Messages - opnuser1

#1
Sorry, I did not save it. However, I did run the audit health before I destroyed that machine, but it didn't detect anything. But I still suspected that the port scanning was coming from that drive, so I removed the disk from the machine and scanned it with an AV. I immediately got some detections in the opt folder, so I just destroyed it.
4/4/2025 9:57:14 PM;Real-time file system protection;file;C:\av_test\Root\opt\npc\npc;a variant of Linux/Riskware.Nps.A application;cleaned by deleting
4/4/2025 9:57:47 PM;Real-time file system protection;file;C:\av_test\Root\usr\bin\npc-update;a variant of Linux/Riskware.Nps.A application;cleaned by deleting

I reinstalled opnsense from scratch and now there are no more port scanning attacks, so I'm pretty sure it was compromised.
#2
Update: scanned the opnsense drive and it was compromised. Damn.
#3
Sorry, let me clarify.  (that's the opnsense dark theme!)
All those other rules are disabled; I don't use them, I should delete them. But when I enable the wireguard rule, I immediately get port scanning attacks. Here are some others; they are similar:
3/31/2025 9:24:44 PM;TCP Port Scanning attack;Blocked;192.168.1.1:52872;192.168.1.111:139;TCP;Win32/Botnet.generic;;;;;;;
3/30/2025 7:02:16 AM;TCP Port Scanning attack;Blocked;192.168.1.1:47268;192.168.1.111:8888;TCP;Win32/Botnet.generic;;;;;;;

192.168.1.111 is my laptop getting these alerts.  192.168.1.1 is opnsense.
I don't run any IMAP server or anything.
There is another machine on the network and it also gets the alert as soon as I enable that rule.
And I have recently stopped a ransomware attack, so I am on the lookout for where the breach is, and seeing as how the laptop and opnsense are the only machines on the network, I think opnsense is compromised, but I am not sure.

I don't think I have any other custom rules or anything in the firewall other than the items from the Wireguard Roadwarrior instructions. That's why I posted about that WAN rule, because that is the one where, if I enable it, the alerts start.

I'm thinking of pulling the opnsense drive out and scanning it somehow, or just formatting it and starting over?  I just wanted your guys' opinion in case I am missing something.  Thank you.
#4
ESET is giving the alarm like this:
4/4/2025 3:03:09 AM;TCP Port Scanning attack;Blocked;192.168.1.1:34643;192.168.1.111:143;TCP;Win32/Botnet.generic;;;;;;;


This is the WAN rule (in the picture).

Thank you.
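The lines quoted in posts #1, #3 and #4 are ESET's semicolon-separated exports: a file-detection record (time; module; object type; object; threat; action) and an IDS alert record (time; event; action; source ip:port; target ip:port; protocol; threat name; empty trailing fields). The following parser is an added example for this thread, not ESET or OPNsense code; the field layout is inferred from the quoted lines and is an assumption, and the sample records are constructed copies of those lines. It groups the alerts by sending host and maps the Windows scan paths back to the firewall's filesystem, which is the information the replies ask for (which address, which ports, which files).

```python
"""Parse the two ESET export formats quoted in the thread and summarise them.

Added example for this thread; it is not ESET or OPNsense code. The field
layout is inferred from the quoted lines (an assumption), and the sample
records below are constructed copies of those lines.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the detection log lines from post #1 and the
# IDS alert lines from posts #3 and #4, in the layout ESET exported them.
SAMPLE_LINES = [
    r"4/4/2025 9:57:14 PM;Real-time file system protection;file;C:\av_test\Root\opt\npc\npc;a variant of Linux/Riskware.Nps.A application;cleaned by deleting",
    r"4/4/2025 9:57:47 PM;Real-time file system protection;file;C:\av_test\Root\usr\bin\npc-update;a variant of Linux/Riskware.Nps.A application;cleaned by deleting",
    "3/31/2025 9:24:44 PM;TCP Port Scanning attack;Blocked;192.168.1.1:52872;192.168.1.111:139;TCP;Win32/Botnet.generic;;;;;;;",
    "3/30/2025 7:02:16 AM;TCP Port Scanning attack;Blocked;192.168.1.1:47268;192.168.1.111:8888;TCP;Win32/Botnet.generic;;;;;;;",
    "4/4/2025 3:03:09 AM;TCP Port Scanning attack;Blocked;192.168.1.1:34643;192.168.1.111:143;TCP;Win32/Botnet.generic;;;;;;;",
]

# The disk was pulled from the firewall and scanned under Windows, so every
# object path starts with the mount point; strip it to get the FreeBSD path.
MOUNT_PREFIX = r"C:\av_test\Root"


def parse_time(text):
    """ESET's 12-hour US timestamp, e.g. '4/4/2025 9:57:14 PM'."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")


def to_unix_path(win_path, mount_prefix=MOUNT_PREFIX):
    """Map 'C:\\av_test\\Root\\opt\\npc\\npc' to '/opt/npc/npc'; None if not under the mount."""
    if not win_path.lower().startswith(mount_prefix.lower()):
        return None
    return win_path[len(mount_prefix):].replace("\\", "/") or "/"


def parse_line(line):
    """Return a dict for one export line; kind is 'detection', 'scan' or 'other'."""
    f = line.rstrip("\r\n").split(";")
    when = parse_time(f[0])
    if f[1] == "Real-time file system protection":
        return {"kind": "detection", "when": when, "object_type": f[2],
                "object": f[3], "threat": f[4], "action": f[5]}
    if f[1].endswith("Port Scanning attack"):
        src_ip, src_port = f[3].rsplit(":", 1)
        dst_ip, dst_port = f[4].rsplit(":", 1)
        return {"kind": "scan", "when": when, "action": f[2],
                "src": src_ip, "sport": int(src_port),
                "dst": dst_ip, "dport": int(dst_port),
                "proto": f[5], "threat": f[6]}
    return {"kind": "other", "when": when, "raw": line}


def summarize_scans(records, gateway_ip):
    """Group scan alerts by source host: count, time span, and the ports hit per target."""
    out = {}
    for r in records:
        if r["kind"] != "scan":
            continue
        e = out.setdefault(r["src"], {"count": 0, "first": r["when"], "last": r["when"],
                                      "is_gateway": r["src"] == gateway_ip,
                                      "targets": defaultdict(set)})
        e["count"] += 1
        e["first"] = min(e["first"], r["when"])
        e["last"] = max(e["last"], r["when"])
        e["targets"][r["dst"]].add(r["dport"])
    for e in out.values():
        e["targets"] = {dst: sorted(ports) for dst, ports in e["targets"].items()}
    return out


def detected_paths(records, mount_prefix=MOUNT_PREFIX):
    """Map each detected file back to its path on the scanned disk."""
    return {to_unix_path(r["object"], mount_prefix): r["threat"]
            for r in records if r["kind"] == "detection"}


if __name__ == "__main__":
    recs = [parse_line(line) for line in SAMPLE_LINES]
    for src, e in summarize_scans(recs, "192.168.1.1").items():
        tag = " (the firewall's LAN address)" if e["is_gateway"] else ""
        print(f"{src}{tag}: {e['count']} alerts, {e['first']} .. {e['last']}")
        for dst, ports in e["targets"].items():
            print(f"  -> {dst} ports {ports}")
    for path, threat in detected_paths(recs).items():
        print(f"{path}: {threat}")
```

Run over the quoted lines it reports one sender, 192.168.1.1, probing 192.168.1.111 on ports 139, 143 and 8888 between 3/30 and 4/4, and two detections at /opt/npc/npc and /usr/bin/npc-update. The alerts only identify the sending address, not the process behind it; tying them to a process has to be done on the firewall itself.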
#5
I set up wireguard according to the opnsense road warrior tutorial. But whenever I enable the WAN rule, my computer tells me that there is a TCP port scanning attack (generic botnet). Now I think my opnsense machine is compromised; it is coming from the opnsense IP and there are no other machines. Am I missing something? Thank you.
#6
I had an older version of opnsense installed.  It has since been corrected, so those entries are working now. Thank you.
#7
Quote from: Patrick M. Hausen on October 10, 2024, 03:27:11 PM
Quote from: Greg_E on October 10, 2024, 03:20:37 PM
In your DHCP, you could hand out the DNS servers like this:

1st: DC DNS address
2nd: firewall DNS address

This makes for all sorts of "interesting" failure modes unless you put a DNS forward for your internal domain in the Unbound config.

Services > Unbound DNS > Query forwarding

Add two entries:

- Domain: mydomain.lan
- Server IP: IP of your DC
- Server Port: 53

- Domain: _msdcs.mydomain.lan
- Server IP: IP of your DC
- Server Port: 53

HTH,
Patrick
When I try to add _msdcs.mydomain.lan, it says "A valid domain must be specified." and I am unable to continue. I can't seem to get past it.

Edit: I just checked, and it's the underscore that it won't accept. Not sure how to get around it.
#8
Hi guys, I have the network up and running now. So I found that the only place in opnsense where I use the Windows DC information is here:
In DHCP4 > LAN:
For DNS servers, I put the IP address of the Windows DC server (192.168.1.78).
For the domain name, I put the local LAN name (local.lan).

I found that without these settings, the network doesn't really work well. But as I mentioned, if the DC is not connected, the internet is not accessible at all for any of the computers in the network. I'd like the internet to still work, even if the DC is offline. When I didn't use opnsense and just used a router, this was the behavior: with the DC offline, the internet still worked with the router.

If there is a better way to configure this stuff, please advise. Thank you.

#9
Thank you gentlemen, for these responses.  Sorry for the delay.  I may be able to connect the machines soon and try these things out.  In the meantime, I am studying what you wrote and learning to see what I should do.  I'll respond again shortly.
#10
Ah yes, thank you for the response. Yes, you just reminded me of something. I don't have the DHCP role on the Windows DC; I actually am using opnsense for that, and prior to that, I was using the DHCP on my regular wifi router. Perhaps this is an issue also? I was intending on moving it to the Windows DC.

I don't necessarily want to do anything weird; I just remember that before I used opnsense and just had that router, if the DC went down, the rest of the machines still had internet access. I am trying to come up with a way to have that working with opnsense as well, if possible.
#11
I have a bit of an unusual problem I've never been able to figure out. I apologize in advance, as I can't post any screenshots since my machines are in storage at the moment. But this is a problem I was never able to fix, and I'll describe it as best as I can.
Before I had opnsense, I had just a regular wifi router.  I have a bunch of windows machines running on a Windows AD network.  When I got the opnsense machine, I placed it in front of everything.  The problem I have is that the internet to all the machines only works if the Windows domain controller server is connected.  I'd like the internet to work even if the DC is not connected, if that is even possible.  I'd like to do this without needing to move that role to opnsense since like I said it's a whole windows network.

Is there a way to do this? As far as I remember, in opnsense I had to put the internal LAN name of the domain controller in the general/system section of opnsense somewhere. And everything works fine; I was wondering if there is a way for the internet to be passed through even when the DC is not actually connected, or any other workaround where I can still have the Windows DC handling those roles, without transferring them to opnsense, that accomplishes the same thing.

Sorry if the info is not specific enough, this is the best I can remember.
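The split-forwarding setup that the reply quoted in post #7 describes (Unbound resolves everything itself and forwards only the AD domain and its _msdcs subtree to the DC) is also what makes internet lookups survive a DC outage, the problem in posts #8 to #11. The following is an added example for this thread, not OPNsense code and not the GUI's validator: it shows why a "valid domain" check that applies hostname rules (RFC 952/1123: letters, digits, hyphen) rejects _msdcs.mydomain.lan even though underscore-prefixed labels are ordinary DNS names (RFC 2782 SRV records live under them), and it emits the plain unbound.conf stanzas for both zones. The domain mydomain.lan is the quoted placeholder, 192.168.1.78 is the DC address from post #8, and the two server: options are assumptions about the surrounding Unbound configuration, explained in the comments.

```python
"""Unbound forward zones for an Active Directory domain, with name checks.

Added example for this thread; it is not OPNsense code and does not touch the
OPNsense GUI. Domain and DC address are placeholders taken from the posts.
"""
import re

# A hostname label: letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# A zone label as used in forward-zone names: the same, plus an optional leading
# underscore for the SRV-style subtrees (_msdcs, _tcp, _udp, _sites, ...).
ZONE_LABEL = re.compile(r"^_?[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _labels(name):
    """Split a name into labels; None if empty or longer than DNS allows."""
    name = name.strip().rstrip(".")
    if not name or len(name) > 253:
        return None
    return name.split(".")


def is_valid_hostname(name):
    """The strict check a 'valid domain' field typically applies; rejects _msdcs.*."""
    labels = _labels(name)
    return labels is not None and all(HOSTNAME_LABEL.match(l) for l in labels)


def is_valid_zone_name(name):
    """What a forward-zone name actually needs; accepts _msdcs.mydomain.lan."""
    labels = _labels(name)
    return labels is not None and all(ZONE_LABEL.match(l) for l in labels)


def forward_zone(zone, dc_ip, port=53):
    """One unbound.conf forward-zone stanza pointing a zone at the DC."""
    if not is_valid_zone_name(zone):
        raise ValueError(f"unusable zone name: {zone!r}")
    return ("forward-zone:\n"
            f'    name: "{zone.rstrip(".")}."\n'
            f"    forward-addr: {dc_ip}@{port}\n")


def ad_forward_config(ad_domain, dc_ip, port=53):
    """Config for an AD domain: the domain and its _msdcs subtree go to the DC.

    Everything else is resolved by Unbound's own recursion, so a DC outage
    only breaks lookups of AD names, not of public ones.
    """
    ad_domain = ad_domain.rstrip(".")
    server = ("server:\n"
              # Assumption: the AD zone is unsigned, so do not try to validate
              # it with DNSSEC (harmless if validation is not enabled).
              f'    domain-insecure: "{ad_domain}"\n'
              # Assumption: the zone answers with RFC 1918 addresses, which
              # private-address filtering would otherwise drop (harmless if no
              # private-address entries are configured).
              f'    private-domain: "{ad_domain}"\n')
    zones = "".join(forward_zone(z, dc_ip, port)
                    for z in (ad_domain, f"_msdcs.{ad_domain}"))
    return server + zones


if __name__ == "__main__":
    for name in ("mydomain.lan", "_msdcs.mydomain.lan"):
        print(f"{name}: hostname-valid={is_valid_hostname(name)} "
              f"zone-valid={is_valid_zone_name(name)}")
    print(ad_forward_config("mydomain.lan", "192.168.1.78"))
```

With these stanzas loaded into Unbound (OPNsense reads custom Unbound snippets from a directory under /usr/local/etc/unbound.opnsense.d/ in current releases; verify the path for your version, this example assumes nothing about it), DHCP can hand out the firewall's own address as the only DNS server: AD lookups still reach the DC, and public lookups no longer depend on it.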
#12
I had HAProxy configured to forward ports 80 and 443 to multiple servers based on the hostname. It was working great. Then I enabled UPnP, and it completely ruined the HAProxy setup. None of the sites were working, in that they would just give cert errors and such. The listen addresses are 0.0.0.0:80, etc.

Once I disabled UPnP, it all works again as expected. I'm just curious what the explanation is. Thank you.
#13
Quote from: cookiemonster on June 26, 2023, 04:27:45 PM
I'd call it fair. According to the header, the thread has been read 171056 times as of now. 37 pages of assistance.
Thank you.
Totally fair, and above and beyond. It helped me solve a long-standing goal of mine. I was thinking of starting a similar thread, but maybe it's not a good idea if I do not even know the basics.
#14
TheHellSite has provided a great, extremely handy tutorial here, so thank you for that.  Very much appreciated.

He does get annoyed when people don't know what they are talking about. But at the same time, if someone knew all these things, they wouldn't be here for help. So I don't get that. But it does suck up your time, so either way I get it.
#15
I found the issue for my post above. I had the UPnP plugin installed and enabled. For whatever reason, that messed with my setup. I disabled it and it works again.