OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: abel408 on July 18, 2017, 08:41:09 pm

Title: Locked out of OPNSense after enabling Intrusion Detection on LAN interface
Post by: abel408 on July 18, 2017, 08:41:09 pm
So I was configuring Intrusion Protection on my OPNsense router and I enabled it for the WAN interface. Everything went well, I was receiving a lot of alerts and realized that some of them are low threat alerts that I didn't need. I then enabled the LAN interface as well (I was just receiving alerts from my WAN IP address to external hosts). This is when things broke. I am now not able to get into the web interface or SSH of my OPNsense box. All rules were set to alerts except for the Abuse.ch rules which were set to drop. I also created rules to automatically drop packets from different geographical locations (China, Russia, India).

To make matters worse, the actual console seems unresponsive. I plugged a keyboard and monitor in to my OPNSense box and I am not able to do anything. A reboot did nothing either.


The console output displays this:
GEOM_MIRROR: Device mirror/opnsenseMirror launched (2/2)
timecounter "TSC-low" frequency 1750032538 Hz Quality 1000
Trying to mount root from ufs:/dev/mirror/opnsenseMirror1a [rw]...
uhub0: 2 ports with 2 removable, self powered
uhub1: 2 ports with 2 removable, self powered
ugen1.2: <vendor 0x8087> at usbus1
uhub2: <vendor 0x807 product 0x8000, class 9/0, rev 2.00/0.05, addr 2> on usbus1


And it just stops there. Pressing enter on the keyboard does nothing. If I unplug the keyboard, I get output that the usb was unplugged.

Alt+sysrq+reisub doesn't seem to do anything either, but pressing the power button on my box shuts down the system. Is there any way to interrupt the boot process of OPNsense so I can disable the intrusion protection and get my system working again?
Title: Re: Locked out of OPNSense after enabling Intrusion Detection on LAN interface
Post by: abel408 on July 18, 2017, 09:53:00 pm
I'm beginning to think the only way I can fix this is with a recovery disk. If I boot into a recovery OS and mount my OPNsense disk, what and where would I need to go to disable Suricata?
Title: Re: Locked out of OPNSense after enabling Intrusion Detection on LAN interface
Post by: franco on July 19, 2017, 10:09:56 am
The file /conf/config.xml, look for "<IDS", then "<general>" and remove "<enabled>1</enabled>" contained within.


Cheers,
Franco
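
The edit Franco describes, written as a script that can be run from a recovery OS (an added example, not part of the original post and not OPNsense project code). It assumes the OPNsense disk is already mounted and Python 3 is available; the /mnt mount point and the sample XML are constructed for illustration.

```python
#!/usr/bin/env python3
"""Remove <enabled>...</enabled> under <IDS>/<general> in an OPNsense config.xml."""
import shutil
import sys
import xml.etree.ElementTree as ET


def disable_ids(root):
    """Drop every <enabled> child of <IDS>/<general>; return how many were removed."""
    removed = 0
    for ids in root.iter("IDS"):  # matches <IDS ...> at any depth, attributes ignored
        for general in ids.findall("general"):
            for enabled in general.findall("enabled"):
                general.remove(enabled)
                removed += 1
    return removed


def patch_file(path):
    """Copy path to path + '.bak', then rewrite it with the IDS switch removed."""
    tree = ET.parse(path)  # a damaged file raises ParseError before anything is written
    removed = disable_ids(tree.getroot())
    if removed:
        shutil.copy2(path, path + ".bak")
        tree.write(path, encoding="utf-8", xml_declaration=True)
    return removed


# Constructed sample; a real config.xml has many more sections and settings.
SAMPLE = """<opnsense>
  <system><hostname>fw</hostname></system>
  <OPNsense>
    <IDS version="0.0.0">
      <general>
        <enabled>1</enabled>
        <ips>1</ips>
        <interfaces>wan,lan</interfaces>
      </general>
    </IDS>
  </OPNsense>
</opnsense>"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # e.g. /mnt/conf/config.xml, where /mnt is an assumed mount point
        print("removed", patch_file(sys.argv[1]), "element(s)")
    else:
        print("removed", disable_ids(ET.fromstring(SAMPLE)), "element(s) from sample")
```

The untouched original is kept next to the file as config.xml.bak, so the change can be reverted by copying it back.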
Title: Re: Locked out of OPNSense after enabling Intrusion Detection on LAN interface
Post by: abel408 on July 19, 2017, 06:16:35 pm
Thanks Franco...

Just want to make sure I am removing it and not just setting it to 0.


Also, I don't think the console issue is related to IDS anymore. I'm thinking IDS is just locking me out of SSH and the web gui... although I'm not sure why.

I vaguely remember the console breaking after an OPNsense upgrade. I have a Supermicro board and the only thing I get on my console after a reboot is this: http://i.imgur.com/ezgLFJN.jpg (Ignore the pfSense mirror name. I created the mirror with pfSense, then installed OPNsense on it).

Any recommendations for getting the console to work again?