HTTP Security

Our vulnerability scanner has reported several issues with the web server's configuration in FreePBX 14.
I have no problem with correcting the issues; however, all the config files are autogenerated. How do I ensure that my changes won't be reverted in the next upgrade?

The primary issues detected are regarding weak ciphers being offered, the HttpOnly cookie flag not being set, and clear-text passwords on port 81.

Also, installing mod_security would be a good touch. Has anyone done that without any negative side effects?

Thanks,
Kirk

mod_security is not a good solution. What should the ciphers be? And HttpOnly will break FreePBX and PHP. Clear-text passwords are pretty normal; configure HTTPS and that will solve that issue.

Security scanners are very broad and don't take into account many factors. They end up giving you a false sense of security.

The weak ciphers identified are:
TLS1_ECDHE_RSA_WITH_DES_192_CBC3_SHA
TLS1_EDH_RSA_DES_192_CBC3_SHA
TLS1_RSA_DES_192_CBC3_SHA
TLS1_ECDHE_RSA_WITH_DES_192_CBC3_SHA
TLS1_EDH_RSA_DES_192_CBC3_SHA

I had https configured and ran into problems. I thought I had them resolved but apparently I just disabled it.
I’ll work on getting it re-enabled.
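To make the cipher finding actionable, here is an added example (not part of this thread and not FreePBX code) in Python that triages scanner-reported cipher-suite names against a small set of weakness rules and emits the matching Apache SSLCipherSuite directive. All five suites listed above are 3DES (DES_192_CBC3), i.e. a 64-bit block cipher, which is the Sweet32 finding (CVE-2016-2183). The sample report is constructed: the five names from the scan plus two extra names in IANA and OpenSSL style to show the normalisation. Which file the directive belongs in on FreePBX 14, given that the Apache config is regenerated, is an assumption the thread does not settle and is left to the reader.

```python
"""Triage TLS cipher-suite names from a scanner report and build the Apache
SSLCipherSuite exclusion that removes them.  Added example; not FreePBX code."""
import re
from typing import Dict, List, Tuple

# Constructed sample report: the five suites from the thread (scanner naming)
# plus two extra names to exercise IANA/OpenSSL naming.  Not a real scan.
SCANNER_REPORT = [
    "TLS1_ECDHE_RSA_WITH_DES_192_CBC3_SHA",
    "TLS1_EDH_RSA_DES_192_CBC3_SHA",
    "TLS1_RSA_DES_192_CBC3_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",       # constructed, IANA style, weak
    "ECDHE-RSA-AES256-GCM-SHA384",     # constructed, OpenSSL style, strong
]

# (label, regex on the normalised name, reason, OpenSSL cipher-list keyword)
# The keyword is what goes after "!" in an SSLCipherSuite string.
WEAKNESS_RULES: List[Tuple[str, str, str, str]] = [
    ("3DES", r"3DES|DES_192|DES_CBC3|DES_EDE",
     "64-bit block cipher, Sweet32 (CVE-2016-2183)", "3DES"),
    ("DES", r"(?<!3)DES_CBC_|DES_64|DES_40", "56-bit key", "DES"),
    ("RC4", r"RC4", "biased keystream", "RC4"),
    ("NULL", r"NULL", "no encryption", "eNULL"),
    ("EXPORT", r"EXP(ORT)?_", "export-grade key length", "EXPORT"),
    ("MD5", r"_MD5$", "MD5 MAC", "MD5"),
    ("ANON", r"ADH|AECDH|DH_ANON|ECDH_ANON", "anonymous key exchange", "aNULL"),
]


def normalise(name: str) -> str:
    """Map scanner, IANA and OpenSSL spellings onto one token form."""
    return name.upper().replace("-", "_")


def classify(name: str) -> List[Tuple[str, str]]:
    """Return (label, reason) for every weakness rule the suite matches."""
    n = normalise(name)
    return [(label, reason) for label, pat, reason, _ in WEAKNESS_RULES
            if re.search(pat, n)]


def triage(names: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Per-suite verdict; an empty list means no rule fired."""
    return {name: classify(name) for name in names}


def exclusion_keywords(names: List[str]) -> List[str]:
    """OpenSSL keywords to negate, in rule order, one per weakness found."""
    found: List[str] = []
    for _, pat, _, kw in WEAKNESS_RULES:
        if kw not in found and any(re.search(pat, normalise(n)) for n in names):
            found.append(kw)
    return found


def apache_directives(names: List[str]) -> str:
    """Build the Apache lines.  '!3DES' must be explicit: OpenSSL 1.0.x
    still counts DES-CBC3 as HIGH, so 'HIGH' alone does not drop it."""
    base = ["HIGH", "!aNULL", "!eNULL", "!MD5"]
    extra = ["!" + kw for kw in exclusion_keywords(names) if "!" + kw not in base]
    return "\n".join([
        "SSLCipherSuite " + ":".join(base + extra),
        "SSLHonorCipherOrder on",
    ])


if __name__ == "__main__":
    for suite, verdict in triage(SCANNER_REPORT).items():
        print(suite, "->", verdict or "ok")
    print(apache_directives(SCANNER_REPORT))
```

After applying the directive, re-run the scan or check from a client with `openssl s_client -cipher 'DES-CBC3-SHA' -connect host:443`, which should now fail the handshake; the same directive also applies to the port 81 virtual host once it is moved to HTTPS as the reply above suggests.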

Ok. If you have time, open an issue for the ciphers. That's an easy fix.

Done. - Thanks
https://issues.freepbx.org/browse/FREEPBX-19002