Netgate shared root with ISP? ¯\_(❞⦈)_/¯
-
@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
login on ttyv0 as root
https://docs.netgate.com/pfsense/en/latest/monitoring/troubleshooting-login-on-console-as-root-log-messages.html
-
@johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
https://docs.netgate.com/pfsense/en/latest/monitoring/troubleshooting-login-on-console-as-root-log-messages.html
Thanks for the link to the document.
As stated in the document, if console logins are already enabled, then this means someone logged into the console.Let give Netgate the benefit of doubt. But I still do hope that Netgate spokesperson's will answer my main question.
-
Of course not!
As already stated you can change the root password anyway, and I assume you have done.
I also assume you have not opened anything on your WAN anyone could login from?
And the physical console is not publicly accessible?
Let's see your logs so we check what's happening.
Steve
-
@stephenw10 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
Of course not!
As already stated you can change the root password anyway, and I assume you have done.
I also assume you have not opened anything on your WAN anyone could login from?
And the physical console is not publicly accessible?
Let's see your logs so we check what's happening.
Steve
Because of those messages I have changed PfSense root password and reset PfSense many times, but somehow they always manage to open a superuser’s backdoor and bypass the password protection. After that they changed my PfSense settings (e.g. disabling some firewall rules, changing DNS, DHCP and so on).
My wan firewall rule is set to default (empty), Lan is not accessible from Opt and Opt ports are for devices to connect to internet (only 80, 443). All IPv6 are disabled and I use pfBlockerNG and Snort.For security reasons, I cannot post my logs here. ISP hires an irresponsible outsourcing IT company that opens the door to hackers to carry out attacks. And you can find those hackers in this forum too. Usually they aim for administrators or moderators functions. Their common traits and characteristics are bullying, intimidation, harassment, lying and belittling people (calling people delusional). Right mr. Peeters?
-
@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
@stephenw10 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
Of course not!
As already stated you can change the root password anyway, and I assume you have done.
I also assume you have not opened anything on your WAN anyone could login from?
And the physical console is not publicly accessible?
Let's see your logs so we check what's happening.
Steve
Because of those messages I have changed PfSense root password and reset PfSense many times, but somehow they always manage to open a superuser’s backdoor and bypass the password protection. After that they changed my PfSense settings (e.g. disabling some firewall rules, changing DNS, DHCP and so on).
My wan firewall rule is set to default (empty), Lan is not accessible from Opt and Opt ports are for devices to connect to internet (only 80, 443). All IPv6 are disabled and I use pfBlockerNG and Snort.For security reasons, I cannot post my logs here. ISP hires an irresponsible outsourcing IT company that opens the door to hackers to carry out attacks. And you can find those hackers in this forum too. Usually they aim for administrators or moderators functions. Their common traits and characteristics are bullying, intimidation, harassment, lying and belittling people (calling people delusional). Right mr. Peeters?
Crap or get off the pot
post the logs and change the IP addresses if you are that worried. -
So the logs you are seeing are like, for example?:
Aug 16 12:14:22 syslogd kernel boot file is /boot/kernel/kernel Aug 16 12:14:22 kernel done. Aug 16 12:14:23 php-fpm 343 /rc.start_packages: Restarting/Starting all packages. Aug 16 12:14:24 login login on ttyv0 as root Aug 16 12:15:34 check_reload_status rc.newwanip starting igb0 Aug 16 12:15:35 php-fpm 343 /rc.newwanip: rc.newwanip: Info: starting on igb0.That is expected and not an indication some bad actor is connected to your firewall as that link shows.
Steve
-
I don't know - if your first thought after seeing some log entries you don't understand is that what is pretty much the most well known and used opensource firewall distro on the planet is that they have colluded with the man to allow back doors into their project.. And for that matter if doing such a thing, too stupid or lazy to even not log said entries..
Hmmmm,
I think maybe its time to lay off the paranoia inducing recreational drugs ;)
But maybe that's just me ;) hehehehe
I also don't think they faked the moon landing... Or believe that our Reptilian overlords pull the strings, etc. So maybe not really the best one to ask ;)
-
@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
After that they changed my PfSense settings (e.g. disabling some firewall rules, changing DNS, DHCP and so on).
