PCI Scanning Being Blocked

M

Mr_Kings

Registered
Oct 20, 2015
3
0
51
Earth
cPanel Access Level
Root Administrator
Hello!

We have a customer who is set up with ControlScan (Axia) for their PCI compliance. The last scan resulted in a "scan may have been dynamically blocked by an IPS" for port 80.

I have PS_INTERVAL set to 0 in my CSF configuration, and I have ControlScan's scanning IP range but I'm not sure if I need to set that somewhere or not. Is there a way to disable the port-scanning detection/blocking temporarily or for an IP range? I have blocked all non-essential ports that we aren't using (143, 995, 25, etc.) from the public.

I have already posted on the CSF forums, but have received no reply. Hoping someone on here can help, thanks!
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Q

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
You should never put a PCI vendor in csf.allow. Add their IP ranges to csf.ignore

This will allow them to probe without being blocked, but will not cause you headaches with ports being mistakenly reported as "open" such as 3306 for MySQL which will cause your scan report to be failing status. If you put an IP range in csf.allow, every port appears open. You only need to 'ignore' them for LFD.

Be sure to fully restart csf AND lfd after making this change, either via WHM, or on a root shell with:

Code: 
csf -x ; csf -e
 
  • Like
Reactions: cPanelMichael
M

Mr_Kings

Registered
Oct 20, 2015
3
0
51
Earth
cPanel Access Level
Root Administrator
cPanelMichael said:
Hello :)

Have you tried whitelisting the IP range in the csf.allow file? It's documented at:

http://download.configserver.com/csf/readme.txt

Thank you.
Click to expand...
I have tried whitelisting the IP but it fails even worse, at it opens up all the ports for the scanner (insecure FTP on 22, email ports 995, 25, etc.). It seems there needs to be a way to block all unused ports with the firewall but disable the port scan detector so it doesn't block the scanner when it's running on the necessary open ports (web 80, ssl 443, etc.)

I'm fairly new to WHM and CSF, so I apologize if I'm missing something.

Thanks!

EDIT: I had left my window open and replied before refreshing so I didn't see quizknows's tip. I will try it and report back...
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
J PCI+ Scan Issues Security 5
B In Progress CPANEL-42515 - PCI Scan complaint about Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl Security 5
B PCI Scan Issues Security 1
V pci scan blocked by IPS? Security 4
V PCI Scan - /webmail fails Security 7
Similar threads
PCI+ Scan Issues
In Progress CPANEL-42515 - PCI Scan complaint about Web Server Predictable Session ID Vulnerability with port 2087 / tcp over ssl
PCI Scan Issues
pci scan blocked by IPS?
PCI Scan - /webmail fails
Top Bottom