Netgate Discussion Forum

My pfsense failed an audit by securitymetrics.com

Firewalling
kapara
last edited by Jan 29, 2010, 10:01 PM

TCP 443 https Risk Level: 5
Synopsis: The remote service supports the use of medium strength SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Is this easily resolved? And I mean not by disabling https access.

Skype ID: Marinhd

jimp Rebel Alliance Developer Netgate
last edited by Jan 30, 2010, 5:19 AM

You chose to leave your WebGUI (or an internal web server?) exposed to the world; it will always be a risk, regardless of cipher strength.

The real solution is to not do that – require a VPN connection of some sort (OpenVPN, IPsec, etc.) which can then grant you access to the WebGUI.

If it's an internal web server with a forwarded port, then it's not a pfSense issue; this is a problem with your web server.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

kapara
last edited by Jan 30, 2010, 7:18 PM

This was for the pfSense web GUI. Is there a way to make the https server on pfSense use a stronger cipher, say minimum 256? That would actually be considered acceptable.

jimp Rebel Alliance Developer Netgate
last edited by Jan 30, 2010, 7:22 PM

You might be able to generate a stronger key, but I cannot emphasize enough how bad an idea it is to leave your router's web interface exposed to the world.

Regardless of cipher, I would flag that as a failure on an audit myself.

lotacus
last edited by Jan 31, 2010, 7:18 PM

I agree. Never expose your firewall to the world. That's a big mistake and defeats the purpose of the firewall. Like suggested, if you need to make changes to the firewall from a remote location… always use SSH.

jlepthien
last edited by Jan 31, 2010, 7:41 PM

I would also suggest you use ssh with password login disabled. Only pub-key auth…

Then you can tunnel port 443 into ssh and get your WI with https://localhost from your computer initiating the ssh session.

| apple fanboy | music lover | network and security specialist | in love with cisco systems |

jimp Rebel Alliance Developer Netgate
last edited by Jan 31, 2010, 8:57 PM

I wouldn't recommend leaving ssh open to the world on the default port, either.

Pub key auth is a must, as well as using non-standard ports. Something unlikely to be guessed or scanned, but in reality anything but port 22 is probably safer.

jlepthien
last edited by Jan 31, 2010, 9:56 PM

But with pubkey enabled it is quite safe to use port 22…

jimp Rebel Alliance Developer Netgate
last edited by Jan 31, 2010, 9:56 PM

No reason to tempt fate there. :-)

kapara
last edited by Feb 1, 2010, 7:26 AM

Thanks for all the feedback. As a band-aid I locked it down to only my remote network for HTTPS. I will also look into the other suggestions. Thanks again.

Mark

djamp42
last edited by Feb 16, 2010, 4:21 AM

Instead of just allowing everyone to access the WebGUI, restrict it to certain IP ranges that you often use. This has proven good to me so far with SSH and WebGUI. I do this in case the VPN tunnel breaks; I still have a way in.

The best way for normal access should be through a VPN.

jus10
last edited by Feb 19, 2010, 7:08 PM

Assuming pfSense is still using lighttpd as the webserver, you can configure what ciphers it speaks. http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL

If you look at the PCI DSS Compliance section, that shows some higher security ciphers. You can configure lighttpd to only use those. This is of course besides the sensible advice above about restricting access to the web interface. But should you ever see this issue on another lighttpd server, you can see how to correct it :).

kapara
last edited by Mar 4, 2010, 5:26 AM

Tried setting up SSH Authorized Key but it does not seem to work.

I pasted the following from the Public Key File created using puttygen:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100303"
AAAAB3NzaC1yc2EAAAABJQAAAIEAiNNMQ8KAZQhyRdek5p/anBZpBiBCsiF3BzGb
vDhGtCC+oFj7/jJsmLcPmUcxQp/L5Gz0fBzQUEcd1AZK3gTG/pEHzE8x2PU5iqSX
+LBbHIDQZuz461iiMwnL9Xu8I9T2+B7i3KX/t34SvubWYPvP6ZO/Q/+Rdmbwmmsb
GZ2FC1U=
---- END SSH2 PUBLIC KEY ----

I was still able to connect via SSH without the need of any private key. Also disabled password login for secure shell. Still getting prompted for username/password and able to login.

jimp Rebel Alliance Developer Netgate
last edited by Mar 4, 2010, 5:28 AM

Try omitting the begin, end, and comment lines.

kapara
last edited by Mar 4, 2010, 6:30 AM

Like this:

AAAAB3NzaC1yc2EAAAABJQAAAIEAiNNMQ8KAZQhyRdek5p/anBZpBiBCsiF3BzGb
vDhGtCC+oFj7/jJsmLcPmUcxQp/L5Gz0fBzQUEcd1AZK3gTG/pEHzE8x2PU5iqSX
+LBbHIDQZuz461iiMwnL9Xu8I9T2+B7i3KX/t34SvubWYPvP6ZO/Q/+Rdmbwmmsb
GZ2FC1U=

or

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiNNMQ8KAZQhyRdek5p/anBZpBiBCsiF3BzGb
vDhGtCC+oFj7/jJsmLcPmUcxQp/L5Gz0fBzQUEcd1AZK3gTG/pEHzE8x2PU5iqSX
+LBbHIDQZuz461iiMwnL9Xu8I9T2+B7i3KX/t34SvubWYPvP6ZO/Q/+Rdmbwmmsb
GZ2FC1U=

jlepthien
last edited by Mar 4, 2010, 7:08 AM

Like the second one. That's what I do…

kapara
last edited by Mar 4, 2010, 7:30 AM

When I use the one with ssh-rsa I get connection refused. When I go to auth in PuTTY and select the private.ppk file and try to open the connection I get a connection error.

jlepthien
last edited by Mar 4, 2010, 7:32 AM

Did you get your key by opening puttygen and loading your private key there?

kapara
last edited by Mar 4, 2010, 7:33 AM

I generate public key and copy, then export private key. Right?

jlepthien
last edited by Mar 4, 2010, 7:35 AM

You can use puttygen to generate a pair and then copy the key from the top of the window which says "Public key for pasting into OpenSSH authorized_keys file:"…

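The conversion jimp and jlepthien describe (drop puttygen's BEGIN/END/Comment lines, join the base64 onto one line, and prefix it with the key type) can be done mechanically instead of by hand. The following is an added example, not code from the thread or from pfSense: it takes the SSH2-format public key kapara posted above as its sample input, reads the key type out of the decoded blob rather than assuming it, and produces the single authorized_keys line sshd expects.

```python
import base64
import struct

# Sample input: the RFC 4716 ("SSH2 PUBLIC KEY") export that puttygen
# produces, copied from the post above.
PUTTYGEN_EXPORT = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100303"
AAAAB3NzaC1yc2EAAAABJQAAAIEAiNNMQ8KAZQhyRdek5p/anBZpBiBCsiF3BzGb
vDhGtCC+oFj7/jJsmLcPmUcxQp/L5Gz0fBzQUEcd1AZK3gTG/pEHzE8x2PU5iqSX
+LBbHIDQZuz461iiMwnL9Xu8I9T2+B7i3KX/t34SvubWYPvP6ZO/Q/+Rdmbwmmsb
GZ2FC1U=
---- END SSH2 PUBLIC KEY ----
"""


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rfc4716_to_openssh(text):
    """Return (authorized_keys line, key type, key bits, comment)."""
    b64_lines, comment = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue                      # BEGIN / END marker lines
        if ":" in line:                   # header line; base64 never has ':'
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        b64_lines.append(line)
    body = "".join(b64_lines)             # authorized_keys wants one line
    blob = base64.b64decode(body, validate=True)
    key_type, off = _read_string(blob, 0)  # the blob names its own type
    key_type = key_type.decode("ascii")
    if key_type != "ssh-rsa":
        raise ValueError("example handles ssh-rsa only, got " + key_type)
    _exponent, off = _read_string(blob, off)   # RSA e (37 in this key)
    modulus, off = _read_string(blob, off)     # RSA n
    if off != len(blob):
        raise ValueError("trailing data after RSA modulus")
    key_bits = int.from_bytes(modulus, "big").bit_length()
    line = key_type + " " + body + (" " + comment if comment else "")
    return line, key_type, key_bits, comment
```

The returned key size is worth checking before pasting the line into the pfSense key field: the key in this thread is a 1024-bit RSA key, which was common for puttygen in 2010 but is no longer considered adequate.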
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.