Help please
-
Hi,
I am really stuck here and wondered if somebody could give me some advice. I have inherited a pfSense firewall and find it under attack from what I presume is a remote keylogger or something. I have placed the offending IP address as a block on any protocol to any internal IP address, both as a source block and a destination block; however, the IP seems to still get through, in and out. What am I doing wrong?
Jedski
-
When viewing the 'States' section I see 1,000s of this, 10010 to be exact:

source           destination      state
218.100.58.38 <- 194.x.x.x        0:0
194.x.x.x     -> 218.100.58.34    0:0

194.x.x.x is my internal IP range and 218 is the offending party.
-
It would be helpful to have more details. Specifically:
-
What firewall rules have you added and on what interfaces? Is logging enabled on these rules? Do you see any log entries from these rules?
-
Did you reset firewall states after adding the rules?
-
Why do you think access is still successfully happening? What are you seeing that you didn't expect to see?
-
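Added example, not part of the thread and not pfSense's own code: the point behind the "did you reset firewall states" question is that pf consults its state table before it evaluates the ruleset, so a new block rule only stops connections created after the rule exists; traffic on states that were already established keeps flowing until those states are killed. The script below parses constructed lines in the format of `pfctl -ss` (the same state table the GUI's Diagnostics > States page displays), counts how many entries touch the suspect hosts, and prints the `pfctl -k` invocations that remove those states in both directions. The internal addresses (192.0.2.x), ports and state names in the sample are made up; the two 218.100.58.x addresses are the ones quoted in the thread.

```python
"""Count pf state entries that touch given remote hosts and produce the
pfctl commands that kill them.  Added example; not code from the thread."""
import re
from collections import Counter

# Constructed sample in the format of `pfctl -ss` on FreeBSD/pfSense.
# Internal hosts use the TEST-NET-1 range (192.0.2.0/24); the remote
# addresses are the ones quoted in the thread.  The parenthesised address
# on the fourth line is how pfctl prints a NAT'd source.
SAMPLE_STATES = """\
all tcp 192.0.2.10:51234 -> 218.100.58.34:443   ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:51235 -> 218.100.58.34:443   FIN_WAIT_2:FIN_WAIT_2
all udp 218.100.58.38:53 <- 192.0.2.11:40001    NO_TRAFFIC:SINGLE
all tcp 192.0.2.12:51236 (203.0.113.5:51236) -> 218.100.58.34:80   ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:51237 -> 93.184.216.34:443   ESTABLISHED:ESTABLISHED
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\(\S+\))?\s+"      # optional "(nat_addr:port)" after the left endpoint
    r"(?P<dir>->|<-)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)


def host(endpoint):
    """Strip the port from 'addr:port' (IPv4 only; IPv6 states print as addr[port])."""
    return endpoint.rsplit(":", 1)[0]


def parse_states(text):
    """Return one dict per state line with the initiating side as 'src'.

    pf prints '->' when the left endpoint initiated the connection and
    '<-' when the right endpoint did, so the arrow always points at the
    destination of the first packet."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        d = m.groupdict()
        left, right = host(d["left"]), host(d["right"])
        src, dst = (left, right) if d["dir"] == "->" else (right, left)
        entries.append({"proto": d["proto"], "src": src, "dst": dst, "state": d["state"]})
    return entries


def states_touching(entries, hosts):
    """Entries whose source or destination is one of `hosts`."""
    hosts = set(hosts)
    return [e for e in entries if e["src"] in hosts or e["dst"] in hosts]


def count_by_remote(entries, hosts):
    """How many states exist per suspect host, regardless of direction."""
    hosts = set(hosts)
    counts = Counter()
    for e in states_touching(entries, hosts):
        counts[e["src"] if e["src"] in hosts else e["dst"]] += 1
    return counts


def kill_commands(hosts):
    """pfctl invocations that remove existing states in both directions.

    A block rule alone does not do this: pf matches an established state
    before it evaluates the ruleset, so states created before the rule
    was added keep passing traffic until they are killed.  Diagnostics >
    States in the pfSense GUI lets you filter and kill the same entries."""
    cmds = []
    for h in sorted(set(hosts)):
        cmds.append(f"pfctl -k {h}")               # states originating from h
        cmds.append(f"pfctl -k 0.0.0.0/0 -k {h}")  # states from anywhere to h
    return cmds


if __name__ == "__main__":
    entries = parse_states(SAMPLE_STATES)
    suspects = ["218.100.58.34", "218.100.58.38"]
    for ip, n in sorted(count_by_remote(entries, suspects).items()):
        print(f"{ip}: {n} state(s)")
    print("\n".join(kill_commands(suspects)))
```

On a real firewall, feed it `pfctl -ss` output from the shell (or Diagnostics > Command Prompt) instead of the sample; if the suspect addresses still show up in fresh states after the block rules are in place and the old states have been killed, the rules themselves are not matching, which is where the per-rule logging asked about above comes in.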
-
Hi,
I have set destination and source rules for the offending IPs covering all ports. I did have the rules set on the WAN interface but have now duplicated them on to the LAN interface too; things have quietened down, but I'm not sure if this is just coincidence.
I have a remote syslog server collecting logs but have just set indicators on particular rules to log packets from these too. As I said, I have inherited this and had never heard of pfSense before; time for some quick learning. Thanks for the reply.
-
We'd really need a lot more information. Nothing you've posted gives any indication of malicious activity or supports your theory. The IP you posted is a transit IP range internal to APNIC, which clouds the issues further.
Exactly what makes you think your network was under attack?