Netgate shared root with ISP? ¯\_(❞⦈)_/¯

TheHowTo

Dear,

Most Internet Service Providers in Europe allowed only whitelisted modem/router.
What that means is that the modem/router factory provided ISP with root access.

Have Netgate shared PfSense root with any ISP?

Thank you.

JKnott

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

Have Netgate shared PfSense root with any ISP?

I certainly hope not. Are you sure they don't mean access to the modem only? For example, my ISP can access my cable modem, but not pfSense.

TheHowTo

@JKnott said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

I certainly hope not. Are you sure they don't mean access to the modem only? For example, my ISP can access my cable modem, but not pfSense.

When you use modem/router’s os that not in ISP’s whitelisted library, then your profile will be put on fallback profile. This means that your download and upload speed become slower (around 1-10% from your paid capacities).

I do hope an official Netgate spokesperson's will answer my question.

JKnott

@TheHowTo

If you have a modem, in bridge mode as I do, the ISP can access it, just as they can when it's in gateway mode. They do not have any reason to access anything beyond that, including pfSense. Remote management of telecom has long been common practice, but it does not extend to anything beyond the "demarc". My demarc is the the Ethernet ports on the LAN side of the modem. Would they also insist on access to a computer running Windows or Linux, if it was connected directly to the modem, whether in bridge or gateway mode. I can understand a "white list" of modems directly connected to their network, but not anything beyond it. So, I can accept that if you buy a modem they can access it, but not pfSense or anything else that's beyond the modem. Maybe you could clarify this with your ISP.

Gertjan

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

I do hope an official Netgate spokesperson's will answer my question.

You are missing a very imortant thing : pfSense is based on OpenSource. Most (can't tell if I can say "all") is avaibla on github.

This means - and I'm not kidding - everybody can check the question : "who has accesses to what". It's just a question of reading the code == just another language, which can be learned.

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

Most Internet Service Providers in Europe allowed only whitelisted modem/router.

Probably true, as they can 'set a file some where on a pre defined host' that informs the router to have itself upgrade.
And they, the ISP, controls what the code is, as they know how these triple-boxes (phone, Internet, TV) work.
So ok, the 'control my router or modem.
I'm close to a big don't care situation here, as all the traffic - except maybe DNS - is already TLS. I wish them much luck deciphering ... For the nerds, DNS can also wrapped into TLS.
So what do they see ? I don't use their phone services, neither TV.
So they see my 'LAN' IP == the WAN IP of pfSense. probably also it's MAC address.
That's ok to me ^^
Maybe some (ISP) router (double) NAT rules ? Or a 'DMZ' setup in the ISP's router ? Ok, nice, it all points to pfSense.

chrcoluk

No root is not shared, the password is set during installation, you can also add keys and/or change password post install, the ISP is not provided this information.

ISP whitelists are usually just for the modem side, and even then they are often not rigidly enforced or can be bypassed.

e.g. with virgin media in the UK, they do have a enforced whitelist for the modem, so in that situation you would put their superhub in modem mode which then bridges the traffic to a router that is chosen by the end user, e.g. pfSense.

TheHowTo

The problem, most Europe’s ISP use (cheap) outsourcing from outside the Europe where the cyber crime law is not enforced.

I noticed that as soon as the connection is being made with ISP, they directly injected a script to change the PfSense configurations. This means ISP has already a backdoor access to PfSense.
Also they used either virtual machines from Azure (Microsoft) and AWS (Amazon) to hide their connections to all connected devices on PfSense. But little that they know, they (e.g. Matt, Lucky, Christophe and so on) were also being monitor by Authority ;)

NogBadTheBad

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

I noticed that as soon as the connection is being made with ISP, they directly injected a script to change the PfSense configurations. This means ISP has already a backdoor access to PfSense.

Your router isn't configured securely or your statement isn't true.

Seems a very odd thing to post for your first post.

Gertjan

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

they directly injected a script to change the PfSense configurations.

... and of course, as always, no reflex to take a photo with that smart phone, neither a capture of the screen, no copy of the scripts.

This means ISP has already a backdoor access to PfSense.

Look at the calendar. We are not friday yet. Friday after noon, pure BS is ok, as most of use are already gone doing weekend things.

chrcoluk

@TheHowTo this is blatantly not true.

