Messages - Arakangel Michael

#16
Hi Jan,

I don't believe it does. I haven't seen anything in the documentation, or the web GUI for either OpnSense, or pfSense. Generally conflict detection is available for DHCP servers, but not on by default:

https://doc.pfsense.org/index.php/DHCP_Server

There is a line in this file:
/var/dhcpd/etc/dhcpd.conf

update-conflict-detection false

https://forum.opnsense.org/index.php?topic=850.0

You may be able to set that to 'true' to turn it on?
#17
17.1 Legacy Series / Re: IP Intel / AV Plugins?
March 20, 2017, 08:17:22 PM
Quote from: fabian on March 20, 2017, 08:44:10 AM

In some countries, an IP address is PII which means it is probably illegal to use such a service because you send an IP address to an external server without consent.


I am not an attorney, and this isn't legal advice. That said, I doubt current case law would uphold a judgment against submitting an IP address by itself for the purpose of 'IP reputation' checking or similar. An IP address isn't classified as PII by itself in any case. All the more so if that IP just connected to you dozens of times on the same port, indicating more intent than just a simple port scan.

It is no different than the drop / edrop lists, just with more intelligence, and faster updating. The point being for a user connecting to a service that is otherwise allowed to be checked before allowing access.

'The law' tends to be overly vague, so that enforcement can proceed, and there is less chance for someone to 'get away with' something. That said the law should serve man. Men should not fear the law:

https://nmap.org/book/legal-issues.html

"These laws are meant to ban the distribution, use, and even possession of "hacking tools". For example, the UK amendment to the Computer Misuse Act makes it illegal to "supply or offer to supply [a program], believing that it is likely to be used to commit, or to assist in the commission of [a Computer Misuse Act violation]""

What's a 'hacking tool', netcat, hping? To me they're security tools. How does a court test that you believed something? It's overly arcane, and basically useless.
#18
17.1 Legacy Series / Re: IP Intel / AV Plugins?
March 20, 2017, 07:58:08 PM
I'm not looking for someone else to maintain this for me. I am opening a discussion about how to include these features as plugins. I don't know enough about programming to do this without community input.

It's hardly 'useless'. For my own network, and for clients, why would I want someone connecting over a VPN that isn't part of their network, or over a Tor relay? No client would ever connect from such an address, so it would be good to block them all out of the gate.

I have contributed Tor relays in the past, and will do so in the future; however, it is a lightweight defense-in-depth strategy to prevent those IPs from touching DMZ servers anyway; there is no reason to allow it. For SMBs and home offices you would basically never need to connect from 'those IPs'.

Symancrap has had nothing but errors for me across a dozen years. More often than not, that software has been disabled by malware rather than actually preventing an infection. This includes a few different Symantec and Norton engines. If you have ever installed their server component that was Java-dependent, you would find that, more often than not, after a random few weeks to months, more than 2/3 of the time the server itself would fail to start with a 'Java -1' error, and was basically never fixable without re-installing. After documenting the fifth fix for that worthless engine I swore off their software.

Mcafee, and his bag of orange powder had generally worse issues. My first experience with it was on a laptop with 256 MB of RAM, that Mcrapee happily consumed some ~500 MB of. It had consistently worse detection ratios than Crapmantec.

I have a long memory: when organizations like these display such apathy, arrogance, or indifference regarding their project management or code quality, I don't do business with them anymore. Put another way, if they can't protect themselves, how can they protect the infrastructure?

I am certain those two vendors have improved their products, but even if they were free, they aren't worth using. After many years, both products finally became usable, and could install themselves in under 15 minutes. What other programming gremlins remain? Their codebase was huge! Symantec specifically was still shipping with TDI drivers even after it was deprecated. Those caused performance issues, as well as the occasional blue screen. I was surprised to read the Stuxnet dossier by Symantec, which was very well done. It made me realize that Symantec does actually employ talented people, who are allowed to fix problems. It shows a sick corporate culture, which is prevalent throughout the U.S.: greed, apathy, and arrogance. It is a cancer. Here is a list of processes that Stuxnet would check for (some of which it could actually infect):

