Messages

31

Intrusion Detection and Prevention / Integration with Mail, Joomla, Wordpress security

« on: April 02, 2018, 02:52:32 pm »

Hi,

I host hundreds of Wordpress, Joomla and other web sites behind OPNSense firewall. Beside those, I also have few MAIL servers here.
Now, some of web sites have good security measures via plug-ins, which detect brute-force attacks, some web sites use public black lists of compromised IP addresses to prevent access from...while other web sites do not have any of those.

My idea is to somehow connect those best security mechanisms of Wordpress, Joomla and others and then use "I don't know which mechanism" to block those  attackers at OPNSense entry level, so I would prevent those hackers to attack ANY of my web sites and to access to ANY of mail servers, which are behind my OPNSense.

Any ideas?

32

17.7 Legacy Series / Reverse traffic problem

« on: December 29, 2017, 12:14:55 am »

Hi,

does anybody have a clue about my specific problem.
It's about DNS (or any other traffic), where packets origin from within LAN, then go to WAN adapter and return back into LAN for destination - it seems those are rejected.

For example, I have 3 DNS servers:
- DNS 1 is on LAN, behind OpnSense
- DNS 2 is on LAN, behind OpnSense
- DNS 3 is on different WAN subnet
I have ALL DNS servers configured to sync to each other PUBLIC WAN IP address.
- Syncing inbetween DNS1 or DNS2 and DNS3 (and vice versa) is OK.
- But between DNS1 and DNS2 does not happen. I must configure manually DNS1 and DNS2 to sync using LAN IP addresses, not WAN...then sync is OK.

I guess OPNSense blocks the DNS traffic on port 53, if it originates from LAN and is setined via WAN back to LAN.

Any idea, what rule must I add to allow such traffic? (for DNS 53 port only)

33

17.1 Legacy Series / How to handle IPS properly

« on: June 27, 2017, 11:46:42 pm »

Hi,

I am looking at IPS rules and I am a bit confused. I do not expect IPS being plug-n-play solution, and I know you need to watch the logs and alerts for weeks and months to select proper rules.
But still...this seems an enormous project!

Correct me if I am wrong:
- first, you need to ENABLE IPS and download rules
- they are all in ALERT only mode
- then you need to watch ALERT logs
- ...and click on EACH SUSPICIOUS log entry, switch rule from Alert to Drop, and click APPLY
- now I've got 1 of gozillion rules in real action

- then also many rules have direction $HOME_NET any -> $EXTERNAL_NET... I do not need those, because I protect only incoming traffic. But I can only see the rule direction when I click on rule, then click on description link. That's time consuming, very time consuming.

Do I really need to go through all IPS alert entries, one by one, day by day and click on each rule action from Alert to Drop? Aren't there any preconfigured set of rules for, say, "webhosting" or "home user" or such?

34

17.1 Legacy Series / Protect websites from brute force password guessing

« on: June 27, 2017, 10:10:13 pm »

Hi,

I use OPNSense as main firewall for my webhosting servers. NOT for browsing, as behind OPNSesne there's only a bunch of servers, hosting web sites, like Wordpress, Joomla, Magento and others.
Among 300+ websites there's a dozen of my own sites and I can see hundreds of Brute Force attacks and vulnerability scans from all over the world. I can fight and protect by installing some Wordpress or Joomla security plugins, but I would like to mitigate attacks before they reach website engine - I'd like to configure some protection on OPNSense firewall for incoming attacks.

I do have most of IPS rules active, but here's problem no.1:
If I put rule on ALERT, I need to know exact source IP to find the alert in IPS log. I cannot search for, say "1.2.3.*" or "brute force". Is there some other way to see IPS alerts?

Now problem no.2:
Is there some better plugin or protection method to fight against brute force, password guessing and other attacks at firewall level, without impacting performance too much?

35

17.1 Legacy Series / Re: Outbound NAT not working?

« on: June 02, 2017, 12:54:56 am »

Yesssssssss! Update to 17.1.8 solved the problem! 
So to bind specific LAN outbound/egress traffic to specific WAN Virtual IP, simply use Outbound NAT and specify "Translated IP" as WAN Virtual IP.

