
Messages - allebone

#376
German - Deutsch / Re: IPSec VPN IOS/IPHONE
November 03, 2020, 03:25:43 PM
You can also use 'Passepartout' with OpenVPN from the App Store. Passepartout is like the WireGuard client: it lets you specify to connect when on mobile data or on a specific WiFi APN. It also allows keep-alive etc. It is very easy to configure, and with OpenVPN you can set the desired cipher and encryption algorithm. If WireGuard is not appropriate, you can have the same setup with OpenVPN + Passepartout as you do with WireGuard.
#377
Quote from: Vilhonator on October 05, 2020, 09:04:48 PM
I see your point, but that is something IDS/IPS is for (in fact it works exactly like AV and blocks not only known malicious IPs, but also IPs which are trying to exploit certain well and less well-known vulnerabilities, something that IP blocking does not do).

If you insist on having an IP block list and are hosting your servers on Linux, you can install Fail2ban, which does exactly that: it blocks IPs which try too many times to log in. You just have to configure it right; in fact I think there is a way to install Fail2ban on OPNsense itself.

Indeed this is also true. However, I found that with only IDS (Suricata) and Fail2ban, which I was already using, too little was being caught and quite a bit was slipping through. I tried many things to improve it, but ultimately what I was finding is that the bots/automated attacks used separate IPs to scan your network, then used this information to target what they found with different IPs based on their results. This meant that the setup with Fail2ban and IDS was only 80% or so effective, in some cases less. As I want 99% effectiveness this was not acceptable to me, and this method of a blocklist as an additional layer is the only thing I have so far that is getting me close to the 99% I desire. The other 1% I am able to review in the logs manually each day (as there are not thousands of IPs passing through the logs anymore, i.e. they are not flooded with attacks) and assess easily in a matter of minutes. Keeping the logs mostly clear in this way makes this task quite manageable.
#378
This is true. However, it's not about completely preventing 100% of attacks, as that would always be impossible regardless of what you employ. Rather, it works like an AV product: we don't expect all viruses to be stopped 100% of the time by an AV product, but it does lower your attack profile and thus your risk is mitigated by some %. The more things you do, and the more differing methods you have employed, the smaller your attack surface. In practice I notice it reduces brute force attacks by 95% or so, which is better than not employing such a solution in addition to your other hardening methods. That's just my opinion.
#379
Quote from: mikeb78 on October 03, 2020, 03:00:56 AM
I am interested in working with you. Please tell me what you need

Hi Mike,

Thank you for your reply.
The address is a blocklist for incoming traffic to block malicious IPs from probing any services you have behind your firewall.

For example, if you ran an FTP server and require it to be accessible from anywhere, but want to add an additional layer of protection by blocking known malicious IPs, then this would be appropriate for you.

The instructions are here: https://github.com/pallebone/StrictBlockPAllebone

In short you would be adding an alias on your server that includes these 4 blocklists:

https://raw.githubusercontent.com/pallebone/StrictBlockPAllebone/master/BlockIP.txt
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset

Then you would add a rule to block incoming traffic from the IPs in the alias you created. (The list is not suitable for egress traffic, as I believe firehol includes private IP addresses in their IP blocklist for some strange reason, so don't block traffic outbound from the firewall, only inbound from the internet to the firewall, if that makes sense.)

You can then ensure that you are logging traffic blocked by the rule, and permitted traffic, so you can get a rough idea of how much traffic accessing services behind your firewall is passed and how much is blocked. Ideally you should see most malicious IPs blocked while valid IPs that legitimately want to use your services behind your firewall are not blocked.

You can assess the service and let me know if it helps, or if you don't like it then that feedback is fine also.

Let me know if you require any further info.

Kind regards
Pete
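As an added example that is not part of the original post or of the StrictBlockPAllebone repository: the instructions above amount to fetching several feeds, merging them into one alias, and using that alias on inbound rules only because one feed is believed to carry private ranges. The script below does the merge and the check offline. The feed contents are constructed samples that imitate the three line formats involved (one IP per line, Spamhaus DROP "cidr ; SBLnnn", FireHOL .netset with '#' comments); they are not real feed data, and the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for public attacker addresses.

```python
"""Merge blocklist feeds into one collapsed set of IPv4 networks, flag entries that
are not routable on the WAN side, and check candidate IPs against the result.

Added example for this thread; not code from the original post or repository.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed sample feeds (not real list contents).
SAMPLE_FEEDS: Dict[str, str] = {
    "BlockIP.txt": (
        "203.0.113.10\n"
        "203.0.113.11\n"
        "198.51.100.7\n"
    ),
    "drop.txt": (
        "; constructed sample in Spamhaus DROP format\n"
        "198.51.100.0/24 ; SBL000001\n"
        "192.0.2.0/24 ; SBL000002\n"
    ),
    "firehol_level1.netset": (
        "# constructed sample in FireHOL netset format\n"
        "0.0.0.0/8\n"
        "10.0.0.0/8\n"
        "127.0.0.0/8\n"
        "192.168.0.0/16\n"
        "203.0.113.0/24\n"
    ),
}

# Ranges that can never be a legitimate source on the internet side. Listed
# explicitly rather than via IPv4Network.is_private, because Python also classes
# the documentation ranges used as sample data above as "private".
NON_ROUTABLE: List[IPv4Net] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def parse_feed(text: str) -> List[IPv4Net]:
    """Parse one feed: strip ';' and '#' comments, skip blank or malformed lines,
    accept bare IPs or CIDRs, keep IPv4 only (the alias in the post is IPv4)."""
    nets: List[IPv4Net] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # one bad line must not poison the whole alias
        if isinstance(net, IPv4Net):
            nets.append(net)
    return nets


def merge_feeds(feeds: Dict[str, str]) -> List[IPv4Net]:
    """Union of all feeds with duplicates, subsumed entries and adjacent blocks
    collapsed, so the firewall table holds the minimum number of entries."""
    nets: List[IPv4Net] = []
    for text in feeds.values():
        nets.extend(parse_feed(text))
    return list(ipaddress.collapse_addresses(nets))


def split_non_routable(nets: Iterable[IPv4Net]) -> Tuple[List[IPv4Net], List[IPv4Net]]:
    """Split into (public, non_routable). The non-routable part is what makes the
    merged list unsafe as an egress block: it would match your own LAN."""
    public: List[IPv4Net] = []
    non_routable: List[IPv4Net] = []
    for net in nets:
        if any(net.overlaps(r) for r in NON_ROUTABLE):
            non_routable.append(net)
        else:
            public.append(net)
    return public, non_routable


def is_blocked(ip: str, nets: Iterable[IPv4Net]) -> bool:
    """True if the address falls inside any network of the merged list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    merged = merge_feeds(SAMPLE_FEEDS)
    public, non_routable = split_non_routable(merged)
    print(f"{len(merged)} networks after collapsing; {len(non_routable)} not routable on the WAN side:")
    for net in non_routable:
        print("  ", net)
    for probe in ("203.0.113.55", "192.0.2.1", "198.18.0.1"):
        print(probe, "blocked" if is_blocked(probe, merged) else "allowed")
```

Running it on the samples collapses ten raw entries into seven networks and reports four of them as non-routable, which is exactly the set that would match LAN or loopback traffic if the alias were applied outbound. When comparing pass/block log counts as the post suggests, the same `is_blocked()` check can be run over the source addresses of permitted connections to spot feed entries that would have hit a legitimate client.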
#380
I have been working on a blocklist of malicious IPs that I detect by having services/ports open to VMs that can be destroyed and rebuilt if/when compromised. This allows me to capture the IPs that attack these servers, and I make a blocklist from the information I collect.

I would like to know if anyone would be able to help by assessing the usefulness of the list, and whether it assists in reducing the number of malicious IPs trying to connect to services you may currently be forced to have open for whatever reason, protected by Fail2ban or some other service that is not foolproof, where you would like an additional layer of prevention.

The list is here: https://github.com/pallebone/StrictBlockPAllebone

Thanks in advance if anyone would like to help test and provide any feedback :)

P
#381
Please can someone tell me how to check how many entries are currently being used so I can check if I need to increase the number of entries?
#382
Is this impossible to do in the current version?
#383
Hi there,

I have added a lot of entries and would like to check how close I am to the limit defined under Firewall Maximum Table Entries in firewall-settings.

How can I check what the current value in use is to compare it to the maximum value allowed set?

Kind regards
Peter
#384
Quote from: mimugmail on July 27, 2020, 03:10:54 PM
Sure, System : Settings : Logging .. there just double the size for logging.
With 20.7 you can also switch to text logging where there is always one file per day and you set the time how long to keep them.

Can you clarify? In live log I can only select up to 5000 entries. What must I change here?
#385
Hi there,

I am finding the log of only 5000 entries a little restrictive. Is there any inbuilt way inside OPNsense to increase it slightly more, say to 10000 (double), as that would be really helpful in some circumstances when reviewing some of the logs? 5000 seems a tad on the small side when capturing traffic, that's all.

P
#386
You tick the Source / Invert box to create a ! (i.e. NOT this IP listed).
#387
Hmm, that is disappointing. Thanks for clarifying.
#388
When using Intrusion Detection, what rules are processed first?

I have normal Firewall rules I would like processed before IDS is processed. Is this the default, or if not, how can I ensure my own rules are processed prior to IDS rules being processed?

Kind regards
Pete
#389
I just want to follow this in case someone gets it working.
#390
Hi there,

I would like to create a rule that detects if an IP attempts to make a connection to the firewall on a certain port, and adds that IP into a block rule. Is this possible to do? E.g.: IP 1.1.1.1 connects to the firewall on port 4000. The firewall sees this in the logs and adds it into a block rule that denies any traffic from 1.1.1.1, which also now prevents that IP from connecting to any NAT rules that are open for other services on the network.

Kind regards
P