Securing direct access to HTTPS page when accessing WAN IP

[davecowley]

Hi

I was hoping someone could help me with securing NPM please? I have recently had a pentest and it flagged a page which loads when accessing the external IP + 443 port externally.
When accessed it loads a "Your connection is not pricate" page and uses a self assigned certificate which is valid for 10 years.

I think I am on the right track but need some guidance please.

I have created /data/nginx/custom/http_top.conf and added in the below:

charset utf-8;server {listen 443;server_name _;return 444;}

My understanding is that it would block anything which doesnt have a hostname assigned. The above caused any https page to not load. I now think that I need to set the actual hostnames/domain names and then activate the above code.

Firstly does anyone know which file and the location of the config file which needs to be modified? I have tried adding the below in to http_top.conf but it doesnt seem to like it.

server {listen 443;server_name *.companysite.com;}
server {listen 443;server_name *file.companysite.com;}

my http_top.conf then looked like

server {listen 443;server_name *.companysite.com;}
server {listen 443;server_name *file.companysite.com;}

charset utf-8;server {listen 443;server_name _;return 444;}

I am pretty much stuck but I think I am getting close to the answer.

Can anyone help please?

[jeremy-chua]

Can you share what specifics are you solving?
If its the self signed certificate, the only solution is to use a public CA signed certificate. You can explore Let's Encrypt for free public certificates, however you need a public domain.

Hope this helps!

[davecowley]

Hi,

I had a penetration test done on my external IPs on my infrastructure. When visiting Https://myexternalip:443 It didn't give a 404 page and loaded an error with a self assigned SSL valid for 10 years.

They said it was a medium low risk but that I should get it resolved.

[jeremy-chua]

The only remediation you can apply is to get a public cert.
Let's encrypt is free, but you need to have a public domain.
NPM has built-in feature which handles the Let's Encrypt portion.

[jeremy-chua]

i think i get what you mean.
u can modify the ngnix default settings.
this can't be done in NPM web interface

[davecowley]

Do you know how I can achieve this

[davecowley]

Any SSL will not work as it will not resolve to a domain as the error is with direct IP. I just need to be able to filter away anything trying to access NPM which doesn't have an active domain registered on NPM.

[jeremy-chua]

I think you are missing the issue. The vulnerability found is using self signed cert and not the IP address.
Certificates are tied to domains and not IP address