Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - labsy

Pages: [1] 2 3

Intrusion Detection and Prevention / Re: How often is ALIAS URL table refreshed, if ever?

« on: February 02, 2020, 10:44:48 pm »

Chemlud, I just wanted to reply to you, that this is what I first tried. And I have tried many combinations there, each minute, each hour...
...BUT I took a look at this Cron guide https://www.codementor.io/@akul08/the-ultimate-crontab-cheatsheet-5op0f7o4r and realized, that I *might* have entered numbers wrong!
For example, I entere 5 for minutes and 0 for hours and 0 for days....whixch would in best case mean every day at 0:05 hours, but as also day was 0, I am not sure what that meant to Cron job.

So today I put my glases on, saw those dots are not asterisks * but rather zeros 0....oh, geeez, my oh my... Then I read the above mentioned cheat sheet

)

So, for the URL TABLE Alias to reload every 2 minutes, picked up the following Cron job:
Update and reload firewall aliases

...and entered the following schedule:
*/2 * * * *

Now it works like a charm!
Thank you for kicking me back to the track!

BTW...If anybody else wants to take advantage of this list, it get's updated instantly. You are all welcome to use it: http://secureit.si/lockouts/list.php

Intrusion Detection and Prevention / Re: How often is ALIAS URL table refreshed, if ever?

« on: February 02, 2020, 02:28:02 pm »

Any idea on this subject?
How can I set URL TABLE refresh?
Is there any LOG of URL TABLE alias refresh scron?

My webhosting servers are under constant attacks, hundreds of brute force login attempts every minute, across all web sites. Attacking script maybe tries from same URL a dozen of times, then it obviously switches over to another web site at some other webhosting services.
My trap sites detect attacks at their first attempt, as they are made of traps actually. And immediately they push attacker's IP to the BAN LIST. So I am very interested to reload this BAN LIST into OPNSense FW --> ALiases --> URL TABLE list as son as possible, say every 1 minute at least to prevent any further attacks from the same IP.
It's crucial for me this mechanism to work.

Intrusion Detection and Prevention / Re: How often is ALIAS URL table refreshed, if ever?

« on: January 10, 2020, 11:21:02 pm »

Thank you, Franco, I assumed the same, too.
There are 2 fields with predefined values:
- Days: 0
- Hours: 4.00
How can I set it to refresh every 2 or 5 minutes?
I tried with 0.05 or 0.02 in hours field, but it does not seem to work.

Intrusion Detection and Prevention / [SOLVED] How often is ALIAS URL table refreshed, if ever?

« on: January 09, 2020, 11:15:10 pm »

Hi,

related to this: https://forum.opnsense.org/index.php?topic=15226.0 I am wondering, if ALIAS URL table, pulled from external source, is ever refreshed?

I have it configured to pull bad IPs to block them from external URL, but if I manually inject one testing IP there, it does not get blocked not after 1 hour, not after 1 day.
So I guess, whether list does not get updated ever, or maybe CRON for this update is not configured.

Any idea where refresh rate (update) can be set?

Intrusion Detection and Prevention / Re: How to check if Firewall blocking rule is working?

« on: January 08, 2020, 07:10:33 am »

I am checking those ALIAS rules, but it seems like it is not pulling IP's from the list. I mean, source IP is not blocked, and source IP is not within IP ALIASES.

I have CRON set to check LIST ALIAS every 5 minutes.

Any idea what's wrong?
Any LOG I can check?

Intrusion Detection and Prevention / Re: How to check if Firewall blocking rule is working?

« on: December 31, 2019, 07:58:55 pm »

Ok, but LIVE VIEW I assume shows near realtime logs. I cannot check there, for example:
"Dear tech support, our team member is on vacation on Barbados and they cannot send mail."
Where can I check things like this, when I only suspect issue happened 3 days ago?

Intrusion Detection and Prevention / How to check if Firewall blocking rule is working?

« on: December 07, 2019, 11:03:39 pm »

Hi,

I have kinda smart FW rule, made of collected IP addresses from numerous web sites (Joomla and Wordpress) on many of our servers, which have some sort of security plugin installed. Every few minutes I pull all blocked/attacker/hacker IP addresses from thosee website plugins (mysql) and inject them via TXT table into firewall ALIAS table.
If anyone interested, here's the list: http://secureit.si/lockouts/list.php

Now, I want to check if firewall is really blocking these IPs.
Where can I see LOGS, if this rule is doing the job? "Logging" is enabled inside this rule, but where can I see those logs?

19.7 Legacy Series / Re: Not able to update and stuck at 19.7

« on: December 05, 2019, 10:24:08 pm »

Anybody else with same problems? Or me alone, meaning, I will need to manually re-type the whole config to fresh install...

