Messages - HankM

#1
I have 5 dedicated IP addresses that host webservers and a Postfix/Dovecot mail server in my office. We use port forwarding to split the IP addresses, which all feed into the OPNsense firewall(?). As attempted hackers and scanners are caught by Fail2ban, we put them into blocklists on the firewall so we can delete the thousands of intruders and block them not just for the one server but for ALL of them.

We use Let's Encrypt and thus we are forced to have Port 80 open for renewals, but Port 80 is the only one open and only for the two servers that host the mail server and websites.

Your comment:
OPNsense by default blocks everything coming in on WAN, anyway.

Is obviously not true, because ONLY Censys and a couple of other scanners have an open door to ALL my servers. Now if you have 10,000 IP addresses that are blocked and NONE ever allow the same IP address back again then there are a bunch of scanners that ARE allowed free access. Are you saying it's a coincidence, it's MY fault because I'm an idiot who doesn't know what he's doing or are you one of them in your byline at the bottom?

When people instantly and rudely go on the defensive, I guess I'm onto something.
#2
Three weeks ago, I blocked the entire subnets for the Censys menace:
167.94.146.0/24, 167.94.145.0/24 and 167.94.138.0/24

I've also blocked, IN ADDITION, the individual IP addresses that still get through the firewall and suck up my bandwidth. What's the point of a firewall if it still has holes in it for the scanner menaces? I sometimes think there are more scanners than people on the internet.

Is this deliberate? Is OPNsense set up to allow certain addresses through it, or have they devised a strategy that gives them access no matter what? In which case, it's time you did something about it.

I find this VERY disturbing. NO ONE has the right to probe my servers and try to access my mail server without my permission.

Don't tell me it's MY mistake. The firewall blocks everyone else in the blocklist, including subnets, but Censys, Shodan and some others that are blocked by individual IP addresses keep coming back.

And PLEASE don't tell me that these are all 'benign' and for my own good. How would you like it if I came around to your home every day and checked all the doors and windows, hoping to find one open?
#3
I need to whitelist Let's Encrypt Certbot's ACME challenge and let it through.

With my limited knowledge, I created this firewall WAN rule:

Action - Pass
Interface - WAN
Direction - In
TCP/IP Version - IPv4
Protocol - TCP
Source - any
Destination - Single Host - 72.xx.xxx.xxx The public IP of the mail server /32
Destination Port Range 80 to 443 (or do I need one rule for each?)
Gateway - ?? Default (or should it be my internal one or WAN PPPoE?)

I left it at default.

I moved the rule to the top of my list of blocked IP addresses (Country Block), but it doesn't work.

The people at Let's Encrypt tell me that I've managed to block some of the ACME challenge servers, and I had hoped that this would fix it.

What have I done wrong?
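The rule above is a good case for a small model of what pf (the packet filter under OPNsense) does with an inbound WAN packet. This is an added example, not OPNsense's code, and it rests on three properties of pf: a port forward (rdr) rewrites the destination address before any filter rule is consulted, so a pass rule has to match the forwarded-to address rather than the public one (the "add associated filter rule" option on an OPNsense port forward creates exactly that rule); rules are walked top-down and the first match wins; and an alias that currently resolves to no addresses matches nothing, so a block rule built on it blocks nothing. All addresses are constructed documentation ranges standing in for the real ones. Two details worth noticing: HTTP-01 validation only needs TCP/80 and arrives from several Let's Encrypt vantage points, so the source has to stay "any"; and a destination port range of "80 to 443" also contains 110 (POP3) and 143 (IMAP).

```python
"""Constructed model of pf's decision for an inbound WAN packet: port forwards
(rdr) apply first, then filter rules are matched top-down, first match wins.
Example code, not OPNsense's own; addresses are documentation ranges."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rdr:
    dst: str            # public (virtual) IP the packet arrives for
    ports: tuple        # inclusive destination port range, e.g. (80, 80)
    target: str         # internal address the destination is rewritten to


@dataclass(frozen=True)
class Rule:
    action: str         # "pass" or "block"
    src: str = "any"    # "any", an address/network literal, or an alias name
    dst: str = "any"
    ports: tuple = (1, 65535)
    label: str = ""


def matches(aliases, spec, ip):
    """True when ip is covered by spec (an alias name or a literal network)."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if spec in aliases:
        nets = aliases[spec]        # an empty alias (empty table) matches nothing
    else:
        nets = [ipaddress.ip_network(spec, strict=False)]
    return any(addr in n for n in nets)


def translate(rdrs, dst_ip, dport):
    """Apply the first matching port forward; unmatched traffic is unchanged."""
    for r in rdrs:
        if r.dst == dst_ip and r.ports[0] <= dport <= r.ports[1]:
            return r.target
    return dst_ip


def evaluate(rules, rdrs, aliases, src_ip, dst_ip, dport):
    """Return (action, label) for an inbound TCP packet on WAN."""
    dst_after_nat = translate(rdrs, dst_ip, dport)   # rdr happens before filtering
    for rule in rules:
        if not rule.ports[0] <= dport <= rule.ports[1]:
            continue
        if not matches(aliases, rule.src, src_ip):
            continue
        if not matches(aliases, rule.dst, dst_after_nat):
            continue
        return rule.action, rule.label
    return "block", "default deny"


def nets(*cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed data: documentation addresses stand in for the real ones.
PUBLIC_MAIL = "203.0.113.59"     # the /32 virtual IP on WAN
INSIDE_MAIL = "192.168.0.59"     # the port-forward target on LAN
SCANNER = "198.51.100.26"        # an address inside a blocklist alias
VALIDATOR = "192.0.2.77"         # an ACME validation host, not blocked

ALIASES = {
    "stretchoid_drop": nets("198.51.100.0/24"),
    "censys_drop": nets("167.94.146.0/24", "167.94.145.0/24", "167.94.138.0/24"),
}
# The same aliases after the stretchoid table has lost its contents.
ALIASES_EMPTY_TABLE = dict(ALIASES, stretchoid_drop=[])

RDRS = [Rdr(PUBLIC_MAIL, (1, 65535), INSIDE_MAIL)]

# A: the post's rule on top, destination = public IP, ports 80 to 443.
RULES_A = [
    Rule("pass", dst=PUBLIC_MAIL, ports=(80, 443), label="acme (public ip)"),
    Rule("block", src="stretchoid_drop", label="stretchoid_drop"),
    Rule("block", src="censys_drop", label="censys_drop"),
]
# B: same rule, but matching the translated (inside) destination.
RULES_B = [
    Rule("pass", dst=INSIDE_MAIL, ports=(80, 443), label="acme (inside ip)"),
    Rule("block", src="stretchoid_drop", label="stretchoid_drop"),
    Rule("block", src="censys_drop", label="censys_drop"),
]
# C: blocklists first, then a pass for TCP/80 only.
RULES_C = [
    Rule("block", src="stretchoid_drop", label="stretchoid_drop"),
    Rule("block", src="censys_drop", label="censys_drop"),
    Rule("pass", dst=INSIDE_MAIL, ports=(80, 80), label="acme http-01"),
]

if __name__ == "__main__":
    for name, rules in (("A", RULES_A), ("B", RULES_B), ("C", RULES_C)):
        for src, port in ((VALIDATOR, 80), (SCANNER, 80), (SCANNER, 110)):
            print(name, src, port, evaluate(rules, RDRS, ALIASES, src, PUBLIC_MAIL, port))
    print("C with empty table:", evaluate(RULES_C, RDRS, ALIASES_EMPTY_TABLE, SCANNER, PUBLIC_MAIL, 80))
```

Variant A never passes anything, because after the port forward the destination is the inside address. Variant B lets the validator in, but also lets every blocked source reach ports 80 through 443, POP3 and IMAP included, since the pass sits above the block rules. Variant C does what the post asks for, and the last line shows the other failure mode: once the stretchoid alias resolves to nothing, its block rule is inert and the scanner sails through on port 80. On the OPNsense shell, `pfctl -sr` lists the loaded rules in evaluation order and `pfctl -t stretchoid_drop -T show` prints what the kernel table for that alias actually holds, which is what the block rule tests, independently of what the GUI alias page displays.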
#5
OK, clever guys, so riddle me this:
I have a very simple installation. All traffic is allowed except for the IP addresses on blocklists, which are:
hacker_drop
stretchoid_drop
shodan_drop
misc_scanners_drop
int_census.drop

There are no fancy rules, so I don't see how such a comment as "troubleshoot" is relevant.

SO PLEASE explain as this IS reproducible. You can try it yourself.

Create a blocklist stretchoid_drop and, if you like, you can create all the others, but make sure you put Stretchoid's addresses in stretchoid_drop.
Go to Firewall --> Diagnostics --> Aliases and check that all the above are populated.

Now reboot OPNsense.

Go to Firewall --> Diagnostics --> Aliases and check that all the above are populated.

hacker_drop FINE
shodan_drop FINE
misc_scanners_drop FINE
int_census.drop FINE

stretchoid_drop is BLANK; every IP address is GONE.

Now YOU troubleshoot THAT!
#6
I already feel I'm wasting my time. If I have 5,000 IP addresses in my block list and 4,999 of them work, WTF are you asking me to show you the rule for?

I didn't ask for HELP. I wanted to know WHY.

IS OPNsense deliberately allowing IPs to penetrate their firewall by request/demand of the US government? THAT is my question.

To satisfy YOUR question, I downloaded the (readily available - if you take the trouble to search for them) lists and entered EVERY one into the firewall BY HAND and YES they are all there and YES they all work except the three I've spotted so far.

Can you now find something else to divert away from giving a straight answer to my question?

If it isn't deliberate, THERE'S A BUG.

#7
Internet_defence is supposed to be a list of threats which you can use in OPNsense to block threats. (https://internetdefensesystems.com/list/badips.bydate.part01.txt)

Many of the IP addresses in there appear in the firewall (as the info I sent), but many of them (especially scanners) DON'T GET BLOCKED. This is why I created my own blocklist. This means that OPNsense is reading the list, but why are some being bypassed?

My own blocklist works. I have over 5,000 bad actors in it and, with the exception of the three I mentioned from Stretchoid, once they are in my blocklist I never see them again, so there is NO reason why (so far) three IPs from Stretchoid are bypassing the firewall.

I don't have the other two; I never wrote them down as I thought maybe I had messed up. I'm sure they'll be back. These scanners are using a massive amount of bandwidth and they are at it 24 x 7. Since I started blocking them, the speed of all our computers has improved dramatically.

I've caught as many as TEN scanners all hacking away at my servers simultaneously.

To list the ones I have and the number of scanners:

Alphastrike - 10
Binary Edge Ninja - 128
Internet Census - 198
Leakix - 51
Netsystems research - 139
Onyphe - 51
Rapid 7 - 108
SecurityIP - 59
Shadow Server - 190
Shodan - 81
Stretchoid - 1828

Most of these lists also contain subnets from /28 to /24, so the actual number is far higher than those above. That's a total of >2844 scanners trying to hack your computers and servers and wasting the bandwidth 24 x 7.

All these lists are available on the web if you go search for them.

Now if YOU are happy with some asshole checking all the doors and windows of your house and taking inventory of all your belongings, 24 x 7, good for you. I'm NOT.

IMO it's pretty obvious who uses stretchoid and it definitely is NOT benign.
#8
This isn't the first time this has happened.

107.170.237.26 is blocked by Internet Defense. I caught this same IP address a week ago trying to hack my mail server, so I added it to my own block list.

Yesterday the same IP tried again to hack my mail server:
Accepted POP3 connection with: 107.170.237.26
19:11:05 1CF *** NEW PHYS. CONNECTION, Tbl Entry=0, Socket=82
19:11:05 1CF POP3 command: MGLNDD_xxx.xxx.xxx.xxx_110
19:11:06 1CF POP3 session ended: 107.170.237.26
19:11:06 1CF *** PHYSICAL PORT DISCONNECTED, Tbl Entry=0, Socket=82

Not just this one attempt TEN TIMES.

This IP belongs to stretchoid, who have close to 2,000 of these so-called 'research scanners' all running world-wide on Digital Ocean.

Don't come with the BS that this is 'ethical hacking' to make the world a better place. To be an ethical hacker YOU NEED PERMISSION.

If I go around houses checking the front and back doors of every house, what do you think Mr Plod is going to say when I tell him "it's only for research."?

My question is:
Is this a BUG in OPNsense, or is it a deliberate back door for the US alphabet agencies?

Oh and before you tell me, I haven't entered it properly, I have checked it.

Enter an IP address to show in which aliases it is used.
107.170.237.26
internet_defence
stretchoid_drop (my own block list)

This is NOT the first Stretchoid IP address that has succeeded in bypassing OPNsense. On the two previous occasions I thought maybe it was me. IT ISN'T.
#9
I just want to get this straight. As a complete newbie to OPNsense, I run into a problem.

I post a cry for help :

Help needed for a problem with Port Forwarding
« on: July 21, 2022, 06:40:42 pm »

My site is down, I'm getting nowhere fast.

SIXTEEN days later, I get a response. I'm really surprised that anyone bothered. Beginners on this site seem to be ignored. My other three questions are still totally ignored.

In the meantime, I had to look for help from other Linux sites, who, like me, were pretty surprised at the "great" support from OPNsense if the question happens to be a beginner's. Anything complex seems to attract a flurry of answers within hours.

What a great way to attract new users. I have to be honest, OPNsense support is the worst so far that I have come across, even including Microsoft.
#10
I've found googleuserbots that I add to my block list, but they simply ignore it and keep coming back. I've picked up several other IP addresses that simply ignore blocks and keep popping up. How is this possible? Does OPNsense allow certain IP addresses unconditional access?

Like these

vsftpd:
    Authentication Failures:
       unknown (158.54.211.130.bc.googleusercontent.com): 1 Time(s)
       unknown (183.127.77.34.bc.googleusercontent.com): 1 Time(s)
       unknown (32.248.140.34.bc.googleusercontent.com): 1 Time(s)
       unknown (55.96.76.34.bc.googleusercontent.com): 1 Time(s)
       unknown (inspire.census.shodan.io): 1 Time(s)
    Invalid Users:
       Unknown Account: 5 Time(s)
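Two details of the summary above decide whether a blocklist entry made from it will ever match. Google Cloud reverse DNS names carry the octets in reverse order (a PTR of `a.b.c.d.bc.googleusercontent.com` belongs to host `d.c.b.a`), so an alias entry copied literally from the line, `158.54.211.130`, blocks an unrelated address and the real source keeps connecting; and a line that shows only a name, like `inspire.census.shodan.io`, carries no address at all, so the entry has to come from the source IP in the raw vsftpd or fail2ban log rather than from the name. The following is an added example, not OPNsense's or fail2ban's code, that turns such a summary into alias entries; the sample lines are constructed from the post's format and the `192.0.2.x` entries are documentation addresses.

```python
"""Added example: derive blocklist alias entries from a logwatch-style vsftpd
summary. Not OPNsense's or fail2ban's code; the sample is constructed."""
import ipaddress
import re

# Constructed sample in the shape of the logwatch output in the post.
SAMPLE = """\
vsftpd:
    Authentication Failures:
       unknown (158.54.211.130.bc.googleusercontent.com): 1 Time(s)
       unknown (183.127.77.34.bc.googleusercontent.com): 1 Time(s)
       unknown (inspire.census.shodan.io): 1 Time(s)
       unknown (192.0.2.44): 3 Time(s)
       unknown (192.0.2.45): 1 Time(s)
"""

ENTRY_RE = re.compile(r"\((?P<host>[^)]+)\):\s*(?P<count>\d+)\s+Time")
GCE_PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.bc\.googleusercontent\.com$")


def address_for(host):
    """Address to block for a logged host, or None if only a name was logged."""
    try:
        return str(ipaddress.ip_address(host))        # already a bare address
    except ValueError:
        pass
    m = GCE_PTR_RE.match(host)
    if m:
        # Google Cloud PTR names list the octets reversed; restore the host address.
        return str(ipaddress.ip_address(".".join(reversed(m.groups()))))
    return None                                       # needs the raw log's source IP


def parse_summary(text):
    """Return (host, address_or_None, count) for every failure line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            host = m.group("host")
            entries.append((host, address_for(host), int(m.group("count"))))
    return entries


def blocklist(entries):
    """Collapse the addresses into the smallest set of CIDR entries for an alias."""
    addrs = [ipaddress.ip_network(a) for _, a, _ in entries if a]
    return [str(n) for n in ipaddress.collapse_addresses(addrs)]


def unresolved(entries):
    """Hosts that were logged by name only and must be looked up in the raw log."""
    return [h for h, a, _ in entries if a is None]


if __name__ == "__main__":
    found = parse_summary(SAMPLE)
    for host, addr, count in found:
        print(f"{host:45} -> {addr}  ({count}x)")
    print("alias entries:", blocklist(found))
    print("name only, take the IP from the raw log:", unresolved(found))
```

Adjacent hosts fold into one prefix (`192.0.2.44` and `192.0.2.45` become `192.0.2.44/31`), which is the same reduction behind the /28 to /24 entries in the published scanner lists. A PTR record is set by whoever controls the address's reverse zone and can say anything, so when the raw log has the numeric source address, use that and treat the name only as a hint about who is behind it.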


#11
This is driving me up the wall.

We have an old CentOS 7.3 server. We have 2 x SMP Forums running on it and a Welcome webpage.

It's worked for years and has never been updated.

We have a /29 network and we use xxx.xxx.xxx.57 as a Gateway and 58,59,60,61, and 62 are available. We only used 58 and 59. 58 is the old CentOS server and 59 is our mail server.

We use the OPNsense firewall, and the CentOS box does shftp and the 2 Forums with Let's Encrypt SSL certs. It works perfectly.

After installing a new Alma server, we cloned the setup and created a new Virtual IP for xxx.xxx.xxx.60.
Set up an alias for the Alma server (cloned the CentOS one and changed the necessary).

Cloned the port forwarding from CentOS and changed the necessary.

Cloned the CentOS WAN rules and changed the necessary.

Copied the two Forums over to the same locations and copied the /etc/httpd/conf.d files for the Forums.

Time to change the DNS. We have our own DNS servers. Entered the new server and internal address xxx.xxx.xxx.213 (the old one was 203).

Because we host a sub-domain of the main domain (which is on a hosting site) in our office, we use Dynu to handle the sub-domain DNS. Added the new server, took out the CentOS one and entered xxx.xxx.xxx.60 for the 2 x forums and the www page. IDENTICAL to the CentOS, just the IP addresses different.

It's all gotta work, no?

Right, NO it doesn't.

I can ping xxx.xxx.xxx.60 from my workstation, from in the Alma server, no problem
If I try http://xxx.xxx.xxx.60 from any PC or from the Alma box. It times out.
I try to telnet to 80, 443, 20, 21, SSH (all these ports are configured on the OPNsense EXACTLY the same as the CentOS). NOTHING, NADA.

Now for the fun part. If I start the old CentOS server, NOW I can telnet and get the Apache page when I type http://xxx.xxx.xxx.60.

WTF am I doing wrong? It MUST be the firewall. I've checked the firewall is set up on Alma EXACTLY the same as CentOS. SELinux is disabled (I hate it).

Can anyone out there help?
#12
I've just installed and setup OPNsense. I THOUGHT I understood how the Virtual IPs, Aliases and Rules work, but I'm missing something here.

I have 4 Virtual IPs
Mailserver,
Webserver1
Webserver2
Plex

Both Webservers are on CentOS (one on CentOS 7 and the other CentOS 8); both are virtual servers on Apache. (I upgraded from Smoothwall Express 3.1 and they were working fine before the upgrade. In fact, if I down the OPNsense and reload Smoothwall it all still works, so it's me. I've done something stupid or I'm missing something.)

I have 3 x DNS servers all have entries for the servers.

In NET --> Virtual IPs --> Settings I have xxx.xxx.xxx.xxx/29, one for each Virtual IP.
In Aliases I have:
Mailserver and Mailserver Ports
Webserver1 and Webserver1 Ports
Webserver2 and Webserver2 Ports
Plex and Plex Ports

In NAT Port Forward, I have an entry for each of the above
Interface -WAN
TCP/IP Version - IPv4
Protocol - TCP
Destination - one of the Virtual IP addresses
Destination Port Range - the Alias for Port range
Redirect Target IP - Alias of the server.

In Rules I have an entry Pass for each one.
My Mailserver works fine
Plex works fine.
Both my CentOS Webservers work INTERNAL, but no one can connect to them from EXTERNAL.

I thought Ports 80 and 443 are open by default. I was obviously wrong. I tried putting those ports into the Alias as well - same result

A customer tried to ping and tracert. Nada.

What have I missed / done wrong?

If I go to a VPN and try to access the site after a LONG wait I get the message:
write tcp 10.238.1.122:46489: write: connection timed out

WTF is 10.238.1.122? Nothing to do with us; we are on a 192.168.0.0/24 network.