I am not staff of netgate or pfSense, my comment is as an individual who has knowledge of FreeBSD the underlying OS that powers pfSense.

The default firewall configuration in pfSense blocks all external traffic to the firewall interface, so that alone would prevent them doing what you state.

TheHowTo

@Gertjan
Wait let me see... aren't you from Belgium?
I think I read some article about Gertjan.

TheHowTo

@chrcoluk said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

@TheHowTo this is blatantly not true.

I am not staff of netgate or pfSense, my comment is as an individual who has knowledge of FreeBSD the underlying OS that powers pfSense.

The default firewall configuration in pfSense blocks all external traffic to the firewall interface, so that alone would prevent them doing what you state.

That is why I let an official Netgate spokesperson's answer my question.

Bob.Dig

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

Most Internet Service Providers in Europe allowed only whitelisted modem/router.

Bullshit and blocked.

Rico

Don't feed the troll.

-Rico

JKnott

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

That is why I let an official Netgate spokesperson's answer my question.

As a long time user of firewalls, including pfsense, I have never heard of such a thing. Firewalls should block any such attempt to gain root access or they're not doing their job. For example, I do not have any such access enabled on pfSense, I have to use a VPN to get in. What access control are you supposed to use? Do you given them passwords? SSH keys? If not, your firewall is wide open to anyone. With cable modems, as I have here, the ISP does have access to it, but nothing beyond. If you put an ordinary computer there, do they get root access to it too?

TheHowTo

@JKnott said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

As a long time user of firewalls, including pfsense, I have never heard of such a thing. Firewalls should block any such attempt to gain root access or they're not doing their job. For example, I do not have any such access enabled on pfSense, I have to use a VPN to get in. What access control are you supposed to use? Do you given them passwords? SSH keys? If not, your firewall is wide open to anyone. With cable modems, as I have here, the ISP does have access to it, but nothing beyond. If you put an ordinary computer there, do they get root access to it too?

I have a long and strong PfSense password (upper/lowercase, numbers, symbols). My PfSense configuration is stealth.
But messages “login: login on ttyv0 as root” keep appearing in my log, while I have enable password protect the console menu.
Does this means my PfSense has been compromised because an unauthorized person logged into my PfSense console?

The answer of my question is very simple, yes or no?

johnpoz

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

login on ttyv0 as root

https://docs.netgate.com/pfsense/en/latest/monitoring/troubleshooting-login-on-console-as-root-log-messages.html

TheHowTo

@johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

https://docs.netgate.com/pfsense/en/latest/monitoring/troubleshooting-login-on-console-as-root-log-messages.html

Thanks for the link to the document.
As stated in the document, if console logins are already enabled, then this means someone logged into the console.

Let give Netgate the benefit of doubt. But I still do hope that Netgate spokesperson's will answer my main question.

stephenw10

Of course not!

As already stated you can change the root password anyway, and I assume you have done.

I also assume you have not opened anything on your WAN anyone could login from?

And the physical console is not publicly accessible?

Let's see your logs so we check what's happening.

Steve

TheHowTo

@stephenw10 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

Of course not!

As already stated you can change the root password anyway, and I assume you have done.

I also assume you have not opened anything on your WAN anyone could login from?

And the physical console is not publicly accessible?

Let's see your logs so we check what's happening.

Steve

Because of those messages I have changed PfSense root password and reset PfSense many times, but somehow they always manage to open a superuser’s backdoor and bypass the password protection. After that they changed my PfSense settings (e.g. disabling some firewall rules, changing DNS, DHCP and so on).
My wan firewall rule is set to default (empty), Lan is not accessible from Opt and Opt ports are for devices to connect to internet (only 80, 443). All IPv6 are disabled and I use pfBlockerNG and Snort.

For security reasons, I cannot post my logs here. ISP hires an irresponsible outsourcing IT company that opens the door to hackers to carry out attacks. And you can find those hackers in this forum too. Usually they aim for administrators or moderators functions. Their common traits and characteristics are bullying, intimidation, harassment, lying and belittling people (calling people delusional). Right mr. Peeters?

NogBadTheBad

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

@stephenw10 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

Of course not!

As already stated you can change the root password anyway, and I assume you have done.

