Messages - labsy

#1
Hi,

due to high CPU usage I turned OFF IDS/IPS under Services --> Intrusion Detection --> Administration --> Settings --> Intrusion Detection ENABLED=OFF. CPU usage dropped as expected, so for testing purposes I installed Maltrail to have at least some intrusion protection.


This worked fine for a few weeks.

Yesterday I went again to Services --> Intrusion Detection --> Administration --> Download --> Rulesets and, just to clean it out, set all rulesets to DISABLED. IDS service was still OFF from before.
What's weird is that since then CPU usage has dropped significantly!?

I do not understand.
IDS service was OFF all the time. How can CPU drop just by disabling rulesets under a DISABLED service?
....or are those rulesets used elsewhere, maybe with Maltrail, too?

#2
Huh...tough question, because I shut it down and removed all rules and policies (...to be ready for a new installation once v. 7 comes out). But as I remember, I scrolled down quite a lot, so it was definitely more than 50 or even close to 100 rules.

I think there's also a question of what I need:
This is a small webhosting setup; I only want to protect a dozen WEB and MAIL servers behind OPNSense against attacks from the internet. There are no client computers behind it, so no web surfing, mail clients etc. to protect.
On the other hand, I do not want to slow down packet transit too much, so as to keep services responsive.
#3
Intrusion Detection and Prevention / Maltrail vs. Suricata
September 28, 2023, 10:08:26 PM
Hi,

in previous versions I've always been using Suricata, but with 23.x it began consuming a lot of CPU. Maybe it was due to some inherited settings, maybe rules vs. policies...dunno.
So I got rid of Suricata for now and gave Maltrail a try. I did not get into details, Suricata seems more powerful, but performance-wise I notice all web services behind my OPNSense are now (with Maltrail instead of Suricata) noticeably more responsive and faster. Also CPU load is cut in half now.

Thoughts?
#4
IPv4 GW is now marked as default and is working just fine. By disabling the IPv6 gateway I also got rid of the above-mentioned error, so I guess all is working fine now.
#5
Good point - IPv6!
Dunno if I need it, or rather want it. We were all talking about it years ago, IPv4 would run out of address space....now it has all somehow settled down, and I actually forget about it, except if somebody points it out just like you did :)
You were right - DEBUG level revealed one message before the error:
2023-09-26T21:35:20 Error opnsense /system_gateways.php: ROUTING: not a valid default gateway address: ''
2023-09-26T21:35:20 Notice opnsense /system_gateways.php: ROUTING: configuring inet6 default gateway on wan


Regarding tunables errors.... I just went to SYSTEM --> TUNABLES and swept for coloured settings, which were all long obsolete. Deleted them and got rid of those warnings in the log.

Thank you very much for helping me out!
#6
After reboot I've got this in log:
2023-09-26T21:00:58 Warning opnsense /usr/local/sbin/pluginctl: warning: ignoring missing default tunable request: net.inet.ip.fastforwarding
2023-09-26T21:00:58 Warning opnsense /usr/local/sbin/pluginctl: warning: ignoring missing default tunable request: debug.pfftpproxy
2023-09-26T21:00:56 Warning opnsense /usr/local/etc/rc.newwanip: Interface '' (ovpns1) is disabled or empty, nothing to do.
2023-09-26T21:00:55 Error dhcp6c transmit failed: Can't assign requested address
2023-09-26T21:00:55 Error opnsense /usr/local/etc/rc.bootup: ROUTING: not a valid default gateway address: ''


So I went to GW settings and marked it as default UPSTREAM. After applying I've got:
2023-09-26T21:35:20 Error opnsense /system_gateways.php: ROUTING: not a valid default gateway address: ''
#7
Excellent observations, thanx! I spent half an hour trying to determine which is which; now you made it easy :)
#8
Will try your plugin...I have 3 instances of GW_WAN and have no idea which one is in use...

  <gateways>
    <gateway_item>
      <descr>Interface wan Gateway</descr>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <name>GW_WAN</name>
      <weight>1</weight>
      <interval>1</interval>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <monitor_disable>1</monitor_disable>
      <name>GW_WAN</name>
      <interval>1</interval>
      <weight>1</weight>
    </gateway_item>
    <gateway_item>
      <descr>Interface WAN Gateway</descr>
      <defaultgw>1</defaultgw>
      <ipprotocol>inet</ipprotocol>
      <interface>wan</interface>
      <gateway>1.2.3.4</gateway>
      <monitor_disable>1</monitor_disable>
      <name>GW_WAN</name>
      <interval>1</interval>
      <weight>1</weight>
    </gateway_item>
  </gateways>
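As an added example (not from the post, and not OPNsense's own tooling), a small Python script that parses the <gateways> block of a config.xml, lists every gateway name defined more than once, and removes only entries that are field-for-field copies of an earlier one; entries that share a name but differ (like the first GW_WAN above, which has no defaultgw) are left for a manual decision. The sample XML is constructed from the post's block, and the script should be run against a backup copy of the real file rather than in place.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample config.xml fragment modelled on the post's <gateways> block:
# three entries share the name GW_WAN; the last two are identical, the first differs.
SAMPLE_CONFIG = """<opnsense><gateways>
  <gateway_item><descr>Interface wan Gateway</descr><ipprotocol>inet</ipprotocol>
    <interface>wan</interface><gateway>1.2.3.4</gateway><name>GW_WAN</name></gateway_item>
  <gateway_item><descr>Interface WAN Gateway</descr><defaultgw>1</defaultgw>
    <ipprotocol>inet</ipprotocol><interface>wan</interface><gateway>1.2.3.4</gateway>
    <monitor_disable>1</monitor_disable><name>GW_WAN</name></gateway_item>
  <gateway_item><descr>Interface WAN Gateway</descr><defaultgw>1</defaultgw>
    <ipprotocol>inet</ipprotocol><interface>wan</interface><gateway>1.2.3.4</gateway>
    <monitor_disable>1</monitor_disable><name>GW_WAN</name></gateway_item>
  <gateway_item><name>GW_LAN</name><interface>lan</interface></gateway_item>
</gateways></opnsense>"""

def gateway_fields(item):
    """Flatten one <gateway_item> into a sorted, hashable tuple of (tag, text) pairs."""
    return tuple(sorted((c.tag, (c.text or "").strip()) for c in item))

def find_duplicate_gateways(xml_text):
    """Return {name: [field-tuples]} for every gateway name that appears more than once."""
    root = ET.fromstring(xml_text)
    by_name = defaultdict(list)
    for item in root.iter("gateway_item"):
        name = item.findtext("name", default="").strip()
        by_name[name].append(gateway_fields(item))
    return {n: items for n, items in by_name.items() if len(items) > 1}

def drop_exact_duplicates(xml_text):
    """Remove gateway_items identical to an earlier one (same name, same fields).
    Returns (new_xml, removed_count). Same-name entries whose fields differ are
    kept untouched: choosing between those is the manual part dpinger asks for."""
    root = ET.fromstring(xml_text)
    gateways = root.find("gateways")
    if gateways is None:
        return xml_text, 0
    seen, removed = set(), 0
    for item in list(gateways.findall("gateway_item")):
        key = gateway_fields(item)
        if key in seen:
            gateways.remove(item)
            removed += 1
        else:
            seen.add(key)
    return ET.tostring(root, encoding="unicode"), removed
```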
#9
General Discussion / [SOLVED] Cannot login via SSH
September 26, 2023, 06:17:54 PM
Hi,

any idea why I cannot login via SSH to my 23.7 version anymore? I am using Putty, terminal window opens, asks for login, I enter my username, then prompts for password, and as soon as I enter password, Putty terminal window closes. I can Putty to all other servers and devices, so I guess Putty is OK.

Logs in the OPNSense web console show as if I am logged in, but I am not:

2023-09-26T18:12:11 Critical nologin Attempted login by myusername on /dev/pts/0
2023-09-26T18:12:11 Informational sshd Accepted keyboard-interactive/pam for myusername from 123.212.63.25 port 52121 ssh2
2023-09-26T18:12:11 Notice audit user myusername authenticated successfully for sshd [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]


Lol...solution:
somehow under my username I've had the login shell set to /sbin/nologin, which is a polite refusal of login. Changed this to /bin/sh and I am in. :)
#10
Intrusion Detection and Prevention / Re: Suricata crashing
September 26, 2023, 03:54:45 PM
I tried reinstalling the suricata module, disabling and re-enabling it...and now I get a bunch of other errors. Could this be related to the ACME LE module? It is only used to get rid of the SSL warning when accessing the Web GUI.

2023-09-26T14:56:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> [90.164.29.160] 338" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 45468
2023-09-26T14:56:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_RULE_ARGUMENT(270)] - no rule options.
2023-09-26T14:53:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qinwilrlju" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 40720
2023-09-26T14:53:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
2023-09-26T14:47:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET " from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 7533
2023-09-26T14:47:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_DIRECTION(189)] - "" is not a valid direction modifier, "->" and "<>" are supported.
2023-09-26T14:39:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox bot" from file /usr/local/etc/suricata/opnsense.rules/abuse.ch.threatfox.rules at line 19387
2023-09-26T14:39:10 Error suricata [100352] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
#11
Thank you for confirmation, Franco!

BTW...manually editing config.xml? Is this just plain simple, like SSH to OPNSense box, locate config.xml, edit & save?
#12
Hi,

what direction is IDS/IPS protecting? From LAN to WAN or vice versa?
I mean, I am using OPNSense only to protect a dozen web and mail servers behind it (NAT-ed) and I am wondering if there's any use for IDS/IPS at all in this case?

For example... rule ET POLICY Cleartext WordPress Login ... will it kick in if an attacker is coming from WAN, trying to hack one of the WordPress sites that I am hosting?
#13
Intrusion Detection and Prevention / Re: Suricata crashing
September 26, 2023, 12:06:02 AM
Me too....when starting IPS/IDS.
I tried to reinstall, but it seems like a lot of config conflicts:

2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rdp enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol mqtt enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol rfb enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-25T23:42:28 Warning suricata [100443] <Warning> -- [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - App-Layer protocol sip enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details.
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.gocd.auth' is checked but not set. Checked in 2034333 and 0 other sigs
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'et.WinHttpRequest' is checked but not set. Checked in 2019823 and 0 other sigs
2023-09-24T19:54:23 Warning suricata [100330] <Warning> -- [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit 'ET.armwget' is checked but not set. Checked in 2024241 and 1 other sigs
2023-09-24T19:54:22 Error suricata [100330] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.servequake .com Domain"; flow:established,to_server; http.host; content:".servequake.com"; endswith; reference:url,www.noip.com/support/faq/free-dynamic-dns-domains/; classtype:bad-unknown; sid:2042817; rev:2; metadata:attack_target Client_and_Server, created_at 2022_12_14, deployment Perimeter, former_category INFO, performance_impact Low, signature_severity Informational, updated_at 2022_12_14, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_t" from file /usr/local/etc/suricata/opnsense.rules/emerging-info.rules at line 8730
2023-09-24T19:54:22 Error suricata [100330] <Error> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - no terminating ";" found
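The SC_ERR_INVALID_SIGNATURE errors in this post and in the earlier "Suricata crashing" post (no rule options, no terminating ";", an empty direction modifier) all point at rule lines that end before their structure is complete, and the SC_WARN_FLOWBIT warnings at flowbits that are checked but never set. As an added example, not the author's or Suricata's own code, here is a Python lint that reports both problem classes with line numbers; the rule lines are constructed for the example and HEADER_RE is an assumption that simplifies Suricata's real header grammar (it does not handle address lists containing spaces).

```python
import re

# Constructed rules file shaped like the failures logged above: one good rule,
# one rule that checks a flowbit nobody sets, then three truncated rules.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox bot"; flow:established,to_server; http.uri; content:"/abc"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"check only"; flowbits:isset,ET.armwget; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> [90.164.29.160] 338
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qinwilrlju"
alert dns $HOME_NET 
"""

# Assumed simplified header: action proto src sport (->|<>) dst dport, no spaces in lists.
HEADER_RE = re.compile(r"^\w+\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*$")
FLOWBIT_RE = re.compile(r"flowbits:\s*(set|isset|isnotset|toggle|unset)\s*,\s*([^;]+);")

def check_rule(line):
    """Structural check only (keywords are not validated); reasons echo Suricata's errors."""
    header, paren, options = line.partition("(")
    if not HEADER_RE.match(header):
        return "truncated header: expected action proto src sport (->|<>) dst dport"
    if not paren:
        return "no rule options"
    options = options.rstrip()
    if not options.endswith(")"):
        return 'no terminating ";" found (rule cut off inside its options)'
    if not options[:-1].rstrip().endswith(";"):
        return 'last option lacks terminating ";"'
    return None

def active_rules(text):
    """Yield (lineno, rule) for non-comment, non-blank lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line

def lint_rules(text):
    """Return [(lineno, reason)] for rules that would fail to load."""
    return [(n, r) for n, rule in active_rules(text) if (r := check_rule(rule))]

def checked_but_unset_flowbits(text):
    """Flowbit names used with isset/isnotset but never set or toggled in the file."""
    set_names, checked = set(), set()
    for _, rule in active_rules(text):
        for op, name in FLOWBIT_RE.findall(rule):
            if op in ("set", "toggle"):
                set_names.add(name.strip())
            elif op in ("isset", "isnotset"):
                checked.add(name.strip())
    return sorted(checked - set_names)
```

A rules file that trips this lint on many consecutive line numbers, as in the logs above, is usually a partial or corrupted download rather than a set of individually bad signatures, so re-downloading the ruleset is the first thing to try.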
#14
Same in my just upgraded box:

2023-09-25T22:34:06 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal
2023-09-25T22:34:06 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal
2023-09-25T22:34:05 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal
2023-09-25T22:34:05 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal
2023-09-25T22:34:04 Warning dpinger Gateway: duplicated entry "GW_WAN" in config.xml needs manual removal


Maybe useful for debugging:
I had the 19.1 version, pulled out the config, set up a new 23.7 virtual machine, then ran the wizard just to get access to the web interface, then I imported the old config. Maybe the wizard put duplicated GW_WAN entries there?
#15
Well, I disabled IDS/IPS entirely, because I have weird connectivity problems with servers behind this firewall. BTW...disabling IDS/IPS cut down 50% of CPU load.

What connectivity problems I have after upgrading 19.1 --> 23.7 version?

Well...looks like TLS traffic either times out or gets rejected. For example:

- The MAIL server behind OPNSense now has a postfix LOG with a lot of errors like this:
  postfix/smtps/smtpd[16986]: SSL_accept error from some.mail.server[123.10.14.72]: -1

- Then another MAIL server behind the firewall has problems resolving the blacklist multi.uribl.com:
  554 5.7.1 Service unavailable; Sender address [some.name@gmail.com] blocked using multi.uribl.com; 127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 172.253.12.3]

I tracked down the logs and those errors begin just at the time when I put the new OPNSense 23.7 into production.
Ideas welcome...