Snort Passlist for Cpanel access
-
Since I have implemented Snort's Portscan detection (this past Wednesday night), I could not connect to my web hosting cPanel…I think the traffic is being dropped. So, I followed the instructions to create a Snort passlist: https://doc.pfsense.org/index.php/Snort_passlist
I created an alias under IP with my web hosting provider's IP address and even created a firewall rule just in case...still no luck. A traceroute shows a halt at the twelfth hop...no alert has been generated either. What went wrong? Even when I disable Portscan, I still cannot log in to cPanel...sadly!
![Screen Shot 2018-03-11 at 7.32.31 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-11 at 7.32.31 AM.png)
![Screen Shot 2018-03-11 at 9.20.42 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-11 at 9.20.42 AM.png)
![Screen Shot 2018-03-11 at 9.22.18 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-11 at 9.22.18 AM.png)
-
If you are seeing no alert, then Snort is not likely to be the cause of the "no connection" problem. Snort won't block without logging a corresponding alert on the ALERTS tab. Now if you don't have the "Clear Blocked Hosts" interval set to some reasonable value (I recommend one hour), then a block implemented even days ago could still be in place so long as the firewall has not been rebooted. Rebooting the firewall will always clear all blocks implemented by Snort.
You should be sure the "Clear Blocked Hosts" interval on the GLOBAL SETTINGS tab is set for something sort of short like 1 hour. You can also manually clear blocks at any time by using the button on the BLOCKED tab. Again, though, Snort will print an alert for every block it implements. If blocked hosts are not being cleared on a reasonable interval, and you get lots of alerts that cause the alert log to get rotated frequently, then the ALERTS tab may not be showing the older alerts that caused the long-lived block. That's because the ALERTS tab shows only the alerts from the currently active log. It does not show older alerts from alert log files that have been rotated. Some people get a false sense of security by thinking it is a good idea to set the "Clear Blocked Hosts" interval to NEVER. I disagree with that. If Snort blocked the traffic once, it will block again later, so why worry about persisting the old block? It will reset anyway if you ever reboot the firewall.
Bill
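A quick way to verify Bill's point from a shell on the firewall, as an added example that is not part of Bill's reply: the pfSense Snort package puts blocked addresses into the pf table named snort2c, so a host that is still blocked from an old alert shows up in `pfctl -t snort2c -T show` even if the ALERTS tab no longer shows the alert. The script below checks whether a given address is in that table and prints the `pfctl` command that would remove it (the same thing the BLOCKED tab's clear button does). The hosting provider's address 198.51.100.77 and the table dump are constructed placeholders so the script runs offline; on a real pfSense box it reads the live table instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether an IP is currently
# held in the snort2c pf table (the table the pfSense Snort package uses for
# blocks) and prints the command that clears it. The table dump is passed in
# as text so the matching logic can be exercised without pfctl.

# Constructed sample of what `pfctl -t snort2c -T show` prints: one address
# per line with leading whitespace. 198.51.100.77 stands in for the hosting
# provider's address; all three are documentation addresses, not real hosts.
SAMPLE_TABLE='   192.0.2.10
   198.51.100.77
   203.0.113.5'

# is_blocked IP TABLE_DUMP -> exit 0 if IP is listed in the dump, 1 otherwise.
# Exact-line match (-x) so that 203.0.113 does not match 203.0.113.5.
is_blocked() {
    ip=$1
    dump=$2
    printf '%s\n' "$dump" | sed 's/^[[:space:]]*//' | grep -Fxq -- "$ip"
}

# block_status IP TABLE_DUMP -> prints "blocked" or "not-blocked".
block_status() {
    if is_blocked "$1" "$2"; then
        echo blocked
    else
        echo not-blocked
    fi
}

# clear_cmd IP -> prints (does not run) the pfctl command that drops the block.
clear_cmd() {
    printf 'pfctl -t snort2c -T delete %s\n' "$1"
}

# live_table_dump -> live snort2c table on pfSense; falls back to the
# constructed sample where pfctl is not available.
live_table_dump() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t snort2c -T show 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_TABLE"
    fi
}

main() {
    host=${1:-198.51.100.77}   # hypothetical hosting-provider IP
    dump=$(live_table_dump)
    status=$(block_status "$host" "$dump")
    echo "$host: $status"
    if [ "$status" = blocked ]; then
        echo "to clear it now (or use the Snort BLOCKED tab):"
        clear_cmd "$host"
    fi
}

main "$@"
```

Run it as `sh check_snort_block.sh <provider-ip>` on the pfSense console. If the address is reported as not-blocked, Snort is not what is dropping the connection, which is exactly the conclusion Bill draws from the absence of an alert.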
-
Are you going through a web proxy by any chance? I had a very similar problem recently with a Cpanel page not coming up. When I bypassed my proxy, it came right up. I too first suspected my IPS, but that was not it. Can you temporarily bypass or disable the IPS to verify that's not the issue?
-
If you are seeing no alert, then Snort is not likely to be the cause of the "no connection" problem. Snort won't block without logging a corresponding alert on the ALERTS tab. Now if you don't have the "Clear Blocked Hosts" interval set to some reasonable value (I recommend one hour), then a block implemented even days ago could still be in place so long as the firewall has not been rebooted. Rebooting the firewall will always clear all blocks implemented by Snort.
You should be sure the "Clear Blocked Hosts" interval on the GLOBAL SETTINGS tab is set for something sort of short like 1 hour. You can also manually clear blocks at any time by using the button on the BLOCKED tab. Again, though, Snort will print an alert for every block it implements. If blocked hosts are not being cleared on a reasonable interval, and you get lots of alerts that cause the alert log to get rotated frequently, then the ALERTS tab may not be showing the older alerts that caused the long-lived block. That's because the ALERTS tab shows only the alerts from the currently active log. It does not show older alerts from alert log files that have been rotated. Some people get a false sense of security by thinking it is a good idea to set the "Clear Blocked Hosts" interval to NEVER. I disagree with that. If Snort blocked the traffic once, it will block again later, so why worry about persisting the old block? It will reset anyway if you ever reboot the firewall.
Bill
Thank you Bill…that was my conclusion on Sunday night also and decided to set up Suricata and PFBlockerNG with the same pass list. Still, I cannot connect with cPanel, which should be in my established safe state. I am stunned as to what's going on.
I must say, however, that it's problems such as this that force one to learn more instead of merely installing pfSense and a few packages.
-
@Raffi.:
Are you going through a web proxy by any chance? I had a very similar problem recently with a Cpanel page not coming up. When I bypassed my proxy, it came right up. I too first suspected my IPS, but that was not it. Can you temporarily bypass or disable the IPS to verify that's not the issue?
Thank you Raffi for chiming in…no; however, I am using a transparent proxy! Just tried bypassing the proxy...no luck!
![Screen Shot 2018-03-13 at 2.39.13 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-13 at 2.39.13 PM.png)
-
Is it possible that the alias is not doing what you want, or that it is not completely bypassed? I was able to get my client to bypass the proxy completely in a less sophisticated way (mine is not transparent though). I couldn't use the bypass destination field as you did. I'm not sure how to completely bypass a transparent proxy without disabling it. Have you confirmed that the same page loads fine if you access it from anywhere other than your pfSense network? Via a different browser? Or after clearing browser cache, history, etc.?
Also, I assume you already tried manually clearing all blocked hosts from Snort and then accessing it again?