Messages - labsy

Pages: [1] 2 3 4
1
23.7 Legacy Series / Significant CPU drop when disabling IDS rules?
« on: October 23, 2023, 08:59:19 am »
Hi,

due to high CPU usage I turned OFF IDS/IPS under Services --> Intrusion Detection --> Administration --> Settings --> Intrusion Detection ENABLED=OFF. CPU usage dropped as expected, so for testing purposes I installed Maltrail to have at least some intrusion protection.


This worked fine for a few weeks.

Yesterday I went again to Services --> Intrusion Detection --> Administration --> Download --> Rulesets and just to clean it out, set all rulesets to DISABLED. IDS service was still OFF from before.
What's weird is that since then CPU usage has dropped significantly!?

I do not understand.
IDS service was OFF all the time. How can CPU drop by just disabling rulesets under DISABLED service?
....or are those rulesets used elsewhere, maybe with Maltrail, too?


2
Intrusion Detection and Prevention / Re: Maltrail vs. Suricata
« on: September 29, 2023, 07:21:34 pm »
Huh...tough question, because I shut it down and removed all rules and policies (...to be ready for new installation, once v. 7 comes out). But as I remember, I scrolled down quite a lot, so it was definitely more than 50 or even close to 100 rules.

I think there's also the question of what I need:
This is a small webhosting setup, I only want to protect a dozen WEB and MAIL servers behind OPNSense against attacks from the internet. There are no client computers behind, so no web surfing, mail clients etc. to protect.
On the other hand, I do not want to slow down package transition too much, so as to keep services responsive.

3
Intrusion Detection and Prevention / Maltrail vs. Suricata
« on: September 28, 2023, 10:08:26 pm »
Hi,

in previous versions I've always been using Suricata, but with 23.x it began consuming a lot of CPU. Maybe it was due to some inheritable settings, maybe rules vs policies...dunno.
So I got rid of Suricata for now and gave Maltrail a try. I did not get into details, Suricata seems more powerful, but performance-wise I notice all web services behind my OPNSense are now (with Maltrail instead of Suricata) noticeably more responsive and faster. Also CPU load is cut in half now.

Thoughts?

4
23.1 Legacy Series / Re: duplicated Gateway msgs flood my logfile
« on: September 27, 2023, 07:26:25 pm »
IPv4 GW is now marked as default and is working just fine. By disabling the IPv6 gateway I also got rid of the above mentioned error, so I guess all is working fine now.

5
23.1 Legacy Series / Re: duplicated Gateway msgs flood my logfile
« on: September 26, 2023, 10:45:39 pm »
Good point - IPv6!
Dunno if I need it, or rather want it. We were all talking about it years ago, IPv4 will run out of number space....now it all somehow settled down, I actually forget about it, except if somebody points it out just like you did :)
You were right - DEBUG level revealed one message before error:
Code:
2023-09-26T21:35:20 Error opnsense /system_gateways.php: ROUTING: not a valid default gateway address: ''
2023-09-26T21:35:20 Notice opnsense /system_gateways.php: ROUTING: configuring inet6 default gateway on wan

Regarding tunables errors.... I just went to SYSTEM --> TUNABLES and swept for coloured settings, which were all long obsolete. Deleted them and got rid of those warnings in log.

Thank you very much for helping me out!

6
23.1 Legacy Series / Re: duplicated Gateway msgs flood my logfile
« on: September 26, 2023, 09:37:30 pm »
After reboot I've got this in log:
Code:
2023-09-26T21:00:58 Warning opnsense /usr/local/sbin/pluginctl: warning: ignoring missing default tunable request: net.inet.ip.fastforwarding
2023-09-26T21:00:58 Warning opnsense /usr/local/sbin/pluginctl: warning: ignoring missing default tunable request: debug.pfftpproxy
2023-09-26T21:00:56 Warning opnsense /usr/local/etc/rc.newwanip: Interface '' (ovpns1) is disabled or empty, nothing to do.
2023-09-26T21:00:55 Error dhcp6c transmit failed: Can't assign requested address
2023-09-26T21:00:55 Error opnsense /usr/local/etc/rc.bootup: ROUTING: not a valid default gateway address: ''

So I went to GW settings and marked it as default UPSTREAM. After applying I've got:
Code:
2023-09-26T21:35:20 Error opnsense /system_gateways.php: ROUTING: not a valid default gateway address: ''

7
23.1 Legacy Series / Re: duplicated Gateway msgs flood my logfile
« on: September 26, 2023, 08:54:15 pm »
Excellent observations, thanx! I spent half an hour to determine which is which, now you made it easy :)

8
23.1 Legacy Series / Re: duplicated Gateway msgs flood my logfile
« on: September 26, 2023, 06:35:24 pm »
Will try your plugin...I have 3 instances of GW_WAN and have no idea, which one is in use...

Code:
  <gateways>
    <gateway_item>
      <descr>Interface wan Gateway</descr>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <name>GW_WAN</name>
      <weight>1</weight>
      <interval>1</interval>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <monitor_disable>1</monitor_disable>
      <name>GW_WAN</name>
      <interval>1</interval>
      <weight>1</weight>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <monitor_disable>1</monitor_disable>
      <name>GW_WAN</name>
      <interval>1</interval>
      <weight>1</weight>
    </gateway_item>
  </gateways>

9
General Discussion / [SOLVED] Cannot login via SSH
« on: September 26, 2023, 06:17:54 pm »
Hi,

any idea why I cannot login via SSH to my 23.7 version anymore? I am using Putty, terminal window opens, asks for login, I enter my username, then prompts for password, and as soon as I enter password, Putty terminal window closes. I can Putty to all other servers and devices, so I guess Putty is OK.

Logs in OPNSense web console show like I am logged in, but I am not:

Code:
2023-09-26T18:12:11 Critical nologin Attempted login by myusername on /dev/pts/0
2023-09-26T18:12:11 Informational sshd Accepted keyboard-interactive/pam for myusername from 123.212.63.25 port 52121 ssh2
2023-09-26T18:12:11 Notice audit user myusername authenticated successfully for sshd [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]

Lol...solution:
somehow under my username I've had login shell set to /sbin/nologin, which is a polite refusal of login. Changed this to /bin/sh and I am in. :)

10
Intrusion Detection and Prevention / Re: Suricata crashing
« on: September 26, 2023, 03:54:45 pm »
I tried reinstalling the suricata module, disabling and reenabling it...and now I get a bunch of other errors. Could this be related to the ACME LE module? It is only used to get rid of the SSL warning when accessing Web GUI.

Code:
2023-09-26T14:56:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> [90.164.29.160] 338" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 45468
2023-09-26T14:56:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
2023-09-26T14:53:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qinwilrlju" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 40720
2023-09-26T14:53:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
2023-09-26T14:47:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET " from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 7533
2023-09-26T14:47:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_DIRECTION(189)] - "" is not a valid direction modifier, "->" and "<>" are supported.
2023-09-26T14:39:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox bot" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 19387
2023-09-26T14:39:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found

11
23.1 Legacy Series / Re: duplicated Gateway msgs flood my logfile
« on: September 26, 2023, 03:37:42 pm »
Thank you for confirmation, Franco!

BTW...manually editing config.xml? Is this just plain simple, like SSH to OPNSense box, locate config.xml, edit & save?

12
Intrusion Detection and Prevention / IPS/IDS for webhosting purpose?
« on: September 26, 2023, 12:11:42 am »
Hi,

what direction is IDS/IPS protecting? From LAN to WAN or vice versa?
I mean, I am using OPNSense only to protect a dozen web and mail servers behind it (NAT-ed) and I am wondering if there's any use of IDS/IPS at all in this case?

For example... rule ET POLICY Cleartext WordPress Login ... will it kick in if the attacker is coming from WAN, trying to hack one of the Wordpress sites that I am hosting?

13
Intrusion Detection and Prevention / Re: Suricata crashing
« on: September 26, 2023, 12:06:02 am »
Me too....when starting IPS/IDS.
I tried to reinstall, but seems like a lot of config conflicts:

Code:
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
2023-09-24T19:54:22 Error suricata [100330] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.servequake .com Domain"; flow:established,to_server; http.host; content:".servequake.com"; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains/; classtype:bad-unknown; sid:2042817; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_t" from file /usr/local/etc/suricata/opnsense.rules/emerging-info.rules at line 8730
2023-09-24T19:54:22 Error suricata [100330] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
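
The two Suricata logs quoted above (post 10 and this one) show rules being rejected for the same few reasons: a header cut off before the direction, a header with no rule options, and an options block with no terminating ";". The fragments are cut off mid-rule, which is what a partially written ruleset file looks like. What follows is an added pre-flight check, written for this page and not part of the forum posts or of the OPNsense or Suricata projects, that reads a rules file and reports those classes of defects before the file is handed to Suricata. The sample rules are constructed for the example; the checks are a simplification of Suricata's parser (a line it flags will be rejected, but a line it passes may still fail on keywords it does not know).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample rule file (not a real ruleset). Line 2 is well-formed;
# lines 3-6 reproduce the failure classes seen in the Suricata log.
SAMPLE_RULES = """\
# constructed sample, not a real ruleset
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"example well-formed rule"; flow:established,to_server; http.uri; content:"/example"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 338
alert dns $HOME_NET
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"example rule cut off mid-options"
alert dns $HOME_NET any => $EXTERNAL_NET any (msg:"example bad direction"; sid:9000002; rev:1;)
"""

VALID_DIRECTIONS = {"->", "<>"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def check_rule(line: str) -> Optional[str]:
    """Return an error description for one rule line, or None if it passes.

    The header (action proto src sport dir dst dport) is everything before the
    first "("; the options block is the rest. Checks mirror the messages
    Suricata itself emits for truncated or malformed rules.
    """
    paren = line.find("(")
    header = line if paren < 0 else line[:paren]
    options = None if paren < 0 else line[paren:]
    tokens = header.split()
    if len(tokens) < 7:
        return f"truncated header ({len(tokens)} of 7 header fields present)"
    if tokens[4] not in VALID_DIRECTIONS:
        return f'"{tokens[4]}" is not a valid direction modifier, "->" and "<>" are supported'
    if options is None:
        return "no rule options"
    body = options.strip()
    if not body.endswith(")"):
        return 'no terminating ";" found (options block is not closed with ")")'
    inner = body[1:-1].strip()
    if not inner.endswith(";"):
        return 'no terminating ";" found'
    if not SID_RE.search(inner):
        return "missing sid"
    return None


def lint_rules(text: str) -> Tuple[int, List[Tuple[int, str]]]:
    """Check every rule line; return (rules passed, [(line_no, error), ...])."""
    passed = 0
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not rules
        error = check_rule(stripped)
        if error is None:
            passed += 1
        else:
            findings.append((line_no, error))
    return passed, findings


if __name__ == "__main__":
    ok, problems = lint_rules(SAMPLE_RULES)
    print(f"{ok} rule(s) passed, {len(problems)} flagged")
    for line_no, error in problems:
        print(f"  line {line_no}: {error}")
```

Run against the file named in the log (under /usr/local/etc/suricata/opnsense.rules/ on the box) by reading it into `lint_rules`; a cluster of truncated lines at arbitrary offsets points at an incomplete ruleset download rather than at the rule source, so re-downloading the ruleset is the first thing to try before touching the Suricata configuration.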

14
23.1 Legacy Series / Re: duplicated Gateway msgs flood my logfile
« on: September 25, 2023, 10:36:17 pm »
Same in my just upgraded box:

Code:
2023-09-25T22:34:06 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal
2023-09-25T22:34:06 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal
2023-09-25T22:34:05 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal
2023-09-25T22:34:05 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal
2023-09-25T22:34:04 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal

Maybe useful for debugging:
I had 19.1 version, pulled out config, setup new 23.7 virtual machine, then ran wizard just to get access to web interface, then I imported old config. Maybe Wizard put duplicated GW_WAN entries there?
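
The dpinger warning above says the duplicated "GW_WAN" entries in config.xml need manual removal, and post 8 shows what those entries look like: three `<gateway_item>` blocks with the same `<name>`, two of them flagged `<defaultgw>`. The script below is an added example written for this page (not OPNsense project code) that finds such duplicates in a configuration file and removes them, keeping for each name the first entry that carries `<defaultgw>` (or simply the first one). The embedded sample is constructed after the posted snippet; 1.2.3.4 is the post's placeholder address, and the GW_WAN6 entry is added here only so that a non-duplicate is visible.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample modelled on the <gateways> section quoted in post 8.
SAMPLE_CONFIG = """\
<opnsense>
  <gateways>
    <gateway_item>
      <descr>Interface wan Gateway</descr>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <name>GW_WAN</name>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <name>GW_WAN</name>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <name>GW_WAN</name>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN IPv6 Gateway (constructed)</descr>
      <ipprotocol>inet6</ipprotocol>
      <interface>wan</interface>
      <gateway>dynamic</gateway>
      <name>GW_WAN6</name>
    </gateway_item>
  </gateways>
</opnsense>
"""


def gateway_items(root: ET.Element) -> List[ET.Element]:
    return root.findall("./gateways/gateway_item")


def gateway_names(xml_text: str) -> List[str]:
    """Gateway names in document order (handy for before/after comparison)."""
    return [i.findtext("name", "").strip() for i in gateway_items(ET.fromstring(xml_text))]


def duplicate_gateway_names(root: ET.Element) -> Dict[str, int]:
    """Map each gateway name that occurs more than once to its occurrence count."""
    counts: Dict[str, int] = {}
    for item in gateway_items(root):
        name = item.findtext("name", "").strip()
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def dedupe_gateways(root: ET.Element) -> List[str]:
    """Remove duplicate <gateway_item> entries in place.

    For each name keep the first entry that carries <defaultgw>, otherwise the
    first entry seen. Returns the <descr> of every entry that was removed.
    """
    gateways = root.find("gateways")
    if gateways is None:
        return []
    keep: Dict[str, ET.Element] = {}
    for item in gateway_items(root):
        name = item.findtext("name", "").strip()
        is_default = item.find("defaultgw") is not None
        if name not in keep or (is_default and keep[name].find("defaultgw") is None):
            keep[name] = item
    removed: List[str] = []
    for item in list(gateways.findall("gateway_item")):  # copy: we mutate below
        if keep.get(item.findtext("name", "").strip()) is not item:
            removed.append(item.findtext("descr", ""))
            gateways.remove(item)
    return removed


def clean_config(xml_text: str) -> Tuple[Dict[str, int], List[str], str]:
    """Report duplicates, drop them, and return the cleaned XML as text."""
    root = ET.fromstring(xml_text)
    dups = duplicate_gateway_names(root)
    removed = dedupe_gateways(root)
    return dups, removed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    dups, removed, cleaned = clean_config(SAMPLE_CONFIG)
    print("duplicates:", dups)
    print("removed:", removed)
    print("remaining gateways:", gateway_names(cleaned))
```

Run it on an exported backup of the configuration rather than on the live file, inspect the reported removals, and import the cleaned copy back; the duplicate set in post 8 has two entries marked default, so whichever survives the rule above should be checked against the GUI gateway list afterwards. `ET.tostring` does not preserve the original formatting or XML declaration, so diff the result before importing.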

15
Hardware and Performance / Re: Migrating from ver. 19.1 to latest - to do or not to do?
« on: September 25, 2023, 01:20:47 pm »
Well, I disabled IDS/IPS entirely, because I have weird connectivity problems with servers behind this firewall. BTW...disabling IDS/IPS cut down 50% of CPU load.

What connectivity problems I have after upgrading 19.1 --> 23.7 version?

Well...looks like TLS traffic either times out or gets rejected. For example:

- MAIL server behind OPNSense now has a postfix LOG with a lot of errors like this:

Code:
postfix/smtps/smtpd[16986]: SSL_accept error from some.mail.server[123.10.14.72]: -1

- Then another MAIL server behind the firewall has problems resolving blacklist multi.uribl.com:

Code:
554 5.7.1 Service unavailable; Sender address [some.name@gmail.com] blocked using multi.uribl.com; 127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 172.253.12.3]
I tracked down logs and those errors begin just at the time when I put new OPNSense 23.7 into production.
Ideas welcome...

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved