Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Netgate shared root with ISP? ¯\_(❞⦈)_/¯

    Scheduled Pinned Locked Moved General pfSense Questions
    46 Posts 13 Posters 7.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • TheHowToT
      TheHowTo
      last edited by

      Dear,

      Most Internet Service Providers in Europe allowed only whitelisted modem/router.
      What that means is that the modem/router factory provided ISP with root access.

      Have Netgate shared PfSense root with any ISP?

      Thank you.

      JKnottJ Bob.DigB 2 Replies Last reply Reply Quote 0
      • JKnottJ
        JKnott @TheHowTo
        last edited by

        @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

        Have Netgate shared PfSense root with any ISP?

        I certainly hope not. Are you sure they don't mean access to the modem only? For example, my ISP can access my cable modem, but not pfSense.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        TheHowToT 1 Reply Last reply Reply Quote 0
        • TheHowToT
          TheHowTo @JKnott
          last edited by

          @JKnott said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

          I certainly hope not. Are you sure they don't mean access to the modem only? For example, my ISP can access my cable modem, but not pfSense.

          When you use modem/router’s os that not in ISP’s whitelisted library, then your profile will be put on fallback profile. This means that your download and upload speed become slower (around 1-10% from your paid capacities).

          I do hope an official Netgate spokesperson's will answer my question.

          JKnottJ GertjanG 2 Replies Last reply Reply Quote 0
          • JKnottJ
            JKnott @TheHowTo
            last edited by

            @TheHowTo

            If you have a modem, in bridge mode as I do, the ISP can access it, just as they can when it's in gateway mode. They do not have any reason to access anything beyond that, including pfSense. Remote management of telecom has long been common practice, but it does not extend to anything beyond the "demarc". My demarc is the the Ethernet ports on the LAN side of the modem. Would they also insist on access to a computer running Windows or Linux, if it was connected directly to the modem, whether in bridge or gateway mode. I can understand a "white list" of modems directly connected to their network, but not anything beyond it. So, I can accept that if you buy a modem they can access it, but not pfSense or anything else that's beyond the modem. Maybe you could clarify this with your ISP.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            1 Reply Last reply Reply Quote 1
            • GertjanG
              Gertjan @TheHowTo
              last edited by

              @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

              I do hope an official Netgate spokesperson's will answer my question.

              You are missing a very imortant thing : pfSense is based on OpenSource. Most (can't tell if I can say "all") is avaibla on github.

              This means - and I'm not kidding - everybody can check the question : "who has accesses to what". It's just a question of reading the code == just another language, which can be learned.

              @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

              Most Internet Service Providers in Europe allowed only whitelisted modem/router.

              Probably true, as they can 'set a file some where on a pre defined host' that informs the router to have itself upgrade.
              And they, the ISP, controls what the code is, as they know how these triple-boxes (phone, Internet, TV) work.
              So ok, the 'control my router or modem.
              I'm close to a big don't care situation here, as all the traffic - except maybe DNS - is already TLS. I wish them much luck deciphering ... For the nerds, DNS can also wrapped into TLS.
              So what do they see ? I don't use their phone services, neither TV.
              So they see my 'LAN' IP == the WAN IP of pfSense. probably also it's MAC address.
              That's ok to me ^^
              Maybe some (ISP) router (double) NAT rules ? Or a 'DMZ' setup in the ISP's router ? Ok, nice, it all points to pfSense.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • C
                chrcoluk
                last edited by chrcoluk

                No root is not shared, the password is set during installation, you can also add keys and/or change password post install, the ISP is not provided this information.

                ISP whitelists are usually just for the modem side, and even then they are often not rigidly enforced or can be bypassed.

                e.g. with virgin media in the UK, they do have a enforced whitelist for the modem, so in that situation you would put their superhub in modem mode which then bridges the traffic to a router that is chosen by the end user, e.g. pfSense.

                pfSense CE 2.8.0

                1 Reply Last reply Reply Quote 0
                • TheHowToT
                  TheHowTo
                  last edited by

                  The problem, most Europe’s ISP use (cheap) outsourcing from outside the Europe where the cyber crime law is not enforced.

                  I noticed that as soon as the connection is being made with ISP, they directly injected a script to change the PfSense configurations. This means ISP has already a backdoor access to PfSense.
                  Also they used either virtual machines from Azure (Microsoft) and AWS (Amazon) to hide their connections to all connected devices on PfSense. But little that they know, they (e.g. Matt, Lucky, Christophe and so on) were also being monitor by Authority ;)

                  NogBadTheBadN GertjanG C 3 Replies Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad @TheHowTo
                    last edited by

                    @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                    I noticed that as soon as the connection is being made with ISP, they directly injected a script to change the PfSense configurations. This means ISP has already a backdoor access to PfSense.

                    Your router isn't configured securely or your statement isn't true.

                    Seems a very odd thing to post for your first post.

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @TheHowTo
                      last edited by Gertjan

                      @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                      they directly injected a script to change the PfSense configurations.

                      ... and of course, as always, no reflex to take a photo with that smart phone, neither a capture of the screen, no copy of the scripts.

                      This means ISP has already a backdoor access to PfSense.

                      Look at the calendar. We are not friday yet. Friday after noon, pure BS is ok, as most of use are already gone doing weekend things.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      TheHowToT 1 Reply Last reply Reply Quote 0
                      • C
                        chrcoluk @TheHowTo
                        last edited by

                        @TheHowTo this is blatantly not true.

