ISP hacked OPNSense Router

[peterwkc]

Dear all, I had installed opnsense quite long time ago but recently my LAN cannot browse internet. Most probably my ISP has hacked my router. (Dont' argue this). 

Im looking method to harden my OPNSense router. Please suggest. Thanks.

Harden OPNSense Methods:
1. Disable SSH services
2. Disable root user in web gui option
3. WiFI based on MAC Address only
4. Installed Suricata IPS
5. Disable boot into single user mode to prevent hacker change password
6. How to enable sudo?

[Patrick M. Hausen]

Most probably my ISP has hacked my router. (Dont' argue this). 

Ridiculous assumption but you do you.

1. Disable SSH services

Disabled by default.

2. Disable root user in web gui option

You need at least one user with full administrative access. As long as you have that, of course you can disable the root login.

3. WiFI based on MAC Address only

Must be implemented at your access point and I fail to see how this would protect against threats from the outside like your ISP.

4. Installed Suricata IPS

No idea, I do not believe in IPS.

5. Disable boot into single user mode to prevent hacker change password

Needs physcial access to the box. If that is the case the "hacker" can always boot from an external boot medium.
Best encrypt your hard disk - I told you how to do that in your other thread.

Downside: OPNsense won't boot after an update or a power failure unless you enter the GELI password at the console.

6. How to enable sudo?

System > Settings > Administration > Authentication > Sudo

HTH,
Patrick

[meyergru]

Basically, IFF that happened, then it was one of these problems, in descending order of likelihood:

1. You exposed SSH and/or the web UI to WAN and your password was easily guessable. If you must do this at all, you should enable 2FA to prevent it or protect access by a VPN.

2. One of your SSH keys could be accessed by the ISP, e.g. because you also stored it on a hosted server there or in an unencrypted backup.

3. OpnSense has a vulnerability in the web UI that can be used to bypass the usual authentication.

I am not arguing that your box was not hacked, but either way:

a. I would doubt that it was your ISP that did it.
b. Your proposed measures would do little to nothing to prevent that from happening in the future.


P.S.: Point b. from above includes full-broadsided attacks on an unknown enemy like this. Once your OpnSense runs, it must be fully decoded, so disk encryption won't help, either.

You should first try to gather intelligence about if, how, who and what was attacked to find effective measures against it. Excuse me for using this german proverb, but do not fall for: "Operative Hektik ersetzt geistige Windstille".

[bimbar]

First, if you think some device of yours has been penetrated by an attacker, reinstall it cleanly.

[chemlud]

,,,: "Operative Hektik ersetzt geistige Windstille".

Operative Hektik verdeckt geistige Windstille. ;-)

[fakebizprez]

4. Installed Suricata IPS

No idea, I do not believe in IPS.

Expand on this please...

Not because I want to debate, but I think you're brilliant, and I've been going back & forth on the decision to implement this in our network.

[peterwkc]

I found article to hardened OPNsense box.

https://www.zenarmor.com/docs/network-security-tutorials/opnsense-security-and-hardening-best-practice-guide#:~:text=Hardening%20the%20firewall%20entails%20putting,are%20all%20part%20of%20this.

[Patrick M. Hausen]

I found article to hardened OPNsense box.

Most of these are just a matter of course or won't help with your suspected case.

For example SSH is disabled in a default installation of OPNsense.

To repeat myself: even if you grossly neglect password best practices and do not change the root password for the UI, a newly installed OPNsense cannot be "hacked" over the Internet.

There is no attack surface! None! No services reachable on WAN, all ports blocked. Period.

If your OPNsense was hacked then because you knowingly and intentionally configured *something* that opened it up. And most so called "hacks" are just password guesses.

So did you open your Firewall to the Internet or did you not? That's the question that needs to be answered. Not to blame you but to decide what to change in the future.

Unless you do an assessment of what exactly happend, all the measures you are swapping around in various threads will not help. Reminds me of the user "someone" who claimed he needed to reinstall their OPNsense every couple of days because the moment he hooked it up to the Internet it got "hacked". Ridiculous, really.

[bimbar]

4. Installed Suricata IPS

No idea, I do not believe in IPS.

Expand on this please...

Not because I want to debate, but I think you're brilliant, and I've been going back & forth on the decision to implement this in our network.

This is well worth discussing, but maybe in a different thread. I, btw, also don't believe in most of the things IPS is supposed to do.

[Patrick M. Hausen]

No idea, I do not believe in IPS.

Expand on this please...

Not because I want to debate, but I think you're brilliant, and I've been going back & forth on the decision to implement this in our network.

