Allowed IP is blocked but not present in VirusProt table
-
Hi!
I have a rule to allow all traffic with no restrictions from my home IP to the LAN network. The rule works OK.
When I scan the LAN network with OpenVAS from home (with a very slow scan), my IP gets blocked within pfSense for some time.
I have no Snort and no Suricata, just a plain pfSense install.
Why does this happen? Shouldn't my IP be in the virusprot table if blocked by some limit-override?
Thanks to all in advance!!!
Pete.
-
Do you actually see the traffic blocked?
What rule do you see it blocked by?
Steve
-
Hi @stephenw10!
Thanks for your reply...
I have a rule to allow everything from that IP. This rule is the first one, at the top of the rules window for maximum priority.
In fact OpenVAS activity works for a short period of time, and then pfSense blocks it for some time... When this happens, there is no firewall log in pfSense about rejecting this traffic.
Thanks again Stephen!
Pete.
-
Go to Status > System Logs > System > General
and look in the process column; you'll find a process called "sshguard". When you do your "OpenVAS activity", is that the moment sshguard kicks in and blocks the IP running this OpenVAS, doing 'bad' things? If sshguard starts to block it, it will log that event to the General log.
-
Thanks Gertjan!!
I will check ASAP!!
What is sshguard for? I mean, how does it detect "bad things" when no Snort or Suricata are in place?
Thanks!
Pete.
-
See here : System > Advanced > Admin Access
under "Login Protection". The process scans the general log, and if too many failed login attempts are logged, it starts to temporarily block that IP.
Normally, GUI and SSH logins are (should be) possible from a trusted LAN only. You can even be more specific, and allow failed logins from trusted devices that you can specify by their IP.
All others, if too many failures are detected, will be blocked for a moment, the time you chose.
-
Yes, it would only be triggered if the OpenVAS scanning process attempts to log in to the firewall with bad credentials.
If you don't have Snort or Suricata running it's unlikely to be blocked by the firewall. Perhaps something upstream is blocking it? Do you see traffic arriving at the pfSense WAN?
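
Added example, not part of the original thread: one way to confirm from an exported copy of the general system log whether sshguard blocked a given source address, and for which time window. The log lines are constructed, and the sshguard message wording, hostname and addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the general system log. The sshguard message wording
# is assumed from sshguard 2.x; adjust the patterns if your version differs.
SAMPLE_LOG = """\
Mar 13 21:14:02 fw sshguard[4711]: Attack from "203.0.113.7" on service SSH with danger 10.
Mar 13 21:14:03 fw sshguard[4711]: Attack from "203.0.113.7" on service SSH with danger 10.
Mar 13 21:14:05 fw sshguard[4711]: Attack from "203.0.113.7" on service SSH with danger 10.
Mar 13 21:14:05 fw sshguard[4711]: Blocking "203.0.113.7/32" for 120 secs (3 attacks in 3 secs, after 1 abuses over 3 secs.)
Mar 13 21:14:09 fw sshguard[4711]: Attack from "198.51.100.20" on service SSH with danger 10.
"""

ATTACK = re.compile(r'sshguard\[\d+\]: Attack from "([^"]+)" on service (.+?) with danger (\d+)')
BLOCK = re.compile(r'sshguard\[\d+\]: Blocking "([^"/]+)(?:/\d+)?" for (\d+) secs')

def parse_ts(line, year=2024):
    """BSD syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def sshguard_events(log_text, ip, year=2024):
    """Return (attacks, blocks) that sshguard logged for one source IP."""
    attacks, blocks = [], []
    for line in log_text.splitlines():
        m = ATTACK.search(line)
        if m and m.group(1) == ip:
            attacks.append((parse_ts(line, year), m.group(2), int(m.group(3))))
            continue
        m = BLOCK.search(line)
        if m and m.group(1) == ip:
            start = parse_ts(line, year)
            blocks.append((start, start + timedelta(seconds=int(m.group(2)))))
    return attacks, blocks

def was_blocked_at(blocks, when):
    """True if `when` falls inside any block window (end is exclusive)."""
    return any(start <= when < end for start, end in blocks)

if __name__ == "__main__":
    attacks, blocks = sshguard_events(SAMPLE_LOG, "203.0.113.7")
    print(f"{len(attacks)} attack lines, {len(blocks)} block(s)")
    for start, end in blocks:
        print(f"blocked {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

An empty `blocks` list for the scanner's address means sshguard logged no block for it in the lines examined.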