Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Claudio Thomas
On 29.07.2015 18:02, Vick Khera wrote: > On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz wrote: > >> Again, I agree with you that this shouldn't affect your score. I am >> simply explaining why they do it. > based on this explanation, i agree. there's no reason for them to demand > your certifica

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-29 Thread Vick Khera
On Tue, Jul 28, 2015 at 4:12 PM, Moshe Katz wrote: > Again, I agree with you that this shouldn't affect your score. I am > simply explaining why they do it. > based on this explanation, i agree. there's no reason for them to demand your certificate also signs any other domain name as long as i

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Moshe Katz
On Tue, Jul 28, 2015 at 3:54 PM, Ryan Coleman wrote: > > > On Jul 28, 2015, at 2:50 PM, Moshe Katz wrote: > > > > On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera wrote: > > > >> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman > >> wrote: > >> > >>> I have an issue with Qualy’s: Th

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Ryan Coleman
> On Jul 28, 2015, at 2:50 PM, Moshe Katz wrote: > > On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera > wrote: > >> On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman >> wrote: >> >>> I have an issue with Qualy’s: They ding my certification because I have >>> domain.com >>> >

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Moshe Katz
On Tue, Jul 28, 2015 at 3:44 PM, Vick Khera wrote: > On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman > wrote: > > > I have an issue with Qualy’s: They ding my certification because I have > > domain.com > > > > > > > > on it and not www.domain.com > > > >

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-28 Thread Vick Khera
On Sun, Jul 26, 2015 at 10:31 PM, Ryan Coleman wrote: > I have an issue with Qualy’s: They ding my certification because I have > domain.com > > > > on it and not www.domain.com > > > > (multi-site cert). > > That’s not a reason to lower a score on

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-26 Thread Ryan Coleman
> On Jul 25, 2015, at 2:02 AM, Chris Buechler wrote: > > On Fri, Jul 24, 2015 at 8:11 PM, Ryan Coleman wrote: >> >>> On Jul 24, 2015, at 7:18 PM, Ted Byers wrote: >>> >>> On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler wrote: >>> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers wrote:

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-25 Thread Chris L
> On Jul 24, 2015, at 5:18 PM, Ted Byers wrote: > > On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler wrote: > >> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers wrote: >>> This is an external scan. We forward ports such as 443 and 22 to >> specific >>> Ubuntu machines. But both sshd and apache ha

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-25 Thread Chris Buechler
On Fri, Jul 24, 2015 at 8:11 PM, Ryan Coleman wrote: > >> On Jul 24, 2015, at 7:18 PM, Ted Byers wrote: >> >> On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler wrote: >> >>> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers wrote: This is an external scan. We forward ports such as 443 and 22 to >>

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ryan Coleman
> On Jul 24, 2015, at 7:18 PM, Ted Byers wrote: > > On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler wrote: > >> On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers wrote: >>> This is an external scan. We forward ports such as 443 and 22 to >> specific >>> Ubuntu machines. But both sshd and apache ha

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
On Fri, Jul 24, 2015 at 6:29 PM, Chris Buechler wrote: > On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers wrote: > > This is an external scan. We forward ports such as 443 and 22 to > specific > > Ubuntu machines. But both sshd and apache have been configured to accept > > only TLS1.2 > > > > In the

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Chris Buechler
On Fri, Jul 24, 2015 at 5:20 PM, Ted Byers wrote: > This is an external scan. We forward ports such as 443 and 22 to specific > Ubuntu machines. But both sshd and apache have been configured to accept > only TLS1.2 > In the case of forwarded ports it's the Ubuntu machines that are triggering it

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Chris Buechler
On Fri, Jul 24, 2015 at 3:51 PM, Ted Byers wrote: > I have checked our installation of our website (a classic protected LAN > with a DMZ formed by two pfsense machines serving as our inner and outer > firewall, and one machine in the DMZ and the rest behind the inner > firewall) using a PCI scanne

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Yehuda Katz
If you are forwarding the ports to other machines, it is those machines which need an update, not pfSense. This is the test: get out your ssh client of choice and connect to the port from outside. If you get something that is not pfSense, then upgrading ssh on your firewall isn't going to help. -

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
Thanks. I will do this this evening. Thanks ted On Fri, Jul 24, 2015 at 6:18 PM, David Burgess wrote: > On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers wrote: > > Thanks for this. I'd hoped it would be as simple as apt-get-update && > > apt-get upgrade && apt-get update openssh-server. That is,

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
This is an external scan. We forward ports such as 443 and 22 to specific Ubuntu machines. But both sshd and apache have been configured to accept only TLS1.2 Port 443 must be open to support the web server in our DMZ, and we need ssh to connect to each machine for administration purposes. (if

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread David Burgess
On Fri, Jul 24, 2015 at 4:14 PM, Ted Byers wrote: > Thanks for this. I'd hoped it would be as simple as apt-get-update && > apt-get upgrade && apt-get update openssh-server. That is,whatever the > equivalent of apt-get is on a pfsense machine, I'd hoped it would be a > command invoked from ssh t

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
Thanks for this. I'd hoped it would be as simple as apt-get-update && apt-get upgrade && apt-get update openssh-server. That is, whatever the equivalent of apt-get is on a pfsense machine, I'd hoped it would be a command invoked from ssh to ask the system to check for updates and apply any found.

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ted Byers
We have version 2.2.2. What is the easiest way to upgrade one minor version? On Ubuntu, I'd use 'apt-get update' and/or 'apt-get upgrade', or one of the variants thereof. But, if I understand correctly, pfsense is built on FreeBSD, about which I know nothing. Thanks Ted On Fri, Jul 24, 2015 a

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Steve Yates
Ted Byers wrote on Fri, Jul 24 2015 at 3:51 pm: > First, the scanner complains that TLS1 is supported and we need to restrict > it to TLS1.2. > Second, it appears that ssh-server on pfsense is version 6.6 Is this an internal scan or external? Hopefully those aren't exposed externally.

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Adam Thompson
I'm 95% sure the answer is "wait for the developers to fix those issues" and/or "become a developer and fix those issues" :-). Configuration of lighttpd is controlled by the pfSense management framework, so once you discover the correct invocation, you could locally modify the PHP file that ge

Re: [pfSense] How do I harden my pfsense install WRT TLS and ssh?

2015-07-24 Thread Ryan Coleman
First off you’d upgrade the installation of pfSense - what version do you have installed/running? The current version is 2.2.3. > On Jul 24, 2015, at 3:51 PM, Ted Byers wrote: > > I have checked our installation of our website (a classic protected LAN > with a DMZ formed by two pfsense machine