Well that's complete nonsense, and doesn't happen with a NORMAL install of pfsense. And when I say normal, I mean, you didn't turn off the top 2 deny rules for the WAN interface:
- Block private networks
- Block bogon networks
Show us a screenshot of your WAN rules, and mask out any sensitive information.
-
ttyv0is the physical video console. Nobody can login to that remotely. It can only be accessed via keyboard and monitor. Similarly,ttyu0is a serial (uart) console and cannot be logged into remotely, only via local serial connection.Seeing a login on
ttyv0just means the menu redrew itself. If you see it a lot, something is probably corrupted on your filesystem leading to a problem with the tty itself.Nobody has shared root access with your ISP or anyone else. There are no backdoors.
-
@stephenw10 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
So the logs you are seeing are like, for example?:
Aug 16 12:14:22 syslogd kernel boot file is /boot/kernel/kernel Aug 16 12:14:22 kernel done. Aug 16 12:14:23 php-fpm 343 /rc.start_packages: Restarting/Starting all packages. Aug 16 12:14:24 login login on ttyv0 as root Aug 16 12:15:34 check_reload_status rc.newwanip starting igb0 Aug 16 12:15:35 php-fpm 343 /rc.newwanip: rc.newwanip: Info: starting on igb0.That is expected and not an indication some bad actor is connected to your firewall as that link shows.
Steve
Thanks Steve, but that is not what I see. Your log indicated services restarting because wan dhcp lease renewal process.
Ok, let just say there are no bad actors.Would you please explain to me the Unexplained Phenomena, like why I see my floating firewall rules being changed, some were edited and some deleted (e.g. AmazonAWS IP Range) with log messages: "Syncing firewall, Reloading filter"?
-
When logging in to the GUI, you'll see this :
Logging in using a ssh client :
The IP's "192.168.1.120" and "2001:470:1f13:5c0:2::84" are both the ones from my LAN network.
Let's say : it's an inside job. It's me using a device on my LAN.Btw : great : your ISP is helping you administrating your pfSense ?!!
What are your WAN firewall rules ? Or did you install a KVM module for them so they can remotely using a keyboard / VGA ? ( @jimp : people often omit to mention the most incredible details about their installation ) They have a OpenVPN access for remote administration ?For me, it just an inside job. Or the (one of) the other you(s).
-
@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
I see my floating firewall rules being changed, some were edited and some deleted
And what does your config history show.. example
-
@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
Would you please explain to me the Unexplained Phenomena, like why I see my floating firewall rules being changed, some were edited and some deleted (e.g. AmazonAWS IP Range) with log messages: "Syncing firewall, Reloading filter"?
Maybe you have something like pfBlockerNG which is automatically managing your rules? It does exactly those kinds of things.
-
I was thinking the same thing... While pfblocker is a great package, I am not a fan of anything that auto manipulates rules.. I use it really as just fancy aliases management - I have it create the aliases, and then I use those in my rules as I want.
But I would have to assume any changes to rules would be listed in the configuration history, but since I don't have pfblocker manipulating my rules, not sure how that would look in the log?
-
What I know and experienced, pfBlockerNG only prioritizes their rules in floating rules order, but it never deleted any custom rules.
If you do not believe me, try to install pfBlockerNG, make custom rules to block AmazonAWS (hackers virtual machines) and then do a cron update.
Here is AmazonAWS’s IP range: AWS IP address ranges -
And did you bother to look in your config history... Anything that changes the config should be listed there..
-
@johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
And did you bother to look in your config history... Anything that changes the config should be listed there..
Config history says "Edited a firewall alias, made unkown change" However I did not login to SSH or GUI at that specific time.
It does not matter anymore because even after factory reset, everytime the hackers knew how to bypass the password protection.
I still give Netgate the benefit of doubt. Maybe there are some bugs or loopholes (e.g. superuser's backdoor) in PfSense version 2.4.5-p1.I really wish that I can hardening PfSense with Firejail and Apparmor.
-
@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
"Edited a firewall alias, made unkown change"
And what did it say did that that unknown change.. Post a screenshot of your config history showing these changes..
OMG - I've been hacker3d
-
@johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:
And what did it say did that that unknown change.. Post a screenshot of your config history showing these changes..
OMG - I've been hacker3d
Gotcha!
-
@stephenw10 Would you please tell Dev to fix these loophole (superuser's backdoor) and bug (openvpn over tcp) on the next PfSense version.
Thank you.
