Default Permit: a Dumb idea
-
On the topic of learning through pfSense and the kind of activity your WAN side ports see, try running these two custom rules in Suricata or Snort (change drop to alert or run as IDS if you just want to see for fun).
drop tcp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, TCP"; classtype:network-scan; sid:9000; rev:1;)
drop udp !$MY_NET any -> any !$MY_PORT (msg:"The Golden Rule, UDP"; classtype:network-scan; sid:9001; rev:1;)
Where $MY_NET and $MY_PORT are variables you'll need to specify as necessary for your own network in /usr/local/pkg/suricata/suricata_yaml_template.inc under the "vars:" section.
It will just show you that every network out there is getting scanned all the time; scanning for vulnerabilities is often not discriminatory, just a dragnet.
As a sidenote, whitelisting your LAN won't do a thing about probes on your WAN, but it is interesting in terms of general security on pfSense.
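To actually look at what the two rules above catch, you read them back out of Suricata's eve.json rather than the GUI. The following is an added example, not code from the post or from pfSense/Suricata: it parses a handful of constructed EVE alert records (the addresses are from documentation/test ranges, the sid 9999 entry is a hypothetical unrelated local rule), keeps only the sid 9000/9001 hits, and tallies them by destination port and by source, which is the quickest way to see the dragnet pattern the post describes.

```python
import json
from collections import Counter

# sids of the two "Golden Rule" signatures from the post above
GOLDEN_SIDS = {9000, 9001}

# Constructed sample eve.json lines (not real logs); field layout follows
# Suricata's EVE alert records. Includes a non-alert "flow" event, one alert
# from a hypothetical unrelated rule (sid 9999) and one garbage line, so the
# filtering below has something to reject.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":40211,"dest_ip":"198.51.100.10","dest_port":23,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000,"rev":1,"signature":"The Golden Rule, TCP","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":40212,"dest_ip":"198.51.100.10","dest_port":3389,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000,"rev":1,"signature":"The Golden Rule, TCP","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"flow","src_ip":"198.51.100.10","src_port":443,"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP"}
{"timestamp":"2024-01-01T00:00:04.000000+0000","event_type":"alert","src_ip":"198.18.0.77","src_port":51000,"dest_ip":"198.51.100.10","dest_port":23,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000,"rev":1,"signature":"The Golden Rule, TCP","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2024-01-01T00:00:05.000000+0000","event_type":"alert","src_ip":"192.0.2.200","src_port":5060,"dest_ip":"198.51.100.10","dest_port":5060,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":9001,"rev":1,"signature":"The Golden Rule, UDP","category":"Detection of a Network Scan","severity":3}}
{"timestamp":"2024-01-01T00:00:06.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":40213,"dest_ip":"198.51.100.10","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9999,"rev":1,"signature":"Hypothetical other local rule","category":"Misc activity","severity":3}}
{"timestamp":"2024-01-01T00:00:07.000000+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":40214,"dest_ip":"198.51.100.10","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000,"rev":1,"signature":"The Golden Rule, TCP","category":"Detection of a Network Scan","severity":3}}
this line is not JSON and should be skipped
"""


def parse_eve(text):
    """Return only the alert records from eve.json text, skipping other
    event types (flow, stats, ...) and lines that are not valid JSON."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            alerts.append(rec)
    return alerts


def golden_alerts(alerts, sids=GOLDEN_SIDS):
    """Keep only hits from the Golden Rule signatures (sid 9000 / 9001)."""
    return [a for a in alerts if a["alert"].get("signature_id") in sids]


def summarize(alerts):
    """Tally alerts by (proto, dest_port) and by source address."""
    by_port = Counter((a["proto"], a["dest_port"]) for a in alerts)
    by_src = Counter(a["src_ip"] for a in alerts)
    return {
        "total": len(alerts),
        "by_port": by_port,
        "by_src": by_src,
        "distinct_sources": len(by_src),
    }


def top_ports(summary, n=5):
    """Most-probed (proto, port) pairs, highest count first."""
    return summary["by_port"].most_common(n)


if __name__ == "__main__":
    # Against a live box you would read /var/log/suricata/<iface>/eve.json
    # instead of SAMPLE_EVE.
    hits = golden_alerts(parse_eve(SAMPLE_EVE))
    report = summarize(hits)
    print(f"{report['total']} Golden Rule hits from "
          f"{report['distinct_sources']} distinct sources")
    for (proto, port), count in top_ports(report):
        print(f"  {proto}/{port}: {count}")
    for src, count in report["by_src"].most_common():
        print(f"  {src}: {count}")
```

The point of separating `parse_eve` from `golden_alerts` is that the same eve.json carries flow, stats and other rules' alerts; counting those would inflate the numbers and hide the scan pattern you set the rules up to show. On a real WAN interface, run it over a day of eve.json and compare the per-port counts against the SANS ISC port trend pages linked later in the thread.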
-
"or prevent a bot from reaching a C&C server."
I honestly do not agree with such an argument at all. If you're going to want your bot to talk to your CC, why would you not just use a common port like 80/443, so its traffic, for one, is hidden with all the normal traffic and on a port that would be open almost everywhere?
-
"or prevent a bot from reaching a C&C server."
I honestly do not agree with such an argument at all. If you're going to want your bot to talk to your CC, why would you not just use a common port like 80/443, so its traffic, for one, is hidden with all the normal traffic and on a port that would be open almost everywhere?
I know not a damn thing about this stuff but I had always wondered about this exactly. It seems like if you were writing malware and trying to avoid detection (not to mention blocking) it would be a lot less suspicious (and surrounded by a lot more static) to have your malware phone home on port 80 (or something along those lines) than 23 or something less common?
-
You assume bot writers have anything that resembles intelligence. There will be smart ones, but there are more dumb ones. :D
-
"or prevent a bot from reaching a C&C server."
I honestly do not agree with such an argument at all. If you're going to want your bot to talk to your CC, why would you not just use a common port like 80/443, so its traffic, for one, is hidden with all the normal traffic and on a port that would be open almost everywhere?
I know not a damn thing about this stuff but I had always wondered about this exactly. It seems like if you were writing malware and trying to avoid detection (not to mention blocking) it would be a lot less suspicious (and surrounded by a lot more static) to have your malware phone home on port 80 (or something along those lines) than 23 or something less common?
Guys, the idea is to increase your odds of finding said offender. That is enough for me to do it. Keep the haystack as small as you can.
-
You assume bot writers have anything that resembles intelligence. There will be smart ones, but there are more dumb ones. :D
Haha, good to know!
@webtyro:
Guys, the idea is to increase your odds of finding said offender. That is enough for me to do it. Keep the haystack as small as you can.
You certainly don't need to convince me, my LAN is already whitelisted for whatever reason. But I do like hearing all this feedback from you guys on the topic!
-
For more references:
- Port trends: https://isc.sans.edu/trends.html
- Port activity graphs: https://isc.sans.edu/port.html
-
I honestly do not agree with such an argument at all.
Same here.
-
Evidence disagrees with your disagreement. Check the data in the links I just posted.
-
pfSense out of the box: Works for 99.99% of traffic
pfSense with UPnP enabled: Works for 99.999999% of traffic
If you find the default block permissions are a "bad idea", you're somewhere between the 0.01% and the 0.000001%. You're a special snowflake. For the rest of us people, it works just fine and it makes us safer.