Pfsense exploits





  • Well for starts- use a strong password.  pfSense will lock you out after only a few try's so I see no problem there.

    2nd- don't expose port 22 to the rest of the world…



  • I would love to see someone try that on a pfsense firewall with the password unknown and port 22 disabled on the WAN. Even on the LAN, the password would need to be known or in a list of common passwords to hack the system with brute force.
    Like chpalmer said, don't keep the default password and change it to a strong password that would be hard to guess.


  • Netgate Administrator

    The main point of this video seems to be that he is able to log in via ssh when ssh appears to be disabled in the webGUI. That is slightly odd.
    But since he knows the password already and has exposed port 22 on WAN this doesn't seem like something that could be easily exploited in the real world.
    Also he is running 2.0RC3 so it may well have been fixed since then.

    Steve



  • I didn't watch that video but the fact that stephenw10 wrote about disabled ssh - if I am not completly wrong - this was fixed.



  • I am sure it has been … it was pfsense version 2.0 Beta3 iirc.


  • Rebel Alliance Developer Netgate

    That may have been an issue with a really crusty old beta, but never a release.

    Plus:

    1. Block ssh with firewall rules
    2. Even if it's open, sshlockout kicks in and blocks the IP after 5 failed logins
    3. Use key-only auth
    4. Move ssh to an alternate port

    For best results, mix 3 and 4 with a dash of 1. Salt to taste.



  • It's a simple password brute force attack. The only "issue" there was the XMLRPC interface didn't automatically lock out attempted brute force attacks, where as the web interface and SSH did at the time. It does since at least 2.0.1 release and maybe earlier, don't recall the exact timing. So if you had an easy enough password to brute force guess, yeah you could succeed via that and not via the web interface or SSH unless you got it in the first 10 tries. It's far from an "exploit", no more so than the ability to brute force everything in existence is an exploit. And of everything else, we're one of the very few devices that will automatically block IPs trying to brute force attack. If you consider that an "exploit", then virtually every other firewall, router, and operating system in existence today is "vulnerable" out of the box, but we aren't.

    The moral of the story is don't use weak passwords on anything. We do far better than pretty much anything else at protecting you from yourself, but there is no alternative to strong passwords.



  • @cmb:

    The moral of the story is don't use weak passwords on anything. We do far better than pretty much anything else at protecting you from yourself, but there is no alternative to strong passwords.

    How long would it take to crack your password?

    Time To Crack:
    151850307 centuries
    Total Passwords in Pattern:
    460 Sextillion



  • @mr_bobo:

    How long would it take to crack your password?

    Time To Crack:
    151850307 centuries
    Total Passwords in Pattern:
    460 Sextillion

    Thanks for the link…

    Mine isnt that good... (or something similar)
    Time To Crack:
    2 months, 3 days
    Total Passwords in Pattern:
    5 Trillion

    The president of the corporation I used to work for...

    This password needs more strength
    Time To Crack:
    less than 1 day
    Total Passwords in Pattern:
    18 Thousand

    :o ;D



  • I suggest you to do not enter your real passwords in any password test site as it could be used to populate brute force databases.



  • I suggest you to do not enter your real passwords in any password test site as it could be used to populate brute force databases.

    (or something similar)

    Way ahead of ya!    ;D



  • Hi everybody,

    I wrote this auxiliary for metasploit and I don´t consider it an exploit. This issue was fixed in pfSense 2.0-RC3 and I hope that it encourage everyone to update your system

    []s.


  • Banned

    Time To Crack:
    1306628104 centuries
    Total Passwords in Pattern:
    4 Septillion


Locked