[SOLVED] ISP hacked OPNSense Router

Started by peterwkc, November 27, 2024, 09:23:29 AM

Quote from: peterwkc on December 17, 2024, 07:15:18 AM
I cannot attach a screenshot due to the size restriction, but I want to tell you all that I have 100% blocked packets in the overview.

Of course you have. WAN by default blocks everything in. If something messed with your PC or your TV you possibly caught some malware. A firewall does not protect you from that. A firewall is a network security device. One does not need to "hack your OPNsense" for your PC to get compromised.

I would start investigating what really happened to your devices.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on December 17, 2024, 07:38:56 AM
Quote from: peterwkc on December 17, 2024, 07:15:18 AM
I cannot attach a screenshot due to the size restriction, but I want to tell you all that I have 100% blocked packets in the overview.

Of course you have. WAN by default blocks everything in. If something messed with your PC or your TV you possibly caught some malware. A firewall does not protect you from that. A firewall is a network security device. One does not need to "hack your OPNsense" for your PC to get compromised.

I would start investigating what really happened to your devices.

I don't have any idea how to protect it. By the way, what does the log tell me?

LAN      2024-12-17T15:58:23   192.168.1.102:49770   165.154.1.118:10001   tcp   Default deny / state violation rule


Quote from: peterwkc on December 17, 2024, 09:00:38 AM
I don't have any idea how to protect it. By the way, what does the log tell me?

LAN      2024-12-17T15:58:23   192.168.1.102:49770   165.154.1.118:10001   tcp   Default deny / state violation rule
The internal system with IP address 192.168.1.102 sent a TCP packet to the Internet system with IP address 165.154.1.118 (somewhere in Hong Kong, probably) that did not belong to an established connection so the firewall dropped it.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
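As an added example (not code from the thread or from the OPNsense project), here is a small Python parser for log rows in the column layout quoted above. It turns each row into the plain-English reading Patrick gives and counts "state violation" drops per LAN host, so a single chatty device stands out. The column layout, the LAN prefix 192.168.1.0/24 and every sample row except the one quoted in the thread are assumptions or constructed.

```python
"""Parse firewall-log rows in the column layout shown in this thread and
summarise 'state violation' drops per internal host.

Added example for this thread; not OPNsense code. The row layout and LAN_NET
are assumptions based on the single quoted row; the other sample rows are
constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One log row as rendered in the thread (assumed layout):
# <iface>  <timestamp>  <src>:<port>  <dst>:<port>  <proto>  <rule label>
LOG_LINE = re.compile(
    r"^(?P<iface>\S+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+"
    r"(?P<label>.+?)\s*$"
)

# Assumed LAN prefix, taken from the 192.168.1.x address in the quoted row.
LAN_NET = ip_network("192.168.1.0/24")


@dataclass
class Entry:
    iface: str
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    label: str

    @property
    def is_state_violation(self) -> bool:
        # The packet matched no existing state entry, so the default deny hit it.
        return "state violation" in self.label.lower()

    @property
    def is_from_lan(self) -> bool:
        return ip_address(self.src) in LAN_NET


def parse_line(line: str):
    """Return an Entry for one log row, or None if the row does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Entry(d["iface"], d["ts"], d["src"], int(d["sport"]),
                 d["dst"], int(d["dport"]), d["proto"], d["label"])


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def describe(e: Entry) -> str:
    """Plain-English reading of a row, in the spirit of the reply above."""
    where = "internal" if e.is_from_lan else "external"
    if e.is_state_violation:
        return (f"The {where} system {e.src} sent a {e.proto} packet to "
                f"{e.dst} port {e.dport} that did not belong to an "
                f"established connection, so the firewall dropped it.")
    return f"{e.proto} packet {e.src}:{e.sport} -> {e.dst}:{e.dport} matched '{e.label}'."


def noisy_lan_hosts(entries, threshold: int = 3) -> dict:
    """Count state-violation drops per LAN source and return the hosts at or
    above the threshold; one device dominating this list is the one to look at."""
    counts = Counter(e.src for e in entries if e.is_from_lan and e.is_state_violation)
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample: the first row is the one quoted in the thread; the rest
# are made up to show repeated drops from one host, a single drop from another,
# an inbound WAN drop and a normally passed packet.
SAMPLE_LOG = """\
LAN      2024-12-17T15:58:23   192.168.1.102:49770   165.154.1.118:10001   tcp   Default deny / state violation rule
LAN      2024-12-17T15:58:25   192.168.1.102:49771   165.154.1.118:10001   tcp   Default deny / state violation rule
LAN      2024-12-17T15:59:01   192.168.1.102:50112   198.51.100.20:443     tcp   Default deny / state violation rule
LAN      2024-12-17T15:59:40   192.168.1.102:50113   198.51.100.20:443     tcp   Default deny / state violation rule
LAN      2024-12-17T16:00:05   192.168.1.50:52000    203.0.113.9:443       tcp   Default deny / state violation rule
WAN      2024-12-17T16:00:30   203.0.113.77:44444    198.51.100.2:22       tcp   Default deny / state violation rule
LAN      2024-12-17T16:01:00   192.168.1.20:53000    192.168.1.1:53        udp   Allow LAN to any (constructed label)
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(describe(e))
    print("Hosts with repeated state-violation drops:", noisy_lan_hosts(entries))
```

Run against a copy-pasted block of rows from the live view, the per-host counter is what tells you whether these drops come from one device (worth isolating, as the OP later did with the TV box) or are spread across the LAN.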

December 17, 2024, 09:34:20 PM #33 Last Edit: December 18, 2024, 12:23:12 PM by peterwkc
What are the CrowdSec block lists you guys are talking about in this thread?

For the time being, I moved my Android TV box to OPT1 and blocked OPT1 to LAN net.

What are the rules I need to create for this purpose?

As promised, here is the screenshot.

Quote from: peterwkc on November 27, 2024, 09:23:29 AM
Most probably my ISP has hacked my router. (Don't argue this.)

🤦

I used to know someone who'd make the same sort of absurd claims. He had to reinstall frequently because he kept getting hacked and he was absolutely sure it was *his ISP* doing it. "Don't tell me I'm wrong", he'd exclaim. It turned out he was freaking out and blocking inbound related/established packets, blocking himself from a working internet connection.

Acting without understanding why can be dangerous.

December 28, 2024, 04:02:53 AM #36 Last Edit: December 28, 2024, 04:26:48 AM by peterwkc
Recently my OPNsense reboots randomly. Could it be a KVM-over-IP hack? Is that hardware-based remote access?

How to block/disable this?

December 28, 2024, 09:17:18 AM #37 Last Edit: December 28, 2024, 01:10:34 PM by Patrick M. Hausen
Random reboots are in almost all cases a hardware problem. Check the power supply first. Connect a serial console and look at what happens when it reboots. Stuff like that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: meyergru on November 27, 2024, 10:33:09 AM
Excuse me for using this German proverb, but do not fall for: "Operative Hektik ersetzt geistige Windstille" (roughly: frantic activity as a substitute for thinking).

Great proverb, I gotta remember that one :)
Running OPNsense on a Deciso DEC750 with upgraded memory (16GB ECC) and active cooling

December 30, 2024, 06:41:28 AM #39 Last Edit: December 30, 2024, 07:33:50 AM by peterwkc
I discovered an article about TinyPilot, which is a hardware-based remote access system that uses KVM over IP.

My LAN got messed up, where I could not access the gateway anymore. Ping shows packet loss. Then I went and reset my OPNsense box. After resetting my OPNsense box, it rebooted after 30 minutes. I believe the hacker has put some backdoor in it and rebooted the machine.

https://homenetworkguy.com/review/remote-system-administration-with-tinypilot-voyager/

If TinyPilot or PiKVM were being used to access your router, then I would suggest you walk up to your router and pull out the HDMI and USB cables connecting the physical KVM box, which you would see sitting there. Even if it existed, it would need separate access to your network to reach the KVM. It is not magic.
Deciso DEC697

Quote from: passeri on December 30, 2024, 09:19:34 AM
If TinyPilot or PiKVM were being used to access your router, then I would suggest you walk up to your router and pull out the HDMI and USB cables connecting the physical KVM box, which you would see sitting there. Even if it existed, it would need separate access to your network to reach the KVM. It is not magic.

I understand what you mentioned, that this technology is not magic. Can you explain how this technology works in terms of connectivity?

Sure. PiKVM and TinyPilot are small boxes which physically connect to a target machine using a cable for the keyboard (USB) and for the display (usually HDMI). That is, it is physically adjacent and connected to the target machine (your router, if it applied to you). It also has a network connection, usually Ethernet, to an existing network to which the user already has access using HTTP/HTTPS.

The user of the KVM can be remote, if they have remote network access, but the physical box must be on the site of the target machine.

I use a PiKVM to install 'nix machines, including OPNsense on random hardware, and sometimes to use Linux from my normal Mac desktop or a portable without the encumbrance of an additional keyboard, mouse or screen.
Deciso DEC697

Quote from: passeri on December 30, 2024, 10:56:10 AM
Sure. PiKVM and TinyPilot are small boxes which physically connect to a target machine using a cable for the keyboard (USB) and for the display (usually HDMI). That is, it is physically adjacent and connected to the target machine (your router, if it applied to you). It also has a network connection, usually Ethernet, to an existing network to which the user already has access using HTTP/HTTPS.

The user of the KVM can be remote, if they have remote network access, but the physical box must be on the site of the target machine.

I use a PiKVM to install 'nix machines, including OPNsense on random hardware, and sometimes to use Linux from my normal Mac desktop or a portable without the encumbrance of an additional keyboard, mouse or screen.

Thanks for your clear explanation. AFAIK, it would need a TinyPilot on my end in order for my ISP to remotely access my machine.


That is right. It is what I meant by my "It's not magic" comment, that if you see no physical box attached, then nothing is happening by that means.
Deciso DEC697