Also, you could do the following:

1) Limit the scope of the PCI certification by placing all CC storing or processing systems on a DMZ behind an appropriately configured firewall;

AND

2) make sure that your FTP server is outside of this DMZ.

This assumes that the FTP server does not contain or process credit card data, and does not have access to the new credit card processing environment.

Appropriately configured firewall of course means configured according to the principle of least privilege, and in accordance with the rest of the PCI DSS requirements.

Mark Maxey wrote:

You can approach this a couple of ways:

1. eliminate plaintext FTP altogether. SSHv2 is an excellent free replacement here, or you can use FTP-SSL

2. restrict access to this service in your firewall by IP

3. put the FTP behind VPN

I'm a Visa QDSP and these are a couple of things you could do.

Joachim Schipper said:
On Fri, Oct 06, 2006 at 12:56:43PM -0400, stuartv wrote:
Hello list,

The company I work for is required to get PCI (Payment Card something-or-other) certified in order to keep doing some of the things that we are doing with credit card payments. When I started working here it was an all MS shop, including the FTP server. In order to help secure things (at all), I talked the boss into letting me set up an OpenBSD server as the FTP server instead of Windows 2003. Since then, I have also set up firewalls, mail server, IDS etc. all based upon OpenBSD (and loving every minute of it). However, now that we need this cert, one of the few things still standing in the way is the requirement that we set up the FTP server to lock out (for 30 min.) any account that fails to log in 3 times in a row. I haven't been able to find any FTP software that does that. The FTP server that ships with OpenBSD uses system accounts, and I haven't figured out how to do that there either.

If I don't get this figured out soon, the boss will lose patience and I will be right back to MS hell trying to secure a Win2003 FTP server just because it will lock out an account that fails login 3 times in a row. (And then probably figure out how to set up a Win2003 firewall, IDS, Exchange server, etc etc etc... you get the pic.)

If anyone has any suggestions, please let me know.

How about writing a login_* program for /usr/libexec/auth? It would be
sufficient to check if there have been too many login attempts recently,
and if not, call /usr/libexec/auth/login_passwd (or similar), and pass
the response.

There is quite a bit of information in login.conf(5). You'll also need
to modify this file, so it's a good place to start.

                Joachim
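Joachim's login_* suggestion carried through as an added example (not code from this thread or from OpenBSD): a hypothetical login_lockpasswd auth style that keeps a per-user failure counter and otherwise hands the whole BSD auth exchange to login_passwd. Assumed here: the /var/db/ftplock state directory, the style name lockpasswd, that ftpd asks for the "ftp" auth type in login.conf, and that login_passwd exits non-zero whenever it rejects a login.

```shell
#!/bin/sh
# login_lockpasswd: hypothetical BSD auth style that wraps login_passwd(8).
# Install as /usr/libexec/auth/login_lockpasswd and enable it in login.conf(5)
# (e.g. auth-ftp=lockpasswd, assuming ftpd requests the "ftp" auth type).
# Called like login_passwd: [-d] [-s service] [-v name=value] user [class].
# Assumes login_passwd exits non-zero whenever it rejects the login.
STATE_DIR=${STATE_DIR:-/var/db/ftplock}   # assumed path; one counter file per user
MAX_FAIL=3                                # lock after 3 consecutive failures...
LOCK_SECS=1800                            # ...for 30 minutes, per the requirement
REAL_AUTH=${REAL_AUTH:-/usr/libexec/auth/login_passwd}

# lockout_active COUNT LAST NOW: true while the account is still locked out
lockout_active() {
    [ "$1" -ge "$MAX_FAIL" ] && [ $(($3 - $2)) -lt "$LOCK_SECS" ]
}
# next_count COUNT LAST NOW: counter after one more failure; an expired window resets it
next_count() {
    if [ $(($3 - $2)) -ge "$LOCK_SECS" ]; then echo 1; else echo $(($1 + 1)); fi
}
# user_from_args ARGS...: the first non-option argument, as login_passwd sees it
user_from_args() {
    OPTIND=1
    while getopts 'ds:v:' _o; do :; done
    shift $((OPTIND - 1))
    echo "$1"
}

main() {
    user=$(user_from_args "$@")
    case $user in ''|*/*|.*) exit 1 ;; esac    # refuse names that could escape STATE_DIR
    f="$STATE_DIR/$user"; now=$(date +%s); count=0; last=0
    [ -r "$f" ] && read -r count last < "$f"
    if lockout_active "$count" "$last" "$now"; then
        echo reject >&3                        # BSD auth back channel is fd 3
        exit 1
    fi
    # fd 3 is inherited unchanged, so the real authenticator talks to the caller directly
    if "$REAL_AUTH" "$@"; then
        rm -f "$f"                             # a success ends the run of failures
        exit 0
    fi
    mkdir -p "$STATE_DIR"
    echo "$(next_count "$count" "$last" "$now") $now" > "$f"
    exit 1
}

case ${0##*/} in login_lockpasswd) main "$@" ;; esac
```

The counter files are written by the auth program itself, so STATE_DIR must be writable by whatever user ftpd runs the style as, and nothing else should be able to edit them.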