I also assume you have not opened anything on your WAN anyone could login from?

And the physical console is not publicly accessible?

Let's see your logs so we check what's happening.

Steve

Because of those messages I have changed PfSense root password and reset PfSense many times, but somehow they always manage to open a superuser’s backdoor and bypass the password protection. After that they changed my PfSense settings (e.g. disabling some firewall rules, changing DNS, DHCP and so on).
My wan firewall rule is set to default (empty), Lan is not accessible from Opt and Opt ports are for devices to connect to internet (only 80, 443). All IPv6 are disabled and I use pfBlockerNG and Snort.

For security reasons, I cannot post my logs here. ISP hires an irresponsible outsourcing IT company that opens the door to hackers to carry out attacks. And you can find those hackers in this forum too. Usually they aim for administrators or moderators functions. Their common traits and characteristics are bullying, intimidation, harassment, lying and belittling people (calling people delusional). Right mr. Peeters?

Crap or get off the pot post the logs and change the IP addresses if you are that worried.

stephenw10

So the logs you are seeing are like, for example?:

Aug 16 12:14:22 	syslogd 		kernel boot file is /boot/kernel/kernel
Aug 16 12:14:22 	kernel 		done.
Aug 16 12:14:23 	php-fpm 	343 	/rc.start_packages: Restarting/Starting all packages.
Aug 16 12:14:24 	login 		login on ttyv0 as root
Aug 16 12:15:34 	check_reload_status 		rc.newwanip starting igb0
Aug 16 12:15:35 	php-fpm 	343 	/rc.newwanip: rc.newwanip: Info: starting on igb0. 

That is expected and not an indication some bad actor is connected to your firewall as that link shows.

Steve

johnpoz

I don't know - if your first thought after seeing some log entries you don't understand is that what is pretty much the most well known and used opensource firewall distro on the planet is that they have colluded with the man to allow back doors into their project.. And for that matter if doing such a thing, too stupid or lazy to even not log said entries..

Hmmmm,

I think maybe its time to lay off the paranoia inducing recreational drugs ;)

But maybe that's just me ;) hehehehe

I also don't think they faked the moon landing... Or believe that our Reptilian overlords pull the strings, etc. So maybe not really the best one to ask ;)

akuma1x

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

After that they changed my PfSense settings (e.g. disabling some firewall rules, changing DNS, DHCP and so on).

Well that's complete nonsense, and doesn't happen with a NORMAL install of pfsense. And when I say normal, I mean, you didn't turn off the top 2 deny rules for the WAN interface:

• Block private networks
• Block bogon networks

Show us a screenshot of your WAN rules, and mask out any sensitive information.

jimp

ttyv0 is the physical video console. Nobody can login to that remotely. It can only be accessed via keyboard and monitor. Similarly, ttyu0 is a serial (uart) console and cannot be logged into remotely, only via local serial connection.

Seeing a login on ttyv0 just means the menu redrew itself. If you see it a lot, something is probably corrupted on your filesystem leading to a problem with the tty itself.

Nobody has shared root access with your ISP or anyone else. There are no backdoors.

TheHowTo

@stephenw10 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

So the logs you are seeing are like, for example?:

Aug 16 12:14:22 	syslogd 		kernel boot file is /boot/kernel/kernel
Aug 16 12:14:22 	kernel 		done.
Aug 16 12:14:23 	php-fpm 	343 	/rc.start_packages: Restarting/Starting all packages.
Aug 16 12:14:24 	login 		login on ttyv0 as root
Aug 16 12:15:34 	check_reload_status 		rc.newwanip starting igb0
Aug 16 12:15:35 	php-fpm 	343 	/rc.newwanip: rc.newwanip: Info: starting on igb0. 

That is expected and not an indication some bad actor is connected to your firewall as that link shows.

Steve

Thanks Steve, but that is not what I see. Your log indicated services restarting because wan dhcp lease renewal process.
Ok, let just say there are no bad actors.

Would you please explain to me the Unexplained Phenomena, like why I see my floating firewall rules being changed, some were edited and some deleted (e.g. AmazonAWS IP Range) with log messages: "Syncing firewall, Reloading filter"?

