I'm at my wits end

Started by opnsenseuser8473, June 26, 2025, 10:56:01 PM

June 26, 2025, 10:56:01 PM Last Edit: June 26, 2025, 11:47:41 PM by opnsenseuser8473
So I'm new to OPNsense. I set up my system and it works fine for a few days, until it doesn't. Every time I connect it to my modem, it freezes completely; only when I hit the power button to shut down does it work again, until I plug it back into the modem. I checked the logs and all there is is random queries from python311, which is weird. The only way to fix it for me is a fresh install, which works for upwards of 48 hours.

If you're in IPS mode, did you set it to Hyperscan (should be)? Just a thought.

June 26, 2025, 11:37:50 PM #2 Last Edit: June 26, 2025, 11:46:21 PM by opnsenseuser8473
Quote from: someone on June 26, 2025, 11:09:53 PM
If you're in IPS mode, did you set it to Hyperscan (should be)? Just a thought.
Yes I did, I've always had it like that since day 1. And all my hardware is more than required, a lot more than needed for bare metal.

Thoughts for starters: unsupported NICs (Realtek) without the vendor driver causing hardware disconnections, IPS enabled on unsuitable hardware.
Note that we can't correctly guess your setup.

July 05, 2025, 01:31:25 AM #4 Last Edit: July 05, 2025, 02:05:57 AM by opnsenseuser8473
Quote from: cookiemonster on June 27, 2025, 05:24:00 PM
Thoughts for starters: unsupported NICs (Realtek) without the vendor driver causing hardware disconnections, IPS enabled on unsuitable hardware.
Note that we can't correctly guess your setup.
Nope, it turned out I was being buffer overflowed. I did a host name check and some kids were using Google and AWS VMs. And there was a bot called buffoverflow.run pinging my network. One kid left his IP in my network, or an IP if he used a public IP.

Quote from: cookiemonster on June 27, 2025, 05:24:00 PM
Thoughts for starters: unsupported NICs (Realtek) without the vendor driver causing hardware disconnections, IPS enabled on unsuitable hardware.
Note that we can't correctly guess your setup.
They are all Intel NICs, i225. I did my research on which NICs beforehand.

July 05, 2025, 01:46:04 AM #6 Last Edit: July 05, 2025, 02:15:20 AM by opnsenseuser8473
Quote from: opnsenseuser8473 on July 05, 2025, 01:32:52 AM
Quote from: cookiemonster on June 27, 2025, 05:24:00 PM
Thoughts for starters: unsupported NICs (Realtek) without the vendor driver causing hardware disconnections, IPS enabled on unsuitable hardware.
Note that we can't correctly guess your setup.
They are all Intel NICs, i225. I did my research on which NICs beforehand.

Still at my wits' end, because I put a general inbound connection block and they still managed to negotiate past that. CrowdSec had to stop them from port scanning, but I look away for an hour and the system is overrun and bloated with bot IPs trying to swamp the system in an attempt to distract from the real people. This IP was a Verizon FiOS user; there were more, but my system is frozen, so. All I know is ports 22 and 23 were the target.

As cookiemonster already mentioned: Please provide more details of your setup. There are no open ports on the WAN interface per default, no attack vector there.

Have you opened ports on WAN? Is the ISP modem also a router or does OPNsense get a public IP?

Generally, if you log the connection attempts on WAN you will see lots of them. But they are only attempts and nothing you can do about that.
Deciso DEC740

To underline what patient0 says, blocking unrequested connections from the outside is the job of the firewall and default settings do that.
Please provide the setup for context of what might be happening so we can help.
Only other thought on this is to check if you have the syncookies active (not enabled by default).

Quote from: patient0 on July 05, 2025, 05:47:41 AM
As cookiemonster already mentioned: Please provide more details of your setup. There are no open ports on the WAN interface per default, no attack vector there.

Have you opened ports on WAN? Is the ISP modem also a router or does OPNsense get a public IP?

Generally, if you log the connection attempts on WAN you will see lots of them. But they are only attempts and nothing you can do about that.
i7 12900, 16 GB RAM, NIC I225, and I know that's what's concerning; I have no idea how they are managing this.
And nothing unusual and nothing for incoming. Yet I'm being port scanned, then flooded.

July 06, 2025, 11:38:30 AM #10 Last Edit: July 06, 2025, 11:42:10 AM by opnsenseuser8473
The syncookies setting is always on. But I'm still being port scanned, then flooded. After I wait out the attack or reinstall, I usually have to add an extra block rule with the bots'/attackers' host names and IPs. That usually keeps it at bay for a few days until I see a new bot host name and I fail to respond in time.

You're not really giving any useful information to help you.

Have you some IDS/IPS running on WAN and no open WAN ports? If yes, you can stop the IDS/IPS, at least on WAN.

Quote
After I wait out the attack or reinstall, I usually have to add an extra block rule,
What does an attack look like? What does flooding mean for you, how many connection attempts (which will not get past the TCP SYN)? And why would a reinstall solve anything? What rules do you have on WAN?
Deciso DEC740

You do not tell, but how can you be port scanned (which is normal), but then "flooded" if no ports are open? I must assume you have opened ports like 22 and 23, either willingly or by accident.

There are several lines of defense against that:

1. Check if those ports are open and if you deliberately opened them.
2. If you need SSH access from outside, make sure the machine behind it is configured securely and is up-to-date.
3. If you opened Telnet, you should decommission all of your internet-bound devices immediately.
4. Consider changing the ports to non-standard port numbers, which will reduce the attacks by two orders of magnitude.
5. Use either a whitelist or a blacklist of countries or ASNs you expect valid connections to originate from and change your firewall rules to make use of those.
6. Use CrowdSec and/or DNSBL blacklists like FireHOL for known attackers.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
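As an added illustration of the check patient0 and meyergru both ask for (how many WAN attempts are there, and does anything actually get passed to ports 22/23), here is a small log tally written for this thread; it is not code from the forum or from OPNsense. It assumes the pf filterlog CSV field layout described in the comments, assumes igc0 is the WAN interface, and uses constructed sample lines with documentation-range addresses.

```python
"""Tally inbound WAN attempts to ports 22/23 from pf filterlog lines and separate
blocked attempts (background noise) from passed ones (a host behind the firewall is reachable)."""
import re
from collections import Counter

# Assumed pf "filterlog" CSV layout (an assumption, not taken from the thread): rulenr,
# subrulenr,anchor,rid,iface,reason,action,dir,ipver, then for IPv4 tos,ecn,ttl,id,offset,
# flags,protonum,proto,len,src,dst (IPv6: class,flow,hoplimit,proto,protonum,len,src,dst),
# then sport,dport for tcp/udp.
_HEAD = re.compile(r"(\d+),([^,]*),([^,]*),([^,]*),(\w+),(\w+),(pass|block),(in|out),([46]),(.*)$")

# Constructed sample lines (documentation-range addresses; igc0 assumed to be WAN).
SAMPLE_LOG = """\
<134>1 2025-07-05T01:31:25+00:00 fw filterlog 11 - - 5,,,0,igc0,match,block,in,4,0x0,,51,1,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,44001,22,0,S,1,,65535,,mss
<134>1 2025-07-05T01:31:26+00:00 fw filterlog 11 - - 5,,,0,igc0,match,block,in,4,0x0,,51,2,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,44002,23,0,S,1,,65535,,mss
<134>1 2025-07-05T01:31:27+00:00 fw filterlog 11 - - 5,,,0,igc0,match,block,in,4,0x0,,51,3,0,DF,6,tcp,60,203.0.113.5,198.51.100.10,44003,80,0,S,1,,65535,,mss
<134>1 2025-07-05T01:31:28+00:00 fw filterlog 11 - - 7,,,0,igc0,match,pass,in,4,0x0,,52,4,0,DF,6,tcp,60,198.51.100.77,198.51.100.10,50001,22,0,S,1,,65535,,mss
<134>1 2025-07-05T01:31:29+00:00 fw filterlog 11 - - 5,,,0,igc0,match,block,in,6,0x00,0,57,tcp,6,40,2001:db8::1,2001:db8::10,40001,22,0,S,1,,65535,,mss
<134>1 2025-07-05T01:31:30+00:00 fw filterlog 11 - - 3,,,0,igc1,match,pass,out,4,0x0,,64,5,0,DF,6,tcp,60,192.0.2.4,198.51.100.10,40002,22,0,S,1,,65535,,mss
"""

def parse_filterlog(line):
    """Return iface/action/dir/proto/src/dst/dport for a tcp/udp line, else None."""
    m = _HEAD.search(line)
    if not m:
        return None
    ipver, rest = m.group(9), m.group(10).split(",")
    skip = 9 if ipver == "4" else 6          # fields between ipver and src
    if len(rest) < skip + 4:
        return None
    proto = rest[7] if ipver == "4" else rest[3]
    if proto not in ("tcp", "udp"):
        return None                          # ICMP etc. carry no ports
    return {"iface": m.group(5), "action": m.group(7), "dir": m.group(8), "proto": proto,
            "src": rest[skip], "dst": rest[skip + 1], "dport": int(rest[skip + 3])}

def wan_attempts(log_text, wan_iface, ports=(22, 23)):
    """Count inbound attempts on wan_iface per (src, dport, action) for the given ports."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["iface"] == wan_iface and rec["dir"] == "in" and rec["dport"] in ports:
            counts[(rec["src"], rec["dport"], rec["action"])] += 1
    return counts

def exposed_sources(counts):
    """Sources whose attempts were passed: only these reach anything behind the firewall."""
    return sorted({src for (src, _port, action) in counts if action == "pass"})
```

Blocked entries are the ordinary scan noise patient0 describes; any source in the passed set means a WAN rule or port forward really does let ports 22/23 through, which is the first thing to verify in meyergru's step 1.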

Quote from: opnsenseuser8473 on July 06, 2025, 11:38:30 AM
The syncookies setting is always on. But I'm still being port scanned, then flooded. After I wait out the attack or reinstall, I usually have to add an extra block rule with the bots'/attackers' host names and IPs. That usually keeps it at bay for a few days until I see a new bot host name and I fail to respond in time.
You should try changing it to "never", which is the current default.
Quote from: opnsenseuser8473 on July 06, 2025, 11:14:06 AM
Quote from: patient0 on July 05, 2025, 05:47:41 AM
As cookiemonster already mentioned: Please provide more details of your setup. There are no open ports on the WAN interface per default, no attack vector there.

Have you opened ports on WAN? Is the ISP modem also a router or does OPNsense get a public IP?

Generally, if you log the connection attempts on WAN you will see lots of them. But they are only attempts and nothing you can do about that.
i7 12900, 16 GB RAM, NIC I225, and I know that's what's concerning; I have no idea how they are managing this.
And nothing unusual and nothing for incoming. Yet I'm being port scanned, then flooded.
Sorry, this is not a setup, that is just the hardware specs. You don't want to tell us your setup and want us to keep guessing. Sorry, I'm out.

Show your firewall rules and if applicable also NAT port forwarding on WAN or nobody will be able to help you.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)