ISP hacked OPNSense Router

Started by peterwkc, November 27, 2024, 09:23:29 AM

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
Most probably my ISP has hacked my router. (Don't argue this.)

LOL, no, just no, your ISP didn't hack anything.
And then to say we can't argue that, are you kidding me? If nothing is opened to the WAN side, not even your ISP can hack the OPNsense box.

Quote from: thecrankygamer on December 30, 2024, 02:00:20 PM
Quote from: peterwkc on November 27, 2024, 09:23:29 AM
Most probably my ISP has hacked my router. (Don't argue this.)

LOL, no, just no, your ISP didn't hack anything.
And then to say we can't argue that, are you kidding me? If nothing is opened to the WAN side, not even your ISP can hack the OPNsense box.

I think you didn't see the screenshot that I shared. It's full of blocked packets in the firewall log.

So? Your firewall is connected to the Internet. So bad actors will scan it 24x7. And the OPNsense firewall will by default block all of these attempts. The log showing all of these blocked packets is proof that the firewall is working. Not the other way round.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on December 31, 2024, 01:30:49 AM
So? Your firewall is connected to the Internet. So bad actors will scan it 24x7. And the OPNsense firewall will by default block all of these attempts. The log showing all of these blocked packets is proof that the firewall is working. Not the other way round.

Yes, my firewall is connected to the Internet. Today, the firewall rebooted twice by itself. I don't know whether my firewall was hacked. Moreover, the day before yesterday, my PC could not ping the default gateway IP address. So I suspected the LAN PC was hacked. My other PCs, which are not connected to the Internet, are able to ping it. So this is strange to me.

Sporadic reboots are mostly caused by crashes, not hacks. Your PC not pinging the GW or not having network access are examples of issues on your network or on the GW, usually. Or the host itself had an issue, if it was isolated to just one device. This doesn't exclude that you can have an infected device via a virus, but that's not hacking, that's a virus.

Once again, if you didn't open ports towards the Internet and didn't allow SSH & HTTP/S GUI management, there is no way you could be hacked from the Internet.

Your mindset is totally wrong on this.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: peterwkc on January 02, 2025, 08:53:59 AM
Quote from: Patrick M. Hausen on December 31, 2024, 01:30:49 AM
So? Your firewall is connected to the Internet. So bad actors will scan it 24x7. And the OPNsense firewall will by default block all of these attempts. The log showing all of these blocked packets is proof that the firewall is working. Not the other way round.

Yes, my firewall is connected to the Internet. Today, the firewall rebooted twice by itself. I don't know whether my firewall was hacked. Moreover, the day before yesterday, my PC could not ping the default gateway IP address. So I suspected the LAN PC was hacked. My other PCs, which are not connected to the Internet, are able to ping it. So this is strange to me.

If I was a haxor I'd want your PC and router to stay ONLINE, not reboot, as I'd lose access to trying to steal all of your porn collection.
This entire thread is nonsense.

January 03, 2025, 08:05:13 AM #51 Last Edit: January 03, 2025, 08:29:35 AM by peterwkc
Quote from: DEC670airp414user on January 02, 2025, 11:19:37 AM
Quote from: peterwkc on January 02, 2025, 08:53:59 AM
Quote from: Patrick M. Hausen on December 31, 2024, 01:30:49 AM
So? Your firewall is connected to the Internet. So bad actors will scan it 24x7. And the OPNsense firewall will by default block all of these attempts. The log showing all of these blocked packets is proof that the firewall is working. Not the other way round.

Yes, my firewall is connected to the Internet. Today, the firewall rebooted twice by itself. I don't know whether my firewall was hacked. Moreover, the day before yesterday, my PC could not ping the default gateway IP address. So I suspected the LAN PC was hacked. My other PCs, which are not connected to the Internet, are able to ping it. So this is strange to me.

If I was a haxor I'd want your PC and router to stay ONLINE, not reboot, as I'd lose access to trying to steal all of your porn collection.
This entire thread is nonsense.

I can share a video of my blocked packets with you to prove that the hacker had tried to connect to the WAN. I have an enemy; that is why my ISP wants to spoil me. By the way, thanks for your effort in replying to this thread.

Blocked packets are proof that your firewall is working. Every system connected to the Internet is scanned by automatic bots 24x7. There's nothing one can do about that but use a firewall that blocks these attempts as OPNsense does by default.

Blocked == not hacked == good.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@peterwkc, please advise straight answers to the following:
  • Are your firewall rules all in the default state?
  • If not, please provide any and all NAT or port forwarding (or other) rules you have created, edited, or removed.

As noted early in this thread, we cannot exclude an infection on your internal machines, arriving through phishing or downloading dodgy software. We can tell you what, if any, exposures you may have on your firewall.

As noted more than once by Patrick, the logs you have provided show normal and effective operation of the firewall. You have also not yet described any "hacker" behaviour which would be logical for a real external intruder. If your ISP did not like you, they could more simply randomly drop your connection. It is again hugely improbable.

We may be able to help with clear answers about configuration. Remember, your fears about TinyPilot proved unfounded once you had looked into and understood it better.
Deciso DEC697
+crowdsec +wireguard

Quote from: peterwkc on January 03, 2025, 08:05:13 AM
I can share a video of my blocked packets with you to prove that the hacker had tried to connect to the WAN. I have an enemy; that is why my ISP wants to spoil me. By the way, thanks for your effort in replying to this thread.

NO, just NO, this is normal.
Everybody sees this, or has at some point seen it. It doesn't matter what FW/router you use: open source, off the shelf or enterprise. If you use a device on the edge facing the Internet, this is what you can expect to see these days.

Quote from: Patrick M. Hausen on January 03, 2025, 08:17:53 AM
Blocked packets are proof that your firewall is working. Every system connected to the Internet is scanned by automatic bots 24x7. There's nothing one can do about that but use a firewall that blocks these attempts as OPNsense does by default.

Blocked == not hacked == good.

Exactly, couldn't have said it better myself.

OP, the only proof you state or post so far proves that all is working well and that ingress towards your WAN is blocked.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Some of the blocked sources were on crowdsec's radar. It means that these sources are known as being owned by bad actors on a global scale...
You're not the only target. EVERYBODY is. If you have a public IPv4, you will see unsolicited requests.
It's the sad reality of today's internet. That's why you have a firewall at the edge of your network.

There have been plenty of reports of compromised consumer routers (e.g. TP-link) but you're using a commercial grade router...
With OPN set to reject all incoming traffic on WAN, I'd be more worried about malware or compromised poorly maintained devices.

January 06, 2025, 12:47:50 PM #56 Last Edit: January 06, 2025, 12:55:52 PM by peterwkc
Quote from: passeri on January 03, 2025, 09:34:29 AM
@peterwkc, please advise straight answers to the following:
  • Are your firewall rules all in the default state?
  • If not, please provide any and all NAT or port forwarding (or other) rules you have created, edited, or removed.

As noted early in this thread, we cannot exclude an infection on your internal machines, arriving through phishing or downloading dodgy software. We can tell you what, if any, exposures you may have on your firewall.

As noted more than once by Patrick, the logs you have provided show normal and effective operation of the firewall. You have also not yet described any "hacker" behaviour which would be logical for a real external intruder. If your ISP did not like you, they could more simply randomly drop your connection. It is again hugely improbable.

We may be able to help with clear answers about configuration. Remember, your fears about TinyPilot proved unfounded once you had looked into and understood it better.

I have added one block rule on WAN and have several firewall aliases like crowdsec. Opt1 is blocked to LAN. No sshd, no open ports. Opt1 WiFi is provided based on MAC address.

I worry they use malware to get access to my system.

My firewall rebooted again this morning. I don't know whether this is a crash or a backdoor script.

> My firewall rebooted again this morning. I don't know whether this is a crash or a backdoor script.
I'll repeat again. WAN will block everything not solicited from the inside by default. You can of course add blocking aliases but they are mostly unnecessary if connections initiate from the outside. If the connection is a response to a request from, say, a compromised LAN device, i.e. you download some dodgy application infected with malware, then the firewall alias block will be of little use.

Another reboot? Most likely a hardware problem. Look in the logs of the system. The message buffer is wiped on reboot but the previous log will be saved to /var/log/ . Look for the dmesg files.
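The distinction made above (blocked inbound on WAN is scanner noise; a LAN host talking outbound to a known-bad address is what merits a look) as a log triage, added here as an example and not code from the thread or from OPNsense. It assumes the pf filterlog CSV field order used by OPNsense, assumes igb0/igb1 are WAN/LAN, and uses constructed sample lines and a constructed blocklist; logging must be enabled on the LAN pass rule for the pass entries to exist at all.

```python
"""Triage OPNsense filterlog lines (example code, not from the forum thread).

Assumed pf filterlog layout: rulenr,subrulenr,anchor,label,iface,reason,action,
dir,ipver, then for IPv4: tos,ecn,ttl,id,offset,flags,protonum,proto,length,
src,dst, then for tcp/udp: srcport,dstport,... Direction is relative to the
firewall, so LAN-originated traffic arrives "in" on the LAN interface.
"""
from collections import Counter

WAN_IF, LAN_IF = "igb0", "igb1"                  # assumed interface assignment
# Constructed stand-in for a blocklist alias (e.g. one fed by crowdsec).
BAD_ADDRESSES = {"203.0.113.5", "198.51.100.77"}

# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
65,,,0,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,44321,22,0,S,
65,,,0,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.9,192.0.2.10,51000,445,0,S,
65,,,0,igb0,match,block,in,4,0x0,,64,0,0,DF,17,udp,40,198.51.100.9,192.0.2.10,5060,5060,20
70,,,0,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,198.51.100.77,52001,443,0,S,
70,,,0,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,192.0.2.80,52002,443,0,S,
"""


def parse_line(line):
    """Return the fields we need from one IPv4 filterlog line, else None."""
    f = line.split(",")
    if len(f) < 20 or f[8] != "4":                # IPv6 has a different layout
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = f[20], f[21]
    return rec


def triage(text):
    """Split lines into expected WAN noise (counted per port) and LAN hosts
    that were allowed to reach a blocklisted address (worth investigating)."""
    noise, suspicious = Counter(), []
    for line in text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        if r["iface"] == WAN_IF and r["dir"] == "in" and r["action"] == "block":
            noise[r.get("dport", r["proto"])] += 1   # unsolicited scan, dropped
        elif r["iface"] == LAN_IF and r["action"] == "pass" and r["dst"] in BAD_ADDRESSES:
            suspicious.append((r["src"], r["dst"], r.get("dport")))
    return noise, suspicious


if __name__ == "__main__":
    n, s = triage(SAMPLE_LOG)
    print("blocked on WAN by dst port:", dict(n))
    print("LAN hosts reaching blocklisted addresses:", s)
```

The second list is the one to act on: it points at a LAN host to inspect, which is exactly the case the WAN block rule cannot help with.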

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
Dear all, I installed OPNsense quite a long time ago, but recently my LAN cannot browse the Internet. Most probably my ISP has hacked my router. (Don't argue this.)

I'm looking for a method to harden my OPNsense router. Please suggest. Thanks.

Harden OPNsense methods:
1. Disable SSH services
2. Disable root user in web GUI option
3. WiFi based on MAC address only
4. Installed Suricata IPS
5. Disable boot into single user mode to prevent hacker changing password
6. How to enable sudo?

Hire a professional, you are not making much sense and show a lack of objectivity without providing sensible evidence.


Quote from: Patrick M. Hausen on November 28, 2024, 01:23:34 PM
Quote from: Seimus on November 28, 2024, 01:12:52 PM
Quote
I have also been running (and still do) Crowdsec which I like a lot. If only they had a hobbyist license tier for e.g. 100€ per year. Now it's free edition with quite some limitations or something around 90€ per month - prohibitive, unfortunately.

Thanks for the kind words.

Just to be clear, the IDS, IPS, WAF, and all rulesets and scenarios have absolutely no limitations.
The only limited features are in the SaaS and the ones for corporations (auto-enrolment, alert context, AI-driven list, etc.) and the ones that are costly for us (like storing 1Y of incident history).

You even get a large and frequently updated blocklist in the free tier.
Premium, AI and Platinum blocklists are our paid products indeed.