Messages

1

24.1 Legacy Series / Re: OpenSSH CVE-2024-6387

« on: July 10, 2024, 05:15:45 am »

All supported branches plus 13.2 (which is technically EOL but only for two day, now) received an SSH update that fixes the issue.

I am still finding my way around the software stack. What does "all supported branches plus 13.2" mean?

If I do a # ssl -V, I get OpenSSH_9.7p1. Do this mean that this is not vulnerable?
Just re-read the Qualys notice, and this version is vulnerable. My question above still stands, thanks.

2

24.1 Legacy Series / Missing Wireguard (Group) in the Firewall rules

« on: June 03, 2024, 02:10:05 pm »

Hi,

I am running v24.1.7.

Recently, I was playing around with Wireguard, and somehow, my Wireguard (Group) group no longer appears in the Firewall rules.
I tried rebooting, and also restarting Wireguard (un-check Enable, then re-check Enable) too. Neither helped.
I did create a Wireguard instance and also my Peer in the Wireguard configuration beforehand.

Any advice or things to try?

3

24.1 Legacy Series / Re: Unable to block traffic IN to LAN

« on: May 30, 2024, 04:23:33 pm »

I do apologise. I intended to attach 2 pictures previously, but one of them exceeded the max size and it wasn't attached.

I have now re-attached the 2 pictures. These 2 makes up the LAN auto-generated rules, which I understand to precede all other rules. If I understand correctly, all these rules are auto-gen and should be the same across any installation of OPNsense. This alias is auto-gen in *both* LAN and WAN rules, and both are set to block the IN direction.

What I am doing now is - I am using the __wazuh_agent_drop alias to block a particular IP, in this case 94.140.14.14. I have already ascertained that the Adguard IP is in the alias when I am testing the blocking.

What I don't understand is why the blocking does not occur. I don't see any preceding rule (before __wazuh_agent_drop) that triggers before it.

I am connecting a telnet session from a PC on the LAN to the Adguard IP.

4

24.1 Legacy Series / Re: Unable to block traffic IN to LAN

« on: May 30, 2024, 09:39:58 am »

Hi,

Thank you for the reply. I have been busy with trying to test Wazuh with OPNsense.

As a follow up, I am now using the alias '__wazuh_agent_drop' to effect a firewall block to the same Adguard DNS (94.140.14.14).
I am able to run the Wazuh active response script, which updates this alias to include the IP address 94.140.14.14.

I have attached the automatically generated rules (built-in by OPNsense), which includes the supposedly block rule in the LAN IN interface.

However, this rule is not being triggered. I verified this from the Live View log files. There's no blocking.

If I then test it with a WAN OUT rule that blocks __wazuh_agent_drop, the block is triggered successfully.

5

24.1 Legacy Series / Re: Unable to block traffic IN to LAN

« on: May 24, 2024, 07:08:03 am »

Thanks for replying.
I have attached the screenshots (not sure how to make it appear in post!)

This is the LAN rule.


This is the WAN rule.


This is the log files Live View.

6

24.1 Legacy Series / Unable to block traffic IN to LAN

« on: May 23, 2024, 09:31:13 am »

Hi,

I am having trouble with trying to block traffic IN to LAN to a specific public IP (e.g., Blocked_Internet_IP).
The firewall Log Files (Live View) is not showing any traffic when I send the traffic from a LAN host to this blocked IP on port 80, using "telnet Blocked_Internet_IP 80".

Strangely enough, the Firewall Log Files does show this connection OUT to WAN, to this Blocked_Internet_IP on port 80.
Furthermore, if I run a pcap capture (Interfaces -> Diagnostics) on the LAN interface, I can clearly see the traffic being received - which I assume must mean this is an IN traffic to the LAN interface.

I could create Block rules on the Firewall using WAN Interface OUT, but I understand this is not encouraged, therefore I would like to get to the bottom of this.

Thanks in advance for any tips.

7

Development and Code Review / Re: Wazuh Agent integration - call for tests

« on: May 18, 2024, 01:48:19 am »

I know, right?
Unfortunately, it's in production and the upgrade would be very disruptive, for now.

8

Development and Code Review / Re: Wazuh Agent integration - call for tests

« on: May 17, 2024, 05:23:00 pm »

Hi,

First of all, thank you for developing the plugin for OPNsense. It makes the integration of wazuh agent extremely easy.

I am, however, trying to run a older version of Wazuh Agent due to our manager running version 4.6.0.
As my OPNsense is the latest version (24.1.6) on FreeBSD 13.2-RELEASE-p11, I am finding that the installing using Plugin or using 'pkg' from CLI only has wazuh-agent 4.7.4 available.

To remedy this, I am trying to compile from the OPNsense ports

Code: [Select]

# opnsense-code ports
# cd /usr/ports/security/wazuh-agent
# git restore --source <hash> *
# make
# make install

I am currently stuck - do I run any post-install scripts? For example, add_localfiles.sh or gen_ossec.sh?

Furthermore, am I even on the right track?
Is this entire endeavour going to work?
Most instructions online call for the use of install.sh, but that's not included in the OPNsense port.

Any advice very much welcomed.