Netgate Discussion Forum
    [PCI Result] Vulnerable SSH versions

    Problems Installing or Upgrading pfSense Software

      fernando.domenike

      I did a vulnerability scan with Tenable and vulnerable SSH versions were detected. Look:

      • OPIE w/ OpenSSH Account Enumeration
      • OpenSSH < 7.6
      • OpenSSH S/KEY Authentication Account Enumeration
      • OpenSSH >= 2.3.0 AllowTcpForwarding Port Bouncing

      Four SSH vulnerabilities were found; how can I justify or provide evidence for passing PCI?

        johnpoz LAYER 8 Global Moderator

        Not sure why SSH would be open to the PCI path of data flow? Turning it OFF would be the simple solution ;)

        Where does it say when doing PCI certification that you need to scan SSH on the firewall when it is only available via the management network?

        If that were the case you should be scanning all your switches with SSH from, say, Cisco; they sure as F are not greater than 7.6 ;) for example..

        The key to passing pci compliance is to scan what is required to be scanned - not every freaking device in your whole network ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          jimp Rebel Alliance Developer Netgate

          FreeBSD patches relevant vulnerabilities without updating the visible version, especially if it's being probed remotely. If it's guessing purely on version number then it's almost certainly incorrect.

          If you can cite specific CVE IDs it would make searching FreeBSD easier to find relevant fixes.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

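An added example (not from this thread or from Netgate) of why a banner-only rule such as "OpenSSH < 7.6" misfires on a vendor build: it parses RFC 4253 identification strings, applies the numeric comparison a banner-based scanner uses, and separately surfaces the FreeBSD build tag that the numeric compare ignores. The banner strings are constructed samples, not captured from a pfSense host.

```python
import re
from typing import NamedTuple, Optional, Tuple

# RFC 4253 identification string: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")
# OpenSSH software field, e.g. "OpenSSH_7.5p1" (portable "pN" suffix optional)
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p\d+)?$")

class Banner(NamedTuple):
    proto: str
    software: str
    comment: str

def parse_banner(line: str) -> Banner:
    """Split one identification string into its three RFC 4253 fields."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return Banner(m.group("proto"), m.group("software"), m.group("comment") or "")

def openssh_version(software: str) -> Optional[Tuple[int, int]]:
    """(major, minor) for an OpenSSH software field; None for other servers."""
    m = OPENSSH_RE.match(software)
    return (int(m.group("major")), int(m.group("minor"))) if m else None

def version_rule_flags(line: str, threshold: Tuple[int, int] = (7, 6)) -> bool:
    """What a banner-only rule like "OpenSSH < 7.6" does: compare numbers, nothing else."""
    ver = openssh_version(parse_banner(line).software)
    return ver is not None and ver < threshold

def vendor_build_tag(line: str) -> Optional[str]:
    """Comment field of a vendor build (e.g. "FreeBSD-20170903"). The numeric rule never
    reads it, so it cannot see backported fixes; a tag means "check the vendor advisory"."""
    comment = parse_banner(line).comment
    return comment if comment.startswith("FreeBSD-") else None

# Constructed sample banners (hypothetical; not captured from a real pfSense host)
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.5 FreeBSD-20170903\r\n",
    "SSH-2.0-OpenSSH_7.9\r\n",
    "SSH-2.0-dropbear_2019.78\r\n",
]

def triage(lines):
    """software -> (flagged by the numeric rule, vendor build tag or None)."""
    return {parse_banner(l).software: (version_rule_flags(l), vendor_build_tag(l)) for l in lines}

if __name__ == "__main__":
    for sw, (flagged, tag) in triage(SAMPLE_BANNERS).items():
        print(f"{sw:20} flagged={flagged!s:5} vendor_tag={tag}")
```

The 7.5 build is flagged purely on its number while its build tag is the only hint that the fix status has to be looked up against the vendor's advisories, which is the gap jimp describes.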
            fernando.domenike

            The problem with these scans is that they generate vulnerabilities based on banners. :(

            Is it possible to remove the default Nginx page or change the HTML?

              jimp Rebel Alliance Developer Netgate @fernando.domenike

              @fernando-domenike said in [PCI Result] Vulnerable SSH versions:

              The problem with these scans is that they generate vulnerabilities based on banners. :(

              Yes, which is horribly inaccurate. Though the alternative is actively attempting to exploit the problems for which it's scanning but that's much more disruptive.

              Is it possible to remove the default Nginx page or change the HTML?

              Where are you seeing that used? It's certainly not offered by the GUI web service by default. The default file is in /usr/local/www/nginx-dist/index.html but that directory is not served by the GUI web server.

              Maybe it's from an add-on package you're running, or maybe it's actually scanning something to which you are forwarding a port and not pfSense directly.

                johnpoz LAYER 8 Global Moderator

                Are you doing the external scan or the internal scan? The scope of what actually needs to be scanned when you're doing the internal one is open to interpretation for sure. But your SSH and/or web GUI should not be available on any network that would be involved in your PCI process.

                If so, you're doing basic security wrong - and should fail compliance just for that, whether the services have open vulnerabilities or not..

                When you go for PCI compliance - you don't have to scan your PC network, or your IoT network for example. So why are you scanning a management network that can only be accessed via access controls in the first place..

                And you only have to do an internal scan if you're a provider, etc. When you do an internal scan, only high or critical stuff has to be addressed. And since it's an internal scan you can apply your own risk assessment and take into account restricted access, segregation of the network, likelihood of attack from the outside, etc. etc..

                These sorts of services should not be available at all to any network that is dealing with the PCI equipment. Therefore scans of such services, like the web GUI of a switch or router or firewall that is only available via a restricted network with other security controls on access, would be mitigated to a very low risk no matter what the vulnerability of said service..

                Which vendor are you having do that scan that is saying the pfSense SSH service is an issue?

                  fernando.domenike

                  @johnpoz, I'm doing the External PCI Scan.
                  It is a banking startup.
                  We need the ASV Certificate to continue operating.

                  I'm using Tenable.

                  Nginx was also identified because of the banner.

                  Is there any plan for Netgate to mitigate these "vulnerabilities"? For example, changing the SSH banner and the default error page?

                  We will disable SSH.

                  @johnpoz and @jimp thanks a lot for the help.

                    johnpoz LAYER 8 Global Moderator

                    So this is an external scan - wtf do you have ssh or web gui open on your public IP for?

                    Neither SSH nor the GUI is open to the public internet out of the box.. You would have had to open those ports up on purpose - why would be the big question?

                      fernando.domenike

                      No.

                      It is segmented. ;)

                        johnpoz LAYER 8 Global Moderator

                        If SSH is not open to your external scan, then it wouldn't show up in their scans. If you forwarded stuff, then the destination device is what you have to fix, not pfSense.

                          fernando.domenike

                          The team created rules for Tenable to access and execute the scan.

                          But the "external scan" follows the bank's architecture.
                          It is not open to the world; it is segmented.

                          They are afraid the pfSense application will not work and they will lose access to the server.

                            johnpoz LAYER 8 Global Moderator

                            @fernando-domenike said in [PCI Result] Vulnerable SSH versions:

                            The team created rules for Tenable to access and execute the scan.

                            Well that is the failure right there - there is nothing in the PCI compliance testing that says a firewall has to be set to ANY ANY on its WAN for a scan..

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.