SSL Warnings

I have an SFTP server in my DMZ. There's a DNAT entry and a firewall policy allowing access from Internet IPv4 using port 22 to the server. No other ports are open. No SSL cert is installed on the server.

When we run a pen test from outside the company, it's throwing a bunch of SSL errors.

SSL Certificate Cannot Be Trusted, SSL Certificate with Wrong Hostname, SSL Self-Signed Certificate

Turns out, the scanner is returning info from the UTM's SSL cert. How do I fix this?

This thread was automatically locked due to age.
  • Thanks Kevin, that explains a lot. We are using REDs, so that port is open.

    Why is it answering a NATted IP? Can I stop it from doing that?

  • PCI tests are all automated and no human at your testing service looks at anything closely enough other than to say, "It looks like you have some things to work on."  It's a pet peeve of mine that they don't even keep track of your responses to the same issues at the prior test - you just need to keep that ready for them for the next time...

    I've seen the argument made that the RED connection is actually more secure with a self-signed cert as that actually makes it more difficult for someone to gain access for nefarious purposes.  After all, it's not like this is something open to the public or that there is anything that the tester could see - their tests are not that sophisticated.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Why is the UTM responding to port 3400 on all IPs?

  • It would be a feature request to be able to limit that as one can limit User Portal access.  The workaround is a blackhole DNAT for such traffic arriving on the "(Address)" objects you don't want to respond (see #2 in Rulz).

    Cheers - Bob

  • So I would just set up a DNAT rule like so:

    Traffic from Internet IPv4
    Port 3400
    To the outside NATted address of my SFTP server

    Routed to a nonexistent server?

  • Yes, just be sure the blackhole DNAT is above the DNAT for your SFTP server.

    Cheers - Bob

  • Is there a security risk associated with this port being open? I suspect there is, so I would raise it as such with support. The same behavior occurs with SMTP 25, but there is no incremental risk because port 25 is already open on the internet, and the traffic flows into the MTA in the same manner from any source IP. In this case, it seems 3400 should not be exposed at all.

  • This seems to have been fixed in one of the newer versions of firmware.
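An added check, not part of the original thread and not Sophos tooling: a small Go program that does what the PCI scanner did above (connects to the NATted address on TCP/3400, records whatever certificate answers, and applies the three checks the scanner reported), so you can confirm from outside that the blackhole DNAT, or the newer firmware, has stopped the UTM answering on the SFTP server's address. The names and address used (utm.example.internal, sftp.example.com, 203.0.113.10) are placeholders, and the self-signed certificate it builds for the offline run is a constructed stand-in for the UTM's default cert, not the appliance's real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// The three findings the PCI scanner reported in the thread.
const (
	Untrusted     = "SSL Certificate Cannot Be Trusted"
	WrongHostname = "SSL Certificate with Wrong Hostname"
	SelfSigned    = "SSL Self-Signed Certificate"
)

// Classify applies the scanner's three checks to the chain a listener presented.
// chain[0] is the leaf; expectedHost is the name the public IP is published under
// (the SFTP server's name, not the UTM's); roots nil means the system trust store.
func Classify(chain []*x509.Certificate, expectedHost string, roots *x509.CertPool) []string {
	if len(chain) == 0 {
		return nil
	}
	leaf := chain[0]
	var findings []string

	// Cannot be trusted: no path from the leaf to a trusted root; the rest of the
	// chain is offered as intermediates, as a scanner would.
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}); err != nil {
		findings = append(findings, Untrusted)
	}
	// Wrong hostname: the SAN list does not cover the name the address is known by.
	if err := leaf.VerifyHostname(expectedHost); err != nil {
		findings = append(findings, WrongHostname)
	}
	// Self-signed: issuer equals subject and the cert validates its own signature.
	// CheckSignature is used instead of CheckSignatureFrom because appliance default
	// certs usually lack CA:TRUE, which CheckSignatureFrom would reject.
	if leaf.Issuer.String() == leaf.Subject.String() &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		findings = append(findings, SelfSigned)
	}
	return findings
}

// Has reports whether a finding label is present in a Classify result.
func Has(findings []string, label string) bool {
	for _, f := range findings {
		if f == label {
			return true
		}
	}
	return false
}

// Probe connects to addr (host:port) the way the scanner does and returns the chain
// the listener presents. Verification is deliberately skipped: the point is to see
// what answers. A timeout or refused connection means nothing is listening there,
// i.e. the blackhole DNAT (or a fixed firmware) is doing its job.
func Probe(addr string) ([]*x509.Certificate, error) {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// NewSelfSignedCert builds a constructed stand-in for an appliance's default
// self-signed certificate (not a real UTM certificate) so Classify can run offline.
func NewSelfSignedCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Offline run: a UTM-style cert checked against the SFTP name the NATted address
	// is published under produces all three scanner findings.
	cert, err := NewSelfSignedCert("utm.example.internal", []string{"utm.example.internal"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("constructed UTM-style cert:", Classify([]*x509.Certificate{cert}, "sftp.example.com", nil))
	// Live run from outside, e.g. `go run . 203.0.113.10:3400 sftp.example.com`
	// (placeholder address); repeat it after adding the blackhole DNAT.
	if len(os.Args) == 3 {
		chain, err := Probe(os.Args[1])
		if err != nil {
			fmt.Printf("%s: no TLS listener answered (%v)\n", os.Args[1], err)
			return
		}
		fmt.Printf("%s presents %s issued by %s: %v\n", os.Args[1], chain[0].Subject, chain[0].Issuer, Classify(chain, os.Args[2], nil))
	}
}
```

Run it once against the SFTP server's public address on port 3400 before the blackhole DNAT to see the UTM's own certificate reported, then again after: a dial timeout or refused connection is the result the scanner should now get on that address. Port 22 is unaffected, since the SFTP server never spoke TLS there in the first place.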