Our vulnerability scanner has reported several issues with the web server’s configuration in FreePBX 14.
I have no problem with correcting the issues; however, all the config files are autogenerated. How do I ensure that my changes won’t be reverted in the next upgrade?
The primary issues detected are weak ciphers being offered, the HttpOnly cookie flag not being set, and clear-text passwords on port 81.
Also, installing mod_security would be a good touch. Has anyone done that without any negative side effects?
Mod security is not a good solution. What should the ciphers be? And HttpOnly will break FreePBX and PHP. Clear-text passwords are pretty normal; configure HTTPS and that will solve that issue.
Security scanners are very broad and don’t take into account many factors. They end up giving you a false sense of security.
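For the cipher and HTTPS points raised in this thread, here is an added example of an Apache 2.4 drop-in (not from the thread, and not FreePBX’s own generated config) that replaces the scanner-flagged settings with a hardened TLS policy and turns the plain-text listeners into redirects. The file location, hostname, certificate paths and port mapping are assumptions; whether the FreePBX config generator leaves a separately named drop-in alone has to be checked against your install.

```apache
# Constructed "before" of the kind a scanner flags (shown for contrast only):
#   SSLProtocol    all
#   SSLCipherSuite DEFAULT
#   no SSLHonorCipherOrder, login forms served over plain HTTP on :80 and :81

# Assumed location: /etc/httpd/conf.d/zz-pbx-hardening.conf
<IfModule mod_ssl.c>
    # Only TLS 1.2+; drops SSLv3/TLS 1.0/1.1 that weak-cipher findings usually hinge on
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1
    # Forward-secret AEAD suites only: no RC4, 3DES, CBC-SHA1 or export ciphers
    SSLCipherSuite        ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder   on
    SSLCompression        off
    SSLSessionTickets     off

    <VirtualHost *:443>
        ServerName            pbx.example.internal
        SSLEngine             on
        SSLCertificateFile    /etc/pki/tls/certs/pbx.crt
        SSLCertificateKeyFile /etc/pki/tls/private/pbx.key
        <IfModule mod_headers.c>
            # Tell browsers to stay on HTTPS for a year once they have seen it
            Header always set Strict-Transport-Security "max-age=31536000"
        </IfModule>
        DocumentRoot /var/www/html
    </VirtualHost>
</IfModule>

# Plain-text listeners answer only with a redirect, so no password crosses in clear
<VirtualHost *:80>
    ServerName pbx.example.internal
    Redirect permanent / https://pbx.example.internal/
</VirtualHost>

# Port 81 is the listener the scanner complained about; 8443 is an assumed
# HTTPS listener for the same application, so match it to your port mapping
<VirtualHost *:81>
    ServerName pbx.example.internal
    Redirect permanent / https://pbx.example.internal:8443/
</VirtualHost>
```

Validate with `apachectl configtest` before reloading, and re-run the scanner after the next FreePBX upgrade to confirm the drop-in and its cipher list are still in effect.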