Messages

Yes, that's perfectly normal. And also yes, the consumer routers don't even bother to create such logs, as they're not useful to their intended audience (since the average user couldn't do anything about it, anyway) and in fact more likely to cause the effect you experienced. ;)

Yes, the truth is that I was surprised by the number of scans. But I am not surprised so much that these scans exist, but rather in the sense that, if they exist, and considering that no system is perfect, additional measures must be put in place immediately afterwards. They have suggested incorporating Fail2Ban but I was looking for a plugin that could scan the packets that can bypass the blocking rule.
It is true that the home user did not understand the information provided by the logs, most do not even know how to enter the configuration, but it would not be superfluous to incorporate a simple log into each router for any technician who may need it to audit or correct any anomaly.

Skimming these screenshots, there seems to be only a single instance of an actual "port scan" in the traditional sense, which is the one coming from 185.246.128.192. All others either are "trickle scans" (which is unlikely, you only use these when you have a specific mark and know they're looking out for scans) or just misdirected connection attempts by legitimate users. These come from outdated dynamic address info, which you get literally on a daily basis with IPv4 (the entire point of using DynDNS services). Most are single connects, which could be looking for one specific service to (ab)use (probably some IoT stuff, which has a high probability of being both outdated and unprotected. Maybe a botnet trying to find peers.). But then again, the ports wouldn't differ so much (IMO). If you're curious, you could try looking up these ports to see what they might be after. Or it might just be what happens when something like bittorrent is started with a cache more than a few weeks old. And then look at the guy on 45.142.193.191, several attempts to the same port (52073). Probably someone trying to connect to their buddies self-hosted game server. Or someone about to find out that their own DynDNS had failed, as happened to me more than once. :) You'd probably see a few pings afterwards the first time they experience that. ;)

In this regard, given that it is a domestic connection with dynamic IP, surely many attempts can be inherited from whoever previously had this IP assigned. While it is true that there are probably remnants of previous scans, this does not mean that IPs from Shodan "care" more, since they may have a clear intention to expose credentials. Hence, take precautions as much as possible.

So, as has been said: make certain to only have ports open that you know about, and then make certain these services are protected as good as you can manage, and also run only when they actually need to run. The really dangerous stuff would appear in green, indicating something was allowed through. So you'd filter for unexpected connection attempts to the services you do have open and check the logs of these services. You could also try to find any suspicious activity from their pattern (if there is any), and then ponder what could possibly be done to prevent that.
For a while I was wondering about the lucky chance of someone probing a port that has been opened for replies to an outgoing request, but that's why firewalls track those (this is the "state violation" part of the message). Note that if you open some port for games or such you'll not be in immediate danger when the game isn't running: the packet will be allowed into the LAN, reach your PC and then go poof. However, your system will send an ICMP error message, so the attacker knows that a system is reachable on that port, but has nothing there. So it could be used to map you out and plan an attack based on that info, but attackers are lazy and will just move on to find easier prey. Especially with your IP address changing daily, they'd lose track of you unless they are tracking your IP. In that case, you should indeed be worried, but of course you'll never know about that until it's too late (or not even then).

In my case the exposed ports are from P2P applications. They are not from games or anything else. Which means that I can even disable them and enable them again when I need them since I have control of the Firewall myself. This would allow me to analyze the erroneous attempts more slowly and filter the open ports when I have more time to analyze.

So, the net sure has become busier than a decade ago, but that's a given with the number of devices and people connected. More noise, and more potential victims.

Of course, I have IoT devices that I need to review. Home Assistant is implemented so that in the long run everything will be under local control, but there are some devices that still connect to the manufacturer's cloud and therefore expose part of the system. Hence the intention (not yet implemented) to isolate IoT devices in a separate VLAN as I have done with the Management VLAN for managing Proxmox Hosts and other devices at the administrative level. For me, it is the best way to segment and isolate.

Ransomware usually arrives through email. Basically, anything with an attachment definitely is, and anything without has links to either phishing or more malware. This has always been the most successful attack, and its likelihood of working against you increases with every account you create: more places to steal information from, more information to be stolen, more context to create a believable scam. Currently, there seems to be quite the success with "Payment declined: your cloud data is in immediate risk of being deleted". Of course this works better than the "African prince inheritance fund" scam, because so many people made the mistake of using cloud storage services. Yes, I think it's a liability for businesses, too.

The cases of Ransomware experienced by third-party companies during my working life activate caution with unknown sources. All accounts that can be compromised with MFA and random passwords of at least 20 self-generated characters, local password manager with access via VPN or local, never from the WAN. And obviously the certainty that princely inheritances do not touch and that if it is necessary to update bank data, for example, the entity must request a visit to an office in person. I think what happens with most people is that they see computing as the use of another household appliance and that they are not aware of the danger of identity theft or data theft with which to blackmail. Although, due to many preventive measures, we are all human and can fall for scams, I think that in this aspect I am sufficiently aware. My concern is more about implementing effective additional protections than believing that in an interconnected world an operator router is sufficient to protect an infrastructure.

BTW: please correct me if any of my conclusions or reasonings are flawed!

Thank you for your responses. I'm coming from HGU Mitrastar from O2 Spain and there's no logs like this. Maybe I'm suffering this from time ago but OPNsense brings more control aboust who's trying to access than ISP's router.

