Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    If a skilled hacker breaks into the network within PFSense

    Scheduled Pinned Locked Moved General pfSense Questions
    17 Posts 6 Posters 1.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Yet_learningPFSenseY
      Yet_learningPFSense
      last edited by

      If malware is installed on the devices within the network of PFSense due to some kind of vulnerability, is it possible for the logs within the PC and inside PFSense to be erased?

      johnpozJ NollipfSenseN 2 Replies Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Yet_learningPFSense
        last edited by

        @Yet_learningPFSense if they could get access to pfsense itself, then sure.

        Best practice is to only allow access to pfsense via web or ssh from the management network. So this compromised box would have to be on the management network, this is the lan by default and has the antilockout rule to allow access to pfsense management gui and ssh (if enabled).

        In a secure setup, the management could be limited to only a specific IP, or network that only management workstation(s) are on and shouldn't be used in a sense that they would normally be commonly open to infection. Ie they don't browse the web, they don't execute code from outside sources, etc. And this isolated management network wouldn't allow access from other networks, etc

        This compromised box, even if had firewall access to the web/ssh of pfsense would still need to auth, or have some other way in..

        But yeah if you have admin access to pfsense, you could clear the logs, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        Yet_learningPFSenseY 1 Reply Last reply Reply Quote 1
        • Yet_learningPFSenseY
          Yet_learningPFSense @johnpoz
          last edited by

          @johnpoz Thank you. I would like to ask one more thing. In a situation where a newly set up PFSense is connected to the internet, is it possible to bypass the PFSense firewall and inject malware into an internal PC?

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Not from the outside, all external connections are blocked by default.

            If the internal PC connects out and pulls in malware pfSense will not prevent that.

            Yet_learningPFSenseY 1 Reply Last reply Reply Quote 0
            • Yet_learningPFSenseY
              Yet_learningPFSense @stephenw10
              last edited by

              @stephenw10 That's understandable. However, recently, there have been posts on social media and bulletin boards hinting at my online activities, as well as places I frequently visit.

              It's been bothering me because at first I thought it might be my imagination, but it has persisted, and I'm concerned. For safety reasons, I use a VPN service, and I noticed accesses like the ones shown in this image appearing in ntopng. Is this something that typically occurs?F01AUoZaQAA4-OL.jpg

              johnpozJ AndyRHA 2 Replies Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @Yet_learningPFSense
                last edited by johnpoz

                @Yet_learningPFSense port 7680 is this

                https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq

                Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP.

                edit: not sure why you hiding a 10.x address.. This rfc1918 - it isn't coming from the internet.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                Yet_learningPFSenseY 2 Replies Last reply Reply Quote 1
                • Yet_learningPFSenseY
                  Yet_learningPFSense @johnpoz
                  last edited by

                  @johnpoz Thank you for your response. Regarding "delivery-optimization," does it mean that communication is being performed with that address to optimize the speed of the VPN service and so on?

                  My private IP address is 192.168.1.xxx, but there are communication logs to addresses other than 192.168.11.41 that are being recorded in ntopng.

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @Yet_learningPFSense
                    last edited by

                    @Yet_learningPFSense read the FAQ I linked too.. Its not going to optimize your "vpn"

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    1 Reply Last reply Reply Quote 0
                    • AndyRHA
                      AndyRH @Yet_learningPFSense
                      last edited by

                      @Yet_learningPFSense said in If a skilled hacker breaks into the network within PFSense:

                      However, recently, there have been posts on social media and bulletin boards hinting at my online activities, as well as places I frequently visit.

                      This information is stored in cookies by your browser. Unless you block all cookies in your browser you will be tracked like this. Cookies are not the only way to be tracked, but it is a super easy way to do it by design.
                      Many people believe using a VPN stops tracking, it does not. VPNs simply hide your traffic from the ISP and give you a different entry point on the internet.

                      o||||o
                      7100-1u

                      Yet_learningPFSenseY 1 Reply Last reply Reply Quote 1
                      • JonathanLeeJ
                        JonathanLee
                        last edited by JonathanLee

                        With enough time and money nation state actors can do anything, thus I think like this, harden the equipment it to a specific amount of time it would require to break in, add rules make block lists. And backup essential data. I loved quantum LTO scaler systems. They would automate the long time tape backups with robotic arms xyz tray systems. Yes tape backups still are used today as you can store many terabytes on a single tape.

                        "The latest generation, LTO-9, released in 2021, offers up to 45 TB of compressed capacity and 18 TB of native capacity"

                        Plan as if it will happen. That way you can recover if it does happen.

