ISP hacked OPNSense Router

Started by peterwkc, November 27, 2024, 09:23:29 AM

November 27, 2024, 09:23:29 AM Last Edit: November 27, 2024, 09:34:30 AM by peterwkc
Dear all, I had installed OPNsense quite a long time ago, but recently my LAN cannot browse the internet. Most probably my ISP has hacked my router. (Don't argue this.)

I'm looking for methods to harden my OPNsense router. Please suggest. Thanks.

Harden OPNSense Methods:
1. Disable SSH services
2. Disable root user in web gui option
3. WiFi based on MAC address only
4. Installed Suricata IPS
5. Disable boot into single-user mode to prevent a hacker from changing the password
6. How to enable sudo?

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
Most probably my ISP has hacked my router. (Don't argue this.)

Ridiculous assumption but you do you.

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
1. Disable SSH services

Disabled by default.

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
2. Disable root user in web gui option

You need at least one user with full administrative access. As long as you have that, of course you can disable the root login.

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
3. WiFi based on MAC address only

Must be implemented at your access point and I fail to see how this would protect against threats from the outside like your ISP.

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
4. Installed Suricata IPS

No idea, I do not believe in IPS.

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
5. Disable boot into single-user mode to prevent a hacker from changing the password

Needs physical access to the box. If that is the case, the "hacker" can always boot from an external boot medium.
Best encrypt your hard disk - I told you how to do that in your other thread.

Downside: OPNsense won't boot after an update or a power failure unless you enter the GELI password at the console.

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
6. How to enable sudo?

System > Settings > Administration > Authentication > Sudo

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 27, 2024, 10:33:09 AM #2 Last Edit: November 27, 2024, 11:10:34 AM by meyergru
Basically, IFF that happened, then it was one of these problems, in descending order of likelihood:

1. You exposed SSH and/or the web UI to WAN and your password was easily guessable. If you must do this at all, you should enable 2FA to prevent it or protect access by a VPN.

2. One of your SSH keys could be accessed by the ISP, e.g. because you also stored it on a hosted server there or in an unencrypted backup.

3. OpnSense has a vulnerability in the web UI that can be used to bypass the usual authentication.

I am not arguing that your box was not hacked, but either way:

a. I would doubt that it was your ISP that did it.
b. Your proposed measures would do little to nothing to prevent that from happening in the future.


P.S.: Point b. from above includes full-broadside attacks on an unknown enemy like this. Once your OpnSense runs, it must be fully decrypted, so disk encryption won't help, either.

You should first try to gather intelligence about whether, how, by whom and what was attacked to find effective measures against it. Excuse me for using this German proverb, but do not fall for: "Operative Hektik ersetzt geistige Windstille" ("operational bustle replaces mental calm").
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

First, if you think some device of yours has been penetrated by an attacker, reinstall it cleanly.

Quote from: meyergru on November 27, 2024, 10:33:09 AM
...: "Operative Hektik ersetzt geistige Windstille".

Operative Hektik verdeckt geistige Windstille. ("Operational bustle conceals mental calm.") ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie (Felix Eichhorn's premium cat food with the extra portion of energy)

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
4. Installed Suricata IPS
Quote from: Patrick M. Hausen
No idea, I do not believe in IPS.

Expand on this please...

Not because I want to debate, but I think you're brilliant, and I've been going back & forth on the decision to implement this in our network.
Founder of a freight brokerage and software development company....aspiring sysadmin at heart.


Quote from: peterwkc on November 28, 2024, 12:08:18 AM
I found an article on hardening the OPNsense box.

Most of these are just a matter of course or won't help with your suspected case.

For example SSH is disabled in a default installation of OPNsense.

To repeat myself: even if you grossly neglect password best practices and do not change the root password for the UI, a newly installed OPNsense cannot be "hacked" over the Internet.

There is no attack surface! None! No services reachable on WAN, all ports blocked. Period.

If your OPNsense was hacked then because you knowingly and intentionally configured *something* that opened it up. And most so called "hacks" are just password guesses.

So did you open your Firewall to the Internet or did you not? That's the question that needs to be answered. Not to blame you but to decide what to change in the future.

Unless you do an assessment of what exactly happened, all the measures you are swapping around in various threads will not help. Reminds me of the user "someone" who claimed he needed to reinstall his OPNsense every couple of days because the moment he hooked it up to the Internet it got "hacked". Ridiculous, really.

Quote from: fakebizprez on November 27, 2024, 04:40:57 PM
Quote from: peterwkc on November 27, 2024, 09:23:29 AM
4. Installed Suricata IPS
Quote from: Patrick M. Hausen
No idea, I do not believe in IPS.

Expand on this please...

Not because I want to debate, but I think you're brilliant, and I've been going back & forth on the decision to implement this in our network.

This is well worth discussing, but maybe in a different thread. I, btw, also don't believe in most of the things IPS is supposed to do.

November 28, 2024, 12:36:46 PM #9 Last Edit: November 28, 2024, 01:07:05 PM by Patrick M. Hausen
Quote from: fakebizprez on November 27, 2024, 04:40:57 PM
Quote from: Patrick M. Hausen on November 27, 2024, 09:49:04 AM
No idea, I do not believe in IPS.

Expand on this please...

Not because I want to debate, but I think you're brilliant, and I've been going back & forth on the decision to implement this in our network.

1. Trying to exhaustively "enumerate badness" is bound to fail.

The rulesets of current IDS/IPS systems are ridiculously large and generate a ton of false positives. They place a high administrative burden on the operator in the form of tailoring the rules.

A system that is always "flashing red" but whose operators "know what can be ignored" is useless. Any monitoring system must be "green" in the normal operational state, and any "red flag" must be an event that demands action - and can be acted upon in the first place! That means there is a documented way to turn the system back to the "green" state.

Anything else is security theatre and leads to more confusion than it helps.


2. It's never a one-stop solution.

People tend to think that all they need to do is "enable intrusion prevention" and then someone else will prevent intrusions for them. This is not the case for the reasons listed under 1.

From the same reasoning probably we see people trying to activate Suricata and Zenarmor on the same device (because two IPS are better than one, right?) and face technical problems like in this thread - here's a nice comment by Ad about architectural issues:

https://forum.opnsense.org/index.php?topic=9741.msg64178#msg64178

The way IDS/IPS works it is highly unlikely it will ever be able to inspect a PPPoE data stream for example. Also both products have a different focus. So why would you run both (at all) and if it does make sense for you, why both on WAN (doesn't work!)?

So if you still decide to run them at all, separate your publicly reachable servers from your client systems that are merely "facetubing". Use Suricata for the servers (on the server/DMZ interface) and Zenarmor for the clients (on the LAN interface).


3. Traffic is encrypted nowadays.

Most interesting Traffic is encrypted in some form of TLS/SSL. And generations of cryptographers and protocol specialists have been working hard to make TLS secure against man-in-the-middle attacks.

A TLS encrypted session is an authenticated secure private channel between e.g. your browser and the web site of your bank.

If you insist on messing with that so the holy IDS can perform its "magic", you will actually

- weaken the security of these connections
- force all devices to trust your private CA leading to a very interesting attack vector against your entire infrastructure
- make all applications that use certificate pinning fail, so you need to curate extensive white lists

TLS is designed not to be inspected. What's so hard to understand about that? Just don't.


4. But but but ... I must do $something to improve "security".

So:

- separate systems of different trust.
- implement firewall policies with the least privilege principle - give the systems access to only what they absolutely need.
- implement a log file and/or reputation based system like fail2ban, Crowdsec, ...
- implement AdGuard Home or some other DNS based block & report mechanism.
- do monitor what is happening around your network, use an NMS like Observium, NtopNG, some Elastic based solution like pfELK - "The number of times an uninteresting thing occurs is an interesting thing." (Marcus Ranum, IIRC, on firewall-wizards).
- but don't worry about trash arriving at your front door (WAN) that is blocked by the firewall, anyway - blocked is blocked, an IPS does not block better or more effectively or anything than the default "deny all" rule.


Kind regards,
Patrick


EDIT: here's a paper worth reading that discusses the pros and cons of TLS interception:

https://jhalderm.com/pub/papers/interception-ndss17.pdf
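Patrick's point 4 and the Ranum quote above, as an added example that is not part of any post in this thread and not OPNsense project code: a small Python script that turns firewall log lines into the green/red verdict he describes. The line format is a constructed, reduced subset of OPNsense's filterlog fields (a real filterlog line carries many more columns, so the parser would need adapting to your version), the WAN interface name igb0 and the sample lines are assumptions, and the policy encoded here is the one from the thread: an inbound pass on WAN is the only "red" condition that demands action, while a change in the volume of blocked noise against the usual baseline is merely noted, because blocked is blocked.

```python
"""Turn firewall log lines into a green/red verdict.

Added example; not code from the forum thread or the OPNsense project. The
line format is a constructed, reduced subset of OPNsense's filterlog fields
(interface, action, direction, protocol, source, destination, dest port).
Real filterlog lines carry many more columns; adapt parse() before use.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

WAN_IF = "igb0"  # assumption: the WAN interface name on the box being checked

# Constructed sample: four blocked probes and one unexpected pass on WAN,
# plus ordinary LAN client traffic on igb1.
SAMPLE_LOG = """\
igb0,block,in,tcp,203.0.113.9,198.51.100.2,23
igb0,block,in,tcp,203.0.113.10,198.51.100.2,445
igb0,block,in,udp,203.0.113.11,198.51.100.2,5060
igb0,block,in,tcp,203.0.113.12,198.51.100.2,22
igb1,pass,in,udp,192.168.1.20,192.168.1.1,53
igb1,pass,in,tcp,192.168.1.20,192.0.2.80,443
igb0,pass,in,tcp,203.0.113.50,198.51.100.2,22
"""


@dataclass(frozen=True)
class Entry:
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def parse(text: str) -> List[Entry]:
    """Parse the reduced CSV format; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 7:
            continue
        iface, action, direction, proto, src, dst, dport = fields
        entries.append(Entry(iface, action, direction, proto, src, dst, int(dport)))
    return entries


def wan_inbound_passes(entries: List[Entry]) -> List[Entry]:
    """Inbound traffic the firewall let through on WAN. With no published
    services this must be empty; anything here is a policy violation."""
    return [e for e in entries
            if e.iface == WAN_IF and e.direction == "in" and e.action == "pass"]


def blocked_wan_ports(entries: List[Entry]) -> Counter:
    """Histogram of destination ports blocked on WAN: the 'uninteresting'
    background noise whose volume is worth tracking over time."""
    return Counter(e.dport for e in entries
                   if e.iface == WAN_IF and e.direction == "in" and e.action == "block")


def evaluate(entries: List[Entry], baseline_blocked: int,
             tolerance: float = 3.0) -> Dict:
    """'red' only for conditions that demand action (an inbound pass on WAN).
    A jump in blocked noise versus the baseline is a note, not an alert."""
    passes = wan_inbound_passes(entries)
    blocked = blocked_wan_ports(entries)
    total_blocked = sum(blocked.values())
    notes = []
    if baseline_blocked and total_blocked > tolerance * baseline_blocked:
        notes.append(f"blocked WAN traffic {total_blocked} is more than "
                     f"{tolerance}x the baseline of {baseline_blocked}")
    for e in passes:
        notes.append(f"ACTION: inbound pass on {WAN_IF} from {e.src} "
                     f"to {e.proto}/{e.dport}")
    return {
        "status": "red" if passes else "green",
        "wan_passes": passes,
        "blocked_wan_total": total_blocked,
        "top_blocked_ports": blocked.most_common(3),
        "notes": notes,
    }


if __name__ == "__main__":
    result = evaluate(parse(SAMPLE_LOG), baseline_blocked=4)
    print(result["status"])
    for note in result["notes"]:
        print(" -", note)
```

The baseline value would come from your own history (the average blocked count per window on quiet days), which is exactly the "number of times an uninteresting thing occurs" that becomes interesting when it changes.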

Yepp, IPS is not "fire and forget" but I like to get a feeling for what is going on the various levels-of-trust LANs. Warnings/blockings by Suricata give a feeling if some client tries e.g. to resolve fishy domains or contact known malware IPs.

Problems normally originate from the LAN side and IPS should be active on LAN, not WAN, correct.

I think the most common misconceptions about IPS systems are about TLS and "plug & play". A lot of the time we see people just complain that it is not "just working" or speculate about TLS inspection...


@Patrick

Quote from: Patrick M. Hausen
- do monitor what is happening around your network, use an NMS like Observium, NtopNG, some Elastic based solution like pfELK - "The number of times an uninteresting thing occurs is an interesting thing." (Marcus Ranum, IIRC, on firewall-wizards).

Which of these do you use? Would you care to share some experience or insights?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on November 28, 2024, 01:12:52 PM
Quote from: Patrick M. Hausen
- do monitor what is happening around your network, use an NMS like Observium, NtopNG, some Elastic based solution like pfELK - "The number of times an uninteresting thing occurs is an interesting thing." (Marcus Ranum, IIRC, on firewall-wizards).

Which of these do you use? Would you care to share some experience or insights?

I run Observium, I did a weekend long deep dive into pfELK but could not get it to work on FreeBSD. Seems rather mature on Linux. Currently investigating NtopNG off-firewall, i.e. I don't want to run it on OPNsense but send netflow data to a dedicated NtopNG jail instead.

I have also been running (and still do) Crowdsec which I like a lot. If only they had a hobbyist license tier for e.g. 100€ per year. Now it's free edition with quite some limitations or something around 90€ per month - prohibitive, unfortunately.

Quote from: chemlud on November 28, 2024, 12:56:42 PM
Yepp, IPS is not "fire and forget" but I like to get a feeling for what is going on the various levels-of-trust LANs. Warnings/blockings by Suricata give a feeling if some client tries e.g. to resolve fishy domains or contact known malware IPs.

Problems normally originate from the LAN side and IPS should be active on LAN, not WAN, correct.

You can get that by dynamic IP blocklists (firehol, crowdsec) and DNS blocking.

The assertion that opnsense was hacked caught my attention.  :o

I should add to the previous suggestions to test before deploying, meaning at least connect it to your LAN and run nmap to check for open ports, make sure no default and/or weak passwords are in use, and use key authentication instead of passwords.

There is a lot that can be done, but the default installation is pretty safe, provided that the default passwords are changed/updated during the setup.

Good luck with your new setup, check the forums or ask for more specific questions if you get stuck on something.
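The nmap check from the last post, as an added example that is not part of any post in this thread: a short Python script that reads nmap's grepable output (what `nmap -oG -` prints) for the firewall's LAN address and lists every open port that is not on an allowlist. The scan output, the host 192.168.1.1 and the allowlist (DNS and the web UI on TCP/53 and TCP/443) are constructed assumptions; the point is that the check fails closed on anything unexpected, here an SSH daemon on 22 and a proxy on 8080, rather than leaving the operator to eyeball the port list.

```python
"""Compare an nmap -oG scan of the firewall's LAN side against an allowlist.

Added example; not code from the forum thread or from nmap. SAMPLE_SCAN is
constructed grepable output in the -oG layout (tab-separated 'Host:', 'Ports:'
and 'Ignored State:' fields; each port spec is port/state/proto/owner/service/
rpcinfo/version/). Produce the real thing with:  nmap -sS -p- -oG - <fw-lan-ip>
"""
from typing import Dict, List, Set, Tuple

PortSpec = Tuple[str, int, str, str]          # (proto, port, state, service)

# Constructed sample scan of the firewall's LAN address.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated Wed Nov 27 10:00:00 2024 as: "
    "nmap -sS -p- -oG - 192.168.1.1\n"
    "Host: 192.168.1.1 (fw.lan)\tStatus: Up\n"
    "Host: 192.168.1.1 (fw.lan)\tPorts: 22/open/tcp//ssh///, "
    "53/open/tcp//domain///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n"
    "# Nmap done at Wed Nov 27 10:00:40 2024 -- 1 IP address "
    "(1 host up) scanned in 40.12 seconds\n"
)

# Assumption: what LAN clients should legitimately reach on this firewall.
# SSH is disabled by default on OPNsense, so 22 is deliberately not listed.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 53), ("tcp", 443)}


def parse_grepable(text: str) -> Dict[str, List[PortSpec]]:
    """Map host address -> list of (proto, port, state, service)."""
    hosts: Dict[str, List[PortSpec]] = {}
    for line in text.splitlines():
        if line.startswith("#") or "\tPorts: " not in line:
            continue
        # Each tab-separated field is "Key: value".
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]          # drop the "(hostname)" part
        for spec in fields["Ports"].split(", "):
            parts = spec.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            hosts.setdefault(host, []).append((proto, port, state, service))
    return hosts


def unexpected_open(hosts: Dict[str, List[PortSpec]],
                    allow: Set[Tuple[str, int]]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Open ports per host that are not on the allowlist."""
    findings: Dict[str, List[Tuple[str, int, str]]] = {}
    for host, specs in hosts.items():
        extra = [(proto, port, svc) for proto, port, state, svc in specs
                 if state == "open" and (proto, port) not in allow]
        if extra:
            findings[host] = extra
    return findings


def check(text: str, allow: Set[Tuple[str, int]] = ALLOWED) -> bool:
    """True when nothing unexpected is open; otherwise print and return False."""
    findings = unexpected_open(parse_grepable(text), allow)
    for host, extra in findings.items():
        for proto, port, svc in extra:
            print(f"{host}: unexpected open {proto}/{port} ({svc})")
    return not findings


if __name__ == "__main__":
    raise SystemExit(0 if check(SAMPLE_SCAN) else 1)
```

Run it against a fresh scan after every change to the box, not just once at setup; a port that was closed last week and is open today is precisely the kind of event that should make the check go red.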