Seems that hacker is inserting a foreign DNS into my computer, how to remove it?

Firewalldude89

@johnpoz Yes, I cannot log in to console

johnpoz

@Netgate1100guy you mean you can not access the pfsense web gui at what address? What IP does pfsense have?

Is this 192.168.1.x network from your above output pfsense lan network?

Can you ping pfsense IPv4 address? or do you mean you can not ssh to pfsense - for you to ssh to pfsense you would of had to enable ssh..

Firewalldude89

@johnpoz I cannot log in to the admin console to configure firewall by using web

johnpoz

@Netgate1100guy and can you ping pfsense IP, it would default to 192.168.1.1.. Do you get any page, and your login is just failing?

Are you trying to access it via the actual IP or using some fqdn in your browser?

I think there was threads about where web page was not available after update to 2.7? Is this a clean install, did you upgrade from some previous pfsense version? Did it ever work?

Firewalldude89

@johnpoz via the actual IP.
Think there was a very recent upgrade.

johnpoz

@Netgate1100guy dude why does it feel like am I needing to pull teeth here?

Do you get a blank page? Does it show you a login but login not working - or seems to stall after login?

Can you ping pfsense IP? Had you enabled ssh, can you ssh to it? Can you console in, ie use console cable? Can you ping some public IP? say 8.8.8.8 from your PC, is internet actually still working.

How does the pfsense web gui won't load via IP address have anything to do with some hacker inserting dns?

michmoor

@johnpoz you have the patience of a saint

JKnott

@Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

There is often a secondary IPv6 address, which seems to be from hacker. Can Link Local IPv6 work
or what else?

????

Where are you seeing the link local address? Every IPv6 capable device has one. However, given they're not routeable, they'd be pretty much useless for an attacker.

Firewalldude89

@johnpoz It shows me a login page but it stalls.

michmoor

@Netgate1100guy turn off the firewall and keep it off for 9 days. That should solve it. Come back and let us know if that works.
Also, as a last resort try turning off the cable modem just in case. You should be clear from the hacker after that. Worked for me

johnpoz

@Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

It shows me a login page but it stalls.

Stalls? If pfsense has no working dns then yes the login page can be very slow.. From what you posted before - pfsense has only an actual IP on 1 interface - so hard to image that it would have working dns.. So yeah the login is prob going to be very slow.

rcoleman-netgate

@Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

@johnpoz It shows me a login page but it stalls.

Connect via the console.

Tell your 1100 to reboot.

Attempt a GUI login again.

Does the console report any errors?

However as @johnpoz notes if your WAN isn't connected or your DNS upstream isn't working pages can take some time to load. Also loading the initial dashboard from the LAN also can take time to load but other pages afterwards are quick to load.

Try loading a subpage after logging in from your URL history. This is how I bypass the 30-second wait.

rcoleman-netgate

@michmoor said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

You should be clear from the hacker after that. Worked for me

Not helpful...

michmoor

@rcoleman-netgate There is seeking help and then there is trolling. We crossed that boundary several posts ago. If there is no attempt by the OP to seek assistance then how is my attempt at helping any different than others? Plus they stopped responding.

rcoleman-netgate

@michmoor said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

We crossed that boundary several posts ago.

Then you can walk away and turn off notifications on the post.

michmoor

@rcoleman-netgate thats a great option.

Firewalldude89

Hi all, I can now log into admin site on web and it is better now.
Link Local for IPv6 seems to be great and can make a hacker intrusion much less likely.

A few simple questions:

On Suricata and Snort, should I enable interface for both LAN and WAN or just one of them,
which of them? Because I have often blocked myself actually and maybe thats because of interface enabled
for both LAND and WAN..

I have accepted that SSL Inspection or Interception is not that necessary or ideal for blocking a hacker,
seems that fine tuned Snort and Suricata settings are far more important.
SSL Inspection is used for only clients connected to the LAN network, but not for anyone from the outside,
incoming from the web? Is SSL Inspection useless for stopping hackers?

What other packages are important for blocking hackers? How can I for example block DoS and DDoS attacks?

rcoleman-netgate

@Firewalldude89 said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

On Suricata and Snort, should I enable interface for both LAN and WAN or just one of them,
which of them? Because I have often blocked myself actually and maybe thats because of interface enabled
for both LAND and WAN..

Best to post this type of question in the IDS/IPS section.

Gertjan

@Firewalldude89 said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

How can I for example block DoS and DDoS attacks?

On your side ? Nothing to do, the default hidden WAN firewall rules is the one rule that will do it all : it blocks all and everything.
The only traffic that passes = comes in - is traffic initiated from behind the firewall, like for example a LAN based device.

But, as we can compare this to the good old phone network : can you stop some one (or even the entire planet) to call you ?
No, of course not.
If many, like thousands, try to connect to your WAN, they will all find themselves before a closed door. They will manage to do just one thing : your down stream 'pipe' is full with these access requests. So, no more data comes in - the pipe is full, and no more data gets out, as the pipe is full.
And that's what a DOS or DDOS is all about : stopping your Internet access.
And yes, it's known that the firewall just 'give up' (goes 'down').

The only thing you can do against DOS/DDOS is : be good friends with your ISP, so they can block traffic for you, way upstream.
Next best solution : the little boys solution : who has the biggest pipe ? Like : if your WAN upstream / downstream is 100 Gbits / sec then a 'miserable' (still consequent) 10 Gbit sec DOS/DDOS won't even ne noticed by you.

michmoor

@Gertjan said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

Like : if your WAN upstream / downstream is 100 Gbits / sec then a 'miserable' (still consequent) 10 Gbit sec DOS/DDOS won't even ne noticed by you.

The only caveat i would add is that the resource utilization of the firewall will be impacted. As far as I am aware there are no built in protections to protect the firewall(pfSense) itself from resource exhaustion if a ddos attack occurs.
Typically there are "Zone Protection" features in other products that limit the amount SYNs or UDPs that are allowed.
Otherwise inter-vlan traffic on the firewall will be impacted because of a ddos on the WAN.