Topics - labsy

1
23.7 Legacy Series / Significant CPU drop when disabling IDS rules?
« on: October 23, 2023, 08:59:19 am »
Hi,

due to high CPU usage I turned OFF IDS/IPS under Services --> Intrusion Detection --> Administration --> Settings --> Intrusion Detection ENABLED=OFF. CPU usage dropped as expected, so for testing purposes I installed Maltrail to have at least some intrusion protection.


This worked fine for a few weeks.

Yesterday I went again to Services --> Intrusion Detection --> Administration --> Download --> Rulesets and just to clean it out, set all rulesets to DISABLED. IDS service was still OFF from before.
What's weird is that since then CPU usage has dropped significantly!?

I do not understand.
IDS service was OFF all the time. How can CPU drop by just disabling rulesets under DISABLED service?
....or are those rulesets used elsewhere, maybe with Maltrail, too?


2
Intrusion Detection and Prevention / Maltrail vs. Suricata
« on: September 28, 2023, 10:08:26 pm »
Hi,

in previous versions I've always been using Suricata, but with 23.x it began consuming a lot of CPU. Maybe it was due to some inheritable settings, maybe rules vs policies...dunno.
So I got rid of Suricata for now and gave Maltrail a try. I did not get into details, Suricata seems more powerful, but performance-wise I notice all web services behind my OPNSense are now (with Maltrail instead of Suricata) noticeably more responsive and faster. Also CPU load is cut in half now.

Thoughts?

3
General Discussion / [SOLVED] Cannot login via SSH
« on: September 26, 2023, 06:17:54 pm »
Hi,

any idea why I cannot log in via SSH to my 23.7 version anymore? I am using Putty, terminal window opens, asks for login, I enter my username, then it prompts for password, and as soon as I enter the password, the Putty terminal window closes. I can Putty to all other servers and devices, so I guess Putty is OK.

Logs in the OPNSense web console show as if I am logged in, but I am not:

Code:
2023-09-26T18:12:11 Critical nologin Attempted login by myusername on /dev/pts/0
2023-09-26T18:12:11 Informational sshd Accepted keyboard-interactive/pam for myusername from 123.212.63.25 port 52121 ssh2
2023-09-26T18:12:11 Notice audit user myusername authenticated successfully for sshd [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]

Lol...solution:
somehow under my username I had the login shell set to /sbin/nologin, which is a polite refusal of login. Changed this to /bin/sh and I am in. :)

4
Intrusion Detection and Prevention / IPS/IDS for webhosting purpose?
« on: September 26, 2023, 12:11:42 am »
Hi,

what direction is IDS/IPS protecting? From LAN to WAN or vice versa?
I mean, I am using OPNSense only to protect a dozen web and mail servers behind it (NAT-ed) and I am wondering if there's any use of IDS/IPS at all in this case?

For example... rule ET POLICY Cleartext WordPress Login ... will it kick in if an attacker is coming from WAN, trying to hack one of the WordPress sites that I am hosting?

5
Hardware and Performance / Migrating from ver. 19.1 to latest - to do or not to do?
« on: September 20, 2023, 08:17:24 pm »
Hi,

I have one pretty powerful ESX 6.7 host with a dozen web and mail services. All are protected with another virtual machine:
OPNsense 19.1.10_1-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019

I've tried to upgrade many times before, but failed, dunno what exactly went wrong, but due to the failures I simply kept it running at this old version.

I have over a hundred rules, aliases, tunnels, routes and stuff, which I will need to manually retype into the new OPNSense, if I decide to do so. And I will definitely go for it, but I need a good reason - what do you say, will I benefit in performance or somewhere else, if I go with the new version? Or should I expect the same performance and security after a week of manually migrating all over?

6
Hardware and Performance / Disk 109% full, how to increase size
« on: February 24, 2022, 10:30:25 am »
Hi,

My OPNSense 19.1.10_1-amd64 is running FreeBSD 11.2-RELEASE-p10-HBSD as a VIRTUAL MACHINE on ESX 6.5 server. It says DISK USAGE: 109% (100G/100G)

I dunno how this is even possible, and it is still running, but I will obviously need to act NOW.

Please...I have only copy/paste Linux knowledge - any reliable instructions on how to resize disk?

7
22.1 Legacy Series / Should I migrate 19.1. to 22.1 performance-wise?
« on: February 02, 2022, 07:33:14 pm »
Hi,

I have 19.1. on an ESX 6.5 server and yes, it's working. A lot of rules, a lot of NAT translations, and a lot of blocklists (aliases, external lists). Cannot auto-upgrade to any newer version, dunno why, but it does not work.

I am thinking about manually rewriting all rules to 22.1 version.
What ya think - will there be any benefit performance-wise or security-wise?

