Messages - ArminF

#16
Hm.. as I had a backup, I decided to reinstall Zenarmor and Elasticsearch.

No luck with that. The DB does not start and the system behaves very unstably.
#17
Morning,

with my update to 22.1, Elasticsearch does not start.
"Error occured during elasticsearch start process"

Installed and reinstalled:
elasticsearch5   5.6.16_8   72.9MiB   SunnyValley   APACHE20
os-sensei   1.10.1   120MiB   SunnyValley   BSD2CLAUSE
os-sunnyvalley   1.2_1   652B   OPNsense   BSD2CLAUSE

any tip for me?
#18
OK, but I am confused.

You wrote ET Open, so I went to install plugins and installed ET Open as well.
I had ET Telemetry with a token.

But there I can't find ET open/emerging-policy. There is an ET open/emerging-inappropriate.
And I got an ET telemetry/emerging-policy, but this does not seem to carry the SSH detection.

Installed as plugins:
os-etpro-telemetry   1.6_1   50.3KiB   OPNsense   ET Pro Telemetry Edition   -> with token
os-intrusion-detection-content-et-open   1.0.1   1.53KiB   OPNsense   IDS Proofpoint ET open ruleset complementary subset for ET Pro Telemetry edition
#19
Morning Seed,
thanks for your help. Much appreciated.

Yes, and I did activate/enable it and downloaded the data.
But when I check the rules tab for SSH or SID 2001982, I cannot find it.

I think I did the right actions.
Any clue?

cheers Armin
#20
Hm..
I just checked and re-downloaded ET telemetry/emerging-policy,
but I was not able to find "ET POLICY SSHv2 Client KEX Detected on Unusual Port" / SID 2001982.

Running OPNsense 21.7.7-amd64

Any idea?
It would be good if I could block that somehow.

thanks
armin
#21
Thank you Seed!

Would that mean that Suricata would need to run on the internal interfaces?
There I do run Zenarmor right now.

cheers A
#22
Hello,
I would like to ask for recommendations on blocking SSH to the outside tunneled through port 443 or 80,
as these ports are common and usually open.

Info:
Edit the '/etc/ssh/sshd_config' file and use the following configuration for the port:
Port 22
Port 443
Restart sshd using 'service sshd restart'

Now I would be able to connect to the outside world using a web port.

Is there a way to prevent that on the firewall?
- IDS
- Proxy

Thank you for your input!
best wishes Armin
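The detection that posts #19 to #22 are looking for (an SSH session on a port other than 22, which is what the ET POLICY rule with SID 2001982 flags) can be reproduced in a few lines. The block below is an added example, not code from the thread, from Proofpoint or from OPNsense; it does not reproduce the ET rule text, only the idea behind it. It classifies TCP flows by the protocol identification string both peers send first (RFC 4253, "SSH-2.0-..."), and the flow records are constructed sample data:

```python
"""
Added example (not from the forum thread): toy detector for SSH sessions on
ports other than 22, the same idea as the ET POLICY rule discussed in the
thread (client KEX / protocol banner seen on an unusual port).  The flow
records below are constructed sample data, not a real capture.
"""
import re
from dataclasses import dataclass

# RFC 4253: the identification string each side sends first is
# "SSH-protoversion-softwareversion" followed by CR LF.
SSH_BANNER = re.compile(rb"^SSH-(\d\.\d+)-([^\r\n ]+)")


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    client_payload: bytes   # first bytes sent by the client
    server_payload: bytes   # first bytes sent by the server


def ssh_banner(payload: bytes):
    """Return (version, software) if payload starts with an SSH id string, else None."""
    m = SSH_BANNER.match(payload)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def classify(flow: Flow, expected_ports=(22,)):
    """
    Label a flow:
      'ssh-on-unusual-port' - both sides speak SSH, server port not in expected_ports
      'ssh'                 - SSH on an expected port
      None                  - not SSH (e.g. real HTTPS on 443)
    Requiring the banner in both directions avoids firing on a lone client probe.
    """
    c = ssh_banner(flow.client_payload)
    s = ssh_banner(flow.server_payload)
    if not (c and s):
        return None
    return "ssh" if flow.dport in expected_ports else "ssh-on-unusual-port"


SAMPLE_FLOWS = [  # constructed test data
    Flow("192.168.1.50", 51234, "203.0.113.10", 443,
         b"SSH-2.0-OpenSSH_8.8\r\n", b"SSH-2.0-OpenSSH_8.4p1 Debian\r\n"),
    Flow("192.168.1.50", 51235, "203.0.113.20", 443,          # a real TLS ClientHello
         b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03", b"\x16\x03\x03"),
    Flow("192.168.1.51", 40001, "203.0.113.30", 22,
         b"SSH-2.0-PuTTY_Release_0.76\r\n", b"SSH-2.0-OpenSSH_9.0\r\n"),
    Flow("192.168.1.52", 40002, "203.0.113.40", 80,
         b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
]


def find_tunnels(flows=SAMPLE_FLOWS):
    """Return (src, dst, dport) for every flow that is SSH on an unexpected port."""
    return [(f.src, f.dst, f.dport) for f in flows
            if classify(f) == "ssh-on-unusual-port"]


if __name__ == "__main__":
    for hit in find_tunnels():
        print("SSH on unusual port:", hit)
```

Two caveats apply to any detector of this kind, whether this script or a Suricata rule: it only sees traffic on the interfaces it is attached to (a client on LAN reaching the internet on 443 is only visible where that flow actually crosses), and it only sees plain SSH. SSH wrapped in TLS (stunnel, an HTTPS CONNECT tunnel) shows a TLS handshake, not an SSH banner, and needs a TLS-terminating proxy or traffic-shape heuristics instead.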
#23
21.7 Legacy Series / Re: NAT - i am clueless
November 09, 2021, 10:30:06 PM
Further checks with packet capture show me some weird behavior.

Outbound NAT seems to work, as the address gets translated. But then loads of SACKs and retransmits happen.
22   31.113844   192.168.10.103   192.168.10.102   TCP   74   [TCP Retransmission] 58930 → 502 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2035562142 TSecr=0 WS=128

"22:27:17.433500 02:9a:d4:01:5d:01 > 14:42:fc:ea:83:c8, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 24639, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.10.103.60811 > 192.168.10.102.502: Flags , cksum 0x8bc8 (correct), seq 186586557, win 64240, options [mss 1460,sackOK,TS val 2037162334 ecr 0,nop,wscale 7], length 0
    192.168.10.103.30523 > 192.168.10.102.502: Flags , cksum 0xc501 (correct), seq 785917789, win 64240, options [mss 1460,sackOK,TS val 2037164316 ecr 0,nop,wscale 7], length 0
    192.168.10.103.30523 > 192.168.10.102.502: Flags , cksum 0xc0ff (correct), seq 785917789, win 64240, options [mss 1460,sackOK,TS val 2037165342 ecr 0,nop,wscale 7], length 0
    192.168.10.103.44844 > 192.168.10.102.502: Flags , cksum 0xa9a3 (correct), seq 3558103502, win 64240, options [mss 1460,sackOK,TS val 2037167323 ecr 0,nop,wscale 7], length 0
    192.168.10.103.44844 > 192.168.10.102.502: Flags , cksum 0xa5a0 (correct), seq 3558103502, win 64240, options [mss 1460,sackOK,TS val 2037168350 ecr 0,nop,wscale 7], length 0
    192.168.10.103.22878 > 192.168.10.102.502: Flags , cksum 0x91cb (correct), seq 503280075, win 64240, options [mss 1460,sackOK,TS val 2037170330 ecr 0,nop,wscale 7], length 0
    192.168.10.103.22878 > 192.168.10.102.502: Flags , cksum 0x8dc7 (correct), seq 503280075, win 64240, options [mss 1460,sackOK,TS val 2037171358 ecr 0,nop,wscale 7], length 0
    192.168.10.103.6957 > 192.168.10.102.502: Flags , cksum 0x0d7a (correct), seq 1079445047, win 64240, options [mss 1460,sackOK,TS val 2037173337 ecr 0,nop,wscale 7], length 0"
#24
21.7 Legacy Series / NAT - i am clueless
November 09, 2021, 09:11:57 PM
Evening,
I am struggling with one of my servers.
Scenario:

DMZ - Server 192.168.10.102 / Port TCP 502
LAN - Server 192.168.1.100 / *
Alias Host - 192.168.10.103

The DMZ Server only accepts connections from the DMZ subnet.
The LAN Server should poll some details from the DMZ Server.
NAT is needed to translate the LAN Server IP to an IP on the DMZ subnet so it will be accepted.

LAN                                          DMZ
192.168.1.100------|------------OPNSense---------|--------------192.168.10.102
                     GW LAN                               GW DMZ
                    192.168.1.1                             192.168.10.1   
          
Traffic
192.168.1.100  ---> translated to 192.168.10.103------------> 192.168.10.103

I tried outbound NAT but was not able to set it up (yet). Really buggers me....

LAN has access to DMZ in the firewall ruleset.
DMZ to DMZ also has access.
I can see it in the live log as well.

Would you please enlighten me so i can get rid of this burden?
thank you
armin
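The capture in #23 shows the translated source 192.168.10.103 sending the same SYN (same seq, TSecr 0) again and again to 192.168.10.102:502 with no SYN-ACK in between. The block below is an added example, not from the thread, that pulls that pattern out of tcpdump text automatically: it groups segments by client/server 4-tuple, counts SYNs, and credits a SYN-ACK to the attempt it answers. The capture lines are constructed to mirror the shape of the posted ones (with the TCP flags, which the page lost, written as tcpdump prints them); they are not the real capture.

```python
"""
Added example (not from the forum thread): find TCP connection attempts in a
tcpdump text capture that never got a SYN-ACK, i.e. the client keeps
retransmitting its SYN.  The capture lines below are constructed to mirror
the shape of the ones posted in the thread; they are not the real capture.
"""
import re
from collections import OrderedDict

LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_segments(text):
    """Yield (src, sport, dst, dport, flags) for each tcpdump line that parses."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def connection_attempts(text):
    """
    Map each client->server 4-tuple to {'syn': n, 'synack': bool}.
    A SYN-ACK is credited to the attempt it answers by flipping the tuple.
    """
    attempts = OrderedDict()
    for src, sport, dst, dport, flags in parse_segments(text):
        if flags == "S":                       # bare SYN from the client
            a = attempts.setdefault((src, sport, dst, dport), {"syn": 0, "synack": False})
            a["syn"] += 1
        elif flags == "S.":                    # SYN-ACK from the server
            key = (dst, dport, src, sport)
            if key in attempts:
                attempts[key]["synack"] = True
    return attempts


def unanswered(text, min_syns=2):
    """Attempts with at least min_syns SYNs and no SYN-ACK: the reply never came back."""
    return [k + (v["syn"],) for k, v in connection_attempts(text).items()
            if not v["synack"] and v["syn"] >= min_syns]


# Constructed sample capture (tcpdump -n style); not the thread's actual output.
SAMPLE = """\
22:27:17.433500 IP 192.168.10.103.60811 > 192.168.10.102.502: Flags [S], seq 186586557, win 64240, length 0
22:27:18.461300 IP 192.168.10.103.60811 > 192.168.10.102.502: Flags [S], seq 186586557, win 64240, length 0
22:27:19.480100 IP 192.168.10.103.30523 > 192.168.10.102.502: Flags [S], seq 785917789, win 64240, length 0
22:27:19.480900 IP 192.168.10.102.502 > 192.168.10.103.30523: Flags [S.], seq 4100, ack 785917790, win 29200, length 0
22:27:19.481100 IP 192.168.10.103.30523 > 192.168.10.102.502: Flags [.], ack 4101, win 502, length 0
22:27:21.331000 IP 192.168.10.103.44844 > 192.168.10.102.502: Flags [S], seq 3558103502, win 64240, length 0
22:27:22.358000 IP 192.168.10.103.44844 > 192.168.10.102.502: Flags [S], seq 3558103502, win 64240, length 0
"""

if __name__ == "__main__":
    for src, sport, dst, dport, n in unanswered(SAMPLE):
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYNs, no SYN-ACK")
```

Repeated SYNs with identical seq and no SYN-ACK on the DMZ side mean the translated packet reached the wire but nothing came back to it. One common cause with outbound NAT to an address such as 192.168.10.103 is that the firewall does not itself own that address on the DMZ segment (as a Virtual IP), so the server's SYN-ACK has nobody to answer its ARP request and is dropped; capturing on the DMZ interface for ARP "who-has 192.168.10.103" is the quick way to confirm or rule that out.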
#25
21.1 Legacy Series / Re: Port Alias List/Table
June 24, 2021, 06:53:57 AM
Maybe the API would do the job for you. You can install the add-on from the firmware plugins:
os-firewall

https://docs.opnsense.org/development/api/core/firewall.html
Then you could set up a call which would update your alias port list.
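As an added example of the call suggested in #25 (not code from the thread or from the OPNsense project): look up a port alias by name, replace its content, and apply the change through the os-firewall API. The endpoint paths (getAliasUUID, setItem, reconfigure), the newline-separated content format, and the "saved" result are my reading of the linked API documentation and should be checked against your firewall's version; host, key, secret and alias name are placeholders. Nothing here contacts a firewall unless update_port_alias() is called.

```python
"""
Added example (not from the thread or the OPNsense project): update a port
alias through the os-firewall API plugin.  Endpoint paths follow the linked
API docs as I read them (getAliasUUID, setItem, reconfigure); the host, key,
secret and alias name are placeholders.  Nothing here talks to a real firewall
unless you call update_port_alias() yourself.
"""
import base64
import json
import urllib.request


def valid_port_spec(spec):
    """True for a single port '443' or a range '8000:8100' within 1..65535."""
    lo, _, hi = str(spec).partition(":")
    nums = [lo, hi] if hi else [lo]
    if not all(n.isdigit() and 1 <= int(n) <= 65535 for n in nums):
        return False
    return not hi or int(lo) < int(hi)


def build_alias_payload(ports):
    """
    Body for POST /api/firewall/alias/setItem/<uuid> (assumed shape).  Entries
    are validated first and joined with newlines, the separator the alias
    model uses for multi-value content.
    """
    bad = [p for p in ports if not valid_port_spec(p)]
    if bad:
        raise ValueError(f"bad port or range: {bad}")
    return {"alias": {"content": "\n".join(str(p) for p in ports)}}


def _call(base, key, secret, path, body=None):
    # OPNsense API: HTTP basic auth, API key as user name, API secret as password.
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(
        base + path,
        data=json.dumps(body).encode() if body is not None else None,
        method="POST" if body is not None else "GET",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
    )
    # For a self-signed firewall certificate pass an SSLContext with your CA
    # via the context= argument rather than disabling verification.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def update_port_alias(base, key, secret, alias_name, ports):
    """Look up the alias UUID by name, replace its content, then apply (reconfigure)."""
    uuid = _call(base, key, secret, f"/api/firewall/alias/getAliasUUID/{alias_name}")["uuid"]
    result = _call(base, key, secret, f"/api/firewall/alias/setItem/{uuid}",
                   build_alias_payload(ports))
    if result.get("result") != "saved":
        raise RuntimeError(f"setItem failed: {result}")
    return _call(base, key, secret, "/api/firewall/alias/reconfigure", {})


if __name__ == "__main__":
    # Placeholders: replace with your firewall, an API key/secret created
    # under System > Access > Users, and the name of an existing port alias.
    print(update_port_alias("https://firewall.example.internal", "API_KEY", "API_SECRET",
                            "AllowedPorts", [80, 443, "8000:8100"]))
```

The validation matters because the alias content is fed into the pf ruleset; rejecting malformed entries in the client is cheaper than debugging a rule reload that failed. Give the API key to a user with only the firewall alias privileges, not an administrator account.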
#26
It does work for me; I had trouble with the correct syntax for whitelisted domains.

Use this http://www.regexlab.com/wild2regex

Example:
Pattern with wildcard: *.microsoftonline.com
Regex export: (?:(?!\.microsoftonline\.com)(?:.|\n))*\.microsoftonline\.com

Options I left at default.
Paste this output domain by domain into the whitelist field.
#27
21.1 Legacy Series / Re: Unbound DoT not working
June 19, 2021, 03:14:26 PM
Hi,
I used this guide, which made it work for me.
Log level 2 will show #853 connections (DoT).

For DNSBL whitelisting I used http://www.regexlab.com/wild2regex to create the whitelist entries.
So you can enable blocklists and exclude pages you still want.

I did not configure anything on the WAN side related to firewalls.
Locally I forward my port 53 to localhost.
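Before pasting a generated pattern like the one in #26 into a whitelist, it is worth checking what it matches. The block below is an added example (not from the thread, not from regexlab, and not the Unbound/DNSBL code): it runs the regexlab export for *.microsoftonline.com against constructed domain names next to an anchored pattern built by a small wildcard-to-regex converter. Note that it only exercises the regexes themselves; whether the DNSBL code applies a whitelist entry with a full match or a substring search is not verified here and decides which of the two columns applies to you.

```python
"""
Added example (not from the thread): shows what the regexlab-generated
whitelist pattern from the post actually matches, and the anchored form I
would use instead.  The domains below are constructed test data.  This only
exercises the regexes themselves; how the DNSBL code applies them
(search vs. full match) is not verified here.
"""
import re

# Pattern exactly as the post shows it, exported by regexlab for "*.microsoftonline.com".
# The leading (?:(?!...)(?:.|\n))* is a tempered "anything up to" and carries
# no anchor, so with a substring search it accepts any string that merely
# contains ".microsoftonline.com" somewhere.
REGEXLAB = r"(?:(?!\.microsoftonline\.com)(?:.|\n))*\.microsoftonline\.com"


def wildcard_to_regex(pattern):
    """
    Convert a shell-style wildcard into an anchored regex: '*' becomes '.*',
    every other character is escaped, and the result is wrapped in ^...$ so
    'login.microsoftonline.com.evil.example' cannot pass as whitelisted.
    """
    parts = [".*" if c == "*" else re.escape(c) for c in pattern]
    return "^" + "".join(parts) + "$"


def matches(regex, domain, anchored):
    """Apply the regex the way a whitelist might: full match or substring search."""
    m = re.fullmatch(regex, domain) if anchored else re.search(regex, domain)
    return m is not None


DOMAINS = [  # constructed test data
    "login.microsoftonline.com",
    "microsoftonline.com",
    "login.microsoftonline.com.evil.example",
    "evilmicrosoftonline.com",
]


def compare(pattern="*.microsoftonline.com"):
    """domain -> (regexlab export with search, anchored pattern with fullmatch)"""
    anchored = wildcard_to_regex(pattern)
    return {d: (matches(REGEXLAB, d, False), matches(anchored, d, True)) for d in DOMAINS}


if __name__ == "__main__":
    print("anchored form:", wildcard_to_regex("*.microsoftonline.com"))
    for domain, (loose, strict) in compare().items():
        print(f"{domain:45} regexlab/search={loose!s:5} anchored/fullmatch={strict}")
```

Two things the table makes visible: the unanchored export whitelists login.microsoftonline.com.evil.example if the consumer uses a substring search, and neither pattern covers the bare apex microsoftonline.com, because the wildcard demands a dot in front of it; add a second entry for the apex if you need it.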
#28
Yes, it does work per se. Just the logs are empty, which makes it pretty hard to troubleshoot failing connections.

Can this fix from vedalek be applied?
If so, where exactly?

thanks!
armin
#29
Had to clear the cache as well.

I used this, as it will only clear the cache for specific sites.
https://pitdesigns.com/how-to-clear-chrome-cache-for-specific-website-only-3-steps/
#30
Morning,
after upgrading to 21.1.7, the DNSCrypt server stopped logging.
dnscrypt-proxy2   2.0.45
Log / Queries
Log / NX
Both logs are empty.

Restart
Log flushing
Service restart
No success..

Would you have any recommendations for me?

thanks a lot!
cheers armin