Pfsense exploits

Nachtfalke · May 31, 2012, 10:54 AM

I didn't watch that video but the fact that stephenw10 wrote about disabled ssh - if I am not completly wrong - this was fixed.

podilarius · May 31, 2012, 11:07 AM

I am sure it has been … it was pfsense version 2.0 Beta3 iirc.

jimp · Jun 2, 2012, 1:24 AM

That may have been an issue with a really crusty old beta, but never a release.

Plus:

1. Block ssh with firewall rules
2. Even if it's open, sshlockout kicks in and blocks the IP after 5 failed logins
3. Use key-only auth
4. Move ssh to an alternate port

For best results, mix 3 and 4 with a dash of 1. Salt to taste.

cmb · Jun 2, 2012, 6:55 AM

It's a simple password brute force attack. The only "issue" there was the XMLRPC interface didn't automatically lock out attempted brute force attacks, where as the web interface and SSH did at the time. It does since at least 2.0.1 release and maybe earlier, don't recall the exact timing. So if you had an easy enough password to brute force guess, yeah you could succeed via that and not via the web interface or SSH unless you got it in the first 10 tries. It's far from an "exploit", no more so than the ability to brute force everything in existence is an exploit. And of everything else, we're one of the very few devices that will automatically block IPs trying to brute force attack. If you consider that an "exploit", then virtually every other firewall, router, and operating system in existence today is "vulnerable" out of the box, but we aren't.

The moral of the story is don't use weak passwords on anything. We do far better than pretty much anything else at protecting you from yourself, but there is no alternative to strong passwords.

mr_bobo · Jun 3, 2012, 8:05 PM

@cmb:

The moral of the story is don't use weak passwords on anything. We do far better than pretty much anything else at protecting you from yourself, but there is no alternative to strong passwords.

How long would it take to crack your password?

Time To Crack:
151850307 centuries
Total Passwords in Pattern:
460 Sextillion

chpalmer · Jun 3, 2012, 10:42 PM

@mr_bobo:

How long would it take to crack your password?

Time To Crack:
151850307 centuries
Total Passwords in Pattern:
460 Sextillion

Thanks for the link…

Mine isnt that good... (or something similar)
Time To Crack:
2 months, 3 days
Total Passwords in Pattern:
5 Trillion

The president of the corporation I used to work for...

This password needs more strength
Time To Crack:
less than 1 day
Total Passwords in Pattern:
18 Thousand

:o ;D

marcelloc · Jun 3, 2012, 10:59 PM

I suggest you to do not enter your real passwords in any password test site as it could be used to populate brute force databases.

chpalmer · Jun 3, 2012, 11:16 PM

I suggest you to do not enter your real passwords in any password test site as it could be used to populate brute force databases.

(or something similar)

Way ahead of ya! ;D

neriberto · Jun 4, 2012, 3:39 PM

Hi everybody,

I wrote this auxiliary for metasploit and I don´t consider it an exploit. This issue was fixed in pfSense 2.0-RC3 and I hope that it encourage everyone to update your system

[]s.

Supermule · Jun 4, 2012, 3:49 PM

Time To Crack:
1306628104 centuries
Total Passwords in Pattern:
4 Septillion