WAN Permit Inbound All Traffic
-
In the system general log, I just noticed a number of items such as:
- sshguard 11213 Attack from "165.227.214.163" on service SSH with danger 10
- sshd 68770 Connection closed by 198.108.66.18 port 32546 [preauth]
- sshd 50027 Did not receive identification string from 162.243.141.005 port 33114
- sshd 68710 Received disconnect from 208.113.167.128
- sshd 25744 Unable to negotiate with 198.98.60.145 port 55671: no matching key exchange method found.
Looking at the firewall, it appears I inadvertently set pfBlockerNG to create a Permit Inbound rule for my region. I've disabled pfBlockerNG (for now) and manually deleted its auto rules.
I have ssh set up for public key, and my pfSense login passwords are very strong. I haven't found any evidence of my pfSense settings being changed. The only port forwards I have are configured with a Source Address, except for a minecraft server. I don't see any indication that anyone accessed the minecraft server.
What else should I look for for any indication of a successful attack?
How unprotected was my network? I'm hoping NAT kept hackers out of the network itself?
-
It would only have opened access to services on the firewall itself. If anyone had been able to login, very unlikely, you would see a successful login logged in the system log.
Steve
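As an added example (not code from the thread or from pfSense), a small Python triage script over the kind of sshd/sshguard lines quoted above: it separates the pre-authentication noise from completed logins, which is the event to look for in the system log. The "Accepted ..." lines and the trusted-source IP are constructed placeholders from the documentation address ranges, not from the post.

```python
import re
from collections import Counter

# Message shapes from the pfSense system log (sshd and sshguard); "ip" captures the peer.
PATTERNS = {
    "sshguard": re.compile(r'Attack from "(?P<ip>[\d.]+)" on service SSH'),
    "preauth_close": re.compile(r"Connection closed by (?P<ip>[\d.]+) .*\[preauth\]"),
    "no_ident": re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)"),
    "disconnect": re.compile(r"Received disconnect from (?P<ip>[\d.]+)"),
    "kex_failure": re.compile(r"Unable to negotiate with (?P<ip>[\d.]+)"),
    # The line that matters: OpenSSH logs a completed login as "Accepted <method> for <user> from <ip>".
    "accepted": re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"),
}

def classify(line):
    """Return (category, captured fields) for one log line, or (None, {}) if it is not a known event."""
    for name, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return name, m.groupdict()
    return None, {}

def triage(lines, trusted_sources=()):
    """Count pre-auth noise per source IP; collect completed logins from IPs not in trusted_sources."""
    noise = Counter()
    unexpected_logins = []
    for line in lines:
        cat, info = classify(line)
        if cat == "accepted":
            if info["ip"] not in trusted_sources:
                unexpected_logins.append((info["user"], info["method"], info["ip"]))
        elif cat is not None:
            noise[info["ip"]] += 1
    return noise, unexpected_logins

# Constructed sample: the five lines quoted in the post plus two "Accepted" lines that are NOT from
# the post (placeholder IPs), one from a known admin workstation and one from an unknown source.
SAMPLE_LOG = [
    'sshguard 11213 Attack from "165.227.214.163" on service SSH with danger 10',
    "sshd 68770 Connection closed by 198.108.66.18 port 32546 [preauth]",
    "sshd 50027 Did not receive identification string from 162.243.141.005 port 33114",
    "sshd 68710 Received disconnect from 208.113.167.128",
    "sshd 25744 Unable to negotiate with 198.98.60.145 port 55671: no matching key exchange method found.",
    "sshd 41122 Accepted publickey for admin from 203.0.113.5 port 50222 ssh2",
    "sshd 41130 Accepted publickey for admin from 192.0.2.10 port 50111 ssh2",
]

if __name__ == "__main__":
    noise, logins = triage(SAMPLE_LOG, trusted_sources=("203.0.113.5",))
    for ip, n in noise.most_common():
        print(f"{ip:<18} {n} failed/aborted attempt(s)")
    for user, method, ip in logins:
        print(f"REVIEW: {user} logged in via {method} from untrusted source {ip}")
```

Feed it the exported system log instead of SAMPLE_LOG and put your own management addresses in trusted_sources; any remaining entry in the REVIEW list is a login you cannot account for.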
-
There is a danger when you let pfBlockerNG create automatic inbound "allow" rules, especially on the WAN. There is a long thread from about a year ago about the issue posted here: https://forum.netgate.com/topic/143007/new-user-to-pfsense-some-doubts.
I believe that as a result of that thread discussion and some offline back and forth among others, @BBcan177 made some changes to the pfBlockerNG package to address this issue. Not sure exactly what they were, though, as I don't use that package.
The best way to use the package is to create your own aliases and let pfBlockerNG maintain the content of those aliases. Then you create your own firewall rules referencing those aliases.
-
Yes, I completely agree with that. Having pfBlocker create aliases only and assigning them yourself allows you to see exactly what's happening. That's how I use it.
Steve