Netgate Discussion Forum
    Firewall log - Attack warning

    Category: Firewalling
    11 Posts, 4 Posters, 1.1k Views
    • hugoeyng

      Hello.

      Since last Friday the firewall log is showing an "attack warning".

      The log shows many warnings like this.

      (screenshot: 74ad18f3-d546-47a4-b173-1c8c7ba89bd7-image.png)

      What is the best practice?

      Downing the interface? Ignore? Change the password? All of those options?

      I love pfSense!

      Hugo Eyng
      Datamais Sistemas

      • SteveITS @hugoeyng

        Is 185.220.101.130 an address inside your network? If not I would start by not allowing access to SSH or HTTP/HTTPS on the WAN...

        I think I've seen something similar to this when our network probe port scans the router's LAN IP.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • hugoeyng @SteveITS

          @teamits said in Firewall log - Attack warning:

          185.220.101.130

          185.220.101.130 is not an address inside our network, and it is not the only one trying to get access to our pfSense. Many different IPs are trying too.

          "not allowing access to SSH or HTTP/HTTPS on the WAN": what is the best way to do this, and what about my navigation?

          I love pfSense!

          Hugo Eyng
          Datamais Sistemas

          • johnpoz (LAYER 8 Global Moderator) @hugoeyng

            @hugoeyng said in Firewall log - Attack warning:

            "not allowing access to SSH or HTTP/HTTPS on the WAN"

            All unsolicited inbound traffic to your WAN is blocked out of the box. You must have created a rule to allow access to your webgui port and/or SSH as well.

            Remove said rules.. Post up your WAN rules if you want advice on what is in there that shouldn't be.

            The only thing in WAN rules should be stuff you want to allow.. But yeah, if you allow access to webgui or SSH to the public internet, it's going to get hit, multiple times a day, if not per hour or even per minute.. The internet is a noisy and dangerous place to open up services to.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • hugoeyng @johnpoz

              @johnpoz Thank you for your answer.

              You are right. I allow access to webgui and SSH, but I limited the access only to known IPs (contained in an alias).

              I monitor the logs and this is the first time I saw so many tries to log in to/access the firewall. Apparently they were trying to connect via SSH or the webgui (HTTPS).

              They gave up yesterday. Or, maybe, they were successful yesterday :))

              I am not sure.

              I love pfSense!

              Hugo Eyng
              Datamais Sistemas

              • johnpoz (LAYER 8 Global Moderator) @hugoeyng
                last edited by johnpoz

                If you were seeing such traffic from IPs that are not in your alias, then your rules are not set up like you think. Or your alias contains more IPs than you think?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • JeGr (LAYER 8 Moderator) @johnpoz
                  last edited by JeGr

                  @hugoeyng said in Firewall log - Attack warning:

                  You are right. I allow access to webgui and SSH, but I limited the access only to known IPs (contained in an alias).

                  If you see that traffic, you didn't. Or your alias or rule is seriously borked!

                  @hugoeyng said in Firewall log - Attack warning:

                  They gave up yesterday. Or, maybe, they were successful yesterday :))

                  Then you'd see a successful logged in message. Otherwise 3-5 attempts and sshguard locks them out for a block-time (10m?).

                  Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                  If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
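The two checks JeGr describes, a lockout after a handful of failed attempts and a successful-login message that would reveal a compromise, can be reproduced offline over log lines. The script below is an added example, not code from the thread, from pfSense or from sshguard: it parses constructed lines in the style of an OpenSSH auth log (the hostname `fw`, the PIDs, the ports and the addresses 10.0.0.5 and 203.0.113.9 are made up; 185.220.101.130 is the address from the thread), applies a sshguard-like rule of 4 failures then a 10-minute block (threshold and block time are assumptions, chosen to match the "3-5 attempts" and "10m?" figures), and separately flags any accepted login whose source is not in the allow-list alias.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log; not real
# output from the poster's firewall. 203.0.113.9 and 10.0.0.5 are made up.
SAMPLE_LOG = """\
Jan 12 08:00:01 fw sshd[1201]: Failed password for root from 185.220.101.130 port 51234 ssh2
Jan 12 08:00:03 fw sshd[1201]: Failed password for root from 185.220.101.130 port 51235 ssh2
Jan 12 08:00:05 fw sshd[1201]: Failed password for admin from 185.220.101.130 port 51236 ssh2
Jan 12 08:00:09 fw sshd[1201]: Failed password for admin from 185.220.101.130 port 51237 ssh2
Jan 12 08:30:00 fw sshd[1300]: Accepted publickey for admin from 10.0.0.5 port 40000 ssh2
Jan 12 08:31:00 fw sshd[1301]: Failed password for admin from 203.0.113.9 port 40001 ssh2
Jan 12 08:45:00 fw sshd[1302]: Accepted password for admin from 203.0.113.9 port 40002 ssh2
"""

# Matches both "Failed password for <user>" and "Accepted <method> for <user>",
# including the "invalid user" variant sshd emits for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Return (timestamp, outcome, user, source_ip) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the relative order is all we need here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["ip"]


def analyze(log_text, allowed_sources, threshold=4, block_minutes=10):
    """Replay the log in order, simulating a sshguard-style lockout (assumed
    parameters) and flagging accepted logins from outside the allow-list."""
    failures = defaultdict(int)
    blocked = {}        # source ip -> time the simulated block would expire
    unexpected = []     # (ip, user, time) for successful logins not in allow-list
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        # A block that has lapsed is lifted and the failure counter reset.
        if ip in blocked and ts >= blocked[ip]:
            del blocked[ip]
            failures[ip] = 0
        if outcome == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold and ip not in blocked:
                blocked[ip] = ts + timedelta(minutes=block_minutes)
        elif ip not in allowed_sources:
            # This is the "successful logged in message" a defender must not miss.
            unexpected.append((ip, user, ts.strftime("%b %d %H:%M:%S")))
    return {"blocked": blocked, "unexpected_logins": unexpected}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, allowed_sources={"10.0.0.5"})
    for ip, until in report["blocked"].items():
        print(f"locked out: {ip} until {until.strftime('%H:%M:%S')}")
    for ip, user, when in report["unexpected_logins"]:
        print(f"ALERT accepted login for {user} from non-allow-listed {ip} at {when}")
```

Running it shows 185.220.101.130 locked out after its fourth failure, and one alert: the accepted password login from 203.0.113.9, an address that is not in the allow-list. That second line is the one to hunt for when asking whether "they were successful"; a lockout message alone says nothing about whether an earlier attempt got in.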

                  • hugoeyng @johnpoz

                    @johnpoz (screenshot: 8624b4de-5978-47ac-b60c-e7e6a3995486-image.png)

                    The rules on the interface from where they attacked.

                    I love pfSense!

                    Hugo Eyng
                    Datamais Sistemas

                    • johnpoz (LAYER 8 Global Moderator) @hugoeyng

                      Not sure how anyone is supposed to help you with most of that obfuscated.

                      But this "could" for sure allow access, and has no alias for source.

                      (screenshot: 443.png)

                      Depending on what the dest is set to?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • SteveITS @johnpoz

                        @johnpoz that would not be SSH though... there must be something else, or else the alias ORIGEMWTS is incorrect on the SSH rule. Also, not sure why that is marked as "NAT" unless that is a linked NAT firewall rule? NAT wouldn't be necessary for direct access to the WAN IP, though we've set up a different port to NAT to the router's LAN IP in cases where 443 was being NATted to a LAN server.

                        @hugoeyng Hover your mouse over the ORIGEMWTS alias and see what it is resolving to.

                        Also, the SSH firewall rule has 0 bytes of traffic so hasn't been used since it started counting.

                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                        Upvote 👍 helpful posts!
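The thread's diagnosis boils down to two questions a defender can answer mechanically: which WAN rule, if any, would pass a given source to a management port (pfSense evaluates interface rules first-match, with an implicit default deny when nothing matches), and which pass rules reach a management port from a source that is effectively the whole Internet. The script below is an added example, not the poster's configuration and not pfSense code: the alias contents, the rule ids, the "TOO_BROAD" alias and the 2^24-address cut-off for "effectively open" are all assumptions; the alias name ORIGEMWTS and the address 185.220.101.130 are taken from the thread.

```python
import ipaddress

# Constructed alias table modelled on the thread's ORIGEMWTS alias. The
# member networks are documentation ranges, not the poster's real sources.
ALIASES = {
    "ORIGEMWTS": ["198.51.100.10/32", "203.0.113.0/24"],
    "TOO_BROAD": ["0.0.0.0/0"],   # an alias that silently admits everyone
}

# Constructed WAN rule set: one SSH rule restricted to the alias, one
# webgui rule with no source alias (the pattern flagged in the thread),
# and one unrelated UDP service.
WAN_RULES = [
    {"id": "ssh-admin",  "action": "pass", "proto": "tcp", "src": "ORIGEMWTS", "dst_port": 22},
    {"id": "webgui-any", "action": "pass", "proto": "tcp", "src": "any",       "dst_port": 443},
    {"id": "vpn",        "action": "pass", "proto": "udp", "src": "any",       "dst_port": 1194},
]

MGMT_PORTS = {22, 443}   # SSH and the webgui (HTTPS) as used in the thread


def expand_source(src, aliases):
    """Resolve a rule source ('any', an alias name, or a literal CIDR) to networks.
    This is what hovering over the alias in the GUI shows you."""
    if src == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if src in aliases:
        return [ipaddress.ip_network(cidr) for cidr in aliases[src]]
    return [ipaddress.ip_network(src)]


def first_match(rules, aliases, src_ip, proto, dst_port):
    """First-match evaluation; None means the implicit default deny applies."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["proto"] != proto or rule["dst_port"] != dst_port:
            continue
        if any(addr in net for net in expand_source(rule["src"], aliases)):
            return rule
    return None


def audit_management_exposure(rules, aliases, mgmt_ports=MGMT_PORTS, open_threshold=2**24):
    """Return (rule id, source, port) for pass rules whose source covers at least
    open_threshold addresses (a /8 or wider, an assumed cut-off) on a management port."""
    findings = []
    for rule in rules:
        if rule["action"] != "pass" or rule["dst_port"] not in mgmt_ports:
            continue
        covered = sum(net.num_addresses for net in expand_source(rule["src"], aliases))
        if covered >= open_threshold:
            findings.append((rule["id"], rule["src"], rule["dst_port"]))
    return findings


if __name__ == "__main__":
    attacker = "185.220.101.130"   # the source from the thread's log
    for port in sorted(MGMT_PORTS):
        hit = first_match(WAN_RULES, ALIASES, attacker, "tcp", port)
        print(f"{attacker} -> tcp/{port}: {'PASS via ' + hit['id'] if hit else 'default deny'}")
    for rule_id, src, port in audit_management_exposure(WAN_RULES, ALIASES):
        print(f"exposed: rule {rule_id} passes source '{src}' to port {port}")
    # The hardened form: the same webgui rule with its source pinned to the alias.
    hardened = [dict(WAN_RULES[1], src="ORIGEMWTS")]
    print("hardened webgui rule findings:", audit_management_exposure(hardened, ALIASES))
```

For the constructed rule set the attacker address is denied on tcp/22 (it is outside ORIGEMWTS, so the SSH rule never matches, which is consistent with SteveITS's observation that the SSH rule shows zero bytes) but passed on tcp/443 by the source-any webgui rule, and the audit names that rule; pinning the webgui rule's source to the alias empties the findings. Feeding the real alias contents into `ALIASES` is the programmatic version of "hover over the alias and see what it resolves to".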

                        • johnpoz (LAYER 8 Global Moderator) @SteveITS

                          Agreed that is not SSH, but his top SSH rule shows no hits..

                          But as I stated, we are not seeing the whole picture here.. We have no idea what those bottom rules are: they are not using aliases, and they don't even show what the port or dest IP are. But they do have hits.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.