                        R (2).jpeg

                        Tape is slow so it can't be deleted quickly by hackers, it lasts 50 plus years once written, and can even be set up as a worm drive. It's hard to access if it's in a storage case.

                        https://www.ibm.com/docs/en/ts4500-tape-library?topic=cartridges-capacity-supported-lto-tape

                        Make sure to upvote

                        AndyRHA 1 Reply Last reply Reply Quote 0
                        • AndyRHA
                          AndyRH @JonathanLee
                          last edited by

                          @JonathanLee said in If a skilled hacker breaks into the network within PFSense:

                          Tape is slow

                          Slow random, screaming daemon sequential. I was the storage guy and we had to be careful how we setup disks as backups frequently made them busy.

                          Tape is king when protecting data against hackers. Can't mess with it when it is on a shelf.

                          o||||o
                          7100-1u

                          JonathanLeeJ 1 Reply Last reply Reply Quote 1
                          • JonathanLeeJ
                            JonathanLee @AndyRH
                            last edited by JonathanLee

                            @AndyRH We had a location with this monster Sepaton system huge in 2009ish, the onsite guy jammed in a replacement system card thinking it was hot swapable he flat shorted out the backplane, and new system card. Our team got onsite with this Sepaton management software called Syntricity and started to migrate everything off of that dead backplane. The system went live for the business in short while, all the data was safe. I got so much praise from him. After, the onsite admin jumped up and said, "I have to run my tape backups!! I have not run them in over a month, you just saved my job thank you so much." We ordered him new stuff, I will never forget that. Just because it looks hot swappable doesn't mean it is. Another site I worked on replacing downed LTO drives, it was the size of a city bus, the thing had to be shut down for the replacement, it started to boot and I asked can we test it, onsite admin says "sure once it completes the inventory audit of the tapes" I asked ok how long until that completes, he replied with a blank straight face, "around 72 hours." I mean this was one of the biggest tape archive systems I have ever seen. Today most of the data storage has moved to solid state systems like the Veritas cloud acess, Tintri, Nutrainix meaning it reads and writes so fast if a bug hit it would be gone in a split second. A good working tape system is a hacker's nightmare, when they go off on some ransomware attack tangent with pay me this and that, the tape system makes it like nothing happened when those backups start to restore. With how fast storage is getting, and the longevity of tape upwards of 50 years shelf life, tape was always a great network tool to have in your corner. The coolest things for me to work with was tape storage systems, I loved them.

                            Make sure to upvote

                            1 Reply Last reply Reply Quote 0
                            • Yet_learningPFSenseY
                              Yet_learningPFSense @johnpoz
                              last edited by

                              @johnpoz I couldn't find the time as I was busy. Thank you. So, it's the port for connecting to Microsoft's CDN. I'm not sure if it communicates with Microsoft using a private IP address when using a VPN, but I understand now.

                              1 Reply Last reply Reply Quote 0
                              • Yet_learningPFSenseY
                                Yet_learningPFSense @AndyRH
                                last edited by

                                @AndyRH Thank you. For example, is it possible for a hacker to track roughly when and where someone went by preparing a manipulated cookie for their website and making the browser consume it?

                                AndyRHA 1 Reply Last reply Reply Quote 0
                                • NollipfSenseN
                                  NollipfSense @Yet_learningPFSense
                                  last edited by

                                  @Yet_learningPFSense said in If a skilled hacker breaks into the network within PFSense:

                                  If malware is installed on the devices within the network of PFSense

                                  It would be the network administrator responsible cause only he/she can introduce such.

                                  pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                                  pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                                  1 Reply Last reply Reply Quote 0
                                  • AndyRHA
                                    AndyRH @Yet_learningPFSense
                                    last edited by

                                    @Yet_learningPFSense I am assuming yes, but I am not sure. Cookies can contain most any information and they are time stamped. pfSense cannot help with this level of tracking because cookies are mostly legitimate and there is not good way to tell if they are being misused.

                                    o||||o
                                    7100-1u

                                    johnpozJ 1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @AndyRH
                                      last edited by

                                      @AndyRH said in If a skilled hacker breaks into the network within PFSense:

                                      are mostly legitimate and there is not good way to tell if they are being misused.

                                      And how would pfsense even see them, since they would almost for sure be inside the https connection.. Without breaking end to end encryption and doing a mitm there would be no way for pfsense to even see cookies being used between the server and the client.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                      1 Reply Last reply Reply Quote 1
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.