                        I am not staff of netgate or pfSense, my comment is as an individual who has knowledge of FreeBSD the underlying OS that powers pfSense.

                        The default firewall configuration in pfSense blocks all external traffic to the firewall interface, so that alone would prevent them doing what you state.

                        pfSense CE 2.8.0

                        TheHowToT 1 Reply Last reply Reply Quote 0
                        • TheHowToT
                          TheHowTo @Gertjan
                          last edited by

                          @Gertjan
                          Wait let me see... aren't you from Belgium?
                          I think I read some article about Gertjan.

                          1 Reply Last reply Reply Quote 0
                          • TheHowToT
                            TheHowTo @chrcoluk
                            last edited by

                            @chrcoluk said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                            @TheHowTo this is blatantly not true.

                            I am not staff of netgate or pfSense, my comment is as an individual who has knowledge of FreeBSD the underlying OS that powers pfSense.

                            The default firewall configuration in pfSense blocks all external traffic to the firewall interface, so that alone would prevent them doing what you state.

                            That is why I let an official Netgate spokesperson's answer my question.

                            JKnottJ 1 Reply Last reply Reply Quote 0
                            • Bob.DigB
                              Bob.Dig LAYER 8 @TheHowTo
                              last edited by

                              @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                              Most Internet Service Providers in Europe allowed only whitelisted modem/router.

                              Bullshit and blocked.

                              1 Reply Last reply Reply Quote 1
                              • RicoR
                                Rico LAYER 8 Rebel Alliance
                                last edited by

                                Don't feed the troll.

                                -Rico

                                1 Reply Last reply Reply Quote 1
                                • JKnottJ
                                  JKnott @TheHowTo
                                  last edited by

                                  @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                                  That is why I let an official Netgate spokesperson's answer my question.

                                  As a long time user of firewalls, including pfsense, I have never heard of such a thing. Firewalls should block any such attempt to gain root access or they're not doing their job. For example, I do not have any such access enabled on pfSense, I have to use a VPN to get in. What access control are you supposed to use? Do you given them passwords? SSH keys? If not, your firewall is wide open to anyone. With cable modems, as I have here, the ISP does have access to it, but nothing beyond. If you put an ordinary computer there, do they get root access to it too?

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                  TheHowToT 1 Reply Last reply Reply Quote 0
                                  • TheHowToT
                                    TheHowTo @JKnott
                                    last edited by

                                    @JKnott said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                                    As a long time user of firewalls, including pfsense, I have never heard of such a thing. Firewalls should block any such attempt to gain root access or they're not doing their job. For example, I do not have any such access enabled on pfSense, I have to use a VPN to get in. What access control are you supposed to use? Do you given them passwords? SSH keys? If not, your firewall is wide open to anyone. With cable modems, as I have here, the ISP does have access to it, but nothing beyond. If you put an ordinary computer there, do they get root access to it too?

                                    I have a long and strong PfSense password (upper/lowercase, numbers, symbols). My PfSense configuration is stealth.
                                    But messages “login: login on ttyv0 as root” keep appearing in my log, while I have enable password protect the console menu.
                                    Does this means my PfSense has been compromised because an unauthorized person logged into my PfSense console?

                                    The answer of my question is very simple, yes or no?

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      @TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                                      login on ttyv0 as root

                                      https://docs.netgate.com/pfsense/en/latest/monitoring/troubleshooting-login-on-console-as-root-log-messages.html

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      TheHowToT 1 Reply Last reply Reply Quote 0
                                      • TheHowToT
                                        TheHowTo @johnpoz
                                        last edited by

                                        @johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                                        https://docs.netgate.com/pfsense/en/latest/monitoring/troubleshooting-login-on-console-as-root-log-messages.html

                                        Thanks for the link to the document.
                                        As stated in the document, if console logins are already enabled, then this means someone logged into the console.

                                        Let give Netgate the benefit of doubt. But I still do hope that Netgate spokesperson's will answer my main question.

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          Of course not!

                                          As already stated you can change the root password anyway, and I assume you have done.

                                          I also assume you have not opened anything on your WAN anyone could login from?

                                          And the physical console is not publicly accessible?

                                          Let's see your logs so we check what's happening.

                                          Steve

                                          TheHowToT 1 Reply Last reply Reply Quote 0
                                          • TheHowToT
                                            TheHowTo @stephenw10
                                            last edited by

                                            @stephenw10 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

                                            Of course not!

                                            As already stated you can change the root password anyway, and I assume you have done.

                                            I also assume you have not opened anything on your WAN anyone could login from?

                                            And the physical console is not publicly accessible?

                                            Let's see your logs so we check what's happening.

                                            Steve

                                            Because of those messages I have changed PfSense root password and reset PfSense many times, but somehow they always manage to open a superuser’s backdoor and bypass the password protection. After that they changed my PfSense settings (e.g. disabling some firewall rules, changing DNS, DHCP and so on).
                                            My wan firewall rule is set to default (empty), Lan is not accessible from Opt and Opt ports are for devices to connect to internet (only 80, 443). All IPv6 are disabled and I use pfBlockerNG and Snort.

                                            For security reasons, I cannot post my logs here. ISP hires an irresponsible outsourcing IT company that opens the door to hackers to carry out attacks. And you can find those hackers in this forum too. Usually they aim for administrators or moderators functions. Their common traits and characteristics are bullying, intimidation, harassment, lying and belittling people (calling people delusional). Right mr. Peeters? 😉

                                            NogBadTheBadN A 2 Replies Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.