PCI Scanning Being Blocked

Discussion in 'Security' started by Mr_Kings, Feb 29, 2016.

  1. Mr_Kings

    Mr_Kings Registered

    Hello!

    We have a customer who is set up with ControlScan (Axia) for their PCI compliance. The last scan resulted in a "scan may have been dynamically blocked by an IPS" for port 80.

    I have PS_INTERVAL set to 0 in my CSF configuration, and I have ControlScan's scanning IP range but I'm not sure if I need to set that somewhere or not. Is there a way to disable the port-scanning detection/blocking temporarily or for an IP range? I have blocked all non-essential ports that we aren't using (143, 995, 25, etc.) from the public.

    I have already posted on the CSF forums, but have received no reply. Hoping someone on here can help, thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Have you tried whitelisting the IP range in the csf.allow file? It's documented at:

    http://download.configserver.com/csf/readme.txt

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    You should never put a PCI vendor in csf.allow. Add their IP ranges to csf.ignore.

    This will allow them to probe without being blocked, but will not cause you headaches with ports being mistakenly reported as "open", such as 3306 for MySQL, which will cause your scan report to be in failing status. If you put an IP range in csf.allow, every port appears open. You only need to 'ignore' them for LFD.

    Be sure to fully restart csf AND lfd after making this change, either via WHM, or on a root shell with:

    Code:
    csf -x ; csf -e 
    
     
    cPanelMichael likes this.
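
The csf.allow versus csf.ignore distinction from the post above, as a pre-scan check. This is an added example, not part of the original thread or of CSF itself; the function names are hypothetical, the file contents are constructed samples embedded inline, and the scanner ranges are documentation placeholders rather than any vendor's real ranges.

```python
import ipaddress

# Constructed sample file contents (documentation ranges, not a real vendor's).
SAMPLE_ALLOW = """\
192.0.2.10 # office workstation
198.51.100.0/24 # PCI scanner, added by mistake
tcp|in|d=3306|s=203.0.113.5
"""
SAMPLE_IGNORE = """\
127.0.0.1
203.0.113.0/24 # PCI scanner
"""
SCANNER_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]  # placeholders


def parse_entries(text):
    """Return plain IP/CIDR entries; comments, Include lines and
    advanced port filters do not parse as networks and are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def audit(scanner_ranges, allow_text, ignore_text):
    """Flag scanner ranges that are in csf.allow or missing from csf.ignore."""
    allow, ignore = parse_entries(allow_text), parse_entries(ignore_text)
    findings = []
    for cidr in scanner_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        # Any overlap with csf.allow means those scanner IPs bypass the port filter.
        if any(a.version == net.version and a.overlaps(net) for a in allow):
            findings.append((cidr, "in_allow"))
        # The whole range must sit inside a csf.ignore entry for lfd to skip it.
        if not any(i.version == net.version and net.subnet_of(i) for i in ignore):
            findings.append((cidr, "not_ignored"))
    return findings


if __name__ == "__main__":
    for cidr, issue in audit(SCANNER_RANGES, SAMPLE_ALLOW, SAMPLE_IGNORE):
        print(f"{cidr}: {issue}")
```

To check a live server, pass the contents of /etc/csf/csf.allow and /etc/csf/csf.ignore as the two text arguments.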
  4. Mr_Kings

    Mr_Kings Registered

    I have tried whitelisting the IP but it fails even worse, as it opens up all the ports for the scanner (insecure FTP on 22, email ports 995, 25, etc.). It seems there needs to be a way to block all unused ports with the firewall but disable the port scan detector so it doesn't block the scanner when it's running on the necessary open ports (web 80, ssl 443, etc.).

    I'm fairly new to WHM and CSF, so I apologize if I'm missing something.

    Thanks!

    EDIT: I had left my window open and replied before refreshing so I didn't see quizknows's tip. I will try it and report back...
     
  5. Mr_Kings

    Mr_Kings Registered

    This worked! Thanks for the help!
     
  6. quizknows

    quizknows Well-Known Member

    Glad to help, thanks for checking back.
     