Open ports can be closed and open when they are needed. No problem. Having this amount of blocked connections shocked me at first, but I think it's normal since there are a lot of people acting like Script Kiddies scanning ports, and there's also a community of people that wants to access foreing systems to infect with Ransomware.

There are a some examples of my logs:

https://storage.imgbly.com/imgbly/1ESavGSJBM.png
https://storage.imgbly.com/imgbly/3gbNLC6bC3.png
https://storage.imgbly.com/imgbly/QfGScH2lcY.png
https://storage.imgbly.com/imgbly/QGRibM56FZ.png

And yes, these attemps are blocked by "default deny violation rule".

So, I think that I must consider my scenario as normal, right?

Thank you

Good afternoon,

I am writing this thread in reference to the logs of my virtualized OPNsense on Proxmox, in which I am seeing in LiveView of the Firewall logs that I am having constant attempts at port scans.

I have been evaluating for days whether to incorporate measures such as IDS/IPS but first I wanted to ask (sorry if it should be obvious).

First of all, is it normal to see all these attempts or does it mean that there is something exposed externally that should not be?

I only have 4 ports open by NAT to a single device on the LAN of P2P applications, which are also open with different ports to those used by default by the application itself and which I can also deactivate and activate when I need them.

Secondly, I would like to know if I can somehow improve the protection against these scans, either with IDS or IPS or with other tools or plugins. The learning I have gained since I started my HomeLab is growing but there are concepts and ways of working of how each packet is handled by a firewall that I still have to understand and I prefer to raise the issue to guide me towards the correct solution.

I can attach screenshots if necessary.

I've joined the translation, but I don't see any files to translate. Maybe I need to wait for acceptance?

Hello, I would like to help translate OPNsense into Catalan. How can I get started? How can I request that the language be added to poedit.com?

Hi, I want to start translation to Catalan. How to do it? It's possible to do it from poeditor.com ? How to add it and start tanslating and searching for other volunteers?

- In this way access to iLO is lost. Still investigating the reason.

Reason found: When the server is started, OPNsense is not running and iLO is configured to obtain IP configuration via DHCP. Therefore, iLO cannot obtain IP from DHCP server which is on LAN side of OPNSense, when it is not started. Resolved by setting static IP configuration within iLO.

Hi,

I am writing to raise some issues that I am encountering when trying to set up my Home Lab with an HPE ML30 Gen10 server, virtualization via Proxmox, and a VM with OPNsense.

First of all, I will raise the scenario:

- HPE ML30 server with 2 Gigabit LANs
- Fake RAID controller disabled in BIOS. BIOS in AHCI mode
- Installation of Proxmox on RAID 1 by software with ZFS file system.
- LXC container on Proxmox (ADGuard)
- Virtual Machine for Home Assistant (via Proxmox Helper Scripts)
- 2 Virtual Machines for testing (OPNsense and pfSense)
- 2 physical LAN interfaces
- 2 Linux Bridges: vmbr0 (LAN), vmbr1 (WAN)
- Management of Proxmox via physical LAN interface.
- OPNsense with 2 Linux Bridges

Initial equipment interconnection:

- Mitrastar HGU router (O2 Spain) with initial connection via CAT 6A cable to office, from office wall to 8-port switch NOT manageable.
- PC with Ubuntu GNU/Linux, HP printer and 2 NAS to 8-port switch.

Interconnection after installation of Proxmox on HPE ML30 Gen10:

- Mitrastar router DMZ activated to OPNsense WAN IP. Mitrastar router IP range changed, keeping the previous one for OPNsense LAN range.
- LAN1 of HPE ML30 Gen 10 server as LAN (shared with iLO and Proxmox management)
- LAN2 of ML30 server dedicated to WAN
- Cable from 8-port switch of the office to Router HGU to port LAN1, cable from port LAN2 to router HGU (ML30 of intermediary)

In this scenario I find:

- That the LAN1 connection gives access to VMs, Proxmox and OPNsense, but the link speed is 100Mbps (it is only physically detected since OPNsense shows a virtual link of 10Gbps).
- In this case, the tests from the Proxmox shell, reach a maximum of 700Mbit/s via Speetest CLI
- A test via www.speedtest.com from the PC with Ubuntu does not exceed 100Mbps.
- Network parameters of the datacenter, host and virtual machines are reviewed, LAN configuration of the OPNsense virtual machine is tried to be changed. Same result

Current scenario

- Checked the office cable with a tester. Cable OK.
- Added 8-port switch NOT manageable between the cable coming from the office and LAN1 port of the ML30 Gen10 server. In this way both cables link to Gigabit.
- In this way access to iLO is lost. Still investigating the reason.

Does anyone find everything I explain coherent?
Is it rational that the cable from the office to the HPE server links at 100Mbps?
Why does the Proxmox server test at ~700Mbit/s and the PC with Ubuntu at 100Mbps?
In this scenario: FTTH >> HGU / NAT / DMZ >> SWITCH >> PROXMOX / OPNSENSE / NAT >> SWITCH >> PC, is it normal that I cannot open ports? I have tried opening P2P ports and they are not listed as open.

Thank you very much