• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Pfsense exploits

Scheduled Pinned Locked Moved General pfSense Questions
14 Posts 11 Posters 11.3k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • N
    Nachtfalke
    last edited by May 31, 2012, 10:54 AM

    I didn't watch that video but the fact that stephenw10 wrote about disabled ssh - if I am not completly wrong - this was fixed.

    1 Reply Last reply Reply Quote 0
    • P
      podilarius
      last edited by May 31, 2012, 11:07 AM

      I am sure it has been … it was pfsense version 2.0 Beta3 iirc.

      1 Reply Last reply Reply Quote 0
      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Jun 2, 2012, 1:24 AM

        That may have been an issue with a really crusty old beta, but never a release.

        Plus:

        1. Block ssh with firewall rules
        2. Even if it's open, sshlockout kicks in and blocks the IP after 5 failed logins
        3. Use key-only auth
        4. Move ssh to an alternate port

        For best results, mix 3 and 4 with a dash of 1. Salt to taste.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • C
          cmb
          last edited by Jun 2, 2012, 6:55 AM

          It's a simple password brute force attack. The only "issue" there was the XMLRPC interface didn't automatically lock out attempted brute force attacks, where as the web interface and SSH did at the time. It does since at least 2.0.1 release and maybe earlier, don't recall the exact timing. So if you had an easy enough password to brute force guess, yeah you could succeed via that and not via the web interface or SSH unless you got it in the first 10 tries. It's far from an "exploit", no more so than the ability to brute force everything in existence is an exploit. And of everything else, we're one of the very few devices that will automatically block IPs trying to brute force attack. If you consider that an "exploit", then virtually every other firewall, router, and operating system in existence today is "vulnerable" out of the box, but we aren't.

          The moral of the story is don't use weak passwords on anything. We do far better than pretty much anything else at protecting you from yourself, but there is no alternative to strong passwords.

          1 Reply Last reply Reply Quote 0
          • M
            mr_bobo
            last edited by Jun 3, 2012, 8:05 PM

            @cmb:

            The moral of the story is don't use weak passwords on anything. We do far better than pretty much anything else at protecting you from yourself, but there is no alternative to strong passwords.

            How long would it take to crack your password?

            Time To Crack:
            151850307 centuries
            Total Passwords in Pattern:
            460 Sextillion

            1 Reply Last reply Reply Quote 0
            • C
              chpalmer
              last edited by Jun 3, 2012, 10:42 PM

              @mr_bobo:

              How long would it take to crack your password?

              Time To Crack:
              151850307 centuries
              Total Passwords in Pattern:
              460 Sextillion

              Thanks for the link…

              Mine isnt that good... (or something similar)
              Time To Crack:
              2 months, 3 days
              Total Passwords in Pattern:
              5 Trillion

              The president of the corporation I used to work for...

              This password needs more strength
              Time To Crack:
              less than 1 day
              Total Passwords in Pattern:
              18 Thousand

              :o ;D

              Triggering snowflakes one by one..
              Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              1 Reply Last reply Reply Quote 0
              • M
                marcelloc
                last edited by Jun 3, 2012, 10:59 PM

                I suggest you to do not enter your real passwords in any password test site as it could be used to populate brute force databases.

                Treinamentos de Elite: http://sys-squad.com

                Help a community developer! ;D

                1 Reply Last reply Reply Quote 0
                • C
                  chpalmer
                  last edited by Jun 3, 2012, 11:16 PM

                  I suggest you to do not enter your real passwords in any password test site as it could be used to populate brute force databases.

                  (or something similar)

                  Way ahead of ya!    ;D

                  Triggering snowflakes one by one..
                  Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  1 Reply Last reply Reply Quote 0
                  • N
                    neriberto
                    last edited by Jun 4, 2012, 3:39 PM

                    Hi everybody,

                    I wrote this auxiliary for metasploit and I don´t consider it an exploit. This issue was fixed in pfSense 2.0-RC3 and I hope that it encourage everyone to update your system

                    []s.

                    1 Reply Last reply Reply Quote 0
                    • S
                      Supermule Banned
                      last edited by Jun 4, 2012, 3:49 PM

                      Time To Crack:
                      1306628104 centuries
                      Total Passwords in Pattern:
                      4 Septillion

                      1 Reply Last reply Reply Quote 0
                      14 out of 14
                      • First post
                        14/14
                        Last post
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                        This community forum collects and processes your personal information.
                        consent.not_received