Connections from OPNsense 25.1 to port 22 on LAN

Started by alex_62450, March 11, 2025, 01:42:29 PM

Well, in the present case, that automation would be to trigger an alert when OPNsense probes LAN on port 22. Is there a way to do so, please?

This type of event continues to happen, and I wonder if some services on OPNsense could automatically start TCP port probes, as in addition to port 22, the OPNsense box contacts port 80.

I also noticed an enormous amount of IDS alerts on WAN, which I am going to mention in another post.

I fail to understand. OPN does not probe. It is a routing firewall when in a standard setup, so it receives traffic and routes it, like a border police. It allows or rejects the passing between two networks. The only traffic initiating from itself comes from a specific setting or service enabled by the user.
Therefore you are probably more interested in knowing what is the traffic that is going to LAN on port 22. Where is it coming from, and is it allowed.
By default SSH traffic from WAN to LAN will be blocked. So if it is coming in, someone has created a rule on the firewall to allow it. So if it is allowed, you probably don't want to be alerted every time. But if you are, then that's a conversation to have.
So back to the very start. Have you identified the originating traffic?

Many thanks again for your follow-up, much appreciated!

Quote: Have you identified the originating traffic?

Not yet, but I don't see anything on WAN that could match. That's why I was asking if OPNsense can "probe"; that might not be the right word, but what I mean is to find out if there are some services/processes running in OPNsense or in one of its services (e.g. IPS or ntop) that may be, for valid reasons, making this kind of attempt. But it keeps happening and I can't find what it could be :-/

Quote: By default SSH traffic from WAN to LAN will be blocked. So if it is coming in, someone has created a rule on the firewall to allow it. So if it is allowed, you probably don't want to be alerted every time. But if you are, then that's a conversation to have.

As far as I get it, these specific connection attempts are allowed by automatic rules which, if I am correct, a user cannot modify. Attaching the subset of automatic rules that cover, among others, DHCP, SSH and HTTPS. Could it help to check if these automatic rules are OK?

I would also wonder if that is really an SSH packet or just a TCP packet sent to port 22, and will take a look at the IDS alerts that were flooded by an abnormally high number of events a few days ago.

Probe is the right word, I get what you are saying, but no, OPN as in the OS does not.
These rules are the default ones to be able to manage it, so it is not that: https://docs.opnsense.org/manual/firewall_settings.html#disable-anti-lockout

Do you have any port forwards on WAN?

I don't think it can be port forwarding.

In the screenshot of the first post you say that the source IP is the IP of the firewall itself. That means that the traffic has to come from OPNsense. Port forwarding does not change the source address of the packet, only the destination.

March 15, 2025, 01:09:44 PM #20 Last Edit: March 15, 2025, 01:12:21 PM by alex_62450
Hi there,

Well, I haven't configured port forwarding between LAN and WAN but managed to see something: I previously mentioned that the unexpected TCP packets from OPNsense hit port 22 and also 80. In a few cases, it happened in the following sequence: port 22, port 80 and port 22 again.

I could see a similar connection going to WAN, and now I managed to see that the same sequence happens on the WAN side: connections from OPNsense to the ISP box on port 22, then 80, and port 22 again. I also got traces of that in /var/log/filter.

A "block all" rule has been added, so these packets are not let out anymore, but still I would like to learn what it may be. Any thoughts, please, on how to dig into the root cause or source of this?
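The poster has filter log traces of the firewall's own address opening TCP connections to port 22, then 80, then 22 on both LAN and WAN. One defensive way to turn that observation into the alert asked for earlier in the thread is to parse the filter log and flag outbound, passed TCP records whose source is one of the firewall's own addresses and whose destination port is on a watch list, then group the hits per destination so the 22/80/22 pattern becomes visible. The script below is an added example written for this thread, not code from the OPNsense project. It assumes the FreeBSD filterlog CSV layout that OPNsense writes (rule, sub-rule, anchor, rule id, interface, reason, action, direction, IP version, then the IPv4 or IPv6 header fields, then source, destination, source port, destination port), and the sample lines are constructed, with made-up addresses and rule ids. The operator supplies the firewall's own addresses. It goes slightly beyond the thread by also handling IPv6 records.

```python
import re
import sys
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (not real logs). Assumption: the CSV payload follows the
# FreeBSD filterlog layout, preceded by a syslog header that we simply skip.
SAMPLE_LOG = """\
<134>1 2025-03-15T13:05:01+01:00 opnsense filterlog 61023 - [meta sequenceId="1"] 91,,,1000000103,lan,match,pass,out,4,0x0,,64,30001,0,DF,6,tcp,60,192.168.1.1,192.168.1.50,51234,22,0,S,10001,,65535,,mss
<134>1 2025-03-15T13:05:01+01:00 opnsense filterlog 61023 - [meta sequenceId="2"] 91,,,1000000103,lan,match,pass,out,4,0x0,,64,30002,0,DF,6,tcp,60,192.168.1.1,192.168.1.50,51235,80,0,S,10002,,65535,,mss
<134>1 2025-03-15T13:05:02+01:00 opnsense filterlog 61023 - [meta sequenceId="3"] 91,,,1000000103,lan,match,pass,out,4,0x0,,64,30003,0,DF,6,tcp,60,192.168.1.1,192.168.1.50,51236,22,0,S,10003,,65535,,mss
<134>1 2025-03-15T13:05:02+01:00 opnsense filterlog 61023 - [meta sequenceId="4"] 5,,,1000000001,wan,match,block,in,4,0x0,,52,40001,0,DF,6,tcp,60,203.0.113.7,198.51.100.2,44321,22,0,S,20001,,65535,,mss
<134>1 2025-03-15T13:05:03+01:00 opnsense filterlog 61023 - [meta sequenceId="5"] 88,,,1000000101,lan,match,pass,in,4,0x0,,64,50001,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,52000,443,0,S,30001,,65535,,mss
<134>1 2025-03-15T13:05:03+01:00 opnsense filterlog 61023 - [meta sequenceId="6"] 91,,,1000000103,lan,match,pass,out,4,0x0,,64,60001,0,none,17,udp,70,192.168.1.1,192.168.1.50,40000,53,50
"""

# Locates the start of the CSV record: rule,sub,anchor,rid,interface,reason,action,dir,ipver,
RECORD_START = re.compile(
    r"\d+,[^,]*,[^,]*,[^,]*,[^,]+,[^,]*,(?:pass|block|rdr|nat),(?:in|out),[46],"
)


@dataclass
class FilterRecord:
    interface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_filterlog_line(line: str) -> Optional[FilterRecord]:
    """Parse one filterlog line; returns None for lines that are not filter records."""
    m = RECORD_START.search(line)
    if not m:
        return None
    f = line[m.start():].split(",")
    ip_version = f[8]
    if ip_version == "4":
        # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,...
        proto, src, dst, port_idx = f[16], f[18], f[19], 20
    elif ip_version == "6":
        # IPv6: class,flowlabel,hoplimit,proto,proto-id,length,src,dst,...
        proto, src, dst, port_idx = f[12], f[15], f[16], 17
    else:
        return None
    src_port = dst_port = None
    if proto in ("tcp", "udp") and len(f) > port_idx + 1:
        src_port, dst_port = int(f[port_idx]), int(f[port_idx + 1])
    return FilterRecord(f[4], f[6], f[7], proto, src, dst, src_port, dst_port)


def parse_filterlog(text: str) -> List[FilterRecord]:
    records = [parse_filterlog_line(ln) for ln in text.splitlines()]
    return [r for r in records if r is not None]


def find_firewall_sourced(records: Iterable[FilterRecord], own_addresses: set,
                          watched_ports=(22, 80)) -> List[FilterRecord]:
    """Outbound, passed TCP records whose source is the firewall itself."""
    return [
        r for r in records
        if r.direction == "out" and r.action == "pass" and r.proto == "tcp"
        and r.src in own_addresses and r.dst_port in watched_ports
    ]


def port_sequences(hits: Iterable[FilterRecord]) -> Dict[str, List[int]]:
    """Destination ports in log order, grouped per destination host."""
    seq: Dict[str, List[int]] = defaultdict(list)
    for r in hits:
        seq[r.dst].append(r.dst_port)
    return dict(seq)


def analyse(text: str, own_addresses: set) -> Dict[str, List[int]]:
    return port_sequences(find_firewall_sourced(parse_filterlog(text), own_addresses))


if __name__ == "__main__":
    # Replace these with the firewall's real interface addresses (placeholders here).
    own = {"192.168.1.1", "198.51.100.2"}
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for dst, ports in analyse(text, own).items():
        print(f"ALERT: firewall-sourced TCP to {dst}, ports in order: {ports}")
```

Running it against the constructed sample reports one destination, 192.168.1.50, with the port sequence [22, 80, 22]; the inbound block on WAN, the inbound management connection on 443 and the outbound UDP record are all ignored. Fed the real filter log on standard input (with the firewall's own addresses filled in), the same output lists which hosts the firewall itself connected to and in what order, which is exactly the evidence needed to match the events against the timing of a service such as the IPS or ntop.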

Just a quick update: in addition to what's in this thread, I noticed that the IPS was most probably not functional on some days, which went unnoticed for some days as the "df" command doesn't seem to work fine (or maybe works very differently from Linux?)

https://forum.opnsense.org/index.php?topic=46382.0

So any thoughts, please, on how to dig into the root cause or potential sources of this thread's issue would be really welcome :-/

Many thanks