under “User Type” tick the box marked “Disallow FTP?:”


#3

Already did that. They’re saying that’s not enough. FTP needs to be disabled totally, from what it sounds like.


#4

Which do you have, shared hosting or VPS?

It’s true you can’t disable FTP on a shared server; other users might want it.

If you have a VPS, though, that doesn’t apply, because it’s not shared hosting.

If you have a VPS, open a ticket and ask for help disabling FTP for PCI compliance.

Note: “Disallow FTP” disables a specific user from logging in via FTP and works on shared or VPS. “Disallow FTP” does not disable FTP itself; for that you want port 21 (or ftp) to just be closed or not answer.
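The distinction in that note is what a compliance scan actually tests: a per-user flag leaves the daemon listening and greeting connections, while a disabled service shows the port as closed or not answering. The following is an added example (not DreamHost’s or any scanner’s own tooling) that probes a host’s FTP port the way such a scan does and reports which of the three states it sees; the loopback banner server and the banner text are constructed for the demonstration.

```python
import socket
import threading

FTP_PORT = 21


def check_ftp(host: str, port: int = FTP_PORT, timeout: float = 3.0) -> dict:
    """Probe an FTP port as a compliance scanner would.

    state is one of:
      "closed"   - TCP connection refused (nothing listening)
      "filtered" - no answer before the timeout (firewalled / dropped)
      "open"     - connected; 'banner' holds whatever the daemon greeted with
    ftp_disabled is True only when the service does not answer at all;
    a daemon that answers still counts as FTP, even if every user is
    marked "Disallow FTP".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:  # connected but the daemon sent nothing in time
                banner = ""
            return {"state": "open", "banner": banner, "ftp_disabled": False}
    except ConnectionRefusedError:
        return {"state": "closed", "banner": "", "ftp_disabled": True}
    except OSError:  # timeout, no route, etc.: the port does not answer
        return {"state": "filtered", "banner": "", "ftp_disabled": True}


def start_demo_ftp_banner_server() -> int:
    """Constructed stand-in for a still-running FTP daemon: serves one
    connection on a loopback port and sends a typical 220 greeting."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 ftp.example.com FTP server ready\r\n")  # constructed
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_closed_port() -> int:
    """Return a loopback port with nothing listening, for the 'closed' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(check_ftp("127.0.0.1", start_demo_ftp_banner_server()))  # open
    print(check_ftp("127.0.0.1", free_closed_port()))              # closed
```

Against a real host, `check_ftp("your.host.example")` on port 21 should come back as "closed" or "filtered" once the service itself is turned off; an "open" result with a 220 banner is what the scan is objecting to.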


#5

The account type is Wordpress VPS but when I click on “VPS” in the side panel, it brings up a screen as if we don’t have it.

I’ve already opened two tickets with Dreamhost. On the first ticket they said to set all users for SSH or SFTP and disallow FTP (which I did). The PCI compliance scan didn’t like that. I opened a second ticket, now 7 days ago, and have received no response. I did an online chat to ask the status and they said they “had no updates”. I asked how long it typically takes to get a reply and they said “I can’t say for sure”.


#6

Is DreamPress the Dreamhost product you are using?


#7

Yes, the account information says “DreamPress VPS” and it has the associated domain next to it that we are working on.


#8

You might try support again. I would think they would be able to help you, since it’s a VPS and not shared hosting. That said, I really have no idea how they configure the DreamPress VPSes and whether they share anything in common with other DreamPress VPSes.

If you get the same “no updates”, “can’t say” type answers, remind them the topic is PCI compliance and ask to have the matter escalated to a supervisor.