Netgate Discussion Forum

    Hacker got into my network? Strange access to my Google account?

A Former User

      "If there's not a crises to take advantage of, create one."

      Like the Internet Of Things. Nothing will go wrong there. Hackers have got it too easy.
      Tell Mom I say hi. ;)

johnpoz (LAYER 8 Global Moderator)

So let me get this right, someone got into your wifi, and you use a 60 character psk? And they also happened to sniff your google password? So they also did a MITM on you, since when has google sent passwords in the clear?? You cannot access gmail without using https..

As mentioned your firewall rules are completely pointless there.. WTF does snort have to do with getting on your wifi network?? Why do you not look in your dhcp log if you think some windows machine got on your wifi and accessed your gmail? Or did they also set up a static IP?

As to not being able to access your AP from your lan.. Does it have a gateway set? Maybe an old soho router used as AP by connecting it via lan port doesn't even have a way to set a gateway on lan.

What is the point of your wifi segment there? Seems like it's any any.. Might as well be on your lan.. If you're going to wear your tinfoil hat a bit tight, at least make an effort.. Setting up eap-tls is pretty simple these days with the free radius clickity clickity install you can do on pfsense. And an easy to use CA right there to create your certs for you, etc.

So you lock down your devices to use that wifi network, and still isolate it from your normal network. Then have a guest wifi that is completely isolated from all your other networks. This way your guests are not even on the same wifi as your devices like your ipad and phones, so they're going to have a hard time seeing any traffic they might be sending, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

pftdm007

          Whoa!!  You guys are incredible!

OK so let me get this straight: I'm not a networking guy although I grasp the basics… My firewall is ill-configured (useless) and I need better protection with FreeRADIUS and OpenLDAP. Correct?

          Also, to answer a few questions:
          -the AP is NOT configured with static IP
          -AFAIK OPT1 (LAN) and OPT2 (SEG) are not "bridged" or interconnected in any way.  They independently run their own DHCP server and as a matter of fact, I tried to make OPT2 as independent as possible from LAN.

**First things first: Configure the firewall to be effective and not useless!**

          I have moved pfblocker's rules to a floating set as suggested.  This helps clarity.  Then I reconfigured my interfaces (LAN and SEG) with the basic rules as documented in https://doc.pfsense.org/index.php/Example_basic_configuration

          I am just wondering about the Default Deny Type rules…  I thought by default when traffic did not match a specific rule, it was blocked.  So if I have a set of rules allowing LAN clients to go out, do I need to add a "block all" type of rule at the bottom of the ruleset? (see attached screenshot for my current ruleset for LAN, I added a default deny type rule but deactivated it for now since I did not want to lock everything down completely).

The other question is regarding connectivity between clients. I run several services on my LAN, each with different ports. For example, SSH daemons are running on custom ports. Do I need to create a rule to explicitly allow (pass) traffic from all LAN clients to the host where the service is running? For example let's assume SSHd is running on port 24 on server1. Do I need to create a LAN rule like this:

          Source=LAN net / Port * / Destination=server1 / Port 24  ???

          After my firewall is properly configured, I will move on to the original problem and setup the additional security measures.

          Thanks!

[attachment: Screenshot.png]

Harvy66

I use Google's two factor authentication on my phone. Even works offline, aka it doesn't send you codes.

A Former User

The Default Deny Rule will block everything that is not covered by the rules above it. The important thing is you will be able to log everything it blocks. Example: you just installed a new program and it cannot update or is being blocked. You simply check your firewall logs and see that particular machine trying to get out by a certain protocol and port at the same time you were hitting the update on the program. Now you know exactly what rule is needed for that program. Simple, yes!
That rule is for logging purposes and peace of mind that indeed everything else will explicitly be blocked.
As for your screenshot you should put destination instead of "LAN Address" to "This Firewall" and maybe set up your Management Ports and Machines into an "Alias List" and block all other machines to the firewall management. Same for the DNS to "This Firewall".
Remember for machines connected to a common switch they can talk to each other without a rule being needed.
Best way is try it and if it works then no rule is needed. The name of the game is the fewer rules the better.
The plus to all the work is the knowledge you will gain in knowing everything that is running on your network.
Make the Default Deny rules IPv4+6* and not just IPv4 with TCP; block all protocols.

johnpoz (LAYER 8 Global Moderator)

                "I added a default deny type rule but deactivated it for now since"

You do understand that every interface has a not shown default deny… As to your lan and seg interface being isolated.. Yeah from broadcast traffic, that was it.. They both had any any rules on them.. So what is the point of locking down your LAN?? You worried they are going to come into your house and plug into your network and then get on your wifi network??

                What is your wifi segment rules?


A Former User

                  "You do understand that every interface has a not shown default deny"
I think he mentioned that above and the rule is to be able to show and hide the log traffic as needed from that webpage. Helps to separate the wheat from the chaff when hunting down infections.
                  "They both had any any rules on them.."
                  In the screenshot they were disabled but not yet removed, he is getting there eventually.

Another good practice is a Default Deny to the LAN Address just "BELOW" your inner network rules before you start the rules for Outbound traffic to the web.
So you eventually have your inner network rules above and separated from the Outbound rules with that Default Deny to LAN Address, and at the bottom below the Outbound you have the Default Deny to ALL.
You still need to figure out your segregation of machines into trusted and untrusted, and wireless access and Guests if any.

johnpoz (LAYER 8 Global Moderator)

                    "I added a default deny type rule but deactivated it for now since I did not want to lock everything down completely)."

                    He is not talking about logging.. This makes no mention of creating a rule to log and turning off default logging..

His any any rules from before when he was talking about his wifi being isolated - not with those original rules it wasn't, with any any all he had going was 2 different broadcast domains, nothing more..

Who is taking book that this is all just BS plain and simple.. Some windows machine got on his wifi, somehow sniffed/gleaned his gmail password… And then did what, logged in a couple of times? Who is taking action that it was just one of his own devices?? He then changed it to 60+ character psk, and it still happened? Come on really???

There is locking down your networks because it's the right thing to do, and there is just plain I-smoked-too-much-dope paranoia ;)


A Former User

                      @johnpoz:

                      "I added a default deny type rule but deactivated it for now since I did not want to lock everything down completely)."

                      He is not talking about logging.. This makes no mention of creating a rule to log and turning off default logging..

His any any rules from before when he was talking about his wifi being isolated - not with those original rules it wasn't, with any any all he had going was 2 different broadcast domains, nothing more..

Who is taking book that this is all just BS plain and simple.. Some windows machine got on his wifi, somehow sniffed/gleaned his gmail password… And then did what, logged in a couple of times? Who is taking action that it was just one of his own devices?? He then changed it to 60+ character psk, and it still happened? Come on really???

There is locking down your networks because it's the right thing to do, and there is just plain I-smoked-too-much-dope paranoia ;)

Ahhh the good old days, never mind. I hear you, just trying to lead this horse to the water. We both know it is not up to us if they drink.

pftdm007

The important thing is you will be able to Log everything it blocks

I had a good feeling this was the case. I guess for housekeeping I will keep them on both LAN interfaces so I have logs should something happen..

You do understand that every interface has a not shown default deny..

I was not sure about this one. I figured there was a default block rule by observing the FW logs, but the rule not being shown, I was not sure…

Yeah from broadcast traffic that was it.. They both had any any rules on them.. So what is the point of locking down your LAN?? You worried they are going to come into your house and plug into your network and then get on your wifi network??

The point of LAN is for my well known machines and smart TV, appliances, etc. I have a ruleset and snort rules for those machines. For the other machines (wifi, cells, laptops) that are not totally under my control, I'd rather have them segregated on a different interface so troubleshooting can be done, and more granular control is achieved. I am not sure why this is so complicated. If I could, I'd just copy LAN and rename it SEG and be done with it!!!!

Attached are screenshots of my CURRENT setup. I observe major problems with this config and I am not sure why….

1. I cannot access one of the clients on SEG. I cannot ping it and I cannot SSH to it. It's completely isolated from LAN it seems... Strange thing though, I can finally access my idiotic AP on SEG (webpage and all)... So why the AP and not the client? (BTW to have the AP work on SEG, I had to configure it for static IP in its firmware)....

2. With the rulesets posted in attachment, clients on SEG have no internet connectivity although the rulesets are identical between LAN and SEG. Of course LAN clients have internet connectivity because otherwise I couldn't write this... ;) The only way to allow internet connectivity for clients on SEG is to add an "Allow all" rule at the top of SEG's ruleset (it is disabled on the screenshot). So why do I need such a rule on SEG and not on LAN??? Is there something obscure in how pfsense treats non-LAN interfaces? Kinda the deny all rule being there but hidden?

[attachments: 1.png, 2.png, 3.png]

NOYB

                          According to the LAN rules image you posted clients can…
                          Access pfSense (LAN Address) on ports 468 and 80.
                          Access pfSense (LAN Address) on port 53 (DNS).
                          Access anything on ports 80 (HTTP), 443 (HTTPS), and 993 (IMAP/S).

                          Of course you already know all of that.

                          What you seem to be unclear on is that all other ingress is blocked, by implicit default rules.  So no need to add a deny rule at the end (it's already there, just not shown).
                          Another thing that may be unclear, or maybe it is, so just to be sure, the interface specific rules only apply to ingress.
                          For egress floating rules are used.
                          Also once a rule is matched and the connection established and placed in the state table then the rules are bypassed for that connection.

                          Rules for services hosted on other LAN connected servers should not be needed as that traffic should be direct between the client and server.

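As an added illustration (not code from the thread or from pfSense), the points NOYB makes above and pftdm007's earlier question about a LAN-to-server1 rule can be seen in a small Python model of pfSense-style rule evaluation: interface rules are matched on ingress only, first match wins, an established state lets the reply through with no WAN rule, traffic between two hosts on the same subnet never reaches the firewall, and anything unmatched hits the hidden default deny. Subnets, the firewall addresses, rule descriptions and the sample packets are constructed for the example; the only value taken from the thread is the package-mirror destination 134.153.48.2:37053 quoted later on.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "proto src sport dst dport")   # one packet, as a 5-tuple

@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dports: tuple = ()     # destination ports; empty means any port
    log: bool = False      # write a log line when this rule fires
    descr: str = ""

    def matches(self, pkt):
        def in_net(addr, net):
            return net == "any" or ip_address(addr) in ip_network(net)
        return (self.proto in ("any", pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (not self.dports or pkt.dport in self.dports))

class Firewall:
    def __init__(self, ifaces):
        self.ifaces = ifaces   # name -> (subnet, own address, ordered ingress rules); "wan" last
        self.states = set()    # 5-tuples of connections a pass rule created
        self.log = []

    def _iface_of(self, addr):
        return next(n for n, (net, _, _) in self.ifaces.items()
                    if ip_address(addr) in ip_network(net))

    def handle(self, pkt):
        src_if, dst_if = self._iface_of(pkt.src), self._iface_of(pkt.dst)
        # Same subnet and not addressed to pfSense itself: the switch forwards it, the firewall never sees it.
        if src_if == dst_if != "wan" and pkt.dst != self.ifaces[src_if][1]:
            return "switched"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states or reply in self.states:
            return "pass:state"  # established state: rules are bypassed in both directions
        for rule in self.ifaces[src_if][2]:   # rules apply on ingress only; first match wins
            if rule.matches(pkt):
                if rule.log:
                    self.log.append(f"{src_if} {rule.action} {pkt.proto} {pkt.src}:{pkt.sport}"
                                    f" -> {pkt.dst}:{pkt.dport} [{rule.descr}]")
                if rule.action == "pass":
                    self.states.add(key)
                return f"{rule.action}:{rule.descr}"
        return "block:implicit"  # the hidden default deny; it leaves no rule-tagged log line here

def build_firewall():
    # Constructed addressing: LAN 192.168.1.0/24 and SEG 192.168.2.0/24, pfSense at .1 on each.
    lan = [Rule("pass", "udp", "192.168.1.0/24", "192.168.1.1/32", (53,), descr="DNS to firewall"),
           Rule("pass", "tcp", "192.168.1.0/24", "any", (80, 443, 993), descr="Web and IMAPS out"),
           Rule("block", "any", "any", "any", log=True, descr="Default deny (log)")]
    # SEG gets only DNS here and no logging block at the bottom of its rule set.
    seg = [Rule("pass", "udp", "192.168.2.0/24", "192.168.2.1/32", (53,), descr="DNS to firewall")]
    return Firewall({"lan": ("192.168.1.0/24", "192.168.1.1", lan),
                     "seg": ("192.168.2.0/24", "192.168.2.1", seg),
                     "wan": ("0.0.0.0/0", None, [])})

def walk_through():
    """Constructed sample traffic; returns (verdict per packet, log lines)."""
    fw = build_firewall()
    pkts = [Packet("tcp", "192.168.1.10", 50000, "192.168.1.20", 24),     # SSH to server1 on the LAN
            Packet("tcp", "192.168.1.10", 50001, "8.8.8.8", 443),         # HTTPS out
            Packet("tcp", "8.8.8.8", 443, "192.168.1.10", 50001),         # its reply: no WAN rule needed
            Packet("tcp", "192.168.1.10", 50002, "134.153.48.2", 37053),  # package mirror on an odd port
            Packet("tcp", "192.168.2.10", 50003, "8.8.8.8", 443)]         # SEG client with no web rule
    return [fw.handle(p) for p in pkts], fw.log

if __name__ == "__main__":
    print(*walk_through(), sep="\n")
```

Only the LAN's explicit bottom rule produces a log line naming the rule; the SEG packet is dropped just the same by the implicit deny, which is the distinction the thread draws between the hidden default deny and adding one yourself for logging.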
pftdm007

                            @NOYB:

                            What you seem to be unclear on is that all other ingress is blocked, by implicit default rules.  So no need to add a deny rule at the end (it's already there, just not shown).

                            I know, like I said in my last post, I put it only for logging purposes.

                            Another thing that may be unclear, or maybe it is, so just to be sure, the interface specific rules only apply to ingress.
                            For egress floating rules are used.

We never spoke about floating rules so far, except for pfblocker's rules where someone suggested making them floating for uncluttering the LAN and SEG interfaces… Are you suggesting I use a floating rule to allow traffic between the LAN & SEG? I'm asking because I screwed up enough so far, before I do something stupid (or stupider...)

                            Rules for services hosted on other LAN connected servers should not be needed as that traffic should be direct between the client and server.
So if I understand what you're saying, no need for a rule on a specific interface when communication is between 2 clients on the same interface? Analogous to 2 computers connected to a single switch? In that case, should I add a rule to allow traffic between LAN and SEG?

NOYB

                              Wasn't suggesting that you do anything particular.  Just wanted to be sure you had the understanding.

A Former User

Another tip for the logging, I know it is available in 2.3 but it looks like you're on 2.2.6 so you can check around
Status/System Logs/Settings and allow another column to show which rule fired the block log.
                                Anyway I posted a screenshot of my untrusted network rule set over here if it helps.
                                https://forum.pfsense.org/index.php?topic=109512.0

Tubal

                                  Are you sure it's not one of your smart devices accessing google for TV or Music being reported as a Windows Device with Firefox?

pftdm007

                                    @Tubal:

                                    Are you sure it's not one of your smart devices accessing google for TV or Music being reported as a Windows Device with Firefox?

                                    Pretty sure ;)

I think I'm getting somewhere with the firewall config, but just out of curiosity, I noticed a LOT of traffic to port 8081 when browsing the web. Pages are timing out, etc…. Do I need to add a rule to allow traffic on 8081 on top of the existing rule for port 80 (http)?

What's the difference between 80 and 8081?

NOYB

                                      @lpallard:

What's the difference between 80 and 8081?

                                      The difference is 8001, according to the Microsoft Windows 8 calculator.

johnpoz (LAYER 8 Global Moderator)

Oh man you beat me to it ;) I was going to say the same thing, 8001…

8081 is a common proxy port, you talk to a lot of proxies? You do understand there is nothing in your firewall rules that stops someone from accessing your wifi and logging into your google account right ;)


A Former User

What's the difference between 80 and 8081?

Good list here: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Some unwanted uses of port 8081:
http://www.speedguide.net/port.php?port=8081
If you are serious about finding infections get more comfortable with Wireshark and try not to open ports willy nilly.
Who wants out and why? pfSense can capture very easily.
                                          You will gain a more rounded knowledge by doing your own research over the web than asking here. Web search is great for just this purpose.

pftdm007

                                            Thanks webtyro,

                                            I agree with you, sometimes I should search on google…

For port 8081, I see a lot being blocked on forums (not this one), and on some other websites I visit. FYI, no I don't explicitly connect to proxies. If this happens, it's by design, not my intention. For example, apt-get (ubuntu) uses 8081 as well to communicate with its mirrors.

Did you poke a hole in your FW to explicitly allow traffic to go to port 8081? I read the speedguide page you referred me to, and that makes me wonder even more about trust. If you don't have a rule allowing 8081, then it is getting blocked, and most likely it is interfering with your browsing experience.

The other thing I noticed, package managers are using all kinds of ports. For example, trying to update a Linux Mint machine failed because the package mgr was trying to connect to 134.153.48.2:37053. This morning, I saw a similar attempt being blocked but on a different port (48761). This is all over the place! Seems to be random ports every time.. Will I need to manually add a rule (or an alias) to allow services as I go? If so this is gonna be a major PITA and I would understand why people would simply use a default allow all on LAN! Any better way to deal with this?

I'm NOT searching for specific instructions or on what exactly to do.. I am more looking forward to a "this is what I'd do" or better "this is what I've done". Nobody's setup is identical and it's nearly impossible for someone in Texas to guess precisely what someone else's setup is like. General direction is more rewarding to me than specific instructions.
