actually I did the same audit a few weeks ago via nmap.
ESXi system, with FreeNAS (11.1), pfSense, Debian and Windows. Apart from a suspicious open port 6xxx in FreeNAS* I did not find much. pfSense with pfBlockerNG installed had more issues, mainly with an insecure DH algorithm.
This got addressed and will be fixed with the next release.
Would be good to know more about your findings and how the "audit" was made.
All of the findings above look to me like the scan was done on the system itself, not like in the real world, where you need to find the open port & the vuln. to get access.
Hardening done by myself in tunables:
Code:
Variable: freenas.services.smb.config.server_min_protocol
Value: SMB3_10
Type: sysctl
Under Services / SMB, "Allow Empty Password" should be deactivated, same for NTLMv1.
Since I am only using Windows 10 clients, I deactivated NetBIOS
-> "Auxiliary Parameters"
disable netbios = yes
smb ports = 445
smb encrypt = mandatory
*This strange open port is called HA and got addressed as a bug (#28031). Behind this open port you will find an NGINX HTTP server with Python.
The "bug" got rejected by iX.
link to redmine
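Added example (not part of the original post and not FreeNAS code): a small Python check that audits the [global] section of an smb.conf-style file against the SMB settings listed in the post. Mapping the GUI toggles for NTLMv1 and empty passwords to the Samba parameters "ntlm auth" and "null passwords" is an assumption, and the sample config is constructed.

```python
import re

TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}

# parameter -> (predicate on the lower-cased value, target shown in findings)
CHECKS = {
    "server min protocol": (lambda v: v.startswith("smb3"), "SMB3 or newer"),
    "disable netbios": (lambda v: v in TRUE, "yes"),
    "smb ports": (lambda v: v.split() == ["445"], "445 only"),
    "smb encrypt": (lambda v: v in {"mandatory", "required"}, "mandatory"),
    "ntlm auth": (lambda v: v in FALSE | {"ntlmv2-only", "disabled"}, "no NTLMv1"),
    "null passwords": (lambda v: v in FALSE, "no"),
}

def parse_global(text):
    """Return the [global] parameters of an smb.conf-style text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank lines and comments
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names are case-insensitive; collapse inner whitespace
            params[" ".join(key.lower().split())] = value.strip().lower()
    return params

def audit(text):
    """List (parameter, found, target) for each setting that misses the target.
    Unset parameters are reported too, so the build's default can be checked."""
    params = parse_global(text)
    return [(name, params.get(name, "not set"), target)
            for name, (ok, target) in CHECKS.items()
            if name not in params or not ok(params[name])]

# Constructed sample: weak global settings, encryption set only on a share
SAMPLE = """[global]
    server min protocol = SMB2
    disable netbios = yes
    smb ports = 445 139
    ; smb encrypt = mandatory
    ntlm auth = yes
[share]
    smb encrypt = mandatory
"""
```

Running audit() on the output of testparm -s gives the effective values rather than only what was typed into "Auxiliary Parameters".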