Gertjan

When logging in to the GUI, you'll see this :

Logging in using a ssh client :

The IP's "192.168.1.120" and "2001:470:1f13:5c0:2::84" are both the ones from my LAN network.
Let's say : it's an inside job. It's me using a device on my LAN.

Btw : great : your ISP is helping you administrating your pfSense ?!!
What are your WAN firewall rules ? Or did you install a KVM module for them so they can remotely using a keyboard / VGA ? ( @jimp : people often omit to mention the most incredible details about their installation ) They have a OpenVPN access for remote administration ?

For me, it just an inside job. Or the (one of) the other you(s).

johnpoz

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

I see my floating firewall rules being changed, some were edited and some deleted

And what does your config history show.. example

jimp

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

Would you please explain to me the Unexplained Phenomena, like why I see my floating firewall rules being changed, some were edited and some deleted (e.g. AmazonAWS IP Range) with log messages: "Syncing firewall, Reloading filter"?

Maybe you have something like pfBlockerNG which is automatically managing your rules? It does exactly those kinds of things.

johnpoz

I was thinking the same thing... While pfblocker is a great package, I am not a fan of anything that auto manipulates rules.. I use it really as just fancy aliases management - I have it create the aliases, and then I use those in my rules as I want.

But I would have to assume any changes to rules would be listed in the configuration history, but since I don't have pfblocker manipulating my rules, not sure how that would look in the log?

TheHowTo

What I know and experienced, pfBlockerNG only prioritizes their rules in floating rules order, but it never deleted any custom rules.

If you do not believe me, try to install pfBlockerNG, make custom rules to block AmazonAWS (hackers virtual machines) and then do a cron update.
Here is AmazonAWS’s IP range: AWS IP address ranges

johnpoz

And did you bother to look in your config history... Anything that changes the config should be listed there..

TheHowTo

@johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

And did you bother to look in your config history... Anything that changes the config should be listed there..

Config history says "Edited a firewall alias, made unkown change" However I did not login to SSH or GUI at that specific time.

It does not matter anymore because even after factory reset, everytime the hackers knew how to bypass the password protection.
I still give Netgate the benefit of doubt. Maybe there are some bugs or loopholes (e.g. superuser's backdoor) in PfSense version 2.4.5-p1.

I really wish that I can hardening PfSense with Firejail and Apparmor.

johnpoz

@TheHowTo said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

"Edited a firewall alias, made unkown change"

And what did it say did that that unknown change.. Post a screenshot of your config history showing these changes..

OMG - I've been hacker3d

TheHowTo

@johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

And what did it say did that that unknown change.. Post a screenshot of your config history showing these changes..

OMG - I've been hacker3d

Gotcha!

TheHowTo

@stephenw10 Would you please tell Dev to fix these loophole (superuser's backdoor) and bug (openvpn over tcp) on the next PfSense version.
Thank you.

johnpoz

OMG dude - there is not a "superuser" backdoor.. And what bug in openvpn over tcp... It work it just fine. Where is the redmine link to this "bug"??

stephenw10

If you think you have found a bug (you almost certainly haven't) then you should open a redmine ticket with the details and how to replicate.

You are going to have to present some evidence though. There is no reason you can't post screenshots of your config history or system log text with your public IPs removed. That gives away nothing that you should care about.
Otherwise it just looks like you're trolling. We will have to lock the thread.

Steve

AKEGEC

Hi all, I had similar problem with (2.4.5-p1) openvpn running over TCP specifically the client site. You need to edit your openvpn.inc file to fix this.

@johnpoz said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

OMG dude - there is not a "superuser" backdoor.. And what bug in openvpn over tcp... It work it just fine. Where is the redmine link to this "bug"??

johnpoz

@C3G3K4 said in Netgate shared root with ISP? ¯\_(❞⦈)_/¯:

You need to edit your openvpn.inc file to fix this.

And where is the link to this bug report? Or even the thread discussing this issue, or what exactly did you change.

And lets be specific.. Stating there is a "bug" in openvpn tcp, as a client to to some vpn service? With site 2 site? I run tcp client to pfsense from my phone, from my pc at work over tcp and have not seen any "bugs" or issues at all.

Saying there is a "bug" doesn't help anyone nor is going to get anything fixed if there is an actual issue.