Why are specific IP addresses ignored by OPNsense firewall?

[HankM]

This isn't the first time this has happened.

107.170.237.26 is blocked by Internet Defense. I caught this same IP address a week ago, trying to hack my mail server., so I added it to my own block list.

Yesterday the same IP tried again to hack my mail server
Accepted POP3 connection with: 107.170.237.26
19:11:05 1CF *** NEW PHYS. CONNECTION, Tbl Entry=0, Socket=82
19:11:05 1CF POP3 command: MGLNDD_xxx.xxx.xxx.xxx_110
19:11:06 1CF POP3 session ended: 107.170.237.26
19:11:06 1CF *** PHYSICAL PORT DISCONNECTED, Tbl Entry=0, Socket=82

Not just this one attempt TEN TIMES.

This IP belongs to stretchoid, who have close to 2,000 of these so-called 'research scanners' all running world-wide on Digital Ocean.

Don't come with the BS that this is 'ethical hacking' to make the world a better place. To be an ethical hacker YOU NEED PERMISSION.

If I go around houses checking the front and back doors of every house, what do you think Mr Plod is going to say when I tell him "it's only for research."?

My question is:
Is this a BUG in OPNSense or is it a deliberate back door for the US Alphabet agencies.

Oh and before you tell me, I haven't entered it properly, I have checked it.

Enter an IP address to show in which aliases it is used.
107.170.237.26
internet_defence
stretchoid_drop (my own block list)

This is NOT the first stretchoid IP address that has succeeded in bypassing OPNsense. The two previous ocassions I thought maybe it was me. IT ISN'T.

[cookiemonster]

What is "Internet Defense" and how does it relate to OPNSense?

[RamSense]

Enter an IP address to show in which aliases it is used.
107.170.237.26
internet_defence
stretchoid_drop (my own block list)

I think he has made a firewall rule as his own “blocklist”

[cookiemonster]

Right, makes a bit of sense now. Thanks Ram.

[HankM]

Internet_defence is supposed to be a list of threats which you can use in OPNsense to block threats. (https://internetdefensesystems.com/list/badips.bydate.part01.txt)

Many of the IP addresses in there appear in the firewall (as the info I sent) but many of them (especially scanners) DON'T GET BLOCKED. This is why I created my own blocklist. This means that OPNSense is reading the list, but why are some being bypassed?

My own blocklist works. I have over 5,000 bad actors in it and with the exception of the three I mentioned from stretchoid, once they are in my blocklist I never see them again, so there is NO reason why (so far) three IP's from stretchoid are bypassing the firewall.

I don't have the other two I never wrote them down as I though maybe I had messed up. I'm sure they'll be back. These scanners are using  a massive amount of bandwidth and they are at it 24 x 7. Since I started blocking them the speed of all our computers have improved dramatically.

I've caught as many as TEN scanners all hacking away at my servers simultaneously.

To list the ones I have and the number of scanners:

Alphastrike - 10
Binary Edge Ninja - 128
Internet Census - 198
Leakix - 51
Netsystems research - 139
Onyphe - 51
Rapid 7 - 108
SecurityIP - 59
Shadow Server - 190
Shodan - 81
Stretchoid - 1828

Most of these lists also contain subnets from /28 to /24 so the actual number is far higher than those above. That's a total of >2844 scanners trying to hack your computers and servers, and wasting the bandwidth 24 x 7

All these lists are available on the web if you go search for them.

Now if YOU are happy with some asshole checking all the doors and windows of your house and taking inventory of all your belongings, 24 x 7, good for you. I'm NOT.

IMO it's pretty obvious who uses stretchoid and it definitely is NOT benign.

[cookiemonster]

Ok so it is an ip blocklist, got it.
Do you want to share your blocking setup that is using it so that someone can advise on what to check?
Presumably on wan as list in alias as source? Show the rule please.

[HankM]

I already feel I'm wasting my time. If I have 5,000 IP addresses in my block list and 4,999 of them work. WTF are you asking me to show you the rule?

I didn't ask for HELP. I wanted to know WHY.

IS OPNSense deliberately allowing IPs to penetrate their firewall by request/demand of the US government? THAT is my question.

To satisfy YOUR question, I downloaded the (readily available - if you take the trouble to search for them) lists and entered EVERY one into the firewall BY HAND and YES they are all there and YES they all work except the three I've spotted so far.

Can you now find something else to divert away from giving a straight answer to my question?

If it isn't deliberate THERE's A BUG

[cookiemonster]

Wow. Ok. That was my last post on your thread.

[franco]

Mod note: I've restricted HankM's ability to post here for 24 hours. Perhaps that helps with calming this down.

[RamSense]

Agree to the tone of voice.
But the key question about 1 to 3 ip’s being able to pass through is interesting enough to test(?)
Hey speaks about one block rule with thousands of ip’s and those 3 escape it?

How to replicate?
 

[franco]

Either through logging the rule, adding a single rule to see if it matches, finding another rule that takes precedence for whatever reason.

You could also use match and packet counters to see if these rules are hit correctly (inspect button).

Most of the time a rule not matching is because another rule is matching instead. That is if the traffic reaches the firewall in the first place.

TBF, any sane firewall troubleshooting would go through these steps before making a hot debate on the Internet about an alleged bug. Maybe it's one but if you haven't confirmed if that's the case it's not good because then it also cannot be reproduced.


Cheers,
Franco

[RamSense]

TBF, any sane firewall troubleshooting would go through these steps before making a hot debate on the Internet about an alleged bug. Maybe it's one but if you haven't confirmed if that's the case it's not good because then it also cannot be reproduced.

Thnx and I totally agree.

[HankM]

OK, clever guys, so riddle me this:-
I have a very simple installation. All traffic is allowed except for the IPAddresess on blocklists which are:
hacker_drop
stretchoid_drop
shodan_drop
misc_scanners_drop
int_census.drop

There are now fancy rules so I don't see how such a comment as troubleshoot is relevant.

SO PLEASE explain as this IS reproducible. You can try it yourself.

Create a blocklist stretchoid_drop and if you like you can create all the others, but make sure you put stretchoids addresses in stretchoid.
Go to Firewall --> Diagnostics -->Aliases and check that all the above are populated.

Now reboot OPNSense.

Go to Firewall --> Diagnostics -->Aliases and check that all the above are populated.

hacker_drop FINE
shodan_drop FINE
misc_scanners_drop FINE
int_census.drop FINE

Stretchoid_drop is BLANK every IP address is GONE.

Now YOU troubleshoot THAT!

[Patrick M. Hausen]

Create a blocklist stretchoid_drop and if you like you can create all the others, but make sure you put stretchoids addresses in stretchoid.

Where do I get these addresses?

[HankM]

https://github.com/SilvrrGIT/IP-Lists/blob/master/stretchoid
https://gitlab.com/ohisee/block-shodan-stretchoid-census

There are plenty others, seek and thou shalt find.