8
21.7 Legacy Series / Any performance gain from 19.1 to 21.7 version?
« on: September 14, 2021, 09:48:49 am »
Hi,

I have production on 19.1 version on this:
- Host is FUJITSU server on ESX 6.7.0 Update 2
- OPNSense is 19.1 with approx. 4000 active states on average
- it has some 40 NAT rules
- it also has quite large BLOCKLISTS on FW Aliases (loading external files of up to 4000 IP addresses to block)
- WAN is 1 Gbps bandwidth in datacenter

What do you think - will I gain or lose performance-wise if I upgrade to 21.7?
It is a PITA, because I will "upgrade manually", meaning I need to rewrite by hand all rules and settings. Auto upgrade is not possible.

9
Intrusion Detection and Prevention / [SOLVED] How often is ALIAS URL table refreshed, if ever?
« on: January 09, 2020, 11:15:10 pm »
Hi,

related to this: https://forum.opnsense.org/index.php?topic=15226.0 I am wondering if the ALIAS URL table, pulled from an external source, is ever refreshed?

I have it configured to pull bad IPs from an external URL to block them, but if I manually inject one testing IP there, it does not get blocked, neither after 1 hour nor after 1 day.
So I guess either the list never gets updated, or maybe the CRON job for this update is not configured.

Any idea where refresh rate (update) can be set?

10
Intrusion Detection and Prevention / How to check if Firewall blocking rule is working?
« on: December 07, 2019, 11:03:39 pm »
Hi,

I have a kinda smart FW rule, made of collected IP addresses from numerous web sites (Joomla and WordPress) on many of our servers, which have some sort of security plugin installed. Every few minutes I pull all blocked/attacker/hacker IP addresses from those website plugins (mysql) and inject them via a TXT table into the firewall ALIAS table.
If anyone is interested, here's the list: http://secureit.si/lockouts/list.php

Now, I want to check if the firewall is really blocking these IPs.
Where can I see LOGS, if this rule is doing the job? "Logging" is enabled inside this rule, but where can I see those logs?

11
19.7 Legacy Series / Large IP Blacklists...performance impact?
« on: April 22, 2019, 01:27:31 pm »
Hi,

I am thinking about aggregating all IP blacklists from various web sites (WP, Joomla, custom builds...), which write logs of attacking (brute-force, dictionary attacks...) IP hosts/addresses into a database. I have a script in PHP to extract IPs from the database for the past 7 or 14 days.
Then I plan to try/test retrieving these into the Blocked ALIASES list of OPNSense.

Now, since this list will contain hundreds or even thousands of IP addresses, I am wondering how thousands of entries in a BLOCK ALIASES LIST would affect firewall performance?

12
18.7 Legacy Series / Each update hiccups upon reboot
« on: January 19, 2019, 05:52:29 pm »
Hi,

with the last 2 versions 18.x, upon update I had problems when rebooting. The firewall got stuck on some disk mapping/mounting (or something disk-related...I do not know where to find that info) and was able to boot properly after some 3-4 soft-resets. The console showed it stuck on initializing or mounting some device, do not remember which one exactly, but it was always a DIFFERENT stuck point.

Once it booted, it worked fine, fast, no problems, and subsequent reboots did NOT cause further problems.

I am running on ESX 6.5 with Virtual SCSI disk controller.
VMWare tools are (probably?) installed, but still for past 2 years I see constant warning in ESX GUI: "The configured guest OS (FreeBSD (64-bit)) for this virtual machine does not match the guest that is currently running (FreeBSD 11.1-RELEASE-p18). You should specify the correct guest OS to allow for guest-specific optimizations."

Is there something slightly wrong with my config, or has OpnSense kernel changed in past version?

13
18.7 Legacy Series / Create DNS override TXT records for ACME-02 LE challenge
« on: January 17, 2019, 12:03:49 am »
Hi,

is it somehow possible to create an Unbound DNS override for a TXT record? I only see A (AAAA) or MX record overrides.
Adding custom TXT records locally would be super useful for the DNS ACME-02 challenge to generate wildcard LE certificates locally.

14
19.1 Legacy Series / Get back the Apply changes warning stripe on top
« on: December 23, 2018, 05:05:32 pm »
Hi,
just my 5 cents - the "Apply changes" warning stripe on top in previous versions was annoying, but now I see it is VERY HANDY and USEFUL! Now I am on the 18.7 version and I really miss this annoying warning, as I am never 100% sure whether I applied/saved the settings or not.
So my suggestion is to bring back some similar functionality in further releases.

15
18.7 Legacy Series / suricata.log: Operation not supported by device
« on: September 09, 2018, 06:16:20 pm »
Hi,

I think after updating to 18.7 I see this on the terminal screen:
syslogd: /var/log/suricata.log: Operation not supported by device

Did this come from the update?
Is this critical?