36

17.1 Legacy Series / Re: Direct outbound traffic through different WAN IP aliases

« on: May 29, 2017, 07:57:09 pm »

Need to bump this, as properly setting up the outgoing WAN IP is essential for my mail server functionality.

37

General Discussion / [SOLVED] Outbound binding to specific WAN IP

« on: May 28, 2017, 01:45:27 am »

Hi,

I've asked this question elsewhere, so hoping maybe I get answer here.

What's the proper method to specify, for example LAN server with IP xy to use outbound masquerade using WAN IP xz? I have multiple WAN IP addresses and I want each local server to use it's own public IP (not all going out via the same IP...especially I want to specify outbound WAN IP for mail server).
I have 17.1.6 and I've tried OUTBOUND NAT using Virtual WAN IP, but no joy.Tried also with floating NAT rule, direction out, use different Wan IP as a gateway...but this does not pass traffic to real Wan gateway, instead traffic is stuck at WAN port.

I know this is one of hte basic functions, but how to approach?
...or is maybe 17.1.x buggy?

### EDIT ###
It was obviously a bug in FreeBSD kernel, as update to 17.1.8 solved the problem instantly:
https://forum.opnsense.org/index.php?topic=5229.msg21189#msg21189

38

17.1 Legacy Series / [SOLVED] Outbound NAT not working?

« on: May 23, 2017, 01:39:17 am »

Hi,

I have been struggling with setting up OUTBOUND traffic binding to different WAN IP aliases.
I own /28 subnet of Public IP addresses, which are all configured as VIRTUAL IPs on WAN adapter.

Now, I want to configure which LAN server or LAN subnet will use specific WAN IP alias for outgoing traffic. But without success. I've tried a lot, no results:
- Tried with OUTBOUND NAT, but no joy
- Created additional GATEWAYS for each WAN IP
- Created FLOATING firewall rule to use one of those gateways for OUT traffic....but no success
- followed some of this document, but no joy either: https://docs.opnsense.org/manual/how-tos/multiwan.html?highlight=multi%20wan#step-4-policy-based-routing

Any idea what am I missing?

39

17.1 Legacy Series / Setup Passive FTP server behind OPNSense

« on: May 21, 2017, 11:05:53 pm »

Hi,

I am trying to setup most secure Passive FTP server setup behind OPNSense. For the moment I have WORKING temporary solution:

On OPNSense I have NAT Port forwarded:
- port 21 from WAN to LAN FTP server IP
- passive ports range 10000-11000 from WAN to LAN FTP server IP
This works fine.

...BUT I do not want passive port range 10000-11000 to be statically opened from WAN to LAN.
So, as I understand, OPNSense/PFSense can use a kind of "FTP Helper" which intercepts FTP server response, in which FTP server instructs FTP client which passive port to use for data connection.
Communication goes like this:
1.) FTP client initiates connection on port 21
2.) In case of Explicit FTP over TLS, both then switch to TLS, exchanging certificates
3.) Then FTP client asks FTP server for PASV PORT
4.) Server answers and includes WAN IP address and PASV PORT on which FTP client should send/receive data
And this answer is here also recognized by OPNSense, which opens the requested data port for the client only.
5.) FTP client then sends and receives data on this data port and given WAN IP (not necessarily the same WAN IP as initial FTP connection was started on)

Now, within my FTP server I see the settings for:
- PASV port range
- and PASV WAN IP to be responded

But how/where to setup this on OPNSense?

40

17.1 Legacy Series / Re: [SOLVED]Cannot get NAT rules to work

« on: May 19, 2017, 10:43:01 pm »

SOLUTION / EXPLANATION
I found out that NAT return packages are not just thrown back to WAN origin, but are rather forwarded to WAN Gateway. As I was testing from "internal simulated WAN", return packages were not sent back to my PC, but rather to WAN gateway. That's why it did not work!
As soon as I connected my service PC outside to internet, so that I was not only behind OPNSense, but also behind WAN gateway, all works like a charm

Explaining scheme:
Internet --> WAN Gateway --> Wan Interface --> OPNSense NAT rules --> LAN interface --> LAN network
x.x.x.x   --> 192.168.8.1   --> 192.168.8.10 --> ......................... --> 10.10.10.1    --> 10.10.10.0/24

So, when I was in 192.168.8.0/24 network, NAT did not work for me, as return packages were not sent to my PC on IP 192.168.8.50, but rather to Gateway IP 192.168.8.1
I had to move my PC back to INTERNET, so I was behind WAN gatewy to receive return packages.

