OPNSense Get Hacked

Started by nicholaswkc, February 16, 2026, 09:25:12 AM

February 16, 2026, 09:25:12 AM Last Edit: February 16, 2026, 09:31:07 AM by nicholaswkc
Dear all forumers, I have been hacked by hackers who connected to my home 2.4G wifi and embedded a backdoor, like a .bat file (for a simple connect to host) or a macro-enabled file, into my Word/Excel files.
I know it may sound ridiculous, but it's true.

How do I get rid of this situation? Any solution to it?
Should I install Avast antivirus or Malwarebytes?

Any software that monitors my connection to the outside world (Wireshark or better)?

And how exactly is it your OPNsense that was hacked?

Solution: reinstall all affected systems. Make sure to apply all software updates. Don't use unsupported systems like e.g. Windows 10.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 16, 2026, 10:17:11 AM #2 Last Edit: February 16, 2026, 10:22:24 AM by nicholaswkc Reason: Add more info
Hacked through 2.4G (WPA2) wifi; they left a .bat file and embedded a bat script into a Word file. I had discontinued Win10 due to security reasons.

Even my portable HD had a backdoor in it. I just did a clean install on everything and disabled USB storage also.

All my country's mobile data is exposed and hackable.

Solution: change WiFi password, reinstall all affected systems. Make sure to apply all software updates. Don't use unsupported systems like e.g. Windows 10.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

1. What was hacked seems to be your Windows 11 PC, not OpnSense. Why? Because it does not even make sense to install a .bat file there. Which hacker in his right mind would try to install a payload for a Windows PC on a FreeBSD box?

2. How do you know what the way of intrusion was? "Hacked through 2.4G wifi" can mean anything. I would argue that you surfed the wrong websites and the infection was via a browser exploit.

Nothing of this is inherently linked to OpnSense, so the thread title is misleading. Unless, of course, you expect OpnSense to protect your end devices from OSI layer 8 problems... ;-)
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on February 16, 2026, 10:23:38 AM
1. What was hacked seems to be your Windows 11 PC, not OpnSense. Why? Because it does not even make sense to install a .bat file there. Which hacker in his right mind would try to install a payload for a Windows PC on a FreeBSD box?

2. How do you know what the way of intrusion was? "Hacked through 2.4G wifi" can mean anything. I would argue that you surfed the wrong websites and the infection was via a browser exploit.

Nothing of this is inherently linked to OpnSense, so the thread title is misleading. Unless, of course, you expect OpnSense to protect your end devices from OSI layer 8 problems... ;-)


1. All my country's Linux-based systems cannot browse websites unless using a VPN.
2. WIFI hacking is quite easy once you master it. They force you to disconnect and connect, then they get the plain authentication.

My solution to this is to disable WIFI completely in my house network.

Can OPNSense be affected also if a hacker got access to the LAN?

That depends on your security setup for Opnsense. HTTP or HTTPS access? From which [v]LANs? Quality of password or phrase? 2FA? SSH access? Password or passkey for that? Much of that is discussed here.

You can also run a security audit.
Deciso DEC697

Quote from: nicholaswkc on February 16, 2026, 10:46:10 AM
Can OPNSense be affected also if a hacker got access to the LAN?

Internal Firewall rules with separate zones/interfaces for Wifi/Client/DMZ/Core/etc. Would advise using VLANs if you can, otherwise subnetting with /24s is a good idea.

From what I've read, you might also want to turn on MAC-Address filters on your WAPs and/or OPNSense's DHCP, good luck!
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA

Quote from: jonny5 on February 17, 2026, 04:34:01 PM
Quote from: nicholaswkc on February 16, 2026, 10:46:10 AM
Can OPNSense be affected also if a hacker got access to the LAN?

Internal Firewall rules with separate zones/interfaces for Wifi/Client/DMZ/Core/etc. Would advise using VLANs if you can, otherwise subnetting with /24s is a good idea.

From what I've read, you might also want to turn on MAC-Address filters on your WAPs and/or OPNSense's DHCP, good luck!

I have MAC filtering enabled. No SSH and no open ports. How do I create a VLAN or subnetting?

March 05, 2026, 02:06:03 PM #10 Last Edit: March 05, 2026, 02:32:59 PM by falken
Quote from: nicholaswkc on March 05, 2026, 02:54:58 AM
Quote from: jonny5 on February 17, 2026, 04:34:01 PM
Quote from: nicholaswkc on February 16, 2026, 10:46:10 AM
Can OPNSense be affected also if a hacker got access to the LAN?

Internal Firewall rules with separate zones/interfaces for Wifi/Client/DMZ/Core/etc. Would advise using VLANs if you can, otherwise subnetting with /24s is a good idea.

From what I've read, you might also want to turn on MAC-Address filters on your WAPs and/or OPNSense's DHCP, good luck!

I have MAC filtering enabled. No SSH and no open ports. How do I create a VLAN or subnetting?


That's a little more involved than a forum post (IMO anyway).  I would suggest reading through google, or maybe even asking an AI model for starting steps.
It is absolutely a wifi and configuration issue though. OPNsense won't automatically protect you if someone can connect to your wifi, join your main LAN, and then communicate directly with the rest of your LAN devices on the same LAN/VLAN/subnet. The MAC address filtering won't help much, as if it is happening in the way you described they can just spoof the MAC address they got from the session they sniffed anyway.

Also, move to WPA3 if able. I understand you likely have legacy devices that do not support it though, so it's not as easy as said.
See if you can enable PMF (Protected Management Frames): Enable 802.11w or Protected Management Frames (PMF) in your router settings to prevent attackers from deauthenticating your devices to force a re-handshake. While not foolproof, it does lower the attack vector. Once again though, everything you have may not support it, so you will need to see what, if anything, breaks.

Edit: realistically, if that is the attack method, you have an extremely weak wifi password as well. Upgrade to a nice long random password.


March 05, 2026, 07:25:40 PM #11 Last Edit: March 05, 2026, 07:31:48 PM by jonny5
Quote from: nicholaswkc on March 05, 2026, 02:54:58 AM
Quote from: jonny5 on February 17, 2026, 04:34:01 PM
Quote from: nicholaswkc on February 16, 2026, 10:46:10 AM
Can OPNSense be affected also if a hacker got access to the LAN?

Internal Firewall rules with separate zones/interfaces for Wifi/Client/DMZ/Core/etc. Would advise using VLANs if you can, otherwise subnetting with /24s is a good idea.

From what I've read, you might also want to turn on MAC-Address filters on your WAPs and/or OPNSense's DHCP, good luck!

I have MAC filtering enabled. No SSH and no open ports. How do I create a VLAN or subnetting?


VLANs:
https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html
https://www.youtube.com/watch?v=9hJyWaQ2x28

Subnetting, well, that is its own thing. Behind your WAN is your LAN, and you can have multiple interfaces that feed various parts of your network. Generally your router is the point where the different legs interconnect, and you can subnet a /16 into several /24 CIDRs.

192.168.0.0/16 = "usable": 192.168.0.1 - 192.168.255.254

192.168.34.0/24 = "usable": 192.168.34.1 - 192.168.34.254

Depending on how familiar you are with this, yes, you will have to assign a gateway IP to the interface you are creating for a subnet - still considered a "usable" IP.

There are subnet calculators out there, or you can make your own in Excel - it all breaks down to binary math, and the "length" of the CIDR is how much of the binary IP value the IP has in common with its neighbors.

/24 = 255.255.255.0, and for 192.168.34.56 it means that any other IP with 192.168.34.XXX is a neighbor; this works like a mask or filter.
In binary:
11111111.11111111.11111111.00000000 masked onto 11000000.10101000.00100010.00111000, and then 11000000.10101000.00100010.00000001 through 11000000.10101000.00100010.11111110 are your neighbors

It is strongly advised to not try to network at smaller than a /24, but if you are filtering/making a group for a process, you can segment much smaller, just know that at a VLAN/Interface actual network group you will want to use /24 for IPv4 and likely /64 for IPv6. If you are lucky you can get a /56 IPv6 from your ISP and you can use /64s out of it for the various interfaces.

Since a VLAN is a "device" you can make a VLAN and have it have its own subnet, you do not need N ethernet/fiber cards to have N subnets (N = Integer number).

Read the docs, make sure you set up your firewall rules to allow devices within an Interface "In", and what they get to "In" to (any == local and WAN).

Would also advise, unless you have found "the hack", it can be often best to interpret an anomaly/issue as a mis-configuration.
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA
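The binary mask arithmetic in the post above, carried through as a small calculator (an added example, not the poster's or OPNsense's code). It works for any IPv4 CIDR, not only the /24 and /16 quoted, and the "neighbor" check shows why hosts joining the same /24 can reach each other directly regardless of firewall rules on the router.

```python
from ipaddress import ip_interface  # used only to cross-check the hand arithmetic


def to_int(dotted):
    """'192.168.34.56' -> 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(value):
    """Dotted binary as written in the post: 11000000.10101000.00100010.00111000."""
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def subnet_info(cidr):
    """Mask, network, broadcast and usable host range for an IPv4 CIDR."""
    addr, length = cidr.split("/")
    length = int(length)
    if not 0 <= length <= 32:
        raise ValueError(f"bad prefix length: {cidr}")
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF  # /24 -> 255.255.255.0
    network = to_int(addr) & mask                       # the mask "filters" the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)
    hosts = max(broadcast - network - 1, 0)             # /31 and /32 have no usable range
    info = {
        "mask": to_dotted(mask),
        "mask_binary": to_binary(mask),
        "address_binary": to_binary(to_int(addr)),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_usable": to_dotted(network + 1) if hosts else None,
        "last_usable": to_dotted(broadcast - 1) if hosts else None,
        "usable_hosts": hosts,
    }
    iface = ip_interface(cidr)  # sanity check against the standard library
    assert str(iface.network.network_address) == info["network"]
    assert str(iface.network.broadcast_address) == info["broadcast"]
    return info


def same_subnet(a, b, length):
    """True when a and b are 'neighbors': identical bits under the /length mask."""
    mask = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return (to_int(a) & mask) == (to_int(b) & mask)
```

Two hosts for which same_subnet() is true talk to each other over the switch or access point without the packets ever crossing an OPNsense interface, which is why separate VLANs (each its own /24) are needed before router rules can apply.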

You should correct the thread title.
The actual title is not the real situation.
There is no readable way in which what you described was a hack concerning opnsense.
So be serious and change the title to something like "I was hacked" or so.

Quote from: notspam on Today at 12:04:18 AM
You should correct the thread title.
The actual title is not the real situation.
There is no readable way in which what you described was a hack concerning opnsense.
So be serious and change the title to something like "I was hacked" or so.

THIS!
Hunsn Intel I3 N305, 6 x 2.5GbE I226-V, 16G DDR5 RAM, 256G SSD