Topics - labsy

#1
Hi,

due to high CPU usage I turned OFF IDS/IPS under Services --> Intrusion Detection --> Administration --> Settings --> Intrusion Detection ENABLED=OFF. CPU usage dropped as expected, so for testing purposes I installed Maltrail to have at least some intrusion protection.


This worked fine for a few weeks.

Yesterday I went again to Services --> Intrusion Detection --> Administration --> Download --> Rulesets and, just to clean it out, set all rulesets to DISABLED. The IDS service was still OFF from before.
What's weird is that since then CPU usage dropped significantly!?

I do not understand.
The IDS service was OFF all the time. How can CPU drop just by disabling rulesets under a DISABLED service?
....or are those rulesets used elsewhere, maybe with Maltrail, too?

#2
Intrusion Detection and Prevention / Maltrail vs. Suricata
September 28, 2023, 10:08:26 PM
Hi,

in previous versions I've always been using Suricata, but with 23.x it began consuming a lot of CPU. Maybe it was due to some inherited settings, maybe rules vs policies...dunno.
So I got rid of Suricata for now and gave Maltrail a try. I did not get into details, Suricata seems more powerful, but performance-wise I notice all web services behind my OPNSense are now (with Maltrail instead of Suricata) noticeably more responsive and faster. Also CPU load is cut in half now.

Thoughts?
#3
General Discussion / [SOLVED] Cannot login via SSH
September 26, 2023, 06:17:54 PM
Hi,

any idea why I cannot login via SSH to my 23.7 version anymore? I am using Putty, terminal window opens, asks for login, I enter my username, then prompts for password, and as soon as I enter password, Putty terminal window closes. I can Putty to all other servers and devices, so I guess Putty is OK.

Logs in the OPNSense web console show as if I am logged in, but I am not:

2023-09-26T18:12:11 Critical nologin Attempted login by myusername on /dev/pts/0
2023-09-26T18:12:11 Informational sshd Accepted keyboard-interactive/pam for myusername from 123.212.63.25 port 52121 ssh2
2023-09-26T18:12:11 Notice audit user myusername authenticated successfully for sshd [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]


Lol...solution:
somehow under my username I had the login shell set to /sbin/nologin, which is a polite refusal of login. Changed this to /bin/sh and I am in. :)
#4
Hi,

what direction is IDS/IPS protecting? From LAN to WAN or vice versa?
I mean, I am using OPNSense only to protect a dozen web and mail servers behind it (NAT-ed) and I am wondering if there's any use of IDS/IPS at all in this case?

For example... rule ET POLICY Cleartext WordPress Login ... will it kick in if the attacker is coming from WAN, trying to hack one of the WordPress sites that I am hosting?
#5
Hi,

I have one pretty powerful ESX 6.7 host with a dozen web and mail services. All are protected with another virtual machine:
OPNsense 19.1.10_1-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019

I've tried to upgrade many times before, but failed, dunno what exactly went wrong, but due to failures I simply kept it running at this old version.

I have over a hundred rules, aliases, tunnels, routes and stuff, which I will need to manually retype into the new OPNSense, if I decide to do so. And I will definitely go for it, but I need a good reason - what do you say, will I benefit in performance or somewhere else, if I go with the new version? Or should I expect the same performance and security after a week of manually migrating everything over?
#6
Hi,

My OPNSense 19.1.10_1-amd64 is running FreeBSD 11.2-RELEASE-p10-HBSD as a VIRTUAL MACHINE on ESX 6.5 server. It says DISK USAGE: 109% (100G/100G)

I dunno how this is even possible, and it is still running, but I will obviously need to act NOW.

Please...I have only copy/paste Linux knowledge - any reliable instructions on how to resize disk?
#7
Hi,

I have 19.1 on an ESX 6.5 server and yes, it's working. A lot of rules, a lot of NAT translations, and a lot of blocklists (aliases, external lists). Cannot auto-upgrade to any newer version, dunno why, but it does not work.

I am thinking about manually rewriting all rules to 22.1 version.
What ya think - will there be any benefit performance-wise or security-wise?
#8
Hi,

I have production on the 19.1 version on this:
- Host is a FUJITSU server on ESX 6.7.0 Update 2
- OPNSense is 19.1 with approx. 4000 active states on average
- it has some 40 NAT rules
- it also has quite large BLOCKLISTS in FW Aliases (loading external files of up to 4000 IP addresses to block)
- WAN is 1 Gbps bandwidth in a datacenter

What do you think - will I gain or lose performance-wise if I upgrade to 21.7?
It is a PITA, because I will "upgrade manually", meaning I need to rewrite all rules and settings by hand. Auto upgrade is not possible.
#9
Hi,

related to this: https://forum.opnsense.org/index.php?topic=15226.0 I am wondering if an ALIAS URL table, pulled from an external source, is ever refreshed?

I have it configured to pull bad IPs from an external URL to block them, but if I manually inject one testing IP there, it does not get blocked, not after 1 hour, not after 1 day.
So I guess either the list never gets updated, or maybe the CRON job for this update is not configured.

Any idea where the refresh rate (update) can be set?
#10
Hi,

I have a kinda smart FW rule, made of collected IP addresses from numerous web sites (Joomla and WordPress) on many of our servers, which have some sort of security plugin installed. Every few minutes I pull all blocked/attacker/hacker IP addresses from those website plugins (mysql) and inject them via a TXT table into a firewall ALIAS table.
If anyone interested, here's the list: http://secureit.si/lockouts/list.php

Now, I want to check if the firewall is really blocking these IPs.
Where can I see LOGS showing whether this rule is doing the job? "Logging" is enabled inside this rule, but where can I see those logs?
#11
Hi,

I am thinking about aggregating all IP blacklists from various web sites (WP, Joomla, custom builds...), which write logs of attacking (brute-force, dictionary attacks...) IP hosts/addresses into a database. I have a script in PHP to extract IPs from the database for the past 7 or 14 days.
Then I plan to try/test retrieving these into a Blocked ALIASES list in OPNSense.

Now, since this list will contain hundreds or even thousands of IP addresses, I am wondering how a BLOCK ALIASES LIST of 1000s of entries would affect firewall performance?
#12
18.7 Legacy Series / Each update hiccups upon reboot
January 19, 2019, 05:52:29 PM
Hi,

with the last 2 versions of 18.x I had problems when rebooting after the update. The firewall got stuck on some disk mapping/mounting (or something disk-related...I do not know where to find that info) and was able to boot properly after some 3-4 soft-resets. The console showed it stuck on initializing or mounting some device, I do not remember which one exactly, but it was always a DIFFERENT stuck point.

Once it booted, then it worked fine, fast, no problems, and consequent reboots did NOT cause further problems.

I am running on ESX 6.5 with Virtual SCSI disk controller.
VMWare tools are (probably?) installed, but still for past 2 years I see constant warning in ESX GUI: "The configured guest OS (FreeBSD (64-bit)) for this virtual machine does not match the guest that is currently running (FreeBSD 11.1-RELEASE-p18). You should specify the correct guest OS to allow for guest-specific optimizations."

Is there something slightly wrong with my config, or has the OpnSense kernel changed in the past version?
#13
Hi,

is it somehow possible to create an Unbound DNS override for a TXT record? I only see A (AAAA) or MX record overrides.
Adding custom TXT records locally would be super useful for DNS ACME-02 challenge to generate wildcard LE certificates locally.
#14
Hi,
just my 5 cents - the "Apply changes" warning stripe on top in previous versions was annoying, but now I see it was VERY HANDY and USEFUL! Now I am on the 18.7 version and I really miss this annoying warning, as I am never 100% sure whether I applied/saved the settings or not.
So my suggestion is to come back with some similar functionality in further releases.
#15
Hi,

I think after updating to 18.7 I see on the terminal screen:
syslogd: /var/log/suricata.log: Operation not supported by device

Did this come from the update?
Is this critical?
#16
Hi,

I host hundreds of WordPress, Joomla and other web sites behind an OPNSense firewall. Besides those, I also have a few MAIL servers here.
Now, some of the web sites have good security measures via plug-ins, which detect brute-force attacks, some web sites use public blacklists of compromised IP addresses to prevent access from them...while other web sites do not have any of those.

My idea is to somehow connect those best security mechanisms of WordPress, Joomla and others and then use "I don't know which mechanism" to block those attackers at the OPNSense entry level, so I would prevent those hackers from attacking ANY of my web sites and from accessing ANY of the mail servers which are behind my OPNSense.

Any ideas?
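The three posts above (the per-site lockout list injected into an alias, the question of how thousands of alias entries affect performance, and the idea of pooling every site's blacklist in front of all servers) all come down to one feed-building step. The script below is an added example, not the author's list.php or any OPNsense code: it merges several plugin exports into one deduplicated, CIDR-collapsed text list suitable for a URL-table alias, refuses to ever emit RFC 1918, loopback or link-local space (one bad feed line there would lock out the LAN or the firewall itself), and lets you test any address against the result. The two feeds are constructed samples.

```python
import ipaddress

# Constructed sample feeds standing in for the per-site plugin exports
# (not taken from the author's real list.php).
FEED_WORDPRESS = """\
# lockouts exported by a WordPress brute-force plugin (constructed)
198.51.100.23
198.51.100.24
198.51.100.25
203.0.113.77
not-an-address
"""
FEED_JOOMLA = """\
203.0.113.77
192.168.1.50
10.0.0.9
2001:db8::bad
198.51.100.0/29
"""

# Ranges that must never reach the block table: RFC 1918, loopback,
# link-local and the unspecified networks.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_feed(text):
    """Yield ip_network objects from one feed, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits in a prefix ("1.2.3.4/24")
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # junk lines never make it into the alias


def _overlaps_any(net, nets):
    # overlaps() rather than subnet_of(): a feed entry like 10.0.0.0/7
    # must be rejected too, not just entries fully inside a private range
    return any(net.version == n.version and net.overlaps(n) for n in nets)


def build_blocklist(feeds, allowlist=()):
    """Merge feeds into one deduplicated, CIDR-collapsed list of strings.

    allowlist: extra networks to exclude, e.g. your own public ranges.
    """
    allow = NEVER_BLOCK + [ipaddress.ip_network(a, strict=False) for a in allowlist]
    keep = [net for feed in feeds for net in parse_feed(feed)
            if not _overlaps_any(net, allow)]
    # collapse_addresses merges duplicates and adjacent blocks, one family at a time
    v4 = ipaddress.collapse_addresses(n for n in keep if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in keep if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


def is_blocked(blocklist, ip):
    """Check one address against the generated list (what the pf table will do)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in map(ipaddress.ip_network, blocklist)
               if n.version == addr.version)


if __name__ == "__main__":
    # The printed text is what the URL-table alias would fetch.
    print("\n".join(build_blocklist([FEED_WORDPRESS, FEED_JOOMLA])))
```

On the performance question: a URL-table alias is loaded into a pf table, and pf tables are radix-tree lookups, so a few thousand entries cost about the same per packet as a few dozen; what does scale with the list is the periodic reload, which is why collapsing adjacent addresses and deduplicating across feeds before publishing the file is worth the trouble. Pass your own public ranges in `allowlist` so a compromised site's plugin can never publish your mail server's address into the block table.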
#17
17.7 Legacy Series / Reverse traffic problem
December 29, 2017, 12:14:55 AM
Hi,

does anybody have a clue about my specific problem.
It's about DNS (or any other traffic) where packets originate from within the LAN, then go to the WAN adapter and return back into the LAN for their destination - it seems those are rejected.

For example, I have 3 DNS servers:
- DNS 1 is on LAN, behind OpnSense
- DNS 2 is on LAN, behind OpnSense
- DNS 3 is on different WAN subnet
I have ALL DNS servers configured to sync to each other's PUBLIC WAN IP address.
- Syncing between DNS1 or DNS2 and DNS3 (and vice versa) is OK.
- But between DNS1 and DNS2 it does not happen. I must manually configure DNS1 and DNS2 to sync using LAN IP addresses, not WAN...then sync is OK.

I guess OPNSense blocks the DNS traffic on port 53 if it originates from the LAN and is destined via WAN back to the LAN.

Any idea what rule I must add to allow such traffic? (for DNS port 53 only)
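What the post describes (a LAN host reaching another LAN host through the firewall's public address) is hairpin NAT, also called NAT reflection. In OPNsense it is switched on under Firewall: Settings: Advanced ("Reflection for port forwards" together with "Automatic outbound NAT for Reflection") rather than written by hand. The fragment below is an added illustration in classic pf syntax of what those switches have to produce; it is not OPNsense's generated ruleset, and the interface names and addresses are assumed for the example.

```pf
# Added illustration of hairpin NAT (NAT reflection); not OPNsense-generated.
# Interface names and addresses are assumptions for the example.
ext_if = "vmx0"            # WAN
int_if = "vmx1"            # LAN
wan_ip = "203.0.113.10"    # public address published for DNS2
dns2   = "192.168.1.12"    # DNS2 on the LAN

# 1. Ordinary inbound port forward: WAN clients (DNS3) reach DNS2 via the public IP.
rdr on $ext_if proto { tcp, udp } from any to $wan_ip port 53 -> $dns2 port 53

# 2. Reflection: a LAN client (DNS1) that talks to the public IP must be
#    redirected on the LAN interface as well. Without this the packet is
#    delivered to the firewall itself, which is not DNS2, or dropped.
rdr on $int_if proto { tcp, udp } from $int_if:network to $wan_ip port 53 -> $dns2 port 53

# 3. Source NAT for the reflected flow so DNS2 answers back through the
#    firewall. Otherwise DNS2 replies straight to DNS1 from 192.168.1.12 and
#    DNS1 discards the answer because it expected it from 203.0.113.10.
nat on $int_if proto { tcp, udp } from $int_if:network to $dns2 port 53 -> ($int_if)

# 4. Filter rules see the post-translation destination, so allow traffic to DNS2
#    on both interfaces.
pass in quick on $ext_if proto { tcp, udp } from any to $dns2 port 53
pass in quick on $int_if proto { tcp, udp } from $int_if:network to $dns2 port 53
```

The third rule is the part people forget: the redirect alone changes the destination, but DNS1 and DNS2 are on the same segment, so the reply would bypass the firewall and arrive from the "wrong" source address. Syncing over LAN addresses, as the post ended up doing, avoids the whole round trip and is the cleaner design when both hosts are local; reflection is the fix when the public name must work from everywhere.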
#18
17.1 Legacy Series / How to handle IPS properly
June 27, 2017, 11:46:42 PM
Hi,

I am looking at the IPS rules and I am a bit confused. I do not expect IPS to be a plug-n-play solution, and I know you need to watch the logs and alerts for weeks and months to select the proper rules.
But still...this seems an enormous project!

Correct me if I am wrong:
- first, you need to ENABLE IPS and download rules
- they are all in ALERT only mode
- then you need to watch ALERT logs
- ...and click on EACH SUSPICIOUS log entry, switch rule from Alert to Drop, and click APPLY
- now I've got 1 of gozillion rules in real action

- then also many rules have direction $HOME_NET any -> $EXTERNAL_NET... I do not need those, because I protect only incoming traffic. But I can only see the rule direction when I click on the rule, then click on the description link. That's time consuming, very time consuming.

Do I really need to go through all IPS alert entries, one by one, day by day and click each rule action from Alert to Drop? Aren't there any preconfigured sets of rules for, say, "webhosting" or "home user" or such?
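The direction of a rule is in the rule header itself, so the click-through in the GUI can be replaced by reading the rule files. The script below is an added example, not OPNsense or Suricata code: it parses Suricata rule lines, classifies each as inbound ($EXTERNAL_NET -> $HOME_NET), outbound ($HOME_NET -> $EXTERNAL_NET) or bidirectional, and produces two sid lists that answer the two complaints in the post, the outbound-only rules a server-only site can disable, and the inbound rules still in alert mode whose message matches a keyword and are candidates for drop. The sample rules are constructed for the example (sids in the local 9000000 range); they are not rules from the ET ruleset. Later OPNsense releases added policies for exactly this kind of bulk action change (the "rules vs policies" mentioned in the Maltrail vs. Suricata post), but the same header logic applies.

```python
import re

# Constructed sample rules in Suricata syntax; local sid range, NOT from ET.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE WordPress login brute force"; flow:to_server,established; content:"wp-login.php"; http_uri; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE outbound IRC"; flow:to_server; sid:9000002; rev:1;)
# a commented-out rule is parsed but reported as disabled
#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH brute force"; sid:9000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SAMPLE SMTP AUTH brute force"; flow:to_server; sid:9000004; rev:2;)
alert ip any any <> any any (msg:"SAMPLE bidirectional"; sid:9000005; rev:1;)
"""

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rules(text):
    """Parse rule lines into dicts; '#'-prefixed rules are kept but marked disabled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = True
        if line.startswith("#"):
            line, enabled = line.lstrip("#").strip(), False
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines, plain comments, unsupported syntax
        opts = m.group("opts")
        sid = re.search(r"\bsid\s*:\s*(\d+)", opts)
        msg = re.search(r'\bmsg\s*:\s*"([^"]*)"', opts)
        rules.append({
            "sid": int(sid.group(1)) if sid else None,
            "msg": msg.group(1) if msg else "",
            "action": m.group("action"),
            "src": m.group("src"),
            "dir": m.group("dir"),
            "dst": m.group("dst"),
            "enabled": enabled,
        })
    return rules


def direction(rule):
    """Classify by the header variables; anything else is 'other'."""
    if rule["dir"] == "<>":
        return "bidirectional"
    if rule["src"] == "$HOME_NET" and rule["dst"] == "$EXTERNAL_NET":
        return "outbound"
    if rule["src"] == "$EXTERNAL_NET" and rule["dst"] == "$HOME_NET":
        return "inbound"
    return "other"


def outbound_sids(rules):
    """Enabled rules that only watch traffic leaving $HOME_NET."""
    return [r["sid"] for r in rules if r["enabled"] and direction(r) == "outbound"]


def inbound_alert_sids(rules, keywords):
    """Enabled inbound rules still in alert mode whose msg mentions a keyword."""
    return [r["sid"] for r in rules
            if r["enabled"] and r["action"] == "alert" and direction(r) == "inbound"
            and any(k.lower() in r["msg"].lower() for k in keywords)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("outbound only:", outbound_sids(rules))
    print("inbound brute-force still alerting:", inbound_alert_sids(rules, ["brute force"]))
```

Two caveats before feeding the sid lists back into the GUI: the classification is only as good as the $HOME_NET definition (in OPNsense that is the "Home networks" setting under Intrusion Detection; if it does not cover the server subnet, inbound rules never fire), and flipping a whole keyword class to drop is still a blanket decision, so watch the alert counts per sid for a while before promoting them.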
#19
Hi,

I use OPNSense as the main firewall for my webhosting servers. NOT for browsing, as behind OPNsense there's only a bunch of servers, hosting web sites like WordPress, Joomla, Magento and others.
Among 300+ websites there's a dozen of my own sites and I can see hundreds of brute force attacks and vulnerability scans from all over the world. I can fight and protect by installing some WordPress or Joomla security plugins, but I would like to mitigate attacks before they reach the website engine - I'd like to configure some protection on the OPNSense firewall for incoming attacks.

I do have most of the IPS rules active, but here's problem no. 1:
If I put a rule on ALERT, I need to know the exact source IP to find the alert in the IPS log. I cannot search for, say, "1.2.3.*" or "brute force". Is there some other way to see IPS alerts?

Now problem no. 2:
Is there some better plugin or protection method to fight against brute force, password guessing and other attacks at the firewall level, without impacting performance too much?
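Suricata writes every alert as one JSON record in its EVE log (on OPNsense normally /var/log/suricata/eve.json), so both searches the post asks for, a partial IP and a free-text signature match, are easy outside the GUI. The script below is an added example, not OPNsense code: it filters alerts by source CIDR and/or signature substring and lists repeat offenders, which is also the natural input for the kind of aggregated block alias discussed in the later posts. The EVE lines are constructed samples in the real field layout, not a captured log.

```python
import ipaddress
import json
from collections import Counter

# Constructed eve.json lines (Suricata EVE alert layout); not a real capture.
EVE_SAMPLE = """\
{"timestamp":"2017-07-01T10:00:01.000000+0200","event_type":"alert","src_ip":"198.51.100.23","src_port":40111,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"SAMPLE WordPress login brute force","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2017-07-01T10:00:02.000000+0200","event_type":"flow","src_ip":"198.51.100.23","src_port":40112,"dest_ip":"192.0.2.10","dest_port":80,"proto":"TCP"}
{"timestamp":"2017-07-01T10:00:03.000000+0200","event_type":"alert","src_ip":"198.51.100.77","src_port":51000,"dest_ip":"192.0.2.25","dest_port":25,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000004,"rev":2,"signature":"SAMPLE SMTP AUTH brute force","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2017-07-01T10:00:04.000000+0200","event_type":"alert","src_ip":"203.0.113.5","src_port":60000,"dest_ip":"192.0.2.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,"signature":"SAMPLE SSH scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2017-07-01T10:00:05.000000+0200","event_type":"alert","src_ip":"198.51.100.23","src_port":40113,"dest_ip":"192.0.2.11","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"SAMPLE WordPress login brute force","category":"Attempted Administrator Privilege Gain","severity":1}}
not json at all
"""


def iter_alerts(text):
    """Yield only alert events; skip flow/stats records and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # truncated or garbage line, common at log rotation
        if ev.get("event_type") == "alert" and "src_ip" in ev:
            yield ev


def search_alerts(text, cidr=None, signature=None):
    """Filter alerts by source CIDR (e.g. '1.2.3.0/24') and/or signature substring.

    Returns (timestamp, src_ip, sid, signature) tuples, oldest first.
    """
    net = ipaddress.ip_network(cidr, strict=False) if cidr else None
    needle = signature.lower() if signature else None
    hits = []
    for ev in iter_alerts(text):
        src = ipaddress.ip_address(ev["src_ip"])
        if net is not None and (src.version != net.version or src not in net):
            continue
        if needle is not None and needle not in ev["alert"].get("signature", "").lower():
            continue
        hits.append((ev["timestamp"], ev["src_ip"],
                     ev["alert"]["signature_id"], ev["alert"]["signature"]))
    return hits


def repeat_offenders(text, min_alerts=2):
    """Sources with at least min_alerts alerts, as (ip, count), busiest first."""
    counts = Counter(ev["src_ip"] for ev in iter_alerts(text))
    return sorted(((ip, n) for ip, n in counts.items() if n >= min_alerts),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for hit in search_alerts(EVE_SAMPLE, cidr="198.51.100.0/24", signature="brute force"):
        print(*hit)
    print("repeat offenders:", repeat_offenders(EVE_SAMPLE))
```

The "action" field tells you whether a rule is still only alerting ("allowed") or actually dropping ("blocked"), which is the quickest way to audit which alert-mode rules are worth promoting. For the second question, a cheap firewall-level complement to IPS for brute force is exactly this loop: count alerts per source over a window and publish the repeat offenders to a block alias, so the pf table does the blocking and Suricata only has to see each attacker's first few attempts.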

#20
Hi,

I've asked this question elsewhere, so hoping maybe I get answer here.

What's the proper method to specify, for example, that LAN server with IP xy should use outbound masquerade using WAN IP xz? I have multiple WAN IP addresses and I want each local server to use its own public IP (not all going out via the same IP...especially I want to specify the outbound WAN IP for the mail server).
I have 17.1.6 and I've tried OUTBOUND NAT using a Virtual WAN IP, but no joy. Tried also with a floating NAT rule, direction out, using a different WAN IP as the gateway...but this does not pass traffic to the real WAN gateway, instead traffic is stuck at the WAN port.

I know this is one of the basic functions, but how to approach it?
...or is maybe 17.1.x buggy?

### EDIT ###
It was obviously a bug in FreeBSD kernel, as update to 17.1.8 solved the problem instantly:
https://forum.opnsense.org/index.php?topic=5229.msg21189#msg21189