If a skilled hacker breaks into the network within PFSense
-
If malware is installed on the devices within the network of PFSense due to some kind of vulnerability, is it possible for the logs within the PC and inside PFSense to be erased?
-
@Yet_learningPFSense if they could get access to pfsense itself, then sure.
Best practice is to only allow access to pfsense via web or ssh from the management network. So this compromised box would have to be on the management network, this is the lan by default and has the antilockout rule to allow access to pfsense management gui and ssh (if enabled).
In a secure setup, the management could be limited to only a specific IP, or network that only management workstation(s) are on and shouldn't be used in a sense that they would normally be commonly open to infection. Ie they don't browse the web, they don't execute code from outside sources, etc. And this isolated management network wouldn't allow access from other networks, etc
This compromised box, even if had firewall access to the web/ssh of pfsense would still need to auth, or have some other way in..
But yeah if you have admin access to pfsense, you could clear the logs, etc.
-
@johnpoz Thank you. I would like to ask one more thing. In a situation where a newly set up PFSense is connected to the internet, is it possible to bypass the PFSense firewall and inject malware into an internal PC?
-
Not from the outside, all external connections are blocked by default.
If the internal PC connects out and pulls in malware pfSense will not prevent that.
-
@stephenw10 That's understandable. However, recently, there have been posts on social media and bulletin boards hinting at my online activities, as well as places I frequently visit.
It's been bothering me because at first I thought it might be my imagination, but it has persisted, and I'm concerned. For safety reasons, I use a VPN service, and I noticed accesses like the ones shown in this image appearing in ntopng. Is this something that typically occurs?
-
@Yet_learningPFSense port 7680 is this
https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-faq
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP.
edit: not sure why you hiding a 10.x address.. This rfc1918 - it isn't coming from the internet.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
@johnpoz Thank you for your response. Regarding "delivery-optimization," does it mean that communication is being performed with that address to optimize the speed of the VPN service and so on?
My private IP address is 192.168.1.xxx, but there are communication logs to addresses other than 192.168.11.41 that are being recorded in ntopng.
-
@Yet_learningPFSense read the FAQ I linked too.. Its not going to optimize your "vpn"
-
@Yet_learningPFSense said in If a skilled hacker breaks into the network within PFSense:
However, recently, there have been posts on social media and bulletin boards hinting at my online activities, as well as places I frequently visit.
This information is stored in cookies by your browser. Unless you block all cookies in your browser you will be tracked like this. Cookies are not the only way to be tracked, but it is a super easy way to do it by design.
Many people believe using a VPN stops tracking, it does not. VPNs simply hide your traffic from the ISP and give you a different entry point on the internet.o||||o
7100-1u -
With enough time and money nation state actors can do anything, thus I think like this, harden the equipment it to a specific amount of time it would require to break in, add rules make block lists. And backup essential data. I loved quantum LTO scaler systems. They would automate the long time tape backups with robotic arms xyz tray systems. Yes tape backups still are used today as you can store many terabytes on a single tape.
"The latest generation, LTO-9, released in 2021, offers up to 45 TB of compressed capacity and 18 TB of native capacity"
Plan as if it will happen. That way you can recover if it does happen.
Tape is slow so it can't be deleted quickly by hackers, it lasts 50 plus years once written, and can even be set up as a worm drive. It's hard to access if it's in a storage case.
https://www.ibm.com/docs/en/ts4500-tape-library?topic=cartridges-capacity-supported-lto-tape
-
@JonathanLee said in If a skilled hacker breaks into the network within PFSense:
Tape is slow
Slow random, screaming daemon sequential. I was the storage guy and we had to be careful how we setup disks as backups frequently made them busy.
Tape is king when protecting data against hackers. Can't mess with it when it is on a shelf.
-
@AndyRH We had a location with this monster Sepaton system huge in 2009ish, the onsite guy jammed in a replacement system card thinking it was hot swapable he flat shorted out the backplane, and new system card. Our team got onsite with this Sepaton management software called Syntricity and started to migrate everything off of that dead backplane. The system went live for the business in short while, all the data was safe. I got so much praise from him. After, the onsite admin jumped up and said, "I have to run my tape backups!! I have not run them in over a month, you just saved my job thank you so much." We ordered him new stuff, I will never forget that. Just because it looks hot swappable doesn't mean it is. Another site I worked on replacing downed LTO drives, it was the size of a city bus, the thing had to be shut down for the replacement, it started to boot and I asked can we test it, onsite admin says "sure once it completes the inventory audit of the tapes" I asked ok how long until that completes, he replied with a blank straight face, "around 72 hours." I mean this was one of the biggest tape archive systems I have ever seen. Today most of the data storage has moved to solid state systems like the Veritas cloud acess, Tintri, Nutrainix meaning it reads and writes so fast if a bug hit it would be gone in a split second. A good working tape system is a hacker's nightmare, when they go off on some ransomware attack tangent with pay me this and that, the tape system makes it like nothing happened when those backups start to restore. With how fast storage is getting, and the longevity of tape upwards of 50 years shelf life, tape was always a great network tool to have in your corner. The coolest things for me to work with was tape storage systems, I loved them.
-
@johnpoz I couldn't find the time as I was busy. Thank you. So, it's the port for connecting to Microsoft's CDN. I'm not sure if it communicates with Microsoft using a private IP address when using a VPN, but I understand now.
-
@AndyRH Thank you. For example, is it possible for a hacker to track roughly when and where someone went by preparing a manipulated cookie for their website and making the browser consume it?
-
@Yet_learningPFSense said in If a skilled hacker breaks into the network within PFSense:
If malware is installed on the devices within the network of PFSense
It would be the network administrator responsible cause only he/she can introduce such.
-
@Yet_learningPFSense I am assuming yes, but I am not sure. Cookies can contain most any information and they are time stamped. pfSense cannot help with this level of tracking because cookies are mostly legitimate and there is not good way to tell if they are being misused.
-
@AndyRH said in If a skilled hacker breaks into the network within PFSense:
are mostly legitimate and there is not good way to tell if they are being misused.
And how would pfsense even see them, since they would almost for sure be inside the https connection.. Without breaking end to end encryption and doing a mitm there would be no way for pfsense to even see cookies being used between the server and the client.
