Security Configuration Guide for Acunetix Standard and Premium On-Premises
Your Acunetix installation contains a number of sensitive data items which need to be kept secure from unauthorized access. The Acunetix Security Configuration Guide will provide information on the areas in your Acunetix installation which require particular attention as they may contain such sensitive data items.
Recommendations for added security
Securing Network Access to the Acunetix machine (inbound)
You should restrict incoming traffic to your Acunetix installation in the same way you would restrict access to any other corporate server containing critical data. In short, allow incoming traffic only from legitimate, authorized users. You would typically achieve this by whitelisting only trusted IP addresses, and by forcing remote authorized users to reach the machine through a corporate VPN layer so that access originates from the corporate LAN and not from some untrusted source.
More specifically, you need to keep in mind that Acunetix needs to receive inbound connections on the following ports:
- port 3443 for the UI and for API access, including CI/CD integration
- port 7880 for the AcuSensor bridge when AcuSensor agents are in use
Securing Network Access from the Acunetix machine (outbound)
Your Acunetix installation has legitimate needs to contact other network devices to perform its scanning activities. It needs to contact:
- Target web applications, to scan them for vulnerabilities
- Other services which provide additional functionality in Acunetix. These include:
  - mail servers to send email notifications
  - issue tracker web services
  - the OpenVAS network scanner
  - proxy servers, through which traffic is passed before it reaches target web applications or other Acunetix services
Let’s look at each of these in more detail.
Securing Network access to the Target Web Applications
Acunetix must be able to connect to the web applications that you wish to scan. Scanning is usually done on TCP ports 80 and 443, so you might want to restrict all outbound access with appropriate corporate firewall rules and make exceptions only for those two ports. Since your Acunetix installation will need to scan various web applications, it is normally acceptable to allow unrestricted outbound access to destination TCP ports 80 and 443 (for HTTP and HTTPS respectively) in the public internet space, and to specific local area network hosts where applicable.
These same firewall rules will be used to allow Acunetix to connect to the Acunetix services, such as the License Management System and the service used to detect Out of Band vulnerabilities.
Securing Network access for other services used by Acunetix
For all other destinations, you should create exceptions to allow outbound traffic to only those other services strictly necessary for the operation of your Acunetix installation, such as:
- proxy servers used for outbound communications
- mail servers for notification delivery
- issue trackers used for integration with Acunetix
- network scanning engines (OpenVAS)
If you are not using some of these integrations, do not open the corresponding ports.
Special Note about the use of Proxy Servers
If you have configured your Acunetix installation to use proxy servers for its outbound traffic needs, you will need to apply the same restriction concepts mentioned above on the proxy servers themselves.
Moreover, if you have configured your Acunetix installation to route ALL its traffic through proxy servers, you can further restrict outbound access on the Acunetix machine so that it can reach only the proxy servers themselves.
Keep your Acunetix installation separate from other services
To further harden your Acunetix installation, you should ensure that no other unnecessary services / applications are deployed to the Acunetix machine.
Blocking Acunetix from connecting to reserved IP Address ranges
You can further enhance the hardening of your Acunetix installation by blocking access to reserved IP address ranges. You can do this when you do not need to scan any resources on IP addresses situated in the local area network. This comes in handy when you have Acunetix installed on cloud hosting services, such as Amazon AWS, Google Cloud or Microsoft Azure, and you want to ensure that no scan is run against machines which are part of your own network.
Edit the custom_settings.xml file to set the BlockReservedIps setting (see the Acunetix documentation on the custom_settings.xml file for more information):
<HTTPGeneral>
  <!-- other settings -->
  <BlockReservedIps>1</BlockReservedIps>
  <!-- other settings -->
</HTTPGeneral>
This will block the scanner and the LSR (Login Sequence Recorder) from connecting to:
- IPv4 restricted IP addresses:
  - 0.0.0.0/8
  - 10.0.0.0/8
  - 127.0.0.0/8
  - 172.16.0.0/12
  - 192.0.2.0/24
  - 192.88.99.0/24
  - 192.168.0.0/16
  - 198.18.0.0/15
  - 198.51.100.0/24
  - 169.254.0.0/16
  - 203.0.113.0/24
  - 224.0.0.0/4
  - 240.0.0.0/4
- IPv6 restricted IP addresses:
  - loopback
  - link-local addresses
  - site-local addresses
  - private addresses
This would, for example, block access to the AWS EC2 meta-data endpoint provided by Amazon for each EC2 instance. The meta-data endpoint IP addresses are 169.254.169.254 (IPv4), which falls in the 169.254.0.0/16 range, and fd00:ec2::254 (IPv6), which is a private (unique local) address. For more information about the AWS EC2 meta-data endpoint: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
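As an added pre-flight check (example code written for this guide, not part of Acunetix), the following Python reproduces the BlockReservedIps ranges listed above and reports which entries of a constructed target list the scanner would refuse to contact. The IPv6 prefixes are assumed from the category names, and treating IPv4-mapped IPv6 literals as their IPv4 form is this check's own choice.

```python
import ipaddress
from urllib.parse import urlsplit

# IPv4 ranges exactly as listed in the guide for BlockReservedIps=1.
BLOCKED_IPV4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "169.254.0.0/16", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]
# The guide names IPv6 categories only; these prefixes are an assumption:
# loopback ::1, link-local fe80::/10, site-local fec0::/10, private (ULA) fc00::/7.
BLOCKED_IPV6 = [ipaddress.ip_network(n) for n in (
    "::1/128", "fe80::/10", "fec0::/10", "fc00::/7",
)]

def is_reserved(address: str) -> bool:
    """Return True if an IP literal falls in one of the blocked ranges."""
    ip = ipaddress.ip_address(address)
    # Treat IPv4-mapped IPv6 literals (::ffff:a.b.c.d) as their IPv4 form so
    # they cannot slip past the IPv4 list (a conservative choice for this check).
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    ranges = BLOCKED_IPV4 if ip.version == 4 else BLOCKED_IPV6
    return any(ip in net for net in ranges)

def blocked_targets(urls):
    """Return the target URLs whose host is a reserved IP literal."""
    # DNS names pass through untouched: the scanner applies the block only
    # after name resolution, which this offline check cannot reproduce.
    blocked = []
    for url in urls:
        host = urlsplit(url).hostname  # strips the [] around IPv6 literals
        if host is None:
            continue
        try:
            if is_reserved(host):
                blocked.append(url)
        except ValueError:
            pass  # a DNS name, not an IP literal
    return blocked

# Constructed sample target list, including both EC2 meta-data endpoints.
SAMPLE_TARGETS = [
    "http://169.254.169.254/latest/meta-data/",
    "http://[fd00:ec2::254]/latest/meta-data/",
    "https://example.com/",
    "http://[::ffff:192.168.1.10]/",
]
```

Running blocked_targets(SAMPLE_TARGETS) returns the two meta-data URLs and the IPv4-mapped entry, while the DNS-named target is left for the scanner to resolve and filter at connection time.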