Hacker got into my network? Strange access to my Google account?
-
Also if I were you I would set the PFBlockerng rules to use the floating rules that way it is only one list and out of the way so you can concentrate on setting up your LAN rules.
I am a Default Deny type so seeing your inner lans able to get out along any port or from any address seems too open for my taste.
I always start with block everything and open up communications as needed. That way if any system does get compromised you have a log of something that is not allowed trying to get out. It gives one a chance to find the unwanted access.
Below is a link where I mentioned this reason just before your post today. Personally I feel the Default lan rules are great for initial setup so it works for you but for security they are not very secure as you are now aware. Good firewall rules should go for both directions. -
@webtyro:
I am a Default Deny type …
I always start with block everything and open up communications as needed. That way if any system does get compromised you have a log of something that is not allowed trying to get out. It gives one a chance to find the unwanted access.
Personally I feel the Default lan rules are great for initial setup so it works for you but for security they are not very secure ... Good firewall rules should go for both directions.
Ditto, Bravo, Standing Ovation, Encore, the crowd of one goes crazy…
Finally I'm not the only one.
Outbound actually concerns me more than inbound.
-
@webtyro:
I am a Default Deny type …
I always start with block everything and open up communications as needed. That way if any system does get compromised you have a log of something that is not allowed trying to get out. It gives one a chance to find the unwanted access.
Personally I feel the Default lan rules are great for initial setup so it works for you but for security they are not very secure ... Good firewall rules should go for both directions.
Ditto, Bravo, Standing Ovation, Encore, the crowd of one goes crazy…
Finally I'm not the only one.
Outbound actually concerns me more than inbound.
LOL… another fan of Marcus Ranum's - The Six Dumbest Ideas in Computer Security.
http://www.ranum.com/security/computer_security/editorials/dumb/
Written over a decade ago but still relevant today. Go figure. :o
No, you're not the only nutjob here. Normal is overrated in my view. -
"Normal is overrated in my view."
So far I've been successful at avoiding that. Don't think I'm in any danger of ever being called "normal" by anyone but Mom.
-
so about 2 weeks ago I was doing a "cleanup" in my Google account when all of a sudden I noticed that a windows device had connected to my Google account a few hours prior, from my public IP. The problem is that I DO NOT run any windows devices on my network. I'm a 100% FreeBSD/Linux user. So this sign-in with a windows device was NOT me. Nobody has access to my Google account but me.
VLAN20 - LAN devices = OpenLDAP
VLAN30 - WLAN devices = FreeRadius Server with certificates and encryption
WiFi client isolation in pfSense "on"
WPA2 enterprise only
New WLAN Password
Clear the browser cache often
Don't store the name and password in the browser; scripts on sites you are visiting may try to find some things out without your knowledge. Scan all WiFi networks of your near area and deny them all or blacklist them.
So I proceeded to obtain more info about this mysterious windows device, and what puzzled me is that according to Google's data, the device was running Firefox 31.9 which was way behind any Firefox browser I ran on my LAN (all 41+).
If someone is recording your wireless connection and traffic and stores this in a dump file, and at home he is then cracking this file and finding out your nice password? He is able to spoof your IP and enter your network if he or she sees you are going out of your home! Bang, inside! With Radius certificates you will be one step ahead of these doings, in my opinion only.
Sure thing, 6 hours ago, a windows device from my public IP connected to my account, with Firefox 42 this time. All of my Firefoxes are 45+ (I keep ALL of my systems up to date on a constant basis).
Or he or she is setting up a rogue WLAN AP and your devices will more and more connect to that AP in your near neighborhood. Did you think about that?
I am not sure what to do here.. I have the feeling something is fishy, should I contact Google? Is there anything I can use in pfsense to monitor this? Right now my suspicion is that someone in my neighborhood hacked my wifi AP, and sniffed my google password from a mobile device (probably my ipod since the first windows device signed in before I purchased my nexus phone).
I would disable WiFi or install a FreeRadius server for any WiFi devices and an OpenLDAP Server for the LAN devices. This could be done by a small Raspberry Pi and Debian Linux and on top of that you could try out setting up VLANs for the entire LAN and WLAN. -
Didn't read all of that. But another incredibly dumb thing is that no matter how bad a system is the implementers get praised, bonuses, and promotions. Then the poor folks end up having to fix the system get praised, bonuses, and promotions. And the folks who tried to prevent the implementation in the first place get pigeonholed.
Which is akin to the philosophy of "never let a crisis go to waste". To which I append: "If there's not a crisis to take advantage of, create one."
-
"If there's not a crisis to take advantage of, create one."
Like the Internet Of Things. Nothing will go wrong there. Hackers have got it too easy.
Tell Mom I say hi. ;) -
So let me get this right, someone got into your wifi, and you use a 60 character psk? And they also happened to sniff your google password? So they also did a MITM on you, since when has google sent passwords in the clear?? You can not access gmail without using https..
As mentioned your firewall rules are completely pointless there.. WTF does snort have to do with getting on your wifi network?? Why do you not look in your dhcp log if you think some windows machine got on your wifi and accessed your gmail? Or did they also set up a static IP?
As to not being able to access your AP from your lan.. Does it have a gateway set? Maybe an old soho router used as AP by connecting it via lan port doesn't even have a way to set a gateway on lan.
What is the point of your wifi segment there? Seems like it's any any.. Might as well be on your lan.. If you're going to wear your tinfoil hat a bit tight, at least make an effort.. Setting up eap-tls is pretty simple these days with the free radius clickity clickity install you can do on pfsense. And an easy to use CA right there to create your certs for you, etc.
So you lock down your devices to use that wifi network, and still isolate it from your normal network. Then have a guest wifi that is completely isolated from all your other networks. This way your guests are not even on the same wifi as your devices like your ipad and phones, so they are going to have a hard time seeing any traffic they might be sending, etc.
-
Whoa!! You guys are incredible!
OK so let me get this straight: I'm not a networking guy although I grasp the basics… MY firewall is ill-configured (useless) and I need better protection with FreeRADIUS and OpenLDAP. Correct?
Also, to answer a few questions:
-the AP is NOT configured with static IP
-AFAIK OPT1 (LAN) and OPT2 (SEG) are not "bridged" or interconnected in any way. They independently run their own DHCP server and as a matter of fact, I tried to make OPT2 as independent as possible from LAN.
**First thing first: Configure the firewall to be effective and not useless!**
I have moved pfblocker's rules to a floating set as suggested. This helps clarity. Then I reconfigured my interfaces (LAN and SEG) with the basic rules as documented in https://doc.pfsense.org/index.php/Example_basic_configuration
I am just wondering about the Default Deny Type rules… I thought by default when traffic did not match a specific rule, it was blocked. So if I have a set of rules allowing LAN clients to go out, do I need to add a "block all" type of rule at the bottom of the ruleset? (see attached screenshot for my current ruleset for LAN, I added a default deny type rule but deactivated it for now since I did not want to lock everything down completely).
The other question is regarding connectivity between clients. I run several services on my LAN, each with different ports. For example, SSH daemons are running on custom ports. Do I need to create a rule to explicitly allow (pass) traffic from all LAN clients to the host where the service is running? For example let's assume SSHd is running on port 24 on server1. Do I need to create a LAN rule like this:
Source=LAN net / Port * / Destination=server1 / Port 24 ???
After my firewall is properly configured, I will move on to the original problem and setup the additional security measures.
Thanks!
-
I use Google's two factor authentication on my phone. Even works offline, i.e. it doesn't send you codes.
-
The Default Deny Rule will block everything that is not covered by the rules above it. The important thing is you will be able to Log everything it blocks. Example: You just installed a new program and it cannot update or is being blocked. You simply check your firewall logs and see that particular machine trying to get out by a certain protocol and port at the same time you were hitting the update on the program. Now you know exactly what rule is needed for that program. Simple, Yes!
That rule is for logging purposes and peace of mind that indeed everything else will explicitly be blocked.
As for your screenshot you should put the destination to "This Firewall" instead of "LAN Address", and maybe set up your Management Ports and Machines in an "Alias List" and block all other machines from the firewall management. Same for the DNS to "This Firewall".
Remember for machines connected to a common switch they can talk to each other without a rule being needed.
Best way is try it and if it works then no rule needed. The name of the game is the fewer rules the better.
The plus to all the work is the knowledge you will gain in knowing everything that is running on your network.
Make the Default Deny rule IPv4+6, not just IPv4 with TCP, and block all protocols. -
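The workflow described above (let the logged default-deny rule catch the new program, then read the firewall log to see which machine, protocol and port were blocked) as an added example that is not from the thread: a small parser for pfSense's filterlog lines that tallies blocked egress attempts per source host. The log lines, interface names, addresses and tracker ids are constructed samples, and the field positions follow pfSense's documented CSV filterlog layout for IPv4 TCP/UDP.

```python
from collections import Counter

# Constructed sample lines in pfSense filterlog CSV format (not from the
# thread). Field order: rule,subrule,anchor,tracker,iface,reason,action,
# direction,ipver, then IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,
# length,src,dst, then for TCP/UDP: sport,dport,datalen,...
SAMPLE_LOG = """\
Apr 14 10:21:43 pfSense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,198.51.100.7,51234,8080,0,S,1,,29200,,mss
Apr 14 10:21:44 pfSense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,198.51.100.7,51235,8080,0,S,2,,29200,,mss
Apr 14 10:22:01 pfSense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,64,0,0,none,17,udp,78,192.168.1.44,203.0.113.9,40123,6881,58
Apr 14 10:22:05 pfSense filterlog: 3,16777216,,1000000101,em1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,198.51.100.7,51236,443,0,S,3,,29200,,mss
Apr 14 10:22:09 pfSense filterlog: 5,16777216,,1000000103,em2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.10,198.51.100.7,41000,8080,0,S,4,,29200,,mss
"""


def parse_filterlog(line):
    """Return a dict for one IPv4 TCP/UDP filterlog line, else None."""
    if "filterlog: " not in line:
        return None
    fields = line.split("filterlog: ", 1)[1].strip().split(",")
    if len(fields) < 22 or fields[8] != "4" or fields[16] not in ("tcp", "udp"):
        return None
    return {
        "tracker": fields[3], "iface": fields[4], "action": fields[6],
        "direction": fields[7], "proto": fields[16],
        "src": fields[18], "dst": fields[19],
        "sport": int(fields[20]), "dport": int(fields[21]),
    }


def blocked_egress_attempts(log_text, iface):
    """Count packets blocked 'in' on a LAN-side interface, i.e. traffic a
    LAN host tried to send out, keyed by (src, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if (rec and rec["iface"] == iface and rec["action"] == "block"
                and rec["direction"] == "in"):
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    # Each tuple is exactly the source/protocol/port a new pass rule needs.
    for (src, proto, dport), n in blocked_egress_attempts(SAMPLE_LOG, "em1").items():
        print(f"{src} -> {proto}/{dport}: {n} blocked")
```

Run it against `clog /var/log/filter.log` output from the box instead of the sample to get the same summary for a real interface.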
"I added a default deny type rule but deactivated it for now since"
You do understand that every interface has a not shown default deny… As to your lan and seg interface being isolated.. Yeah from broadcast traffic, that was it.. They both had any any rules on them.. So what is the point of locking down your LAN?? You worried they are going to come into your house and plug into your network and then get on your wifi network??
What is your wifi segment rules?
-
"You do understand that every interface has a not shown default deny"
I think he mentioned that above and the rule is to be able to show and hide the log traffic as needed from that webpage. Helps to separate the wheat from the chaff when hunting down infections.
"They both had any any rules on them.."
In the screenshot they were disabled but not yet removed, he is getting there eventually.
Another good practice is a Default Deny to the LAN Address just "BELOW" your inner network rules before you start the rules for Outbound traffic to the web.
So you eventually have your inner network rules above and separated from the Outbound rules with that Default Deny to Lan Address, and at the bottom below the Outbound you have the Default Deny to ALL.
You still need to figure out your Segregation of machines from trusted and untrusted and wireless access and Guests if any. -
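The layered ordering recommended in the last few posts (inner-network rules, then a logged deny to the firewall itself, then outbound rules, then a logged deny of everything else, with management hosts kept in an alias), written out in pf.conf syntax as an added illustration; it is not pfSense-generated configuration, and the interface name, alias addresses and ports are assumptions. `quick` gives first-match semantics, which is how pfSense evaluates interface rules, and `(self)` is pf's equivalent of the GUI's "This Firewall".

```pf
# Added illustration, not pfSense-generated config. Names are assumptions.
lan_if  = "em1"
mgmt    = "{ 192.168.1.10, 192.168.1.11 }"   # alias: management workstations
web_out = "{ 80, 443, 993 }"                 # HTTP, HTTPS, IMAPS

# 1. Inner-network rules: only management hosts reach the GUI/SSH,
#    every LAN host may use the firewall's DNS forwarder.
pass in quick on $lan_if proto tcp from $mgmt to (self) port { 443, 22 }
pass in quick on $lan_if proto { tcp, udp } from $lan_if:network to (self) port 53

# 2. Logged deny to the firewall itself, placed just below the inner rules,
#    so unexpected management attempts from other hosts show up in the log.
block in log quick on $lan_if from any to (self)

# 3. Outbound rules for the rest of the Internet.
pass in quick on $lan_if proto tcp from $lan_if:network to any port $web_out

# 4. Explicit logged default deny, all protocols, both IPv4 and IPv6.
block in log quick on $lan_if inet all
block in log quick on $lan_if inet6 all
```

The two closing block rules change nothing about what gets through, since pfSense's hidden default deny would drop that traffic anyway; their value is that every drop is logged against a rule you can see and filter on.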
"I added a default deny type rule but deactivated it for now since I did not want to lock everything down completely)."
He is not talking about logging.. This makes no mention of creating a rule to log and turning off default logging..
His any any rules from before when he was talking about his wifi being isolated - not with those original rules it wasn't, with any any all he had going was 2 different broadcast domains nothing more..
Who is taking book that this is all just BS plain and simple.. Some windows machine got on his wifi, somehow sniffed/gleaned his gmail password… And then did what, logged in a couple of times? Who is taking action that it was just one of his own devices?? He then changed it to a 60+ character psk, and it still happened? Come on really???
There is locking down your networks because it's the right thing to do, and there is just plain "I smoked too much dope" paranoia ;)
-
"I added a default deny type rule but deactivated it for now since I did not want to lock everything down completely)."
He is not talking about logging.. This makes no mention of creating a rule to log and turning off default logging..
His any any rules from before when he was talking about his wifi being isolated - not with those original rules it wasn't, with any any all he had going was 2 different broadcast domains nothing more..
Who is taking book that this is all just BS plain and simple.. Some windows machine got on his wifi, somehow sniffed/gleaned his gmail password… And then did what, logged in a couple of times? Who is taking action that it was just one of his own devices?? He then changed it to a 60+ character psk, and it still happened? Come on really???
There is locking down your networks because it's the right thing to do, and there is just plain "I smoked too much dope" paranoia ;)
Ahhh the good old days, never mind. I hear you, just trying to lead this horse to the water. We both know it is not up to us if they drink.
-
The important thing is you will be able to Log everything it blocks
I had a good feeling this was the case. I guess for housekeeping I will keep them on both LAN interfaces so I have logs should something happen..
You do understand that every interface has a not shown default deny..
I was not sure about this one. I figured there was a default block rule by observing the FW logs, but the rule not being shown, I was not sure…
Yeah from broadcast traffic, that was it.. They both had any any rules on them.. So what is the point of locking down your LAN?? You worried they are going to come into your house and plug into your network and then get on your wifi network??
The point of LAN is for my well known machines and smart TV, appliances, etc. I have a ruleset and snort rules for those machines. For the other machines (wifi, cells, laptops) that are not totally under my control, I'd rather have them segregated on a different interface so troubleshooting can be done, and more granular control is achieved. I am not sure why this is so complicated. If I could, I'd just copy LAN and rename it SEG and be done with it!!!!
Attached are screenshots of my CURRENT setup. I observe major problems with this config and I am not sure why….
1. I cannot access one of the clients on SEG. I cannot ping it and I cannot SSH to it. It's completely isolated from LAN it seems... Strange thing though, I can finally access my idiotic AP on SEG (webpage and all)... So why the AP and not the client? (BTW to have the AP work on SEG, I had to configure it for static IP in its firmware)....
2. With the rulesets posted in attachment, clients on SEG have no internet connectivity although the rulesets are identical between LAN and SEG. Of course LAN clients have internet connectivity because otherwise I couldn't write this... ;) The only way to allow internet connectivity for clients on SEG is to add an "Allow all" rule at the top of SEG's ruleset (it is disabled on the screenshot). So why do I need such a rule on SEG and not on LAN??? Is there something obscure in how pfsense treats non-LAN interfaces? Kinda the deny all rule being there but hidden?
-
According to the LAN rules image you posted clients can…
Access pfSense (LAN Address) on ports 468 and 80.
Access pfSense (LAN Address) on port 53 (DNS).
Access anything on ports 80 (HTTP), 443 (HTTPS), and 993 (IMAP/S).
Of course you already know all of that.
What you seem to be unclear on is that all other ingress is blocked, by implicit default rules. So no need to add a deny rule at the end (it's already there, just not shown).
Another thing that may be unclear, or maybe it is, so just to be sure, the interface specific rules only apply to ingress.
For egress floating rules are used.
Also once a rule is matched and the connection established and placed in the state table then the rules are bypassed for that connection.
Rules for services hosted on other LAN connected servers should not be needed as that traffic should be direct between the client and server.
-
What you seem to be unclear on is that all other ingress is blocked, by implicit default rules. So no need to add a deny rule at the end (it's already there, just not shown).
I know, like I said in my last post, I put it only for logging purposes.
Another thing that may be unclear, or maybe it is, so just to be sure, the interface specific rules only apply to ingress.
For egress floating rules are used.
We never spoke about floating rules so far, except for pfblocker's rules where someone suggested to make them floating for uncluttering the LAN and SEG interfaces… Are you suggesting I use a floating rule to allow traffic between the LAN & SEG? I'm asking because I screwed up enough so far, before I do something stupid (or stupider...)
Rules for services hosted on other LAN connected servers should not be needed as that traffic should be direct between the client and server.
So if I understand what you're saying, no need for a rule on a specific interface when communication is between 2 clients on the same interface? Analogous to 2 computers connected to a single switch? In that case, should I add a rule to allow traffic between LAN and SEG? -
Wasn't suggesting that you do anything particular. Just wanted to be sure you had the understanding.
-
Another tip for the logging, I know it is available in 2.3 but it looks like you're on 2.2.6, so you can check around
Status/System Logs/Settings and allow another column to show which rule fired the block log.
Anyway I posted a screenshot of my untrusted network rule set over here if it helps.
https://forum.pfsense.org/index.php?topic=109512.0