ISP hacked OPNSense Router

Started by peterwkc, November 27, 2024, 09:23:29 AM

Quote from: Patrick M. Hausen on November 28, 2024, 01:23:34 PM
Quote from: Seimus on November 28, 2024, 01:12:52 PM
- do monitor what is happening around your network, use an NMS like Observium, NtopNG, some Elastic based solution like pfELK. "The number of times an uninteresting thing occurs is an interesting thing." (Marcus Ranum, IIRC, on firewall-wizards)

Which from these you use may you/care you share some experience or insights?

I run Observium. I did a weekend-long deep dive into pfELK but could not get it to work on FreeBSD; it seems rather mature on Linux. Currently I am investigating NtopNG off-firewall, i.e. I don't want to run it on OPNsense but send netflow data to a dedicated NtopNG jail instead.

I have also been running (and still do) CrowdSec, which I like a lot. If only they had a hobbyist license tier for e.g. 100€ per year. Now it's the free edition with quite some limitations, or something around 90€ per month, which is prohibitive, unfortunately.

Being new to CrowdSec, would there be any recommended settings to change beyond installing the plugin and "enabling" it, or are the defaults safe/legit for a home user with a basic setup? I went to the config page with all the options and, knowing nothing of it, I would have no idea what to change, add or modify.

Quote from: fbeye on November 28, 2024, 07:32:30 PM
Being new to CrowdSec, would there be any recommended settings to change beyond installing the plugin and "enabling" it, or are the defaults safe/legit for a home user with a basic setup? I went to the config page with all the options and, knowing nothing of it, I would have no idea what to change, add or modify.

cscli is your friend. You probably want to whitelist all RFC 1918 networks. To do that:
cscli parsers install crowdsecurity/whitelists

If you want to not only parse OPNsense pf logs and UI login attempts (if your UI is reachable from WAN at all) but e.g. Caddy access logfiles you can add the matching collection:
cscli collections install crowdsecurity/caddy

Then add a file named "/usr/local/etc/crowdsec/acquis.d/caddy.yaml":
filenames:
  - /var/log/caddy/access/*.log

force_inotify: true
poll_without_inotify: true

labels:
  type: caddy


You get the idea. There are lots of collections for different scenarios depending on what you use for inbound service - NginX, HAproxy, Caddy, ...

You can find them at https://app.crowdsec.net/hub/collections

In the CrowdSec web console you can subscribe to up to three free blocklists in addition to your own locally generated "decisions", as they call them. I use:

- Firehol cruzit.com list
- Firehol greensnow.co list
- Firehol cybercrime tracker list

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you. Wow, there is a lot there! Overwhelming but very interesting.

Hello

Registered with CrowdSec and so on, verified my device. You mentioned 3 free decisions. When I go to the decisions tab on the web console it has 0 currently loaded, with 0 to choose from; the only button is "subscribe premium", which I have no problem with, I just didn't want to miss something.

The only one of these I really use would be the email server for incoming mail, and I also run NGINX (NPM) on a VM on my LAN. I wonder whether downloading the NGINX collection would be beneficial for my particular instance of NGINX, or is it only for NGINX running on OPNsense itself?

3 free blocklists ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ahh yes I see that now.

Final question, I guess, for now: as far as NGINX, Postfix and Dovecot go, all stuff I am running on VMs, will the collections refer to/monitor those services deeper down the LAN, or only on the OPNsense itself hosting these? Where is it scanning from, the ports relevant to the services at WAN level?

November 29, 2024, 06:08:49 PM #21 Last Edit: November 29, 2024, 06:11:13 PM by Patrick M. Hausen
Crowdsec uses a three-tier architecture. You have collectors that, well, collect events. They send the events to a security engine, which records events and makes decisions based on scenarios that are organized in collections. Finally the engine instructs a bouncer to block certain traffic based on a decision.

So what you would need in your case is a distributed setup. You need on each of your machines a collector with the right collection for your service (NginX, Dovecot, ...) that sends the events to the engine running on OPNsense. OPNsense will then use the single bouncer on the firewall to block the attacker with pf.

Distributed setup is well documented by Crowdsec but a bit tricky - I stopped using it after consolidating all my ingress on the OPNsense itself.

If you want to go that route we can talk a little bit more details but not right now.

The "tricky" part is that the cscli commands to add another collector will happily overwrite the authentication info for all collectors that already exist, including the local host, if you are not extra careful. That's a bit unfortunate.

Think about running all your ingress through e.g. HAproxy on OPNsense - then you can just feed the HAproxy logs to Crowdsec.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
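The pipeline Patrick describes, the RFC 1918 whitelist parser and Caddy acquisition in his earlier post and the collector / security engine / bouncer split in this one, modelled end to end as an added example (this is not CrowdSec's code and not from the thread): constructed Caddy-style JSON access-log lines are parsed, sources in private ranges are dropped the way the crowdsecurity/whitelists parser drops them, a leaky-bucket scenario with CrowdSec-style capacity/leakspeed semantics turns a burst of 4xx answers from one source into a ban decision, and the decision is rendered as the pfctl table update a firewall bouncer would apply. The thresholds, the "http-probing" scenario name, the pf table name crowdsec_blacklists, the loopback entry in the whitelist and the log lines are all assumptions made for the example.

```python
"""Toy model of the CrowdSec pipeline from the thread: acquisition
(Caddy access log) -> parser -> whitelist -> leaky-bucket scenario ->
decision -> bouncer (pf table). Added example, not CrowdSec's own code;
every log line below is constructed."""
import ipaddress
import json
from dataclasses import dataclass


def _caddy(ts, ip, uri, status):
    """Build a constructed line in the shape of Caddy's JSON access log.
    Only the fields this example reads are filled in."""
    return json.dumps({"ts": ts, "logger": "http.log.access",
                       "msg": "handled request", "status": status,
                       "request": {"remote_ip": ip, "method": "GET",
                                   "host": "example.org", "uri": uri}})


BASE = 1_700_000_000.0
SAMPLE_LOG = [
    # Internet host probing for admin pages: six 404s in three seconds.
    *[_caddy(BASE + i * 0.5, "203.0.113.5", f"/wp-login{i}.php", 404) for i in range(6)],
    _caddy(BASE + 3.5, "203.0.113.5", "/", 200),
    # LAN host (the NGINX VM from the thread) producing the same burst: whitelisted.
    *[_caddy(BASE + i * 0.5, "192.168.2.181", "/missing", 404) for i in range(6)],
    # Occasional broken links from a normal client, 30 s apart: never overflows.
    *[_caddy(BASE + i * 30.0, "198.51.100.7", "/old", 404) for i in range(3)],
    "this line is not JSON and must be skipped by the parser",
]

# What `cscli parsers install crowdsecurity/whitelists` achieves for private
# sources: RFC 1918 ranges; loopback is this example's own addition.
WHITELIST = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_caddy_line(line):
    """Parser stage: return {ts, source_ip, status, uri} or None if unparsable."""
    try:
        rec = json.loads(line)
        return {"ts": float(rec["ts"]), "source_ip": rec["request"]["remote_ip"],
                "status": int(rec["status"]), "uri": rec["request"]["uri"]}
    except (ValueError, KeyError, TypeError):
        return None


def is_whitelisted(ip):
    """Whitelist stage: events from these sources never reach a scenario."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


class LeakyBucket:
    """CrowdSec-style leaky bucket: holds `capacity` events, leaks one every
    `leak_speed` seconds and overflows on the event that exceeds capacity."""

    def __init__(self, capacity, leak_speed):
        self.capacity, self.leak_speed = capacity, leak_speed
        self.level, self.last_ts = 0.0, None

    def add(self, ts):
        if self.last_ts is not None:
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leak_speed)
        self.last_ts = ts
        self.level += 1
        if self.level > self.capacity:
            self.level, self.last_ts = 0.0, None  # bucket is discarded on overflow
            return True
        return False


@dataclass(frozen=True)
class Decision:
    ip: str
    scenario: str
    duration: int   # seconds
    until: float    # absolute timestamp the ban expires


def run_http_probing(lines, capacity=5, leak_speed=10.0, ban_seconds=14400):
    """Security-engine stage: a model http-probing scenario that counts 4xx
    answers per non-whitelisted source and emits a ban decision on overflow."""
    events = sorted(filter(None, map(parse_caddy_line, lines)), key=lambda e: e["ts"])
    buckets, decisions = {}, []
    for ev in events:
        if not 400 <= ev["status"] < 500 or is_whitelisted(ev["source_ip"]):
            continue
        bucket = buckets.setdefault(ev["source_ip"], LeakyBucket(capacity, leak_speed))
        if bucket.add(ev["ts"]):
            decisions.append(Decision(ev["source_ip"], "http-probing",
                                      ban_seconds, ev["ts"] + ban_seconds))
    return decisions


def pf_commands(decisions, table="crowdsec_blacklists"):
    """Bouncer stage: the pf table updates a firewall bouncer would apply
    (table name is an assumption made for this example)."""
    return [f"pfctl -t {table} -T add {d.ip}" for d in decisions]


if __name__ == "__main__":
    found = run_http_probing(SAMPLE_LOG)
    for d in found:
        print(f"ban {d.ip} for {d.duration}s ({d.scenario})")
    print("\n".join(pf_commands(found)))
```

Running it bans only 203.0.113.5: the LAN host 192.168.2.181 produces the same burst of 404s but is whitelisted, which is the situation the whitelist advice covers, and the slow trickle from 198.51.100.7 leaks away before the bucket fills. In the distributed setup from Patrick's post, the parse and whitelist steps would run on the NGINX or Dovecot VM and only the resulting events would travel to the engine on OPNsense; the scenario and the pf update stay where they are here.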

November 29, 2024, 06:19:17 PM #22 Last Edit: November 29, 2024, 08:15:10 PM by fbeye
Oh wow. Yeah, I'll have to look into this and see if it is something I am capable of doing.
OPNsense is 172.16.2.1, but my Dovecot/Postfix is 192.168.1.180 and my NGINX is 192.168.2.181. I'll have to see what I am going to do here. Lots of information, ty.

Now that I think about it, not even sure how I would even incorporate my email server through HA. For now seems I will hold off.

November 30, 2024, 09:46:28 AM #23 Last Edit: November 30, 2024, 09:57:28 AM by fastboot
The ISP hacked OPNsense?

I have another assumption. Lately I read on Telegram that some kind of aliens escaped Area 51. Those took control everywhere. I guess this is more likely.

- They Live -


Thanks, Patrick. The white list maintenance had me on the fence to begin with. I didn't know that ZenArmor is also included in the same category. I had planned on putting it on the LAN and using something like Crowdsec, but now I'm not so sure. My main concern is configuring the best monitoring, alerts, and logging setup. I underestimated the amount of time that would need to be dedicated to that initiative.
Founder of a freight brokerage and software development company....aspiring sysadmin at heart.

Thanks Patrick for leading the discussion.

My OPNsense box was not reachable from the internet even though I did not change anything on the OPNsense machine. I guess this is a sign of being hacked, because my machine was on an old version (I can't remember the version). Do you really recommend always updating to the latest version? Because I saw on forum.opnsense.org that there are many problems, and I do not dare to update it, to avoid technical problems.

Quote from: peterwkc on December 06, 2024, 09:23:18 AM
My OPNsense box was not reachable from the internet even though I did not change anything on the OPNsense machine. I guess this is a sign of being hacked, because my machine was on an old version (I can't remember the version). Do you really recommend always updating to the latest version? Because I saw on forum.opnsense.org that there are many problems, and I do not dare to update it, to avoid technical problems.

I am team "always run supported software". Everywhere. Just wait a day or two after a new release, check the forums, make a ZFS snapshot before updating, so you can roll back. Just keep your systems up to date.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 17, 2024, 07:07:22 AM #27 Last Edit: December 17, 2024, 07:11:57 AM by peterwkc
Quote from: Patrick M. Hausen on December 06, 2024, 09:41:34 AM
Quote from: peterwkc on December 06, 2024, 09:23:18 AM
My OPNsense box was not reachable from the internet even though I did not change anything on the OPNsense machine. I guess this is a sign of being hacked, because my machine was on an old version (I can't remember the version). Do you really recommend always updating to the latest version? Because I saw on forum.opnsense.org that there are many problems, and I do not dare to update it, to avoid technical problems.

I am team "always run supported software". Everywhere. Just wait a day or two after a new release, check the forums, make a ZFS snapshot before updating, so you can roll back. Just keep your systems up to date.

Yesterday my OPNsense box was hacked. For example, my Android TV box was messed up. On my Windows PC some software was uninstalled, like TinyWall.

Now I have set up OPNsense again with syncookies enabled and firewall optimization set to aggressive. What else can I do?

I can show the screenshot of my firewall block log if you need it.

December 17, 2024, 07:15:18 AM #28 Last Edit: December 17, 2024, 07:21:41 AM by peterwkc
I cannot attach a screenshot due to the size restriction, but I want to tell you all that I have 100% blocked packets in the overview.

December 17, 2024, 07:25:25 AM #29 Last Edit: December 17, 2024, 12:46:44 PM by mimugmail
Quote from: Patrick M. Hausen on November 28, 2024, 08:10:23 PM
In the Crowdsec web console you can subscribe to up to three free blocklists in addition to your own locally generated "decisions" as they call it. I use:

- Firehol cruzit.com list
- Firehol greensnow.co list
- Firehol cybercrime tracker list

Greensnow is good; cruzit was last updated in 2023 on Firehol. Thanks for the cli-fu in CrowdSec, wasn't aware of it :)