• umxagent, Tiny Personal Firewall
• cfgintpr, Tiny Personal Firewall
• umxldra, Tiny Personal Firewall
• amon, Tiny Activity Monitor
• UmxCfg, Tiny Personal Firewall
• UmxPol, Tiny Personal Firewall
• UmxTray, Tiny Personal Firewall
• vsmon, ZoneAlarm Personal Firewall
• zapro, ZoneAlarm Personal Firewall
• zlclient, ZoneAlarm Personal Firewall
• tds-3, TDS3 Trojan Defense Suite
• avp, Kaspersky
• avpcc, Kaspersky
• avpm, Kaspersky
• kavpf, Kaspersky
• kavi, Kaspersky
• safensec, SafenSoft
• snsmcon, SafenSoft
• filemon, Sysinternals Filemon
• regmon, Sysinternals Filemon
• FrameworkService, McAfee
• UpdaterUI, McAfee
• shstat, McAfee
• naPrdMgr, McAfee
• rapapp.exe, Blackice Firewall
• blackice.exe, Blackice Firewall
• blackd.exe, Blackice Firewall
• rcfgsvc.exe
• pfwcfgsurrogate.exe, Tiny Personal Firewall
• pfwadmin.exe, Tiny Personal Firewall
• persfw.exe, Kerio Personal Firewall
• agentw.exe, Kerio Personal Firewall
• agenta.exe, Kerio Personal Firewall
• msascui.exe, Windows Defender
• msmpeng.exe, Windows Defender
• fssm32.exe, F-Secure
• fsgk32st.exe, F-Secure
• fsdfwd.exe, F-Secure
• fsaw.exe, F-Secure
• fsavgui.exe, F-Secure
• fsav32.exe, F-Secure
• fsav.exe, F-Secure
• fsma32.exe, F-Secure
• fsm32.exe, F-Secure
• fsgk32.exe, F-Secure

If the code isn't stable, reliable, and fast, there is no reason to run it. If the code itself is an attack vector, there is a very good reason to not run it. The engines may be able to detect non-polymorphic malware, but I wouldn't run either of those two vendors, or Trend Micro, on an endpoint that I cared about. Too slow, too error prone, and generally I would be called in to clean up what those 'security solutions' should have caught in the first place. Webroot, Panda, Eset, Kaspersky, Avira, Giant Anti-Spyware, MalwareBytes, the newer versions of Bitdefender, and a few others are worth the expense.
#19
17.1 Legacy Series / IP Intel / AV Plugins?
March 20, 2017, 07:26:12 AM
I have a VoIP phone that someone was trying to port scan (at least) the other day. It has a few SIP test accounts on it. One of the providers apparently got hacked. The first round of scans came over a VPN tunnel in Germany. So I geo-blocked the world with 'United States (not)'. A few hours later they started again from a U.S. IP.

I was looking for a way to automatically look up whether an IP is a known VPN tunnel or Tor relay. I came across GetIPIntel, which accurately classified all the IPs I threw at it. For now I just disabled inbound calls from that provider. This would be a fantastic option along the lines of GeoIP / Spamhaus DROP / EDROP (which are already configured).

He provides some PHP code for this:
https://github.com/blackdotsh/getIPIntel

I like the multi scanner AV approach that VirusTotal provides. There is apparently an ICAP server for this here:
https://github.com/sooshie/VirusTotal-ICAP

I don't personally trust Symantec or McAfee (lots of problems with their software over the years). Kaspersky apparently doesn't know which SKUs support ICAP (Storage Server?).

I reached out to VirusTotal to ask them if it would violate their ToS for home use, and about the possibility of using their commercial version 'VirusTotal Intelligence', though I don't know what that would cost. I'll update this if I hear back from them. It's possible these guys are worth a shot as well:
https://www.opswat.com/solutions/prevent-malicious-downloads-proxy-servers-icap

Update:
I heard back from VirusTotal about using the ICAP server listed above; they just said that I needed the public API key (by signing up for a free account), so I'm guessing that it doesn't violate the ToS. I haven't heard back regarding pricing yet for their business / intelligence subscription.

Here is a 'setup' link for Metadefender:
https://www.opswat.com/blog/scan-network-traffic-using-proxy-server-metadefender-proxy


#20
It should try to verify the signature of every Certificate Authority in the chain, up to the root. I don't know how you would configure the Root Certificate as a 'trusted certifying authority', as that phrase makes me think of windows. I would assume that BSD has to have a store of trusted Root Certificates somewhere. I haven't seen a GUI option for it though.
#21
I recently tried loading 17.1.x a few different ways, since none of them worked:

Rufus, Physdiskwrite, unetbootin (personal favorite)

Yumi

At the very bottom of the list under 'STEP 2: Select a distribution to put on...'

'Try unlisted iso (GRUB from RAM)'

This one loaded the whole image into a virtual CD-ROM drive in RAM. It still failed with the same 'error 19' as the other methods, though.

