Can't access 3100 appliance
-
@NollipfSense Thanks for the suggestion. That is a "hot" word. It does appear that someone did get into our network as they connected to the computer used to do our shipping and they shut down several VM machines. It looks like they booted themselves out when they shut down the machine they were using to access our network. The point is.. they got past the firewall somehow and when we went to look at the firewall we found the password appears to have been changed so we think we were indeed "hacked".
-
@bmeeks said in Can't access 3100 appliance - hacked:
@cdsJerry said in Can't access 3100 appliance - hacked:
@stephenw10 And these are all fixed IPs and no changes to any of them during this time.
Are you 100% sure, though, that another transient device is not getting connected to the network and then later removed, and this transient device happens to have the same IP address as your pfSense box? The symptoms you describe have the hallmarks of a duplicate IP address on the local network. This transient device could be a wireless device or a wired device (someone's laptop maybe).
There is no wireless access to any fixed IPs or device that has dhcp to any fixed IPs. The only way to access those IPs would be to connect to the managed switch, or the pfSense appliance itself. In our tiny company I'm the only one with access to those pieces of equipment. I didn't make any changes except I swapped out our old pfSense for the appliance while I rebuilt the appliance. The old pfsense and the appliance are not on the same WAN IP so there shouldn't have been a conflict there. And both devices were never both connected at the same time for that matter.
It's still working OK. I've had it open all day today and no glitches in spite of no changes.
-
@cdsJerry What you described seems more internal...like a disgruntled employee who knew the network administrator's password and paid back...shame on the network administrator indeed!
-
@NollipfSense There are only two of us and I'm the only one with access. I use secure passwords and have never shared those passwords with anyone. I use a password manager (Dashlane) to keep track of them because I use comlex passwords that are never used in more than one place. My one employee has zero access to pfsense.
-
@cdsJerry At least, you know it was the shipping computer that was used; however, it still puzzling because a complex password is not easy to change on a firewall, much lest a robust firewall such as pfSense. So, do you know what IP address was used, the time and date and the ISP the IP address came from? Is your password manager configured to change the password after a period elapsed? Do you have any idea why you were targeted?
I have never used a password manager on a firewall. I still think you should remove "hacked" until you're absolutely sure with a preponderance of substantiable evidence.
-
@NollipfSense I do not know what IP address was used. The shipping computer is connected to the LAN and has no WAN IP. It's behind pfsense and behind another router. I can only guess at the time based on when I noticed an attempt to log into our FTP server (from the shipping computer). They may have been inside for a while before that of course.
The password manager doesn't change the password on pfsense, nor is it connected to it. Dashlane is simply an encrypted password management program that creates and stores secure passwords. Google it, it's really handy. To change the PW on pfsense I'd still need to log into it via the GUI. Dashlane just allows me to use longer more secure passwords without trying to remember them all.
I have no idea why I'd be targeted. Our domain name gets a lot of hits but we're a small company. There are no financial fortunes here to discover. But a hacker wouldn't know that until he gets in.
And I did remove "hacked" from the subject already based on your first suggestion.
-
@cdsJerry said in Can't access 3100 appliance:
And I did remove "hacked" from the subject already based on your first suggestion.
Cool...I didn't notice as I was at the bottom of the thread...thank you!
I got to say though the shipping computer with no WAN IP made me scratch my head...so, what the router in front of it but behind the pfSense box do?
-
@NollipfSense My pfsense is in pass through mode. It doesn't issue IPS etc. It just makes sure the traffic coming in is "clean" and controls what ports are open etc. The WAN IPs all pass through it to their destinations which then control the traffic from that point forward.
-
Given that someone was able to shutdown VMs and that your firewall is in pass thoughmode with public IPs internally, is it possible 'they' created a new VM on the same IP as pfSense? Or altered the IP of existing VM?
Steve
-
@stephenw10 There weren't any new VMs. We only have a few running so it would have been easy to spot. And the VMs aren't on the same WAN IP as pfsense. They pass through pfsense but you can't access pfsense from them as they are not the WAN assigned to pfsense. Pfsense is the only thing using that IP. The VM host uses a LAN IP for it's access. It is connected to the WAN in order to pass those WAN addresses over to the virtual NIC cards in the VMs but none of those WAN IPs are assigned to the NIC on the host (Proxmox). None of the IPs on the VMs have been altered.
-
@cdsJerry said in Can't access 3100 appliance:
@NollipfSense My pfsense is in pass through mode. It doesn't issue IPS etc. It just makes sure the traffic coming in is "clean" and controls what ports are open etc. The WAN IPs all pass through it to their destinations which then control the traffic from that point forward.
Okay, I remember reading your response earlier where you mentioned the above. I don't know what to say...
-
I'm assuming you've gone back through the pfSense logs and there are no reports of: 'xxxxxx is using my IP!' ?
Because it really looks like that might have happened from everything you describe.
Steve
-
@stephenw10 The short answer would be no we didn't. I didn't see anything that jumped out at me when I was looking in the logs but I didn't know what I was looking for. In pass-through mode would that error even show up?
When we couldn't get the password to reset and we couldn't get into pfSense via the GUI we ended up re-loading the entire thing from a backup just to make sure that none of the rules or aliases had been altered, so everything was reset at that point to try and secure the network again.
-
pfSense will log that if it sees some other device using it's IP so broadcast messages from that IP or something else responding to ARP. I would see that traffic in a bridged setup still.
Steve
-
@stephenw10 I don't see anything like that in the logs. And it's still working fine today. Nothing on the network has changed but it's all operating as expected for several days now.
-
Hmm, well that's a public IP so it could have been some issue at your provider. They mistakenly issued your IP to another client perhaps and have now corrected that. Hard to say at this point.
-
It definitely looks like your configuration is more complex, so maybe this is not very useful to you.
But I'll toss it out there.One of the practices I've developed is to assign virtual IPs to my router.
I worked a fair bit in telecom before as a developer, and I just developed this as habit in our test labs.
I've kept it going in my home setups.
For example, my sg-3100 has 192.168.1.1, 192.168.1.2...The reason I do this is in case a device I plug in to the network default to a certain conflicting IP. This way, I can still access the router and see what's happening.
-
@yaminb In my case there's no potential for an IP conflict because there's no DHCP on any WAN IP. The pfSense has a WAN but everything else is just passed along. The routers are all downstream and would hand out DHCP to any device plugged into their networks. I only have a dozen WAN IPs so it's not hard to track those in the switch, and nothing would ever be connected directly to the ISP other than those dozen, and even those are post-pfSense.
