PCI Vulnerability: Remote Access Software OpenSSH


#1

Hello DreamHost Forum,

I’m new to passing PCI compliance. I hope this is the right place to post, or please direct me.

Issue is:
208.113.252.162
protocol: tcp
port: 22
See Note 2 Remote Access Software:
SSH (OpenSSH)
NOTE 2
Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the ASV and confirm it is either implemented securely per Appendix D or disabled/removed. Please consult your ASV if you have questions about this Special Note.


Has anyone had success in explaining this for PCI passing?

Thank you,
Kimberly


#2

Are you on shared hosting, VPS, dedicated, or DreamCompute?

On shared, that can’t be disabled.


#3

Hello LakeRat,
Thank you for your reply.
We are on Shared hosting.

So, I need to supply a reasonable response that might be accepted by PCI compliance, or change to dedicated.
Suggestions on an appropriate response?

Thank you very much,
Kimberly


#4

I would disable FTP (edit your user on Manage Users in the panel to find “disallow ftp”) and tell them users for your site don’t have login permissions, but that the service can’t be disabled. Leave off why.


#5

LakeRat - I appreciate your replies. Thank you.


#6

What was the final consensus with your ASV? (Who is your ASV?)


#7

Yes.
After moving from DreamHost shared to DreamHost VPS.
After updating some software.
We have finally passed compliance.
We use Fatt Merchant, and their PCI seal is RapidScan Secure by Aperia.