I do not know whether this is a bug or feature, but it's nice to know.

41

17.1 Legacy Series / Re: Cannot get NAT rules to work

« on: May 18, 2017, 11:00:57 pm »

I'we tried the following, but without sucess:
- changed LAN and WAN adapters, rebooted twice
- deleted NAT rules and recreated them
- changed LAN IP subnet to something different, just for test
- tried rule from 80 to 80 and from 81 to 81
No, still does not work. Cannot get any NAT rule to work.

42

17.1 Legacy Series / [SOLVED] Cannot get NAT rules to work

« on: May 17, 2017, 12:09:46 am »

Hi,

I've just installed OPNSense 17.1.4 on VMWare 6.5 host. I used VMXNET3 type NIC adapters on both LAN and WAN sides.
Test setup as router --> OK
Test as Web Proxy --> OK
Pinging from OPNSense WAN and LAN destinations --> OK
Test with or without IPS/IDS --> both OK

Now, fine, excellent!
BUT no... I stuck with NAT rules.
Simple NAT rule on WAN interface, from WAN IP to LAN IP, port 80 (HTTP) no go?!

Interface: WAN
Proto: TCP
Destination: WAN Address (or Wan alias IP)
Destination from: HTTP to: HTTP
Redirect target IP: one of LAN server's IP
Redirect target port: HTTP
Pool option: default
NAT Reflection: Default/Enable/Disable (tried all of them)
Filter Rule association: None/Pass (tried both)

Ok, then I changed OPNSense port from HTTP to HTTPS and to 12345 instead of 443.
But NAT still does not work.

Then I took A LOT OF TIME and tried all possible combinations, FROM Any/Wan/Lan, then NAT Redirect On/Off, Roule Pass/none...also tried from public 81 to local 80.... nothing works!!?
Also tried to change OPNSense WAN IP and added WAN IP ALIAS, then NAT redirect FROM WAN Alias, then I upgraded to 17.1.6 without problems, BUT.... no go, simply NAT does not work whatever I do.

Any idea?

43

17.1 Legacy Series / Interfaces show different IP in Web GUI and in console

« on: May 11, 2017, 10:45:33 pm »

Hi,
I have latest version installed on ESXi 6.5 as virtual machine, seems like working fine...but I am confused with interfaces. First I setup interfaces for test lab, then I changed them to production settings, different IP and DHCP on LAN off.
But it is all confused now - even AFTER reboots and shut down:
- both interfaces show OLD IP adresses if I look through Web GUI
- and both show NEW IP addresses if I look via console (those are correct IPs)
- also DHCP was OFF in web gui, but it was actually not off

For example:
WAN is actually on DHCP leased IP 192.168.211.201 and is showing correct IP in console. I can PING public address space from console.
But from Web GUI I see WAN IP as static, set to 10.10.100.100, which was my old setup from few days ago. I cannot ping the same public address via Web GUI???!!!

Same confusion for LAN interface.

Where is the catch?

*** EDIT ***
Seems like reboot changed the interfaces order, so it got all confused randomly.
Please, disregard this post, as confusion was made by misconfiguration obviously, partly being done via console and partly via web gui.

44

General Discussion / OPNSense for web servers

« on: March 04, 2017, 11:29:24 am »

Hi,

I am new here and I am looking for some answers before I go with OPNSense for my little web servers farm. My web servers host some small-business web sites, say 300 web sites and I would like to go with some better protection, mostly with those features:
- protect against known web server vulnerability attacks
- protect against SQL injection attacks
- against brute force
- XSS and similar hacking techniques

On the other hand, I would like to have data flow as fast as possible.

What do you say?
Would OPNSense do most of the job, or should I look for some other Open Source solution?