Netgate Discussion Forum
    pfsense keeping securelevel=3 after reboot.

    Category: Off-Topic & Non-Support Discussion
    7 Posts, 4 Posters, 1.0k Views
    techguy24:

      Hello guys,

      I am pretty new to the pfSense firewall; however, I was told I need to learn it for a cyber security competition coming up. Basically, you have a network you need to defend.

      Last year, I was told that they were able to completely disable the firewall rules by raising the securelevel to level 3 and by adding a script to continuously raise the securelevel in case we rebooted. I have been trying to replicate this attack so I know where to look and how to defend against it. I have managed to raise the securelevel to 3 by using the sysctl kern.securelevel=3 command. However, I am not sure how to keep it raised to 3. I have tried changing the sysctl.conf file and the rc.conf file in /etc/defaults/rc.conf. I switched kern_securelevel_enable to YES and kern_securelevel=3. Note: the rc.conf file in /etc/rc.conf says it does not perform a function. So I guess my question is: how do I keep the securelevel raised to 3 after reboot?

      Thanks for taking the time to read that

      heper:

        You might want to ask the more important question here: how did they gain root access on the pfSense console?

        jimp (Rebel Alliance Developer, Netgate):

          pfSense does not use all of FreeBSD's rc system, so rc.conf is not going to do anything at all.

          You might try putting it in /boot/loader.conf.local or adding it under System > Advanced, System Tunables tab.

          If someone had enough access to set that in the first place, the firewall is already compromised though.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

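          For the defender's side of this, the two locations jimp names (/boot/loader.conf.local and the System Tunables tab, which pfSense stores in config.xml) plus /etc/sysctl.conf are the places to audit. The script below is an added example for this thread, not code from the forum posts or from Netgate/pfSense; it parses those files for a pinned kern.securelevel. The config.xml layout it assumes (`<sysctl><item><tunable>NAME</tunable><value>V</value></item>`) is an assumption, and the sample files it builds under a temp directory are constructed so it runs offline. Two FreeBSD facts worth keeping in mind: at securelevel 3 the pf ruleset is frozen, not removed, so pfSense's own rule reloads fail until reboot; and securelevel can only be raised at runtime, never lowered, so the only cleanup is to remove the pin and reboot.

```shell
#!/bin/sh
# Audit where kern.securelevel is pinned on a pfSense/FreeBSD box.
# Added example for this thread; not code from the forum or from Netgate/pfSense.
# Real paths: /etc/sysctl.conf, /boot/loader.conf, /boot/loader.conf.local,
# /etc/rc.local and pfSense's /cf/conf/config.xml. Assumed: System Tunables are
# stored in config.xml as <sysctl><item><tunable>NAME</tunable><value>V</value></item>.

# Last uncommented NAME=VALUE line in a sysctl.conf/loader.conf-style file.
# Prints the value with quotes and trailing comments stripped, or nothing.
tunable_from_file() {
    tf_file=$1
    tf_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    [ -r "$tf_file" ] || return 0
    grep -E "^[[:space:]]*${tf_re}[[:space:]]*=" "$tf_file" | tail -n 1 |
        sed -e 's/^[^=]*=[[:space:]]*//' -e 's/^"//' -e 's/".*$//' -e 's/[[:space:]#].*$//'
}

# Value of NAME under <sysctl><item> in config.xml (layout assumed above).
# The last matching item wins, which is what a later edit would do.
tunable_from_config_xml() {
    tx_file=$1
    [ -r "$tx_file" ] || return 0
    awk -v want="$2" '
        /<tunable>/ { t = $0; sub(/.*<tunable>/, "", t); sub(/<\/tunable>.*/, "", t) }
        /<value>/   { v = $0; sub(/.*<value>/, "", v); sub(/<\/value>.*/, "", v)
                      if (t == want) last = v; t = "" }
        END { if (last != "") print last }' "$tx_file"
}

# FreeBSD semantics: at kern.securelevel >= 3 the packet filter ruleset cannot
# be changed, so pfctl reloads fail. Prints "frozen" or "mutable".
pf_rules_state() {
    case $1 in
        3|[4-9]|[1-9][0-9]*) echo frozen ;;
        *)                   echo mutable ;;
    esac
}

# List every persistence location under ROOT (default "/") that sets
# kern.securelevel, one "path=value" per line. A file that only mentions the
# sysctl (e.g. a "sysctl kern.securelevel=3" command line) is reported as
# "path=?" so it still gets looked at.
audit_securelevel() {
    root=${1%/}
    for loc in /etc/sysctl.conf /boot/loader.conf /boot/loader.conf.local \
               /etc/rc.local /cf/conf/config.xml; do
        p="$root$loc"
        [ -r "$p" ] || continue
        case $loc in
            */config.xml) v=$(tunable_from_config_xml "$p" kern.securelevel) ;;
            *)            v=$(tunable_from_file "$p" kern.securelevel) ;;
        esac
        if [ -n "$v" ]; then
            echo "$loc=$v"
        elif grep -q 'kern\.securelevel' "$p"; then
            echo "$loc=?"
        fi
    done
}

# Constructed sample (not from any real system): a box pinned in
# loader.conf.local and in config.xml, plus a malformed sysctl.conf line.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/etc" "$SAMPLE_ROOT/boot" "$SAMPLE_ROOT/cf/conf"
cat > "$SAMPLE_ROOT/etc/sysctl.conf" <<'EOF'
net.inet.ip.forwarding=1
sysctl kern.securelevel=3
EOF
cat > "$SAMPLE_ROOT/boot/loader.conf.local" <<'EOF'
kern.securelevel="3"   # pinned at boot
EOF
cat > "$SAMPLE_ROOT/cf/conf/config.xml" <<'EOF'
<pfsense>
  <sysctl>
    <item>
      <descr><![CDATA[Pinned via System Tunables]]></descr>
      <tunable>kern.securelevel</tunable>
      <value>3</value>
    </item>
  </sysctl>
</pfsense>
EOF

# Prints:
#   /etc/sysctl.conf=?
#   /boot/loader.conf.local=3
#   /cf/conf/config.xml=3
audit_securelevel "$SAMPLE_ROOT"
```

          Run it with no argument on the box itself to audit the live filesystem, or pass the mount point of a disk image taken from the compromised unit. Compare the result with `sysctl kern.securelevel` for the running value; if the live value is already 3, removing the pins does nothing until the next reboot.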
          techguy24:

            I discovered that I had to add sysctl to the sysctl.conf file. So I was putting down "kern.securelevel=3" instead of "sysctl kern.securelevel=3". It is a stupid mistake, but again, I'm new to this. Thanks for the help. I was able to find loader.conf but not loader.conf.local. Is that the same thing?

            As for how they got root access: honestly, I think they get a head start to use the default credentials before we get our hands on the computers so that might be why they have root access so quickly.

            jimp:

              Nothing you do after the box has been compromised would be able to secure it. Wipe/reload and secure it before it's put back on a network accessible to attackers.

              jimp:

                And you can create loader.conf.local if it doesn't exist (it won't exist by default).

                JeGr (LAYER 8 Moderator), replying to techguy24:

                  @jmatz88 said in pfsense keeping securelevel=3 after reboot.:

                  I think they get a head start to use the default credentials before we get our hands on the computers so that might be why they have root access so quickly.

                  Then that defeats the purpose of the competition, doesn't it? If you say your aim is to "defend your network", then you should be the one that gets access. No one worth their pay would install a firewall with access to the WAN/insecure network granted and default credentials still in place (even 2.4.4 now gives very big warnings about that). If they get a head start to "attack" a device with default credentials, that is no competition to defend but a cleanup job, and the most secure way would be to kill the box (re-install) and bring it back once it is secured and doesn't have WAN access to the web UI at all. ;)

                  Just my $0.02, because that sounded more like a Kobayashi Maru than a "competition" :)

                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.