Netgate Discussion Forum

Remove the nginx file from PFSense

Category: Problems Installing or Upgrading pfSense Software
Tags: web gui, nginx, vulnerability
10 Posts, 4 Posters, 2.0k Views
fer.henrick, Apr 29, 2020, 3:32 PM

    Is it possible to remove the default Nginx file using the PFSense web interface?

    Scanning Tenable detected the default Not Found 404 error page in PFSense.

    Because of this problem, I am unable to earn an ASV Certificate.

    Can you please help me?

NollipfSense @fer.henrick, Apr 29, 2020, 4:23 PM (last edited Apr 29, 2020, 4:51 PM)

      @fer-henrick I imagined that Nginx is the foundation of pfSense webGUI so not sure that's possible without tearing the software apart. What is difficult to grasp is that Nginx alone is somehow preventing you from obtaining an ASV certificate.

      Let's hope others more senior will chime in.

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

johnpoz (LAYER 8, Global Moderator), Apr 29, 2020, 4:50 PM

        @fer-henrick said in Remove the nginx file from PFSense:

        ASV Certificate

        I take it they are talking about a PCI scan? If so, the webgui of pfSense shouldn't be being scanned in the first place..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

fer.henrick, Apr 29, 2020, 8:33 PM

          @NollipfSense, understood.

          I tried altering the settings file.

          I changed the lines to:

          error_page 404 =200 /index.html;

          try_files $uri $uri/ /index.html;

          But it did not work.

          I changed the config line in the file system.inc, but it did not work.

          @johnpoz the firewall is scanned because it has transactions.

          I keep trying, but it is hard!!!!

fer.henrick, Apr 29, 2020, 9:07 PM

            We killed the Nginx config file, and the server didn't generate any errors.

            It should, but there was no mistake!

johnpoz (LAYER 8, Global Moderator), Apr 29, 2020, 9:19 PM (last edited Apr 29, 2020, 9:20 PM)

              @fer-henrick said in Remove the nginx file from PFSense:

              @johnpoz the firewall is scanned because it has transactions.

              No, the firewall webgui does not need to be scanned - because it should not be open to the public in the first place..

              Your external scan, sure - but the web gui is not open to the public, so how would it be scanned? If you are opening up your public IP to any any, you're doing it WRONG!!!


fer.henrick, Apr 29, 2020, 9:36 PM

                @johnpoz you're right.

                Yes I agree.

                However, the firewall is part of the architecture of the PCI environment.

                Transactions pass through the firewall.

                The firewall is not open to the public.

johnpoz (LAYER 8, Global Moderator), Apr 30, 2020, 12:43 PM

                  @fer-henrick said in Remove the nginx file from PFSense:

                  The firewall is not open to the public.

                  Then they wouldn't be seeing anything related to what httpd runs the web gui... What they would be seeing is what you pass through to that actually does your PCI stuff on http/https - nothing to do with pfsense at all.


SteveITS (Galactic Empire), Apr 30, 2020, 3:20 PM

                    There are PCI scans for internal networks, in fact the first search result I found was a Tenable page. Presumably, OP is on a LAN with credit card processing devices.

                    From my experience with PCI scans they identify anything "not perfect" as "problem." For instance against CentOS/RHEL servers some only look at version numbers and not to check whether a vulnerability is actually patched (RHEL doesn't increment version numbers). In the past I've been able to protest/appeal a flagged item and explain the version number is irrelevant.

                    I'm not sure why a 404 error would be a problem. Maybe they are connecting to 192.168.0.1/randomtext and expecting to be redirected to a login page?

                    A quick workaround is to block the IP doing the scanning from accessing the pfSense web GUI. Or just allow access from specific management IPs.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

johnpoz (LAYER 8, Global Moderator), Apr 30, 2020, 3:30 PM
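As an added illustration (not pfSense's generated config and not code from any poster), this plain nginx server block shows the two approaches raised in the thread side by side: a custom 404 page that keeps the correct status code instead of the `=200` rewrite tried above, and an allow/deny list that limits the GUI to a management subnet (the 192.168.0.0/24 range is an assumption). pfSense regenerates its nginx configuration from system.inc, so on pfSense the allowlist belongs in firewall rules as SteveITS suggests; this block only models the effect.

```nginx
# Added example, not pfSense's generated config. pfSense rewrites its own
# nginx config at boot, so these directives model the two changes discussed
# rather than being a durable edit on a pfSense box.
server {
    listen 443 ssl;

    # Hypothetical management subnet; everything else is refused with 403
    # before any page (including a 404 body) is served to it.
    allow 192.168.0.0/24;
    deny  all;

    root /usr/local/www;

    # Without error_page, nginx answers unknown paths with its built-in
    # "404 Not Found" body, which is what the scanner fingerprinted.
    # This keeps the 404 status (correct for clients and monitoring) but
    # serves a site-specific body instead of the default one.
    error_page 404 /404.html;
    location = /404.html {
        internal;   # reachable only via error_page, never by direct request
    }

    location / {
        # Fall through to a real 404 rather than masking it as 200 /index.html,
        # which would hide broken links from logs and monitoring too.
        try_files $uri $uri/ =404;
    }
}
```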

                      An internal scan is only if your service provider... And you sure as hell do not need to make the web gui of pfSense available on the networks that are involved in the PCI..

                      For example - we are service provider, we host stuff that is PCI for customers... We don't need to scan the management vlan, only need to scan the networks that are directly involved in the processing of the payments..

                      We are not scanning every single network in the company... You only need to scan the network related to your PCI environment.. If your switches and/or routers and firewall interfaces are available on your PCI networks - you're doing it wrong!
