Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    WAN Attackers handling

    Scheduled Pinned Locked Moved Firewalling
    23 Posts 6 Posters 2.8k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B Offline
      Bambos @Gertjan
      last edited by

      @gertjan Hello Sir,

      i have realize that pfSense by default has WAN locked down.

      But i'm not using it as a Ho, i'm using it as a So, and also i'm running web services (FTP port forward and and some allowed ports on WAN for VPN's)

      Because the FTP i'm using is simple, most probably they see my traffic through sniffing and try to connect.

      I don't think pfSense lacks something. If i had "enterprise" firewall, the problem will remain.

      So i'm looking for something to detect the sequencial failed retries. pfblockerNG and suricata is something that i also examine.

      1 Reply Last reply Reply Quote 0
      • B Offline
        Bambos @Cool_Corona
        last edited by

        @cool_corona

        how you can block with suricata ? today i had an incident again, from a specific IP brute forcing specific port. How to make autoblock in such cases ? You can see that same source IP was retrying the same port.

        Can this be done with suricata as you mention ?

        92a3f421-fd0a-447c-b8b0-f6d9cebffc74-image.png

        GertjanG johnpozJ 2 Replies Last reply Reply Quote 0
        • GertjanG Offline
          Gertjan @Bambos
          last edited by

          @bambos

          Why did you remove the Source IP list ? You want to protect the attacker ?

          You can never make some device somewhere on the WAN interface stop sending traffic to you. Not in this world.
          That is, if you do not want traffic from

          c5f828fa-b2f5-4e8c-9e40-2220a647433a-image.png
          to arrive on your WAN interface, you have to block it upstream.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          B 1 Reply Last reply Reply Quote 0
          • B Offline
            Bambos @Gertjan
            last edited by

            @gertjan yes Sir i understand what you say, my question is about the pfsense firewall itself. of course priority is correct firewall rules , that i believe are in place. this is the first and most important and we agree.

            What i'm asking is the ways we can derease the amount of those incidents. IF for example a bot or human is bruteforcing vpn key or user password, and hit the correct port (if firewall keep accepting retries - which shouldn't) then this is a security concern. An adaptive add to block for random attacks would be great (like most commercial firewalls doing) - most times paid.

            So:

            1. firewall rules on WAN
            2. pre-block upfront IP's that are known as bad reputation. This can be done with pfblocker for example, Geo IP blocking etc.
            3. adaptive blocking when someone does the attack specified.

            Can you reccomend something as added functionality ? perhaps suricata or pfblocker or other method or package ? ? Thanks for any suggestions.

            GertjanG 1 Reply Last reply Reply Quote 0
            • GertjanG Offline
              Gertjan @Bambos
              last edited by

              @bambos said in WAN Attackers handling:

              a bot or human is bruteforcing vpn key

              A human ? Thousands of generations won't be able to do that.
              A bot ? Even with a big uplink, all the mainframes combined of all the 3 letter agencies won't be able to that in this decade.

              VPN : do not only use a user + password. Use also TLS, and you'll be fine.

              pfblocker can block upfront known 'bad' IP addresses. If the IP is listed.
              suricata, if it recognizes ( a rule has to be crated that does this) the VPN connect attempts, might intercept the traffic and have it hit a firewall rule created for the occasion.. Cant' tell you more about it, never used suricata.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator @Bambos
                last edited by

                @bambos you sure that is just not out of state traffic?

                acks.jpg

                What is the source of that traffic? You sure you didn't go there, and then the states got reset..

                Seems highly unlikely to be hitting some rando high port from source of 443 as any sort of "attack" or probe..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                B 1 Reply Last reply Reply Quote 0
                • B Offline
                  Bambos @johnpoz
                  last edited by

                  @johnpoz oh i see what you mean, it might be access from my network that requested this kind of traffic, right ?
                  I don't think is possible, because the blue source have scanned my whole /29 block. So most probably is not caused from my Lan. Same as the blue source.
                  So now the green source, made the same thing and include port 21 also.

                  I'm not stating that i'm under attack or something, I'm saying that those kind of patterns are to be suspicious activity from the source. Why not log the source ip, auto-block and publish this ip for others to be informed ?

                  is this something pfblockerNG supposed to do ?
                  Is there any other method to perform this kind of auto-block ?

                  273bf1f8-599c-45b3-b798-96aae658dc42-image.png

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ Offline
                    johnpoz LAYER 8 Global Moderator @Bambos
                    last edited by johnpoz

                    @bambos those are ALL SYNs (S)... Those others were ACKS - and from 443.. And all to 1 random high port.. Now even close to the same thing..

                    6379 is redis (common exploitable port), which is common scan for port. 21 (ftp), etc..

                    You don't see that is different then coming from port 443 (https port)..

                    See how the source port is some high port that is all different...

                    Yes you connect to the public internet - your going to see NOISE.. There is NOTHING you could do about that traffic - nothing!! Its all blocked... If you had open ports you were forwarding, and you don't want some china IP able to talk to it, then say limit your open ports to only the countries you want to allow.. I allow for example only IP from US to talk to my plex server port, because all my users are only going to be in the US..

                    What was the IP that was 443 as the source? Now you got me curious..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    B 1 Reply Last reply Reply Quote 0
                    • B Offline
                      Bambos @johnpoz
                      last edited by

                      @johnpoz ok, thanks for your comments.

                      So this means pfblockerNG with Geo IP blocking, right ?

                      185.85.2.202

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator @Bambos
                        last edited by johnpoz

                        @bambos that was the IP sending those PA from 443? that is a German IP.

                        Owned by
                        org-name: Myra Security GmbH

                        https://www.myrasecurity.com/en/about-us/

                        Yes you can use pfblocker to create alias that contain the IPs of only the country or countries you want. For example my pfblocker alias I created contains the US IPs, Morroco because I have family member there (she is teaching for a few years there) using my plex.. And it also contains some other IPs that check if my plex is working..

                        pfblocker.jpg

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.