Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz mo...@ymkatz.net wrote:
> Again, I agree with you that this shouldn't affect your score. I am simply explaining why they do it.

Based on this explanation, I agree. There's no reason for them to demand your certificate also signs any other domain name as long as it signs the one to which they are connecting and testing.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On 29.07.2015 18:02, Vick Khera wrote:
> On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz mo...@ymkatz.net wrote:
>> Again, I agree with you that this shouldn't affect your score. I am simply explaining why they do it.
>
> Based on this explanation, I agree. There's no reason for them to demand your certificate also signs any other domain name as long as it signs the one to which they are connecting and testing.

Hi,

the reason why it affects your score is simple:

1. client makes a request to https://www.example.net
   => if it does not redirect to https://example.net the check stops here. All is OK.
   => if your server responds with a redirect to https://example.net, it does it with an untrusted certificate. Untrusted, because the server certificate is not certified to be used from www.example.net.

So you have 3 options:

1. disable redirection of https://www to https://bare (probably not what you wish)
2. give your https://www server a valid certificate, so that the redirect is trustworthy (as done by https://www.web.de, which points to https://web.de)
3. if it is the same server, but only a separate config, you probably should get a certificate with CN: www.example.net and ALT-Names: DNS: www.example.net and DNS: example.net (example: https://xmodus-systems.de redirects to https://www.xmodus-systems.de, the cert is valid for both)

Again: the connection to https://www.example.net is technically not OK, for sure. But this you probably already know.

Now why does Qualys also check the www.? Qualys checks this option for bare domains, because many users worldwide are used to prefixing www. on every domain without thinking about it (bad habit). If the www. domain does not belong to you it is a potential risk that your customers think they are accessing your site but in reality it is a possible man-in-the-middle site.

=> Security is not only a technical issue, but must also take account of human bad habits.

Best regards,
Claudio
--
Working on OpenWrt CC for Xmodus GSM Router XM1710E
http://www.xmodus-systems.de/openwrt
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org wrote:
> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
>> I have an issue with Qualys: They ding my certification because I have domain.com on it and not www.domain.com (multi-site cert). That’s not a reason to lower a score on security.
>
> The only way I can make sense of your sentence is that they are dinging you for having a certificate that does not match the name of the site you are visiting because one has www. and the other does not. That seems to be reasonable for them to ding you.

Vick,

Qualys *does* take off points if you have a certificate for your bare domain name without it having www as an alternate name. For example, a certificate for 'example.com' that doesn't work for 'www.example.com' is penalized, even if it is really only used for 'example.com'.

I believe that the reason they do this is because they assume that people always have their sites set up so that www redirects to bare, bare redirects to www, or both bare and www show the same content. While this may not always be true, it is an assumption that Qualys and many other people make, so it is included in the grade.

Moshe
--
Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Jul 28, 2015, at 2:50 PM, Moshe Katz mo...@ymkatz.net wrote:
> On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org wrote:
>> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
>>> I have an issue with Qualys: They ding my certification because I have domain.com on it and not www.domain.com (multi-site cert). That’s not a reason to lower a score on security.
>>
>> The only way I can make sense of your sentence is that they are dinging you for having a certificate that does not match the name of the site you are visiting because one has www. and the other does not. That seems to be reasonable for them to ding you.
>
> Vick,
>
> Qualys *does* take off points if you have a certificate for your bare domain name without it having www as an alternate name. For example, a certificate for 'example.com' that doesn't work for 'www.example.com' is penalized, even if it is really only used for 'example.com'.
>
> I believe that the reason they do this is because they assume that people always have their sites set up so that www redirects to bare, bare redirects to www, or both bare and www show the same content. While this may not always be true, it is an assumption that Qualys and many other people make, so it is included in the grade.

Sure, but if you try to load www.domain.com it sends you to the clean domain immediately. I am not testing www.domain.com - I am testing domain.com, and there’s no evidence they’re trying to load www.domain.com, only reading the certificate and seeing it doesn’t cover it.
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Tue, Jul 28, 2015 at 3:54 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
> On Jul 28, 2015, at 2:50 PM, Moshe Katz mo...@ymkatz.net wrote:
>> On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera vi...@khera.org wrote:
>>> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
>>>> I have an issue with Qualys: They ding my certification because I have domain.com on it and not www.domain.com (multi-site cert). That’s not a reason to lower a score on security.
>>>
>>> The only way I can make sense of your sentence is that they are dinging you for having a certificate that does not match the name of the site you are visiting because one has www. and the other does not. That seems to be reasonable for them to ding you.
>>
>> Vick,
>>
>> Qualys *does* take off points if you have a certificate for your bare domain name without it having www as an alternate name. For example, a certificate for 'example.com' that doesn't work for 'www.example.com' is penalized, even if it is really only used for 'example.com'.
>>
>> I believe that the reason they do this is because they assume that people always have their sites set up so that www redirects to bare, bare redirects to www, or both bare and www show the same content. While this may not always be true, it is an assumption that Qualys and many other people make, so it is included in the grade.
>
> Sure, but if you try to load www.domain.com it sends you to the clean domain immediately. I am not testing www.domain.com - I am testing domain.com, and there’s no evidence they’re trying to load www.domain.com, only reading the certificate and seeing it doesn’t cover it.

Ryan,

That is *exactly* what I said. They *don't* check whether you are redirecting, and they *don't* try to load the www version. They naively assume that the same certificate *must* cover both of those names because they assume you are redirecting one to the other.

There is one reason that it matters, even in your case. Take the following four URLs:

- http://domain.com/ => redirects to SECURE on SAME DOMAIN
- http://www.domain.com/ => redirects to SECURE on BARE DOMAIN
- https://domain.com/ => the actual site
- https://www.domain.com/ => SHOULD redirect to SECURE on BARE DOMAIN

You have handled the first three of them - but not the fourth one. Instead of getting a redirect, you will get a certificate error. I don't know how you have configured your server - you may not even be listening for secure connections on the WWW subdomain. However, Qualys assumes that you are redirecting in that fourth case *and that you are using the same certificate to do it*, so they are testing for whether your certificate covers it.

Again, I agree with you that this shouldn't affect your score. I am simply explaining why they do it.

Moshe
--
Moshe Katz -- mo...@ymkatz.net -- +1(301)867-3732
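As an added illustration of the four-URL case Moshe lays out above (and of Claudio's option 3, a certificate carrying both names, earlier in the thread), here is a small Python check that is not code from the thread or from pfSense: it tests whether a certificate's subjectAltName list covers every HTTPS host in a www/bare redirect chain, using the RFC 6125 name-matching rules browsers apply. The SAN lists are constructed samples, and it also shows the wildcard edge case (a "*.example.com" certificate does not cover the bare name).

```python
"""Does one certificate cover every HTTPS host in a www/bare redirect chain?
Added example (not from the thread or pfSense). Name matching follows the
RFC 6125 rules browsers apply to subjectAltName dNSName entries; the CN is
ignored, as browsers ignore it whenever a SAN extension is present."""
from typing import Dict, List


def host_matches(pattern: str, hostname: str) -> bool:
    """True if a dNSName `pattern` from a certificate matches `hostname`.
    Case-insensitive; a wildcard is accepted only as the entire leftmost
    label and matches exactly one label (so "*.example.com" does not match
    "example.com" or "a.b.example.com")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Need at least two fixed labels ("*.com" is never valid) and the same
    # label count, because the wildcard stands for exactly one label.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans: List[str], hostname: str) -> bool:
    """True if any SAN dNSName in the certificate matches hostname."""
    return any(host_matches(san, hostname) for san in sans)


def audit_redirect_chain(sans: List[str], bare_domain: str) -> Dict[str, bool]:
    """For the two HTTPS URLs in the four-URL chain (https://bare/ and
    https://www.bare/), report whether the certificate covers the host the
    client connects to. The two plain-HTTP URLs present no certificate, so
    a redirect there can never be a certificate error; they are omitted.
    A False entry is where a client sees a certificate error instead of the
    redirect, which is exactly what a bare-only certificate produces."""
    hosts = [bare_domain, "www." + bare_domain]
    return {"https://%s/" % h: cert_covers(sans, h) for h in hosts}


def uncovered_urls(sans: List[str], bare_domain: str) -> List[str]:
    """The HTTPS URLs in the chain that would fail name validation."""
    return [u for u, ok in audit_redirect_chain(sans, bare_domain).items() if not ok]


if __name__ == "__main__":
    # Constructed SAN lists standing in for three possible certificates.
    samples = {
        "bare name only": ["example.com"],
        "bare + www (option 3 above)": ["www.example.com", "example.com"],
        "wildcard only": ["*.example.com"],
    }
    for label, sans in samples.items():
        missing = uncovered_urls(sans, "example.com") or "none"
        print("%-28s uncovered: %s" % (label, missing))
```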
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
> I have an issue with Qualys: They ding my certification because I have domain.com on it and not www.domain.com (multi-site cert). That’s not a reason to lower a score on security.

The only way I can make sense of your sentence is that they are dinging you for having a certificate that does not match the name of the site you are visiting because one has www. and the other does not. That seems to be reasonable for them to ding you.
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Jul 24, 2015, at 5:18 PM, Ted Byers r.ted.by...@gmail.com wrote:
> On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote:
>> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
>>> This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2
>>
>> In the case of forwarded ports it's the Ubuntu machines that are triggering it. That has nothing to do with the firewall.
>
> In that case, then, the scan is wrong as all our Ubuntu machines are configured to use only TLS1.2

Or you think they are and they’re really not.
[pfSense] How do I harden my pfsense install WRT TLS and ssh?
I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfsense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfsense machines.

First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2?

Second, it appears that ssh-server on pfsense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9).

If we can fix these two things, a little over half of the complaints from the scanner will be resolved.

I have spent a couple of days using google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal).

Thanks

Ted
--
R.E.(Ted) Byers, Ph.D.,Ed.D.
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
I'm 95% sure the answer is wait for the developers to fix those issues and/or become a developer and fix those issues :-).

Configuration of lighttpd is controlled by the pfSense management framework, so once you discover the correct invocation, you could locally modify the PHP file that generates the configuration. In theory, all you need to add to /var/etc/lighty-webConfigurator.conf would be

    ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"

but you need to find where in the PHP framework that file gets written. I can't find it in under 60 seconds, so you're on your own there.

As to updating sshd, that's replacing a core piece of the system. I'm not even going to speculate how or what the impact would be.

-Adam

On 07/24/2015 03:51 PM, Ted Byers wrote:
> I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfsense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfsense machines.
>
> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2?
>
> Second, it appears that ssh-server on pfsense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9).
>
> If we can fix these two things, a little over half of the complaints from the scanner will be resolved.
>
> I have spent a couple of days using google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal).
>
> Thanks
>
> Ted
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:
> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2.
> Second, it appears that ssh-server on pfsense is version 6.6

Is this an internal scan or external? Hopefully those aren't exposed externally. If internal, can access be limited to certain IPs?

This probably isn't the forum to discuss, but the TLS 1.0 one is a fun one...that will catch Remote Desktop Services, and Vista and below don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ enabled by default.

--
Steve Yates
ITS, Inc.
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
If you are forwarding the ports to other machines, it is those machines which need an update, not pfSense. This is the test: get out your ssh client of choice and connect to the port from outside. If you get something that is not pfSense, then upgrading ssh on your firewall isn't going to help.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jul 24, 2015 6:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
> This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2
>
> Port 443 must be open to support the web server in our DMZ, and we need ssh to connect to each machine for administration purposes. (If there is a better way, I do not know what it is or how to do it -- I am a programmer tasked with setting this up, so network and system administration is new to me - I am out of my area of expertise here.)
>
> Thanks
>
> Ted
>
> On Fri, Jul 24, 2015 at 5:25 PM, Steve Yates st...@teamits.com wrote:
>> Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:
>>> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2.
>>> Second, it appears that ssh-server on pfsense is version 6.6
>>
>> Is this an internal scan or external? Hopefully those aren't exposed externally. If internal, can access be limited to certain IPs?
>>
>> This probably isn't the forum to discuss, but the TLS 1.0 one is a fun one...that will catch Remote Desktop Services, and Vista and below don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ enabled by default.
>>
>> --
>> Steve Yates
>> ITS, Inc.
>
> --
> R.E.(Ted) Byers, Ph.D.,Ed.D.
> t...@merchantservicecorp.com
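As an added example of the test Y describes above (connect to the forwarded port from outside and see what actually answers), and of the doubt raised earlier in the thread that the Ubuntu hosts might not really be TLS 1.2-only: a Python probe, not code from the thread or from pfSense, that reads the SSH identification banner on a port and attempts one TLS handshake per protocol version on 443. The hostnames are placeholders and the banner strings in the sample are constructed, not captured from any real host.

```python
"""Probe what a forwarded port really exposes from the outside. Added example
(not from the thread or pfSense): read the SSH identification banner to see
which system answers, and try one TLS handshake per protocol version on 443
to confirm only TLS 1.2 is accepted. Hostnames used below are placeholders."""
import re
import socket
import ssl
from typing import Dict, Optional, Tuple

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(line: str) -> Optional[Dict[str, str]]:
    """Split a banner into protocol, software and comment; None if malformed."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def openssh_version(software: str) -> Optional[Tuple[int, ...]]:
    """'OpenSSH_6.6.1p1' -> (6, 6, 1); None for non-OpenSSH software strings."""
    m = re.match(r"OpenSSH_(\d+(?:\.\d+)*)", software)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def banner_older_than(line: str, minimum: Tuple[int, ...]) -> bool:
    """True if the banner reports OpenSSH older than `minimum`. This is the
    version-string comparison a banner-based scanner makes; it says nothing
    about fixes backported into a vendor build such as the FreeBSD base system."""
    info = parse_ssh_banner(line)
    ver = openssh_version(info["software"]) if info else None
    return ver is not None and ver < minimum


def fetch_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and return the first line the server sends (its banner)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]


TLS_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def tls_versions_accepted(host: str, port: int = 443,
                          timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """One handshake per TLS version, pinned to exactly that version.
    True: server completed it (still offered). False: server rejected it.
    None: could not test (connection refused, timeout, or the local
    OpenSSL cannot speak that version). Only protocol support is tested,
    so certificate verification is deliberately off."""
    results: Dict[str, Optional[bool]] = {}
    for name, ver in TLS_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security
            # level; lower it so the result reflects the server, not us.
            ctx.set_ciphers("DEFAULT@SECLEVEL=0")
        except ssl.SSLError:
            pass  # no security levels on this build; try anyway
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, ConnectionResetError):
            results[name] = False  # handshake refused or connection dropped
        except (OSError, ValueError):
            results[name] = None
    return results


if __name__ == "__main__":
    # Constructed banners (not captured from any real host).
    for b in ("SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2",
              "SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420"):
        print(b, "->", parse_ssh_banner(b), "older than 6.9:", banner_older_than(b, (6, 9)))
    # Live checks against a placeholder host; replace with your own WAN address.
    # print(fetch_ssh_banner("firewall.example.net"))
    # print(tls_versions_accepted("www.example.net"))
```

The comment field of the banner is what tells the two systems apart: the Ubuntu package and the FreeBSD base build both report OpenSSH 6.6.1, so a scanner matching only on the version number flags them identically.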
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
Thanks for this. I'd hoped it would be as simple as apt-get update, apt-get upgrade, apt-get update openssh-server. That is, whatever the equivalent of apt-get is on a pfsense machine, I'd hoped it would be a command invoked from ssh to ask the system to check for updates and apply any found.

Thanks

Ted

On Fri, Jul 24, 2015 at 5:13 PM, Adam Thompson athom...@athompso.net wrote:
> I'm 95% sure the answer is wait for the developers to fix those issues and/or become a developer and fix those issues :-).
>
> Configuration of lighttpd is controlled by the pfSense management framework, so once you discover the correct invocation, you could locally modify the PHP file that generates the configuration. In theory, all you need to add to /var/etc/lighty-webConfigurator.conf would be
>
>     ssl.cipher-list = "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5"
>
> but you need to find where in the PHP framework that file gets written. I can't find it in under 60 seconds, so you're on your own there.
>
> As to updating sshd, that's replacing a core piece of the system. I'm not even going to speculate how or what the impact would be.
>
> -Adam
>
> On 07/24/2015 03:51 PM, Ted Byers wrote:
>> I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfsense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfsense machines.
>>
>> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2?
>>
>> Second, it appears that ssh-server on pfsense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9).
>>
>> If we can fix these two things, a little over half of the complaints from the scanner will be resolved.
>>
>> I have spent a couple of days using google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal).
>>
>> Thanks
>>
>> Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2

Port 443 must be open to support the web server in our DMZ, and we need ssh to connect to each machine for administration purposes. (If there is a better way, I do not know what it is or how to do it -- I am a programmer tasked with setting this up, so network and system administration is new to me - I am out of my area of expertise here.)

Thanks

Ted

On Fri, Jul 24, 2015 at 5:25 PM, Steve Yates st...@teamits.com wrote:
> Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm:
>> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2.
>> Second, it appears that ssh-server on pfsense is version 6.6
>
> Is this an internal scan or external? Hopefully those aren't exposed externally. If internal, can access be limited to certain IPs?
>
> This probably isn't the forum to discuss, but the TLS 1.0 one is a fun one...that will catch Remote Desktop Services, and Vista and below don't support TLS 1.1+ period, and Windows 7 with IE10 or earlier don't have TLS 1.1+ enabled by default.
>
> --
> Steve Yates
> ITS, Inc.

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
Thanks. I will do this this evening.

Thanks

Ted

On Fri, Jul 24, 2015 at 6:18 PM, David Burgess apt@gmail.com wrote:
> On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers r.ted.by...@gmail.com wrote:
>> Thanks for this. I'd hoped it would be as simple as apt-get update, apt-get upgrade, apt-get update openssh-server. That is, whatever the equivalent of apt-get is on a pfsense machine, I'd hoped it would be a command invoked from ssh to ask the system to check for updates and apply any found.
>
> PFSense is more like a firmware than an OS. While the possibility of updating, replacing, or adding components does exist, it is generally discouraged for the typical user. Log into the web UI and navigate to System: Firmware: Auto Update and run your upgrade from there.
>
> db

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
We have version 2.2.2. What is the easiest way to upgrade one minor version? On Ubuntu, I'd use 'apt-get update' and/or 'apt-get upgrade', or one of the variants thereof. But, if I understand correctly, pfsense is built on FreeBSD, about which I know nothing.

Thanks

Ted

On Fri, Jul 24, 2015 at 5:13 PM, Ryan Coleman ryan.cole...@cwis.biz wrote:
> First off you’d upgrade the installation of pfSense - what version do you have installed/running? The current version is 2.2.3.
>
> On Jul 24, 2015, at 3:51 PM, Ted Byers r.ted.by...@gmail.com wrote:
>> I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfsense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfsense machines.
>>
>> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2?
>>
>> Second, it appears that ssh-server on pfsense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9).
>>
>> If we can fix these two things, a little over half of the complaints from the scanner will be resolved.
>>
>> I have spent a couple of days using google, trying to resolve these, but to no avail (compounded by the fact the signal to noise ratio in my searches was abysmal).
>>
>> Thanks
>>
>> Ted
>> --
>> R.E.(Ted) Byers, Ph.D.,Ed.D.

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
t...@merchantservicecorp.com
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers r.ted.by...@gmail.com wrote:
> Thanks for this. I'd hoped it would be as simple as apt-get update, apt-get upgrade, apt-get update openssh-server. That is, whatever the equivalent of apt-get is on a pfsense machine, I'd hoped it would be a command invoked from ssh to ask the system to check for updates and apply any found.

PFSense is more like a firmware than an OS. While the possibility of updating, replacing, or adding components does exist, it is generally discouraged for the typical user. Log into the web UI and navigate to System: Firmware: Auto Update and run your upgrade from there.

db
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Fri, Jul 24, 2015 at 3:51 PM, Ted Byers r.ted.by...@gmail.com wrote:
> I have checked our installation of our website (a classic protected LAN with a DMZ formed by two pfsense machines serving as our inner and outer firewall, and one machine in the DMZ and the rest behind the inner firewall) using a PCI scanner. The PCI scan identified two vulnerabilities WRT our pfsense machines.
>
> First, the scanner complains that TLS1 is supported and we need to restrict it to TLS1.2. We modified the configuration of lighttpd to use TLS1.2, but that did not make the complaint go away, so is there anything else that uses TLS that we need to reconfigure to use only TLS1.2?

That's one where maybe you can disregard compatibility concerns and only allow TLS 1.2. We're a bit more conservative for compatibility reasons where there isn't a significant security risk (though TLSv1 probably will get disabled in 2.3-REL). Update the code in /etc/inc/system.inc to generate the lighttpd config as you desire (and captiveportal.inc if you're using CP).

> Second, it appears that ssh-server on pfsense is version 6.6 and it would be good if we can upgrade that to 6.9 or better (well, if there is better - the scan only complains about the version if earlier than 6.9).

In that case your scanner is stupid, and "you can't fix stupid" applies. We use the SSH version used in the base FreeBSD version, which is 6.6 for 10.1. That's perfectly fine. You can't reasonably upgrade it, and there is no point at all in trying.

Re: upgrading, which you should do as there are legit security reasons your scanner is blind to (though best to wait a few hours and you can go to 2.2.4), details here: https://doc.pfsense.org/index.php/Upgrade_Guide
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote:
> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
>> This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2
>
> In the case of forwarded ports it's the Ubuntu machines that are triggering it. That has nothing to do with the firewall.

In that case, then, the scan is wrong as all our Ubuntu machines are configured to use only TLS1.2

Thanks.

Ted
Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?
On Jul 24, 2015, at 7:18 PM, Ted Byers r.ted.by...@gmail.com wrote:
> On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler c...@pfsense.com wrote:
>> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers r.ted.by...@gmail.com wrote:
>>> This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2
>>
>> In the case of forwarded ports it's the Ubuntu machines that are triggering it. That has nothing to do with the firewall.
>
> In that case, then, the scan is wrong as all our Ubuntu machines are configured to use only TLS1.2

I am curious as to what tool you were using.