19.7 Legacy Series / Re: Not able to update and stuck at 19.7

« on: November 14, 2019, 09:29:04 pm »

Hi Franco,

I've faced strange behavior upon upgrading from 19.1.10 to 19.7.x version. Seems like some of my configuration was misinterpreted, as simple PING to public internet did not work anymore. It was the same if I did upgrade of working system, or fresh install 19.7, update to latest, then import old config - in both cases ping to public internet fails, some NAT rules also stopped working...did not have time to investigate further.

Here's my BUG report if it maters anyhow: https://github.com/opnsense/core/issues/3809

BTW: You say that this command can install fresh over what you have, and preserve existing config? Is this in any way different than normal upgrade?

Code: [Select]

# opnsense-bootstrap

19.7 Legacy Series / Re: Large IP Blacklists...performance impact?

« on: May 12, 2019, 11:36:55 pm »

Actually...how can I check if IP addresses were properly retreived and accepted by OPNSense?
I have them in format:
1.2.3.4
1.2.3.4
1.2.3.4
And filename is list.php, because it is dynamic and it generates fresh list each time file is displayed.
Is this proper format? How to verify?

*** EDIT ***
Solved! Found out myself!
there were 2 glitches:

1.) The called web site with public list is behind NAT and needs to have SplitDNS configured to be reachable from inside. In OPNSense it is under Services --> Unbound DNS --> Overrides --> Host Overrides

2.) There are actually TWO TYPES of ALIAS lists, URL and URL Table. First one is one-time static, and only second one is dynamic with expiration time.
If you select Type of Alias "URL (IPs)", then it seems to load only once, and requested format is unknown to me.
But if you select Alias Type as "URL Table (IPs)", then format is as above and you can set Expiration time, like 1 hour and it will reload once per hour. Tested & working!

If anyone is interested into sharing the list, here's the link:
http://secureit.si/lockouts/list.php
I might keep it alive for quite some time.

19.7 Legacy Series / Re: Large IP Blacklists...performance impact?

« on: May 11, 2019, 01:42:25 pm »

Mine was reloaded yesterday, right after I created the list Alias.

I tried to add CRON job to test and check every 5 minutes for "Update and reload firewall aliases"...but after half an hour the directory of aliases tables still shows yesterday's date. So there must be some other settings, which control frequency of Alias Table list refresh and reload.

19.7 Legacy Series / Re: Large IP Blacklists...performance impact?

« on: May 11, 2019, 01:21:12 am »

Great news.
Anyone knows how often do these aliases reload from external source? And more important...how can I check, if they are loaded?

19.7 Legacy Series / Large IP Blacklists...performance impact?

« on: April 22, 2019, 01:27:31 pm »

Hi,

I am thinking about to aggregate all IP blacklists from various web sites (WP, Joomla, custom builds...), which write logs of attacking (brute-force, dictionary attacks...) IP hosts/addresses into database. I have a script in PHP to extract IP's from database for past 7 or 14 days.
Then I have plan to try/test retreive these into BLocked ALIASES list of OPNSense.

Now, since this list will contain hundreds or even thousands of IP addresses, I am wondering how a 1000's of BLOCK ALIASES LIST would affect firewall performance?

18.7 Legacy Series / Each update hiccups upon reboot

« on: January 19, 2019, 05:52:29 pm »

Hi,

with last 2 versions 18.x upon update I had problems when rebooting. Firewall stuck on some disk mapping/mounting (or something disk-related...I do not know where to find those info) and was able to boot properly after some 3-4 soft-resets. Console showed it stuck on intializing or mounting some device, do not remember which one exactly, but it was always DIFFERENT stuck point.

Once it booted, then it worked fine, fast, no problems, and consequent reboots did NOT cause further problems.

I am running on ESX 6.5 with Virtual SCSI disk controller.
VMWare tools are (probably?) installed, but still for past 2 years I see constant warning in ESX GUI: "The configured guest OS (FreeBSD (64-bit)) for this virtual machine does not match the guest that is currently running (FreeBSD 11.1-RELEASE-p18). You should specify the correct guest OS to allow for guest-specific optimizations."

Is there something slightly wrong with my config, or has OpnSense kernel changed in past version?

18.7 Legacy Series / Create DNS override TXT records for ACME-02 LE challenge

« on: January 17, 2019, 12:03:49 am »

Hi,

is it somehow possible to create Unibound DNS override for TXT record? I only see A (AAAA) or MX records override.
Adding custom TXT records locally would be super useful for DNS ACME-02 challenge to generate wildcard LE certificates locally.

Pages: [1] 2 3