Netgate Discussion Forum

    Under attack, anything I should do?

    General pfSense Questions, 68 Posts, 19 Posters, 3.5k Views
      michmoor LAYER 8 Rebel Alliance @johnpoz

      @johnpoz last question as i dont want to hijack this thread.

      How do you know what IP block falls under what country?
      So for example, I want to accept all routes from a country like Saint Thomas (Virgin Islands). I would go into pfBlocker and, using ASN, search for Saint Thomas, which comes back as AS32907. As of today, this doesn't work because of the issue with bgpview.
      But if I do GeoIP, STTHOMAS doesn't even come up. It does fall under US, but how would I know that?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

        tgl @revengineer

        @revengineer said in Under attack, anything I should do?:

        Having used pfSense for a long time, and having monitored my firewall logs, I can tell that the current activity is unusual. I am well accustomed to many opportunistic hits from various IPs hitting various ports. But a certain block of IPs trying to access a single common port is new. Hence my inquiry.

        Actually, I'm also seeing a recent change in behavior. The number of failed login attempts on my sshd port used to be quite low --- there were 32 attempts during August, for instance. So far this month (a bit less than 5 full days):

        $ sudo grep 'Invalid user' /var/log/secure | wc
          40152  481848 3454355
        

        Somebody's amped up the level quite a lot. Digging a little deeper, the connections are coming from a whole lot of places, though I did identify a couple of Korean and Chinese netblocks that seemed disproportionately represented (and are now blocked). The usernames are just random, looking more like a dictionary attack than anything targeted.

        Not sure what to make of this. I don't believe I'm being specifically targeted, and they're wasting their time anyway because my server will only accept certificate-based logins. But somebody's gotten really enthusiastic about brute-force ssh breakins.

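One way to do the "digging a little deeper" step described above, as an added example that is not part of the post: it parses sshd "Invalid user" lines, groups them by /24 (or /16) netblock, flags blocks carrying a disproportionate share of the attempts, and counts distinct usernames to tell a dictionary run from a targeted one. The log lines and addresses are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in /var/log/secure (syslog) format; they are not from the post.
SAMPLE_LOG = """\
Sep  5 03:12:44 gw sshd[4101]: Invalid user admin from 203.0.113.17 port 51234
Sep  5 03:12:51 gw sshd[4103]: Invalid user oracle from 203.0.113.17 port 51240
Sep  5 03:13:02 gw sshd[4107]: Invalid user test from 203.0.113.88 port 40211
Sep  5 03:13:09 gw sshd[4109]: Invalid user ubuntu from 203.0.113.88 port 40219
Sep  5 03:13:30 gw sshd[4112]: Invalid user git from 203.0.113.201 port 60002
Sep  5 03:14:01 gw sshd[4115]: Invalid user postgres from 198.51.100.9 port 33001
Sep  5 03:14:40 gw sshd[4118]: Invalid user admin from 192.0.2.77 port 22222
Sep  5 03:15:12 gw sshd[4120]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2
Sep  5 03:15:55 gw sshd[4123]: Invalid user admin from 198.51.100.42 port 33870
"""

# Matches the sshd "Invalid user" line that the grep in the post counts.
INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_invalid_users(text):
    """Return (username, source_ip) for every 'Invalid user' line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            found.append((m.group("user"), ipaddress.ip_address(m.group("ip"))))
    return found


def block_of(ip, prefix_len):
    """Map a source address to its enclosing netblock (IPv6 sources are bucketed per /64)."""
    plen = prefix_len if ip.version == 4 else 64
    return str(ipaddress.ip_network((str(ip), plen), strict=False))


def summarise(text, prefix_len=24, share_threshold=0.25):
    """Count attempts per netblock and flag blocks responsible for more than
    share_threshold of all attempts.  Returns (total, per_block, flagged, distinct_users);
    many distinct usernames relative to total is the dictionary-attack pattern the post
    describes, while very few suggests a targeted guess at real accounts."""
    attempts = parse_invalid_users(text)
    total = len(attempts)
    per_block = Counter(block_of(ip, prefix_len) for _, ip in attempts)
    distinct_users = len({user for user, _ in attempts})
    flagged = sorted(b for b, n in per_block.items() if total and n / total > share_threshold)
    return total, dict(per_block), flagged, distinct_users


def report(text, prefix_len=24):
    """Print a per-netblock table and return the blocks worth putting in a block alias."""
    total, per_block, flagged, distinct_users = summarise(text, prefix_len)
    print(f"{total} failed attempts, {distinct_users} distinct usernames tried")
    for block, n in sorted(per_block.items(), key=lambda kv: -kv[1]):
        mark = "  <-- disproportionate" if block in flagged else ""
        print(f"{block:>20} {n:5d} ({100 * n / total:5.1f}%){mark}")
    return flagged


if __name__ == "__main__":
    report(SAMPLE_LOG)        # flags 203.0.113.0/24 (5 of 8 attempts)
    report(SAMPLE_LOG, 16)    # the same view per /16
```

Run it against the real file with `summarise(open("/var/log/secure").read())`; the flagged blocks are the candidates for a pfSense block alias, after checking whether a whole /24 is really hostile.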
          stephenw10 Netgate Administrator

          Mmm, you should definitely consider limiting the source on the rule allowing that IMO.

            johnpoz LAYER 8 Global Moderator @michmoor

            @michmoor said in Under attack, anything I should do?:

            STTHOMAS, doesn't even come up. It does fall under US but how would i know that?

            How would you know that St Thomas is a US territory? Isn't that something they still teach in elementary school? Basic geography? Why would anyone think to use an ASN for a country or region.. ASNs are assigned to companies or entities - not countries normally.

            It's also in the name, I mean when someone says Saint Thomas, there is always that ", U.S. Virgin Islands" isn't there? Just like I would assume everyone knows that St. Barts and St. Martin and let's not forget Martinique are all French, etc.

            I mean I think the US has something over 25K different ASNs - I think they are like 10x the next highest..

            I mean I guess some small country might just have 1 ASN, where the gov controls the internet in that country? But they should also be listed in the geo IP db..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              dennypage @michmoor

              @michmoor said in Under attack, anything I should do?:

              So for example, i want to accept all routes from a country like Saint Thomas (Virgin Islands).

              Saint Thomas isn't classified as a country. It's part of the United States Virgin Islands. There is a standard country code for that, which is "VI".

                Patch @stephenw10

                @stephenw10 said in Under attack, anything I should do?:

                Mmm, you should definitely consider limiting the source on the rule allowing that IMO.

                yep

                @Patch said in Under attack, anything I should do?:

                use an IP alias in pfsense for this which includes the address of my laptop while I'm on the road (via a dynamic domain name client on my laptop).

                  michmoor LAYER 8 Rebel Alliance @johnpoz

                  @johnpoz STT was an example. Calm down....

                    JeGr LAYER 8 Moderator @dennypage

                    @dennypage said in Under attack, anything I should do?:

                    Does your public IP respond to ICMP pings? If so, figure out how to disable in your ISP kit and/or pfSense

                    @dennypage said in Under attack, anything I should do?:

                    While many people suppress ICMP echo for IPv4, attempting to imitate a black hole, suppressing echo responses really has no impact on security. Also of note is that suppression of echo response is specifically prohibited with IPv6.

                    Thank you! This. The whole schtick about being invisible or somehow stealthy by not answering ICMP is so completely bullshit I don't even know how that got so famous in the first place! TTL and other measures can easily show if there's another hop on the line that is playing dead. Hell, even ISPs on dialup lines often have the first hop not responding to anything and you know it's there. Allowing ICMP echo reply is no bad thing and doesn't make you a target. Playing sneaky and stealthy makes you one. Comparable to the nonsense of hiding a WiFi SSID, which also adds a whole lot of other problems for other WiFis.

                    @Bob-Dig said in Under attack, anything I should do?:

                    Already forgotten that it is OpenVPN behind Port 443? 😉

                    Seems so 😄 With that little traffic it should be no problem to re-open the port. I'd throw in to use pfBlockerNG, add the PRI1-3 or even PRI1-5 lists and the "SCANNER" list and silent block drop them on WAN in front of the allow rule for the VPN. That should eliminate quite a bit of that noise one sees on ports like 443/tcp. That will shut up nonsense hosts, scanners like censys or Shodan and stuff so it won't ring the bell that often.

                    @revengineer said in Under attack, anything I should do?:

                    Having used pfSense for a long time, and having monitored my firewall logs, I can tell that the current activity is unusual. I am well accustomed to many opportunistic hits from various IPs hitting various ports. But a certain block of IPs trying to access a single common port is new. Hence my inquiry.

                    You should take into consideration that with the whole shebang of AI bullshit out there, the amount of bots and crawlers has gone awry. Working for a company that, besides firewalls and network stuff, does hosting for a big chunk of our business, we see things like Facebook's crawlers, claudebot from openAI and stuff spiking at an all-time high and running wild on webservers of our customers. That got large enough that we block whole IP ranges now to stop them from crawling, as quite a number of them are ignoring stuff like robots.txt to rein in their crawling behavior.

                    So if you're running on a dynamic IP it's not impossible that this IP was somehow known for a web service beforehand or that some crawlers and bots simply don't care and try to exploit it. Also there were a number of HTTPS/webservice exploits again, so scanner/exploit kits searching for targets in a kind of "wave-like" surge in traffic isn't that unusual. It happens. That's why I'd add pfB IP blocks in front of the VPN rule and be done with it. OpenVPN itself is quite capable of ignoring those BS connection attempts :)

                    @revengineer said in Under attack, anything I should do?:

                    I have not stated that I am suffering a DDOS attack. I agree that 5/s is low, and my connections are in no way affected.

                    Yeah absolutely. Didn't read it as DDOS, but you wrote "under attack" while most of us wouldn't count 5/s on any service as even an attack ourselves, but of course YMMV.

                    @revengineer said in Under attack, anything I should do?:

                    but I am not sure what the attacker is trying to accomplish.

                    It doesn't have to be attackers at all! As stated before, there are numerous scanner services like censys, Shodan etc. that will also spike in traffic when new CVEs or exploits are released and they kick off their search for vulnerable systems.

                    @provels said in Under attack, anything I should do?:

                    FWIW, I run my OpenVPN on a rando high port and NAT it. But it's been many moons since I traveled anywhere that offered WiFi over anything more sophisticated than a Netgear router. LOL

                    Wanted to add to that comment a general recommendation: just run OpenVPN on localhost and udp/tcp 1194 for basic setup. Then add port forwards with an alias and a small set of ports and redirect them to localhost/1194 for either udp/tcp. Done.
                    You now have the same fallback strategy implemented like the "bigwig" VPNs that spam your ad channels everywhere, like PIA, Nord, etc. They all run on a number of IPs but with various different ports for fallback reasons for when the default 1194/udp/tcp won't work.

                    Normally those are like:

                    • UDP: 1194, 80, 4569, 5060, 51820
                    • TCP: 1194, 443, 8443, 7770

                    Those are quite common for Nord or Proton and other VPN providers to use as alt ports and even in some restrictive hotel environments and with shitty portals I normally get through to home with them.
                    Otherwise, when not wanting to open any port at all, using a VPN with an intermediate (run by yourself or from the VPN provider) like tailscale (or self-hosted headscale) or something would be another possibility.

                    Cheers :)

                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                      Bob.Dig LAYER 8

                      ASN in pfBlocker still has problems most of the time. But if you have working lists already, you are good.

                        johnpoz LAYER 8 Global Moderator @dennypage

                        @dennypage said in Under attack, anything I should do?:

                        Information available here.

                        And where in pfblocker would I put this token? I am not seeing it in any of the pfblocker settings, I have my maxmind token setup..

                        But if I'm reading that right, that really has little to do with pulling the info from an ASN for your table of IPs, but more to do with pulling this info in real time for ASN reporting?

                        [screenshot: asnreporting.jpg]

                        Am I not understanding this correctly? When using ASN in an alias, why should you need to pull this info more than say every 24 hours, they sure are not updating this info on the hour every hour, etc.. Says right in that thread that they only update every 24 hours anyway. And to be honest there normally is not a lot of changes to IPs listed in an ASN...

                        Per that thread there is also info about 10 downloads a day.. I don't see how that would be an issue.. That is a lot of downloads of the db per day for how it should be used.

                          Bob.Dig LAYER 8 @johnpoz

                          @johnpoz The real info is here.

                            JKnott @AndyRH

                            @AndyRH said in Under attack, anything I should do?:

                            Hotels likely do not block 1194 which is OpenVPN and frequently used by business travelers.

                            While I haven't had a problem using OpenVPN from a hotel once I moved my local subnet away from what hotels often use, I know some places such as my local community centre & library block it. If I come across a place that blocks my VPN, I just connect by tethering to my cell phone.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                              johnpoz LAYER 8 Global Moderator @Bob.Dig (last edited by johnpoz)

                              @Bob-Dig thanks... So yeah something is not right.. I just added a test alias with cisco asn AS109, and get nothing, just the placeholder added to the file..

                              But from a look of the prefixes listed https://bgpview.io/asn/109#prefixes-v4

                              There should be plenty of prefixes in the table.

                              Where would you put in this token you can get, I got my token.. And just from the gui I can download a db.. And in that db I find prefixes for that AS109 I used for my test..

                              So why can this not be done in pfblocker?

                              [screenshot: download.jpg]

                                Bob.Dig LAYER 8 @johnpoz (last edited by Bob.Dig)

                                @johnpoz @BBcan177 said in pfblockerNG ASN bgpview trouble:

                                The current code in pfB contains a User Agent Header which is being blocked en masse by them.

                                But I don't know anything about a token. Just using the patch again, which alters the User Agent Header, worked for me. 😁

                                  BBcan177 Moderator @Bob.Dig (last edited by BBcan177)

                                  I have a PR pending approval to switch to IPInfo for ASN data.

                                  But in the short term, you could change the agent string to something else to avoid BGPview blocking you. They don't want to support open source and I can't even get them to update their API usage policy.

                                  pfBlockerNG code
                                  FILE: /usr/local/pkg/pfblockerng.sh

                                  LINE 761

                                  "Experience is something you don't get until just after you need it."

                                  Website: http://pfBlockerNG.com
                                  Twitter: @BBcan177  #pfBlockerNG
                                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                    jrey @Bob.Dig

                                    @Bob-Dig

                                    Patience - the fix is coming as mentioned in the thread you referenced (and now here). It is looking really good at this point and good riddance to bgpview.

                                    watch the -devel branch for the update. No ETA, but soon-ish as @BBcan177 mentions above the PR is pending.

                                    PS: you won't need the patch, and it won't apply after the update releases, at which time you can delete it.

                                      johnpoz LAYER 8 Global Moderator @Bob.Dig (last edited by johnpoz)

                                      @Bob-Dig said in Under attack, anything I should do?:

                                      Just using the patch again

                                      What patch is this? I don't see anything related in the patches? From what @BBcan177 mentioned, sounds like you would just manually edit that file. Is there some patch to auto do that?

                                      edit:
                                      Oh, you're talking about the patch shown in this thread

                                      https://www.reddit.com/r/pfBlockerNG/comments/1ey2sza/update_on_asn_issues_with_bgpviewio/

                                      edit2:
                                      Well, I tried editing the ua string, and still not loading that as109 I set up as a test.

                                        jrey @johnpoz

                                        @johnpoz

                                        I had provided the fix as a "patch" file well over a year ago - the last time bgpview did this actually.
                                        Original version of the patch I created should be on this forum somewhere - I never provided it to reddit

                                        • it changed a couple of other things as well.
                                          Like not providing your device's NDI to bgp (they don't need it, and I viewed it as an issue), especially in light of the fact that Netgate gives you the option to not even send it to them in the URL, and they have made such a "fuss" about NDI and registration being a problem; why send it where it is not required?

                                        I'm no longer providing the patch directly, for various reasons mentioned in the other thread, and now with the new version that doesn't need it.

                                        If your downloads are not working:
                                        a) Just wait for the release,
                                        b) find the patch,
                                        c) or change the line as referenced.

                                        I recommend a) for good reason at this point

                                        [screenshot: Screen Shot 2024-09-06 at 9.18.06 AM.png]

                                          jrey @johnpoz

                                          @johnpoz said in Under attack, anything I should do?:

                                          Well, I tried editing the ua string, and still not loading that as109 I set up as a test.

                                          let me try this for you - standby

                                            johnpoz LAYER 8 Global Moderator @jrey

                                            @jrey said in Under attack, anything I should do?:

                                            c) or change the line as referenced.

                                            I did change the line.. does it need a specific format or something?

                                            ua="pfSense/pfBlockerNG cURL download agent-"

                                            to

                                            ua="different-"

                                            And that doesn't seem to be working.. My current aliases that have table entries, they might be a bit out of date it seems.. I can for sure just wait til the new version comes out, etc. and already have my ipinfo token ;)

                                            But now just curious to get it working if all you would have to do is change the ua..

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.