Back in 2015, I did a Security Metrics scan on my site for PCI compliance, and noticed I had 3 new failures when they rescanned my site in early 2016. What I suspect is that these tests were added:
Problem 1: TLS Version 1.0 Protocol Detection (PCI DSS)
Security Metrics is saying that supporting TLS 1.0 at all is a vulnerability. PCI DSS 3.1 (April 2015) stopped counting SSL and early TLS (TLS 1.0) as strong cryptography, which is why a server that still negotiates TLS 1.0 now fails the scan.
The remote service encrypts traffic using a protocol with known weaknesses. The remote service accepts connections encrypted using TLS 1.0.
If you are running Apache, you might have an SSLProtocol directive like this, which still allows TLS 1.0:
SSLProtocol all -SSLv2 -SSLv3
If you take a look at the docs here
It says that 'all' is a shortcut for "+SSLv2 +SSLv3 +TLSv1" or, when using OpenSSL 1.0.1 and later, "+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2", respectively. So "all -SSLv2 -SSLv3" leaves TLS 1.0 enabled, and you have to subtract it explicitly.
Change your Apache config to the line below. Check every <VirtualHost> as well: a per-vhost SSLProtocol overrides the global one, so a vhost that sets its own directive will keep accepting TLS 1.0.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
Reload Apache so the new setting takes effect:
sudo service apache2 reload
Verify from outside (your TLS scanner should now report TLS 1.0 as 'no') and you are good to go.
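As an added example (mine, not the post's), here is a small shell script for checking the Apache side of this before and after the reload. ssl_protocols_enabled expands an SSLProtocol line the way mod_ssl does, following the docs quoted above ('all' = +SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 on OpenSSL 1.0.1+, '+' adds, '-' removes, a bare name replaces the set), so you can see what a line actually enables. tls10_accepted is the live check with openssl s_client -tls1; it needs network and only runs when you pass a host on the command line.

```shell
#!/bin/sh
# Added example, not code from the original post. Expand an Apache SSLProtocol
# directive the way mod_ssl parses it. The protocol list follows the docs
# quoted above (OpenSSL 1.0.1+); builds with TLS 1.3 would add TLSv1.3 to the
# two lists below.
#
# Usage: ssl_protocols_enabled "all -SSLv2 -SSLv3 -TLSv1"   -> TLSv1.1 TLSv1.2
ssl_protocols_enabled() {
    directive=$1
    enabled=""
    for tok in $directive; do
        case "$tok" in
            +*) action=add;    name=${tok#+} ;;
            -*) action=remove; name=${tok#-} ;;
            *)  action=set;    name=$tok ;;      # bare name replaces the whole set
        esac
        case "$name" in
            all)                               names="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2) names=$name ;;
            *) echo "unknown SSLProtocol token: $tok" >&2; return 2 ;;
        esac
        case "$action" in
            set)    enabled=$names ;;
            add)    enabled="$enabled $names" ;;
            remove) kept=""
                    for p in $enabled; do
                        for n in $names; do
                            if [ "$p" = "$n" ]; then continue 2; fi
                        done
                        kept="$kept $p"
                    done
                    enabled=$kept ;;
        esac
    done
    # Print in a fixed order with duplicates collapsed.
    out=""
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; do
        for e in $enabled; do
            if [ "$e" = "$p" ]; then out="$out $p"; break; fi
        done
    done
    printf '%s\n' "${out# }"
}

# Live check (needs network): -tls1 forces a TLS 1.0-only handshake. On success
# s_client prints "New, ..., Cipher is <name>"; on refusal "Cipher is (NONE)".
# An OpenSSL build with TLS 1.0 compiled out will error locally instead.
tls10_accepted() {
    host=$1; port=${2:-443}
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -tls1 2>&1 || true)
    case "$out" in
        *"Cipher is (NONE)"*) echo "$host:$port rejects TLS 1.0";        return 0 ;;
        *"Cipher is "*)       echo "$host:$port still accepts TLS 1.0";  return 1 ;;
        *)                    echo "$host:$port: could not connect";     return 2 ;;
    esac
}

echo "all -SSLv2 -SSLv3        -> $(ssl_protocols_enabled 'all -SSLv2 -SSLv3')"
echo "all -SSLv2 -SSLv3 -TLSv1 -> $(ssl_protocols_enabled 'all -SSLv2 -SSLv3 -TLSv1')"
echo "TLSv1.2                  -> $(ssl_protocols_enabled 'TLSv1.2')"
if [ -n "${1:-}" ]; then tls10_accepted "$1" "${2:-443}"; fi
```

Run it with no arguments to see the expansions, or as `sh check_tls.sh yoursite.example 443` to test a live host after the reload. The expander only understands the tokens the quoted docs list; anything else is reported as unknown rather than guessed at.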
Problem 2: SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)
Security Metrics is saying that your server accepts SSH key exchanges over Diffie-Hellman groups of 1024 bits or less. diffie-hellman-group1-sha1 uses a fixed 1024-bit group, and the diffie-hellman-group-exchange methods will hand out 1024-bit moduli as long as /etc/ssh/moduli still contains them; the Logjam research showed that 1024-bit groups are within reach of a well-funded attacker.
The remote host allows SSH connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.
First, run this command from outside your server to verify the problem:
nmap -Pn [domain/ip] -p [port] --script ssh2-enum-algos
| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
Note here that the server is returning
You can read these two links for more info
To fix it go into
and run sudo restart ssh
From outside the box, rerun the command and note that the server now offers a smaller set of kex algorithms:
nmap -Pn [domain/ip] -p [port] --script ssh2-enum-algos
|   kex_algorithms: (2)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group-exchange-sha256
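As an added example (mine, not the post's), the script below does two things that go with the nmap scan: it picks out the kex methods from ssh2-enum-algos output that can land on a 1024-bit or smaller DH group, and it prunes a moduli file so diffie-hellman-group-exchange-* can no longer pick a small modulus. The BEFORE, AFTER and MODULI samples are constructed (BEFORE mirrors the scan above; the moduli hex is truncated); the fix step itself is in the usage note, since the post's own fix line is cut off.

```shell
#!/bin/sh
# Added example, not code from the original post. Samples are constructed.

# Constructed: kex section of `nmap -Pn HOST -p 22 --script ssh2-enum-algos`
# for a stock OpenSSH 6.x server (same list the scan above returned).
BEFORE='| ssh2-enum-algos:
|   kex_algorithms: (8)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (2)
|       ssh-rsa
|_      ssh-ed25519'

# Constructed: the same scan after KexAlgorithms was restricted in sshd_config.
AFTER='| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256@libssh.org
|       diffie-hellman-group-exchange-sha256
|   server_host_key_algorithms: (2)
|       ssh-rsa
|_      ssh-ed25519'

# Constructed: lines in /etc/ssh/moduli format (time type tests trials size
# generator modulus). "size" is the prime length minus one, so a 2048-bit
# prime is listed as 2047. The moduli are truncated placeholders.
MODULI='# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 d9c4e1a3...
20150101000000 2 6 100 1535 2 ef88ab31...
20150101000000 2 6 100 2047 2 c1b3f04d...
20150101000000 2 6 100 4095 5 a7e2c908...'

# Reads ssh2-enum-algos output on stdin; prints one line per kex method that
# can negotiate a <=1024-bit modulus. group1 is a fixed 1024-bit group, so it
# is always a hit; group-exchange is only a hit while small moduli remain.
logjam_kex() {
    awk '
        $3 ~ /^\([0-9]+\)$/ { inkex = ($2 == "kex_algorithms:"); next }   # section header
        inkex && $NF == "diffie-hellman-group1-sha1" {
            print $NF " (fixed 1024-bit group, drop it)"
        }
        inkex && $NF ~ /^diffie-hellman-group-exchange-/ {
            print $NF " (modulus chosen from /etc/ssh/moduli, prune that file)"
        }'
}

# Filters a moduli file on stdin, keeping comments and primes of >= 2048 bits.
# Typical use:  safe_moduli < /etc/ssh/moduli > /etc/ssh/moduli.new
safe_moduli() {
    awk '/^#/ || $5 >= 2047'
}

echo "before the fix:"; printf '%s\n' "$BEFORE" | logjam_kex
echo "after the fix:";  printf '%s\n' "$AFTER"  | logjam_kex
echo "moduli kept:";    printf '%s\n' "$MODULI" | safe_moduli
```

The usual remediation, which I assume is what the post did since its result matches (the post's own fix step is cut off above): in /etc/ssh/sshd_config set KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256, replace /etc/ssh/moduli with the pruned copy (if nothing is left, generate new moduli with ssh-keygen -G and test them with ssh-keygen -T), restart sshd, and rerun the nmap scan. group-exchange-sha256 still shows up in the AFTER output as a conditional hit; that is expected, and it is safe once the small moduli are gone.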
Problem 3: Web Application Potentially Vulnerable to Clickjacking
The remote web server may fail to mitigate a class of web application vulnerabilities.
The remote web server does not set an X-Frame-Options response header in all content responses.
The fix for this is easy, as described at https://geekflare.com/secure-apache-from-clickjacking-with-x-frame-options/
In Apache, add this to apache2.conf (the Header directive comes from mod_headers, so enable that module first, with a2enmod headers on Debian/Ubuntu, or Apache will refuse to start):
Header always set X-Frame-Options "SAMEORIGIN"
Use set rather than append so that an existing header is replaced instead of turning into "SAMEORIGIN, SAMEORIGIN", which most browsers treat as an invalid header and ignore, and use always so that error responses (403, 404, 500) carry the header too; the finding is specifically about the header missing from some responses.
Reload Apache, and verify by going to
Ensure the X-Frame-Options header is returned on every response, including error pages such as a 404, since the finding is about the header missing from some responses.
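As an added example (mine, not the post's), here is a shell function that checks a captured set of response headers for a usable X-Frame-Options header and tells you whether it is missing, valid, or present but broken (the comma-joined value that Header append produces, or ALLOW-FROM, which most browsers do not honour). The three samples are constructed to look like curl -sI output; against a real site pipe curl -sI into check_xfo, and try an error page as well as the home page.

```shell
#!/bin/sh
# Added example, not code from the original post. Samples are constructed.

# What a correctly configured site returns.
GOOD='HTTP/1.1 200 OK
Date: Tue, 02 Feb 2016 10:00:00 GMT
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

# What "Header append" produces when the header was already being sent.
APPENDED='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Content-Type: text/html'

# A 404 from a site that used "Header set" without "always": no header at all.
MISSING='HTTP/1.1 404 Not Found
Content-Type: text/html'

# Reads raw response headers on stdin. Prints OK, MISSING or INVALID:<value>
# and returns 0 only for OK. Header names are case-insensitive; repeated
# headers are joined with commas, which is how a browser would see them.
check_xfo() {
    value=$(tr -d '\r' | awk '
        {
            i = index($0, ":")
            if (i == 0) next
            name = tolower(substr($0, 1, i - 1))
            if (name != "x-frame-options") next
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            v = (v == "" ? val : v "," val)
        }
        END { print v }')
    case "$(printf '%s' "$value" | tr 'a-z' 'A-Z')" in
        "")              echo MISSING;          return 1 ;;
        DENY|SAMEORIGIN) echo OK;               return 0 ;;
        *)               echo "INVALID:$value"; return 1 ;;  # duplicates, ALLOW-FROM, typos
    esac
}

printf 'Header always set:  '; printf '%s\n' "$GOOD"     | check_xfo || true
printf 'Header append:      '; printf '%s\n' "$APPENDED" | check_xfo || true
printf '404 without always: '; printf '%s\n' "$MISSING"  | check_xfo || true
```

The exit status makes it usable in a loop over URLs: `curl -sI "$url" | check_xfo || echo "fix $url"`.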
Rescan your site and you should be good to go for Security Metrics PCI compliance!