PCI Scanning Being Blocked

Mr_Kings

Hello!

We have a customer who is set up with ControlScan (Axia) for their PCI compliance. The last scan resulted in a "scan may have been dynamically blocked by an IPS" for port 80.

I have PS_INTERVAL set to 0 in my CSF configuration, and I have ControlScan's scanning IP range but I'm not sure if I need to set that somewhere or not. Is there a way to disable the port-scanning detection/blocking temporarily or for an IP range? I have blocked all non-essential ports that we aren't using (143, 995, 25, etc.) from the public.

I have already posted on the CSF forums, but have received no reply. Hoping someone on here can help, thanks!
 

quizknows

You should never put a PCI vendor in csf.allow. Add their IP ranges to csf.ignore.

This will allow them to probe without being blocked, but will not cause you headaches with ports being mistakenly reported as "open", such as 3306 for MySQL, which will cause your scan report to have a failing status. If you put an IP range in csf.allow, every port appears open. You only need to 'ignore' them for LFD.

Be sure to fully restart csf AND lfd after making this change, either via WHM, or on a root shell with:

Code:
csf -x ; csf -e
 
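A check for the csf.allow versus csf.ignore advice above, as an added example that is not part of the original thread: the function reports whether a scanner range is listed in csf.ignore and absent from csf.allow. The range 192.0.2.0/24 and the sample file contents are constructed placeholders; the live files are assumed to be /etc/csf/csf.allow and /etc/csf/csf.ignore, and matching is textual on IPv4 entries (no CIDR containment check).

```shell
#!/bin/sh
# Added example: audit where a PCI scanner range is listed in CSF.

# csf_entries FILE: print each active entry with comments, blank lines
# and surrounding whitespace removed.
csf_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# check_scanner RANGE ALLOW_FILE IGNORE_FILE
# Prints one status word and returns non-zero unless it is "ok":
#   ok           in csf.ignore and absent from csf.allow
#   in-allow     listed in csf.allow (every port appears open to the scanner)
#   not-ignored  missing from csf.ignore (lfd may still block the scan)
check_scanner() {
    range=$1 allow=$2 ignore=$3
    # Escape dots so the range is matched literally.
    pat=$(printf '%s' "$range" | sed 's/[.]/\\./g')
    # csf.allow also takes advanced rules such as tcp|in|d=80|s=IP, so match
    # the range as a whole field bounded by line start/end, '|' or '='.
    if csf_entries "$allow" | grep -Eq "(^|[|=])${pat}(\$|[|])"; then
        echo in-allow
        return 1
    fi
    if ! csf_entries "$ignore" | grep -Fxq "$range"; then
        echo not-ignored
        return 1
    fi
    echo ok
}

# Constructed sample files standing in for csf.allow and csf.ignore.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '203.0.113.10 # office' 'tcp|in|d=80|s=192.0.2.0/24' > "$dir/allow.bad"
    printf '%s\n' '203.0.113.10 # office' > "$dir/allow.good"
    printf '%s\n' '127.0.0.1' '192.0.2.0/24 # PCI scanner' > "$dir/ignore"
    : > "$dir/ignore.empty"
    echo "range in csf.allow:         $(check_scanner 192.0.2.0/24 "$dir/allow.bad" "$dir/ignore")"
    echo "range missing from ignore:  $(check_scanner 192.0.2.0/24 "$dir/allow.good" "$dir/ignore.empty")"
    echo "range only in csf.ignore:   $(check_scanner 192.0.2.0/24 "$dir/allow.good" "$dir/ignore")"
    rm -rf "$dir"
}
demo
```

On a live server, call `check_scanner` with the vendor's published range and the two real file paths before requesting a rescan.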

Mr_Kings

Hello :)

Have you tried whitelisting the IP range in the csf.allow file? It's documented at:

http://download.configserver.com/csf/readme.txt

Thank you.
I have tried whitelisting the IP but it fails even worse, as it opens up all the ports for the scanner (insecure FTP on 22, email ports 995, 25, etc.). It seems there needs to be a way to block all unused ports with the firewall but disable the port scan detector so it doesn't block the scanner when it's running on the necessary open ports (web 80, ssl 443, etc.).

I'm fairly new to WHM and CSF, so I apologize if I'm missing something.

Thanks!

EDIT: I had left my window open and replied before refreshing so I didn't see quizknows's tip. I will try it and report back...