
Topic: Add a header to webConfigurator server


rock99x
Add a header to webConfigurator server
« on: February 14, 2018, 03:08:54 pm »
I'm getting failures from Qualys security scans of my pfSense boxes for missing this header in the connection to the webConfigurator

HTTP Security Header Not Detected

X-XSS-Protection HTTP Header missing on port 443.

They want this in the output of the server connection.

X-XSS-Protection "1; mode=block"

I made the change to the /etc/inc/system.inc file so it was included.

Is there a way to make this change permanent or will that be something pfSense will have to include in their updates?

Thanks,
Chuck

Gertjan
Re: Add a header to webConfigurator server
« Reply #1 on: February 15, 2018, 04:03:54 am »
Hi,

You got it backwards.
The GUI should be visible from LAN only, as it was set up when you installed, not from WAN. The GUI should never, ever be exposed on WAN; it isn't built for that.
If you need to access the GUI from the WAN side, use the VPN facilities built into pfSense.

https://www.ssllabs.com/ssltest/ is a tool to test public web sites. The GUI is everything but a public web site.

johnpoz
Re: Add a header to webConfigurator server
« Reply #2 on: February 16, 2018, 05:39:13 am »
While I agree completely that the web GUI should not be exposed to the public, and really should be limited to admin access from a secure network anyway, why would you not follow current practice for specific headers?

There are many headers that are recommended to be set. Along with X-XSS-Protection, I don't see either

Content-Security-Policy
Referrer-Policy

set as well.

I am not too worried about it since you can only access my GUI from my secure network anyway, from my trusted machine. But again, why not set recommended security headers?

You can view the headers easily with a simple curl to your pfSense GUI from your secure LAN side; no reason to expose it to the public for some test site to hit.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE-p1 (home)
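
As an added illustration of the curl check johnpoz describes (an example script written for this page, not code from the thread or from pfSense): a small POSIX sh helper that reads raw HTTPS response headers from stdin and lists which of the headers discussed above are absent. It goes a little beyond the thread's three headers by also checking X-Frame-Options, X-Content-Type-Options and Strict-Transport-Security, which scanners commonly ask for alongside them. The two sample responses embedded in it are constructed for the demo, not captured from a real pfSense box, and the 192.168.1.1 address in the comments is pfSense's default LAN address, assumed here.

```shell
#!/bin/sh
# Added example, not pfSense code: list which recommended HTTP security
# headers are absent from a response. Feed it raw response headers on stdin:
#   curl -skI https://192.168.1.1/ | missing_headers
# (192.168.1.1 is pfSense's default LAN address; adjust to your GUI address.
#  -k skips verification of the GUI's self-signed certificate.)

# Headers named in the thread, plus three that scanners commonly check
# alongside them. Names are compared case-insensitively.
EXPECTED="x-xss-protection content-security-policy referrer-policy x-frame-options x-content-type-options strict-transport-security"

# missing_headers: read response headers from stdin, print one missing
# header name per line. Returns 0 if every expected header is present,
# 1 if at least one is missing, so it can gate a script.
missing_headers() {
    # Normalise: strip CRs, lower-case, keep only the header names.
    present=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' \
              | sed -n 's/^\([a-z0-9-]*\):.*/\1/p')
    rc=0
    for h in $EXPECTED; do
        if ! printf '%s\n' "$present" | grep -qx "$h"; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample response: what a GUI might return before any headers
# are added by hand (not a capture from a real pfSense box).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Feb 2018 10:00:00 GMT
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
'

# The same constructed response with the headers the scanner and the
# thread ask for added.
FULL_HEADERS="${SAMPLE_HEADERS}X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000
"

# Stand-alone demo: the first sample lists four missing headers, the
# second lists none.
printf '%s' "$SAMPLE_HEADERS" | missing_headers || echo "-> a scanner would flag this response"
printf '%s' "$FULL_HEADERS" | missing_headers && echo "-> all expected headers present"
```

In nginx the header the scanner wants is emitted by add_header X-XSS-Protection "1; mode=block"; inside the server block; on pfSense that config is generated from /etc/inc/system.inc, which is why the original poster edited that file and why the edit is at risk whenever an update replaces it. Two caveats worth knowing: Chrome and Edge have since removed the XSS filter that this header controlled, and Firefox never implemented it, so Content-Security-Policy is the header that does the real work today; the check above still lists X-XSS-Protection only because scanners like the one in the thread keep asking for it. And Strict-Transport-Security is only useful if the GUI is reached by a hostname with a certificate the browser trusts, which the default self-signed certificate is not.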

jimp (Administrator)
Re: Add a header to webConfigurator server
« Reply #3 on: February 16, 2018, 07:26:12 am »
Content-Security-Policy

There's a ticket open for this one: https://redmine.pfsense.org/issues/6647

Not sure about the others. Probably due for a review in general, when that ticket gets addressed. Might drop a comment on there with the others.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

johnpoz
Re: Add a header to webConfigurator server
« Reply #4 on: February 16, 2018, 07:29:01 am »
Thanks jimp. Will take a look and add a comment as appropriate.

rock99x
Re: Add a header to webConfigurator server
« Reply #5 on: February 19, 2018, 10:44:26 am »
In a perfect circumstance, we would limit the admin panel to only known addresses.

This may still be an option, but either way, we are being required by one of our customers to scan our firewall IP externally through Qualys with a PCI compliance scan.

We're failing the Qualys PCI scan and this problem is one on my to-do list to figure out.

Blocking the IP of the firewall from these scans is not an option to keep the customer.

I just need to address this failure with a response and try to come up with a fix that will satisfy Qualys and the customer. "We're working on it" is fine for now. I will probably come up with some kind of cron job or file change detection to edit the system.inc file when it changes to keep the scan compliant.

This will still leave a window of opportunity for the scan to find the problem.

On another note... just my opinion, it's a firewall. If it isn't designed to be directly connected to the Internet, then it probably shouldn't be called a firewall.

Thanks,
Chuck

Gertjan
Re: Add a header to webConfigurator server
« Reply #6 on: February 19, 2018, 11:26:08 am »
....
But, ok, I'm curious now. I'll open up my WAN on port 443 tomorrow for GUI access, and test the access with ssllabs.com.
I'm not an nginx expert, but I guess I can come up with a small edit that will make the GUI comply.
Done.

It took me some time to set up my DNS, so pfsense.brit-hotel-f*m*l.n*t points to my WAN IP.
Opened WAN GUI access and launched the test : (see image).

My conclusion : The nginx web server used by pfSense is ok - nothing to add or remove.
An A+ out of the box.


PS : I'll throw in a CAA record for even more green ;)
« Last Edit: February 20, 2018, 07:50:05 am by Gertjan »

johnpoz
Re: Add a header to webConfigurator server
« Reply #7 on: February 19, 2018, 12:27:34 pm »
"Blocking the IP of the firewall from these scans is not an option to keep the customer."

Huh??  Your customer seems like they don't understand what is going on here.  While I agree that putting in a special rule that blocked the scanning IP would be wrong and a reason to fail PCI compliance, where in the PCI compliance documentation does it say that you have to OPEN up a port to the outside to scan it when that service is never meant to be open to the internet... That is just stupid...

That is like complaining that the PIN on the door to the bathroom in the building is only 4 digits when the only way to get access to the bathroom is to get into the building first, where you have a key to the outside door, which you also have to have a 12 digit PIN for, and also pass a bio security check, and get past the security ninja that guards the door. Because some doc says PINs on doors have to be a minimum of 6 digits.. Think for 2 seconds..

They are complaining about a header that will never ever be open to the public internet anyway..

Open up the ports you need to forward through pfSense and let them scan.. They should not be scanning the pfSense web GUI on the public interface for PCI compliance..  It makes ZERO sense!!!

Yes, you need to do a pentest against your firewall's public IP.. But specifically opening up the GUI just so you can scan it is not what a pentest is at all..   Did you have the GUI open to the public for some reason when they did your first scan?  If so, the solution to the problem is that that port has since been closed: the web GUI of the firewall is no longer available to the public internet... See, here is the scan to prove it; there is no specific firewall rule blocking anyone from scanning anything..

While there is a Redmine ticket about what headers could be set, etc., and I agree some should be set just out of best practice, doing so has little to do with a pentest or PCI compliance scan.
« Last Edit: February 19, 2018, 12:39:59 pm by johnpoz »

rock99x
Re: Add a header to webConfigurator server
« Reply #8 on: February 19, 2018, 12:53:25 pm »
I totally agree, it makes no sense to me either. If the IP is not open for inbound traffic, then it's secure, right?

Sounds like it should pass the test to me too.

Unfortunately, I was told this isn't the case with the scan we are required to get.

I'm even having an issue with an IP that is not assigned to a firewall, but is in fact a NAT IP address on a Cisco router. There is no way to make that IP ping. That is not how NAT works on those devices. So they are requiring me to port forward to a reachable host on that IP.

To me that sounds like the opposite of securing the IP, doesn't it?

If I have to guess, it looks like it comes from the "scanning procedures" section in the PCI requirements doc.
https://www.pcisecuritystandards.org/pdfs/pci_scanning_procedures_v1-1.pdf

"The ASV must scan all filtering devices such as firewalls or external
routers (if used to filter traffic). If a firewall or router is used to establish a
demilitarized zone (DMZ), these devices must be scanned for
vulnerabilities"

So technically, if the IP isn't available to scan, it fails the scan... ?

I don't know, I'm just trying to get the PCI scan to pass for the boss.

Thank you for all the help guys.

Chuck

jimp (Administrator)
Re: Add a header to webConfigurator server
« Reply #9 on: February 19, 2018, 12:55:54 pm »
Sounds like someone who doesn't know how to run a scanner. Some default to skipping an address if ping fails. OpenVAS would do that, but it's a simple flag to switch in the scan config.

johnpoz
Re: Add a header to webConfigurator server
« Reply #10 on: February 19, 2018, 01:11:05 pm »
^ Yup, I bet that is the case for sure. You should never open anything special for a scan... Just because an IP doesn't answer ping doesn't mean that 443 is not open, etc.  But yeah, out of the box even a typical nmap scan, unless you tell it NOT to, will ping first before running the rest of the scan, etc.

Which is funny, since you'd then probably be hit for answering ping ;) if you open that up to allow ICMP echo.

Are you kicking off the scan.. Or is the customer or 3rd party running the qualys scan?

Gertjan
Re: Add a header to webConfigurator server
« Reply #11 on: February 20, 2018, 07:51:37 am »
Oops, instead of replying I edited an old message.
Anyway, the results are here : https://forum.pfsense.org/index.php?topic=144026.msg784950#msg784950 (surprise !!)

edit : I'll leave my WAN IP open for a couple of hours, so everybody can "test".

Also : pretty nice result actually for a connected-device GUI. What was the question again? Because now I think I didn't understand the question.
« Last Edit: February 20, 2018, 07:57:31 am by Gertjan »

johnpoz
Re: Add a header to webConfigurator server
« Reply #12 on: February 20, 2018, 07:58:06 am »
That is great but that is not a PCI compliance scan - that is just a ssl scan..

Gertjan
Re: Add a header to webConfigurator server
« Reply #13 on: February 20, 2018, 08:14:57 am »
.. as I just figured out.
And these scans are not for free of course.

Quote:
"Any company that accepts, processes, or stores credit card information needs to comply with the requirements set by the Payment Card Industry Security Standards Council. Merchants passing a free PCI Scan will receive the official certification they need to submit to their acquiring bank."

What has the pfSense web GUI to do with money transactions?

johnpoz
Re: Add a header to webConfigurator server
« Reply #14 on: February 20, 2018, 10:19:53 am »
"What has the pfSense WEB GUI to do with money transactions ?"

Nothing ;)  But the PCI scan looks for specific things at the target IP. The pfSense web GUI would never come into play, but there might be some web server that is part of the transaction, etc.  Say something you port forwarded on pfSense to something behind it.

Since the OP opened up the web GUI to the scan, then it would have to meet those requirements.  Our point has been that, as you correctly stated, the pfSense web GUI should not be under scan since it should/would never be available in the path of compliance..

My takeaway from this whole mess is that there are some best-practice headers that can be added, even when the web GUI is never open to the internet or would need to pass a PCI scan.  It is a good thing to use best practices from a security standpoint for headers, etc.  I am sure they will get to it, but I'm pretty sure there are more pressing matters, since I think we all agree the pfSense web GUI should never be opened up to the public internet for any reason.  Let alone PCI.

It's great to see that it's getting an A+ from an SSL point of view.

Nice to see pfsense.org getting an A+ as well, but they should probably add the CAA entry in DNS as well, which is currently missing ;)
« Last Edit: February 20, 2018, 10:29:51 am by johnpoz »