I had seen someone mention disabling ACPI, so I did that via the OpnSense boot menu, which just resulted in a different error.

The images were written from a Win 8 x64 host. I haven't had issues writing images for Linux, or ESXi.

I finally was able to install the image using Zalman's Virtual Optical drive. You basically just load an ISO under the '_ISO' folder, and select either 'Dual' (both HDD and CD-ROM over an internal USB hub) or 'Optical'. It works great, but I would love to get the GRUB installer method working.

I do have a couple of spare PCs available that I can test other boot methods on, if you guys have any ideas about fixing the 'error 19' or the invalid GPT partition table. Someone mentioned that plugging the disk into Windows 10 fixed it (apparently the file system was off by one block and didn't write the GPT recovery header). Windows 8 didn't write this 2nd header for me, so it still failed with the GPT error. I tried 4 different brands of flash drives; they all behaved the same way.

There was another mention of using the Serial image version since it's MBR, but I am disabling the serial ports as they are DMA, so potentially an attack vector.
#22
Services > Intrusion Detection > 'User Defined' (Tab) >

GeoIP/Country
× United States (not)

GeoIP/Direction
Source

Action
Drop

This will drop all traffic from every country other than the U.S. There is still plenty of 'bad' traffic here though, and people elsewhere can also use Tor, a VPN, or a 'zombie' (compromised) host.
#23
Hardware and Performance / Re: Max thoughput on EsXi
March 20, 2017, 03:19:29 AM
In order to run Suricata IDS / IPS along with the basic firewall I would go with a gen 3 i5 or better, at least a dual core, 3 GHz+, and at least 4 GB of RAM.

Make it quad core if you want to do VPN near that speed, add more RAM (8-16 GB) if you want to run the Proxy (SQUID).

The biggest thing for just the firewall would be a multi-port Intel NIC; 2x or 4x should do if you want to have more than just LAN / WAN separation. You can 'multiply' ports using VLANs, but those are less secure than a dedicated interface, and more complicated to set up or remember.

If you want to keep ESXi, at least get something with multiple network ports. For troubleshooting make sure that you have all available 'cores' assigned. The terms are confusing, but basically if it is a dual core i5, ESXi will likely show 4 'Logical Processors', due to 'hyper-threading' doubling the core count. For testing, just assign all of them to the OpnSense VM. You can 'over commit' them by giving a 2nd VM 4 Logical Processors as well. There will only be 'resource contention' when one of them wants to use the whole chip.
#24
As was mentioned, you can try the SATA port for the DVD drive (black cable on the side of the drive):

http://cdn1.alphr.com/sites/alphr/files/styles/16x9_860/public/images/dir_370/it_photo_185134.jpg?itok=ncdEIp2A

There is another SATA port (dark blue) that is above the memory sockets for 'CPU 1' here:

http://g02.a.alicdn.com/kf/HTB1YlyXKFXXXXcfXVXXq6xXFXXXG/072XWF-Motherboard-For-PowerEdge-R420.jpg

I would set these to ATA mode if AHCI is still slow. ATA is a 'simpler' command set.

Alternatively, if you want a mirror I would get 2x Lenovo 24 GB SSDs on eBay (about $12 each), and this:

https://www.newegg.com/Product/Product.aspx?Item=N82E16816124095&ignorebbr=1&nm_mc=KNC-GoogleAdwords-PC&cm_mmc=KNC-GoogleAdwords-PC-_-pla-_-Hard+Drive+Controllers+%2F+RAID+Cards-_-N82E16816124095&gclid=CKjdq4j-49ICFYONswodCbgM4w&gclsrc=aw.ds

I haven't tried this combo with BSD / xsense yet, but Dell's controllers have had issues with certain versions of other OSes in my past experience (they used to have issues just with ESX, for instance).
#25
German - Deutsch / Re: Suricata Basics
March 20, 2017, 02:11:26 AM
Typically I leave out the retransmission, and SSL rules, as they tend to throw many false positives.

Aho-Corasick is an 'older', and more compatible, algorithm. It will basically run on any platform. I have a few older Atoms and Turions running it just fine. The Intel developers claimed about 1/12th the memory usage for Hyperscan, and that it is about 5 times faster for multi-pattern matching (single-pattern matching was no improvement):

https://suricon.net/wp-content/uploads/2016/11/SuriCon2016_GeoffLangdale.pdf

It requires a processor with SSE3 at a minimum, with AVX, AVX2, and AVX-512 offering better performance with each successive iteration.