I'm 95% sure the answer is "wait for the developers to fix those issues"
and/or "become a developer and fix those issues" :-).
Configuration of lighttpd is controlled by the pfSense management
framework, so once you discover the correct invocation, you could
locally modify the PHP file that generates the configuration.
In theory, all you need to add to /var/etc/lighty-webConfigurator.conf
would be
  ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"
but you need to find where in the PHP framework that file gets written.
I can't find it in under 60 seconds, so you're on your own there.
As to updating sshd, that's replacing a core piece of the system. I'm
not even going to speculate how or what the impact would be.
-Adam
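Added example, not code from the thread or from the pfSense project: a small script that (a) expands the cipher list suggested above against the local OpenSSL and flags the suites a PCI scanner will still reject (RC4, 3DES, MD5 MACs), and (b) probes a host:port one TLS version at a time, which is the check for the "TLS1 is still reported" complaint. It assumes only Python's standard library (ssl, socket) and whatever OpenSSL that Python is linked against; the cipher string is the one from the message above, rewritten in lighttpd's colon-separated form.

```python
"""Audit a lighttpd-style ssl.cipher-list string and probe which TLS
versions a listener still accepts.

Added example, not code from the pfSense project or from the thread.
It assumes only the Python standard library (ssl/socket) and the local
OpenSSL build that Python is linked against.
"""
import socket
import ssl

# The cipher list proposed in the thread, written in lighttpd's
# colon-separated form.  Any OpenSSL-style cipher string works here.
ADAM_CIPHER_LIST = (
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"
)

# Substrings that mark a suite a PCI scanner will still reject:
# RC4 (prohibited by RFC 7465), 3DES (SWEET32), MD5 MAC, NULL/export suites.
WEAK_MARKERS = ("RC4", "DES-CBC3", "3DES", "-MD5", "NULL", "EXP")


def is_weak(name):
    """True if the suite name carries one of the known-weak markers."""
    return any(m in name for m in WEAK_MARKERS)


def audit_cipher_list(cipher_list):
    """Expand cipher_list against the local OpenSSL and classify it.

    Returns a dict with the requested names (in order), the subset the
    local OpenSSL will actually offer, the ones it cannot (compiled out
    or below its security level), and the ones flagged as weak.
    """
    requested = [c for c in cipher_list.split(":") if c]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
        available = {c["name"] for c in ctx.get_ciphers()}
    except ssl.SSLError:
        # OpenSSL raises when not a single suite in the string is usable.
        available = set()
    enabled = [c for c in requested if c in available]
    unsupported = [c for c in requested if c not in available]
    weak = [c for c in requested if is_weak(c)]
    return {"requested": requested, "enabled": enabled,
            "unsupported": unsupported, "weak": weak}


def probe_tls_versions(host, port, timeout=5.0):
    """Attempt one handshake per protocol version against host:port.

    Returns {version_name: negotiated_cipher_or_None}.  A scanner that
    still reports "TLS1 supported" after lighttpd was restricted is
    usually looking at a different listener, so run this against every
    port the scanner listed, not only the web GUI port.
    """
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # testing protocol support, not identity
        try:
            # Offer legacy suites too, so an old server is not refused by
            # the client's own security level (OpenSSL 1.1.0+ syntax).
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            pass
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[ver.name] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            # Handshake refused, version unsupported locally, or no listener.
            results[ver.name] = None
    return results


if __name__ == "__main__":
    import sys
    report = audit_cipher_list(ADAM_CIPHER_LIST)
    print("weak suites in the proposed list:", report["weak"])
    print("not offered by local OpenSSL:", report["unsupported"])
    if len(sys.argv) == 3:
        print(probe_tls_versions(sys.argv[1], int(sys.argv[2])))
```

Run it with a host and port (for example the GUI port, then any other port the scanner flagged) and compare the per-version result with what the scanner reports; a listener that still answers on TLSv1 is the one that needs reconfiguring. The audit part is local only: it tells you which of the proposed suites your OpenSSL would actually offer and which ones a PCI scan will flag regardless of the protocol version.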
On 07/24/2015 03:51 PM, Ted Byers wrote:
I have checked our installation of our website (a classic protected LAN
with a DMZ formed by two pfsense machines serving as our inner and outer
firewall, and one machine in the DMZ and the rest behind the inner
firewall) using a PCI scanner.
The PCI scan identified two vulnerabilities WRT our pfsense machines.
First, the scanner complains that TLS1 is supported and we need to restrict
it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but
that did not make the complaint go away, so is there anything else that
uses TLS that we need to reconfigure to use only TLS1.2?
Second, it appears that ssh-server on pfsense is version 6.6 and it would
be good if we can upgrade that to 6.9 or better (well, if there is better -
the scan only complains about the version if it is earlier than 6.9).
If we can fix these two things, a little over half of the complaints from
the scanner will be resolved. I have spent a couple days using google,
trying to resolve these, but to no avail (compounded by the fact the signal
to noise ratio in my searches was abysmal).
Thanks
Ted
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold