Netgate Discussion Forum
    PCI Scan error

    Scheduled Pinned Locked Moved Firewalling
    8 Posts 4 Posters 861 Views
    bwelch

      I am getting errors on the PCI scan such as those listed below, along with a few others. Has anyone seen this? We are using an SG-2440 on firmware version
      2.3.2-RELEASE (amd64)
      built on Wed Jul 20 10:29:55 CDT 2016
      FreeBSD 10.3-RELEASE-p5

      Lighttpd Remote Privilege Escalation Vulnerability, CVE-2013-4559

      Lighttpd SQL Injection Vulnerability in mod_mysql_vhost.c, CVE-2014-2323

      Lighttpd SNI Weak Cipher Configuration Vulnerability, CVE-2013-4508

      Lighttpd Multiple Directory Traversal Vulnerabilities, CVE-2014-2324

      dotdash @bwelch

        @bwelch said in PCI Scan error:

        2.3.2-RELEASE (amd64)

        Your first action should be to update to the current version.

        bwelch @dotdash

          @dotdash

          Thanks for the quick response.

          That is on my list to do this weekend. Do you know if that corrects this error? It looks like I have to go to 2.3.3_1 first, which is listed on the Dashboard; then I would assume it will notify me of the update to 2.3.3_2.

          Just trying to find out if that will fix it or if the issue is related to something else.

          In any case I will be upgrading this weekend.

          dotdash

            Current version is 2.4.3-p1. I would save the config, install 2.4.3, restore, and update to p1.
            I haven't gone over all the release notes, but there's a good chance those have been fixed.
            Edit: Just saw those are lighttpd hits. The web GUI now uses nginx, so those are definitely fixed.

            Derelict LAYER 8 Netgate

              The webGUI and captive portal were switched to nginx in pfSense 2.3.0, so if the scanner is seeing lighttpd on 2.3.2, it is from something else.

              Could be pfBlocker+DNSBL or Lightsquid, I think. Maybe others.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              johnpoz LAYER 8 Global Moderator
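A quick way to act on the point above (the webGUI is nginx, so any lighttpd the scanner sees belongs to some other daemon) is to list the listening sockets on the firewall itself and see which process owns each one. The following is an added example, not code from the thread or from pfSense: it parses the output of FreeBSD's `sockstat -4 -l`, picks out the lighttpd instances, and prints the `ps` command that will show each instance's argv (and therefore the config file it was started with, which is what identifies the package). The sockstat sample is constructed for the example; the PIDs, the 10.10.10.1 address and the lighttpd ports are assumptions, not captured from a real SG-2440.

```python
from collections import namedtuple

Listener = namedtuple("Listener", "user command pid proto addr port")

# Constructed sample of `sockstat -4 -l` output. It is made up for this example
# and is not captured from a real box; PIDs, addresses and lighttpd ports are guesses.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      44120 6  tcp4   *:443                 *:*
root     nginx      44120 7  tcp4   *:80                  *:*
root     lighttpd   51733 4  tcp4   10.10.10.1:80         *:*
root     lighttpd   51733 5  tcp4   10.10.10.1:443        *:*
root     lighttpd   60218 4  tcp4   *:7445                *:*
unbound  unbound    27004 5  udp4   *:53                  *:*
root     sshd       11887 4  tcp4   *:22                  *:*
"""


def parse_sockstat(text):
    """Parse `sockstat -4 -l` (FreeBSD) into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local = fields[:6]
        addr, _, port = local.rpartition(":")   # "*:443" -> ("*", "443")
        listeners.append(Listener(user, command, int(pid), proto, addr, int(port)))
    return listeners


def listeners_by_command(listeners, command):
    """All sockets owned by a given daemon name, e.g. 'lighttpd'."""
    return [l for l in listeners if l.command == command]


def wan_reachable(listeners, wan_ip):
    """Sockets a WAN scanner could even reach: bound to the WAN address or to '*'.

    A bind on an internal address (the 10.10.10.1 style VIP in the sample) is out of
    reach whatever the rules say; a wildcard bind is reachable only if a WAN rule or
    port forward passes it, which sockstat alone cannot tell you.
    """
    return [l for l in listeners if l.addr in ("*", wan_ip)]


def identify_commands(listeners, command="lighttpd"):
    """Shell commands to run next on the box: show each instance's argv, which
    carries the -f <config> path and so identifies the package that started it."""
    pids = sorted({l.pid for l in listeners_by_command(listeners, command)})
    return ["ps -o pid,args -p %d" % pid for pid in pids]


if __name__ == "__main__":
    ls = parse_sockstat(SAMPLE_SOCKSTAT)
    for l in listeners_by_command(ls, "lighttpd"):
        print("lighttpd pid %d listens on %s:%d" % (l.pid, l.addr, l.port))
    for cmd in identify_commands(ls):
        print("run:", cmd)
```

On the firewall you would feed it real output (`sockstat -4 -l > /tmp/sock.txt`, then parse that file), and the `ps` lines it prints are the ones to run next. Note that a wildcard bind is necessary but not sufficient for the scanner to see a service; the WAN rules decide the rest.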

                Why would your admin GUI be open to the public net anyway? There is ZERO reason for the firewall to open up those ports to pass a PCI compliance scan.

                The only thing that should be open on your box during the scan is the actual services NEEDED to be open for you to do your business. That is not the GUI, that is not anything else. If you're forwarding traffic into 80 for some webserver you're running behind pfSense, then whatever is running there needs to meet compliance.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  bwelch
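The post above turns the question around: rather than asking which lighttpd CVE is or is not fixed, ask which ports the WAN exposes and whether each one is a business service. The following is an added example, not code from the thread or from pfSense, that performs that triage from the scanner's side: it extracts the Server banner from each HTTP response, flags ports that are not on the allowlist of business services, and, for a lighttpd banner, compares the version against the releases that fixed the four CVEs the scan listed. The response heads are constructed for the example (the camera banner and port numbers are invented), and the fixed-in versions are my recollection of the lighttpd 1.4.33 and 1.4.35 release notes, to be verified against the advisories before relying on them.

```python
import re
import socket

# Constructed HTTP response heads, as a PCI scanner would see them from the WAN.
# They are made up for this example, not taken from a real scan.
SAMPLE_RESPONSES = {
    80: b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    443: b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    7445: b"HTTP/1.0 401 Unauthorized\r\nServer: lighttpd/1.4.39\r\n"
          b"WWW-Authenticate: Basic realm=\"lightsquid\"\r\n\r\n",
    8080: b"HTTP/1.1 200 OK\r\nServer: IPCam-HTTPD/2.1\r\n\r\n",
}

# Assumed fixed-in versions, from my recollection of the lighttpd 1.4.33 and
# 1.4.35 release notes; verify against the advisories before relying on them.
LIGHTTPD_FIXED_IN = {
    "CVE-2013-4508": (1, 4, 33),
    "CVE-2013-4559": (1, 4, 33),
    "CVE-2014-2323": (1, 4, 35),
    "CVE-2014-2324": (1, 4, 35),
}


def server_header(raw):
    """Return the Server header value from an HTTP response head, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    m = re.search(r"^Server:\s*(.+?)\s*$", head, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def lighttpd_version(banner):
    """Parse 'lighttpd/1.4.39' into (1, 4, 39); None if not a lighttpd banner."""
    m = re.match(r"lighttpd/(\d+)\.(\d+)\.(\d+)", banner or "", re.IGNORECASE)
    return tuple(int(x) for x in m.groups()) if m else None


def banner_grab(host, port, timeout=3.0):
    """Fetch a response head from a live host (plain HTTP only; not run by the test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        return s.recv(4096)


def audit(responses, allowed_ports):
    """Classify each exposed port: is it a business service, and what serves it?"""
    findings = []
    for port, raw in sorted(responses.items()):
        banner = server_header(raw)
        notes = []
        if port not in allowed_ports:
            notes.append("not a business service: close the WAN rule; use a VPN for remote access")
        ver = lighttpd_version(banner)
        if ver:
            notes.append("lighttpd is not the pfSense webGUI (nginx since 2.3.0); find the package that started it")
            stale = [cve for cve, fixed in LIGHTTPD_FIXED_IN.items() if ver < fixed]
            if stale:
                notes.append("version predates fixes for: " + ", ".join(sorted(stale)))
            else:
                notes.append("version is past the fixed-in releases, so the scanner hit is banner-based; "
                             "the service still should not be on the WAN")
        findings.append({"port": port, "server": banner,
                         "allowed": port in allowed_ports, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES, allowed_ports={80, 443}):
        print("port %d (%s) allowed=%s" % (f["port"], f["server"], f["allowed"]))
        for note in f["notes"]:
            print("    " + note)
```

Against a real firewall you would replace `SAMPLE_RESPONSES` with `{port: banner_grab(wan_ip, port) for port in open_ports}` from the WAN side, and the allowlist with the ports the business actually serves. Anything the audit reports as not allowed is a port forward or WAN rule to remove, whatever version the banner shows.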

                  I wonder if that is the security camera that has remote viewing causing the issue. It is on a different port and a different IP scheme with no access to the LAN network, but I guess the PCI scan would look at all ports and scan the camera as well.

                    Derelict LAYER 8 Netgate

                    Port forwarding in to a security camera and PCI compliance are pretty much mutually-exclusive. Set up a VPN if you need to access the camera from the outside.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.