
If I must turn off passive ports to be PCI compliant, how do I upload my website?

@Ann8826881

Posted in: #Ftp #PciCompliance

Our company is undergoing procedures to ensure we are PCI compliant.

My site host tells me that they have disabled passive ports in order to pass the PCI scans. This has the effect of disabling uploads over FTP. Obviously I still need to be able to upload changes to the site.

The site is on a Windows server. So currently I can move the files over Remote Desktop Connection, but this is somewhat inconvenient and platform dependent. Are there any other ways I can upload the site and remain PCI compliant? Do the passive ports really need to be closed to pass the scans?


2 Comments


@Eichhorn148

SCP/SFTP, provided by most SSH implementations, is what I use for just about all simple remote file transfer. This is available in any Linux/BSD setup either by default or very easy to set up/install, and there are several options for Windows, including Cygwin, which includes a port of the same OpenSSH clients and servers used by most Linux setups.

Another option is to set up a VPN, using something like OpenVPN, that connects you to the server; you can then FTP over that without making the FTP service available to the outside world (or use any other file transfer option, such as using Windows shares directly).

FTP can work without its passive mode in many cases, but I would recommend moving away from FTP anyway for various reasons:

- security: everything is sent plain (i.e. unencrypted) with FTP
- security: this includes your login authentication credentials
- efficiency: SCP/SFTP usually works out quicker (esp. over a high latency link when sending multiple objects) as it all happens over one connection, not requiring a new data link per object like FTP
- efficiency: SSH (and so SCP/SFTP) supports compression, as do most VPN solutions, which could make a difference depending on what you are transferring
- firewall/routing issues: the FTP protocol's use of separate data connections per transferred object can be a source of failure depending on firewall setups at either end; SCP, SFTP and anything-over-ssh (like rsync) use a single bi-directional connection for everything.
Another good option for efficiently updating remote content from a local reference is rsync over ssh which does a very good job of just sending the minimum needed to update the remote end - I use this for maintaining off-site backup copies and such.

Note: Don't confuse SFTP with FTPS. SFTP is "SSH file transfer protocol" and FTPS is "FTP over SSL" which solves the encryption related security issues but not the other disadvantages of FTP.

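The rsync-over-ssh approach recommended in the answer above, as an added example that is not code from the thread: a small POSIX sh deploy script that pushes a local site tree to the server over a single SSH connection, so no FTP service or passive port range has to be exposed. The account `deploy@www.example.invalid` and the path `/var/www/site` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread above: push a local site tree to the
# web server with rsync over SSH, so no FTP service or passive port range needs
# to be exposed. Placeholders: deploy@www.example.invalid and /var/www/site.
set -eu

# Print the rsync command, one argument per line, so it can be inspected before
# it is executed. $1 = local site dir, $2 = user@host:/path, $3 = 1 for dry run.
rsync_deploy_args() {
    src=$1 dst=$2 dry=${3:-0}
    printf '%s\n' rsync --archive --compress --delete --itemize-changes \
        '--exclude=.git/' '--exclude=*.local' \
        -e 'ssh -o StrictHostKeyChecking=yes -o BatchMode=yes'
    [ "$dry" = 1 ] && printf '%s\n' --dry-run
    # Trailing slash: sync the contents of src, not the directory itself.
    printf '%s\n' "${src%/}/" "$dst"
}

# Run the deployment. StrictHostKeyChecking=yes already refuses unknown hosts;
# the explicit check just gives a clear message instead of a bare ssh error.
deploy_site() {
    src=$1 dst=$2 dry=${3:-0}
    host=${dst#*@}; host=${host%%:*}
    ssh-keygen -F "$host" >/dev/null 2>&1 || {
        echo "refusing to deploy: no known_hosts entry for $host" >&2
        return 1
    }
    set --
    while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(rsync_deploy_args "$src" "$dst" "$dry")
EOF
    "$@"
}

# Example call (commented out so the script is safe to source):
# deploy_site ./site deploy@www.example.invalid:/var/www/site 1
```

Run with the dry-run flag first; `--itemize-changes` lists exactly what `--delete` would remove on the server before anything is touched.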



@Steve110

Other options are SSH and SFTP. Most FTP clients should also allow you the option of using SSH/SFTP instead.
