PCI Compliance for Passive FTP Ports


  • PCI Compliance for Passive FTP Ports

    I am facing a problem with Controlscan showing I am not compliant for ports open in the firewall for passive FTP.

    Information From Target:
    Service: 37557:TCP
    Server accepted SSL 3.0 RC4 cipher: SSL3_CK_RSA_RC4_128_MD5

    Information From Target:
    Service: 51838:TCP
    Supported ciphers: DES-CBC-SHA:TLSv1/SSLv3:56-bit RC4-MD5:TLSv1/SSLv3:128-bit RC4-SHA:TLSv1/SSLv3:128-bit

    These ports are open for my passive FTP range, which is 36000:55000.
    However, my FTP is set to HIGH:!TLSv1:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL

    So, what is responding in this range that isn't passive FTP, but uses TLSv1 and SSLv3?

  • #2
    Passive ports will come up if and only if an FTP connection is attempted over port 21. You may check the output of "netstat -lpn" to see the services that are bound to a listening port. You'd be seeing them under "Active Internet connections" in the "Local Address" column.


    • #3
      Are you able to review the output of the netstat command referenced in the previous response to see what's running on those ports? You may also wish to check with Controlscan directly to see if it is a common false positive.
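
One way to apply the netstat check suggested in the replies is to filter its output down to the passive range from the first post (36000:55000) and show which process owns each listener. This is an added example, not part of any post in the thread; the function name, the sample ports and the process names are constructed for illustration.

```shell
#!/bin/sh
# List TCP listeners whose local port falls inside a port range,
# reading `netstat -lpn` output on stdin.
# On a live host (run as root so PID/Program name is filled in):
#   netstat -lpn | listeners_in_range 36000 55000

listeners_in_range() {
    # $1 = lowest port, $2 = highest port
    awk -v lo="$1" -v hi="$2" '
        # Only TCP sockets in LISTEN state; this skips the header lines,
        # UDP sockets and the "Active UNIX domain sockets" section.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")   # port is the last ":" field, so
            port = part[n] + 0         # IPv6 forms such as :::41877 work
            if (port >= lo && port <= hi)
                print port "\t" $4 "\t" $7
        }
    '
}

# Constructed sample of `netstat -lpn` output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1201/ftpd-example
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      988/httpd
tcp        0      0 0.0.0.0:36012           0.0.0.0:*               LISTEN      1201/ftpd-example
tcp6       0      0 :::41877                :::*                    LISTEN      2290/other-daemon
udp        0      0 0.0.0.0:40000           0.0.0.0:*                           711/named
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    1/init               /run/example.sock
EOF
}

# Prints port, local address and owning PID/program for each match.
sample_netstat | listeners_in_range 36000 55000
```

Any listener in the range whose owner is not the FTP daemon is a service that carries its own TLS settings, separate from the FTP server's cipher list.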