How to scan pfsense server itself for virus, etc.
-
I would like to scan the server to see whether it is infected or not.
-
Hi Techbee,
That's a very good question… but I am assuming that it should not be possible to actually get infected? Could be wrong, but that's like saying could my immune system get infected? (Not a doctor and could also be wrong.)
I'm pretty sure pfSense would have been developed in a way that it should be able to get infected by viruses; then again it is a machine and it does have ports, but shouldn't it be self-safe so that it shouldn't get infected?
Why do you ask though? Do you suspect something happened to your device?
I think the worst that could happen is it getting hacked and basically dislocated, de-configured maybe.
I don't have the answer to your question but just thought I'd reply because it's a really good question.
-
Wow, really… What code did you execute on pfSense that would be in question? Not many Linux/BSD type viruses out there… Sure, you could have gotten compromised and someone put on some sort of rootkit or something… You leave SSH open to the internet with some P@55w0rd! on it?
If you have any concerns that your firewall has been compromised in any way - nuke it from orbit! It's the only way to be sure…
-
There are no known viruses for FreeBSD in the wild; I'm confident enough to make that claim based on my long experience with it. There are a few rootkits and such that could in theory be usable against a pfSense installation, but pfSense mitigates them pretty much by not having additional unprivileged local users by default: it's a single-user system (you, the admin, as the sole user) unless you specifically add more local user accounts. If you have any sense you don't allow access to the webgui from untrusted networks, same with SSH access, which should also be using key-only logins, so that doesn't leave any attack surface for a rootkit.
-
@kpa:
There are few rootkits and such…
A rootkit is only an attack vector, not a virus itself, right? It could be used to install a virus/trojan/whathaveyou.
-
If you want to argue semantics, a rootkit is not even an attack vector; it's normally a toolset used to hide the presence or activity of another application - say a virus or malware, etc. Could be used to provide someone a backdoor to something via this other application, etc.
If he left his firewall open to, say, a brute-force attack against his SSH service, this could be used to install a rootkit, etc.
If he left some service open to pfSense like SSH or the webgui - it's not impossible to think that this could be used to leverage the installation of unwanted software on the machine, where a rootkit could be used to make sure that software stays hidden, etc.
-
Well, I asked because in my Suricata log, it detected a trojan on my pfSense WAN towards the outside internet. Correct me if I am wrong, but it seems to me that a trojan in my pfSense WAN is communicating with the outside internet.
-
"it detected trojan on my pfsense wan towards outside internet"
You do understand that all your clients send traffic out your WAN ;) It's way more likely that one of the clients behind pfSense is sending the traffic - or it's a false alarm completely.
How about some actual details and we can help look into what is causing the alert. What is the actual sig hit in Suricata? And you're saying it's not seeing this same hit on your LAN side? What are the details - where is it going, what is in the packet?
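The point made in the reply above is that outbound NAT rewrites every LAN client's source address to the firewall's WAN address, so a WAN-side Suricata alert "from pfSense" says nothing by itself about which host originated the traffic. The following is an added example (not code from the original thread or from pfSense/Suricata) of the check a practitioner would run before concluding the firewall itself is talking to the internet: correlate each outbound WAN alert with LAN-side records to the same destination within a short time window. The interface names (em0/em1), the WAN address, and the EVE JSON records are all constructed for this example; a real check would read Suricata's eve.json for both interfaces. Source port is deliberately not used as a match key because pfSense's default outbound NAT may rewrite it.

```python
import json
from datetime import datetime, timedelta

# Assumptions for this example: em0 is WAN, em1 is LAN, and 203.0.113.5 is the WAN address.
WAN_IFACE = "em0"
LAN_IFACE = "em1"
WAN_IP = "203.0.113.5"

# Constructed Suricata EVE JSON records (newline-delimited); SIDs are in the local
# 1000000+ range and signature names are made up, not real rule names.
SAMPLE_EVE = r"""
{"timestamp":"2017-03-10T12:00:01.000000+0000","event_type":"flow","in_iface":"em1","src_ip":"192.168.1.23","src_port":51234,"dest_ip":"198.51.100.77","dest_port":443,"proto":"TCP"}
{"timestamp":"2017-03-10T12:00:02.000000+0000","event_type":"alert","in_iface":"em0","src_ip":"203.0.113.5","src_port":61000,"dest_ip":"198.51.100.77","dest_port":443,"proto":"TCP","alert":{"signature_id":1000001,"signature":"CONSTRUCTED TROJAN sample checkin"}}
{"timestamp":"2017-03-10T12:05:00.000000+0000","event_type":"alert","in_iface":"em0","src_ip":"203.0.113.5","src_port":61001,"dest_ip":"198.51.100.9","dest_port":6667,"proto":"TCP","alert":{"signature_id":1000002,"signature":"CONSTRUCTED TROJAN sample IRC bot"}}
{"timestamp":"2017-03-10T12:06:00.000000+0000","event_type":"alert","in_iface":"em0","src_ip":"198.51.100.200","src_port":40000,"dest_ip":"203.0.113.5","dest_port":22,"proto":"TCP","alert":{"signature_id":1000003,"signature":"CONSTRUCTED SCAN sample SSH probe"}}
"""


def parse_eve(text):
    """Parse newline-delimited EVE JSON into dicts, adding a parsed timezone-aware timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        records.append(rec)
    return records


def flow_key(rec):
    """Destination tuple used for matching; the NAT'd source port is intentionally excluded."""
    return (rec["dest_ip"], rec["dest_port"], rec["proto"])


def attribute_wan_alerts(records, window_seconds=5):
    """For each outbound WAN alert sourced from the firewall's own WAN IP (i.e. post-NAT),
    list LAN-side hosts seen talking to the same destination within the window.
    An empty candidate list means no LAN client explains the alert, which is the
    case where looking at the firewall itself (or other interfaces) is warranted."""
    window = timedelta(seconds=window_seconds)
    lan_records = [r for r in records if r.get("in_iface") == LAN_IFACE]
    results = []
    for rec in records:
        if rec.get("event_type") != "alert" or rec.get("in_iface") != WAN_IFACE:
            continue
        if rec["src_ip"] != WAN_IP:
            continue  # inbound or transit traffic, not "firewall towards the internet"
        candidates = sorted({
            lan["src_ip"] for lan in lan_records
            if flow_key(lan) == flow_key(rec) and abs(lan["_ts"] - rec["_ts"]) <= window
        })
        results.append({
            "sid": rec["alert"]["signature_id"],
            "signature": rec["alert"]["signature"],
            "dest": f'{rec["dest_ip"]}:{rec["dest_port"]}/{rec["proto"]}',
            "lan_candidates": candidates,
            "verdict": "LAN client behind NAT" if candidates
                       else "no LAN match: inspect the firewall itself or other interfaces",
        })
    return results


if __name__ == "__main__":
    for r in attribute_wan_alerts(parse_eve(SAMPLE_EVE)):
        print(r)
```

In the constructed sample the first WAN alert is explained by a LAN flow from 192.168.1.23 one second earlier; the second has no LAN-side counterpart, which is the only case in which the "is pfSense itself infected?" question even arises. The inbound SSH-probe alert is skipped because its source is not the WAN address.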
-
Yes I do understand that.
But it crossed my mind: what if the cache objects of Squid contained malware, or any possibility that the malware was in the network and infected the pfSense server, since it is part of the network as well? Something like that. So I wonder if I can schedule cleaning on the server as well.
I don't remember the exact sig, but it's not appearing in my LAN logs; it is going outside to some IP address.
-
How the heck do you think the proxy would suddenly start running the cached objects in an execution context? If such a thing were possible nobody would trust that proxy software, because it would be too dangerous to use. You have to try a lot harder if you want to convince anyone here that such an infection is even remotely possible on pfSense.
-
kpa, firstly, I am not trying to convince anyone. It was only my idea.
The fact is, my concern is the subject of this thread.
So, if I get an answer to my question, the topic ends. It's not even a case of whether infection of the server is possible or not; all I am after is the answer to the question.
-
At a high level, you'd have to figure out how to install an antivirus product on a highly customized version of FreeBSD (pfSense).
There are some commercial titles on this list -> https://www.freebsd.org/commercial/software.html
On the free side, all I can think of is ClamAV off the top of my head.
-
"infected the pfsense server since it is part of the network as well."
Via what service?? What virus/worm are you aware of that can infect FreeBSD, and via what service? pfSense only listens on a couple of ports. Say NTP, SSH, HTTP(S); what other applications are running and listening on the network that some sort of worm could exploit and infect FreeBSD?
If you are seeing some sort of flag from your IPS that something is bad - then investigate where it's coming from. You have not shown this traffic is coming from pfSense itself, nor have you even validated that it's not some false positive…
I agree you should investigate such traffic - but jumping to think that something infected pfSense vs. looking to what else it might be is jumping the gun a bit…
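The reply above asks which services are actually listening on the firewall, which is the concrete question behind "can it be infected via the network" and also the first thing to check if you suspect the box itself. On FreeBSD (and therefore pfSense) `sockstat -4l` lists every IPv4 listening socket with its owning process. The following is an added example (not code from the thread or from pfSense) that parses that output and reports anything not on an allowlist of expected services. The sockstat text below is constructed, not captured from a real box, and the allowlist is an assumption that must be adjusted to the packages and services you have actually enabled; the two flagged entries (a stray listener on 4444 and an sshd on 2222) exist only to show the check firing.

```python
# Expected (command, port) pairs for a fairly default pfSense install: SSH, the
# nginx-served webgui, unbound DNS, NTP and DHCP. This allowlist is an ASSUMPTION
# for the example; edit it to match the services you have enabled.
EXPECTED = {
    ("sshd", 22),
    ("nginx", 80),
    ("nginx", 443),
    ("unbound", 53),
    ("ntpd", 123),
    ("dhcpd", 67),
}

# Constructed `sockstat -4l` output (not from a real system). The python3.7 listener
# on 4444 and the second sshd on 2222 are planted so the audit has something to report.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
root     nginx      2345  6  tcp4   *:443                 *:*
unbound  unbound    3456  5  udp4   192.168.1.1:53        *:*
root     ntpd       4567  20 udp4   *:123                 *:*
root     dhcpd      5678  7  udp4   *:67                  *:*
root     python3.7  6789  3  tcp4   *:4444                *:*
root     sshd       7890  4  tcp4   203.0.113.5:2222      *:*
"""


def parse_sockstat(text):
    """Parse `sockstat -4l` output (header line plus one socket per line) into dicts.
    Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header
        parts = line.split()
        if len(parts) < 7:
            continue
        user, command, pid, fd, proto, local, foreign = parts[:7]
        addr, _, port = local.rpartition(":")  # "*:22" -> ("*", "22"); IPv4 only here
        listeners.append({
            "user": user, "command": command, "pid": int(pid),
            "proto": proto, "addr": addr, "port": int(port),
        })
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED):
    """Return (command, proto, local-address, reason) for every listener not on the allowlist."""
    findings = []
    for l in listeners:
        if (l["command"], l["port"]) not in expected:
            findings.append((l["command"], l["proto"], f'{l["addr"]}:{l["port"]}',
                             "not in allowlist of expected services"))
    return findings


def audit(text, expected=EXPECTED):
    """Convenience wrapper: raw sockstat text in, list of findings out."""
    return unexpected_listeners(parse_sockstat(text), expected)


if __name__ == "__main__":
    for f in audit(SAMPLE_SOCKSTAT):
        print(f)
```

On the actual firewall you would feed it the live output (for instance `sockstat -4l > /tmp/sockets.txt` and parse that file) rather than the constructed sample. A listener you cannot explain is far stronger evidence than a WAN-side IDS hit, since the WAN address is shared by every NAT'd client. For the files on disk, FreeBSD's `pkg check -sa` recomputes checksums of every file installed by a package against the package database, which catches replaced binaries from installed packages, though not anything added outside the package system.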