1. Trying to exaustively "enumerate badness" is bound to fail.

The rulesets of current IDS/IPS systems are ridiculously large and generate a ton of false positives. They place a high administrative burden on the operator in the form of tailoring the rules.

As system that is always "flashing red" but operators "know what can be ignored" is useless. Any monitoring system must be "green" in the normal operational state and any "red flag" must be an event that demands action - and can be acted upon in the first place! That means there is a documented way to turn the system back to the "green" state.

Anything else is security theatre and leads to more confusion than it helps.


2. It's never a one-stop solution.

People tend to think that all they need to do is "enable intrusion prevention" and then someone else will prevent intrusions for them. This is not the case for the reasons listed under 1.

From the same reasoning probably we see people trying to activate Suricata and Zenarmor on the same device (because two IPS are better than one, right?) and face technical problems like in this thread - here's a nice comment by Ad about architectural issues:

https://forum.opnsense.org/index.php?topic=9741.msg64178#msg64178

The way IDS/IPS works it is highly unlikely it will ever be able to inspect a PPPoE data stream for example. Also both products have a different focus. So why would you run both (at all) and if it does make sense for you, why both on WAN (doesn't work!)?

So if you still decide to run them at all, separate your publicly reachable servers from your client systems that are merely "facetubing". Use Suricata for the servers (on the server/DMZ interface) and Zenarmor for the clients (on the LAN interface).


3. Traffic is encrypted nowadays.

Most interesting Traffic is encrypted in some form of TLS/SSL. And generations of cryptographers and protocol specialists have been working hard to make TLS secure against man-in-the-middle attacks.

A TLS encrypted session is an authenticated secure private channel between e.g. your browser and the web site of your bank.

If you insist on messing with that so the holy IDS can perform its "magic", you will actually

- weaken the security of these connections
- force all devices to trust your private CA leading to a very interesting attack vector against your entire infrastructure
- make all applications that use certificate pinning fail, so you need to curate extensive white lists

TLS is designed not to be inspected. What's so hard to understand about that? Just don't.


4. But but but ... I must do $something to improve "security".

So:

- separate systems of different trust.
- implement firewall policies with least privielege principle - give the system access to only what they absolutely need.
- implement a log file and/or reputation based system like fail2ban, Crowdsec, ...
- implement AdGuard Home or some other DNS based block & report mechanism.
- do monitor what is happening around your network, use an NMS like Observium, NtopNG, some Elastic based solution like pfELK - "The number of times an uninteresting thing occurs is an interesting thing." (Marcus Ranum, IIRC, on firewall-wizards).
- but don't worry about trash arriving at your front door (WAN) that is blocked by the firewall, anyway - blocked is blocked, an IPS does not block better or more effectively or anything than the default "deny all" rule.


Kind regards,
Patrick


EDIT: here's a paper worth reading that discusses the pros and cons of TLS interception:

https://jhalderm.com/pub/papers/interception-ndss17.pdf

[chemlud]

Yepp, IPS is not "fire and forget" but I like to get a feeling for what is going on the various levels-of-trust LANs. Warnings/blockings by Suricata give a feeling if some client tries e.g. to resolve fishy domains or contact known malware IPs.

Problems normally originate from the LAN side and IPS should be active on LAN, not WAN, correct.

[Seimus]

I think the most common misconceptions about IPS systems are about TLS and the "Plug & Play". A lot of time we can see people just complain that is not "just working" or speculate about TLS inspection...


@Patrick

- do monitor what is happening around your network, use an NMS like Observium, NtopNG, some Elastic based solution like pfELK - "The number of times an uninteresting thing occurs is an interesting thing." (Marcus Ranum, IIRC, on firewall-wizards).

Which from these you use may you/care you share some experience or insights?

Regards,
S.

[Patrick M. Hausen]

- do monitor what is happening around your network, use an NMS like Observium, NtopNG, some Elastic based solution like pfELK - "The number of times an uninteresting thing occurs is an interesting thing." (Marcus Ranum, IIRC, on firewall-wizards).

Which from these you use may you/care you share some experience or insights?

I run Observium, I did a weekend long deep dive into pfELK but could not get it to work on FreeBSD. Seems rather mature on Linux. Currently investigating NtopNG off-firewall, i.e. I don't want to run it on OPNsense but send netflow data to a dedicated NtopNG jail instead.

I have also been running (and still do) Crowdsec which I like a lot. If only they had a hobbyist license tier for e.g. 100€ per year. Now it's free edition with quite some limitations or something around 90€ per month - prohibitive, unfortunately.