Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Michael Schuh
2009/7/22 Nathan Eisenberg :
> I do feel that changing the port may not truly constitute an increase in 
> security.  It makes you less visible, perhaps.  But this particular firewall 
> is already subjected to port scans across the entire range, including 
> highports (it has some very high traffic web sites behind it), so the 
> alternate port would be detected relatively quickly anyways.
>
> Thank You,
> Nathan Eisenberg
> Sr. Systems Administrator
> Atlas Networks, LLC
>
>
> -
> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
> For additional commands, e-mail: support-h...@pfsense.com
>
> Commercial support available - https://portal.pfsense.org
>
>

In such cases I also use Snort with Oinkmaster rulesets;
it can also detect port scans and ban such IPs
for a while completely from your firewall and your net.
This also protects other services like FTP.
Our FTP service also often gets compromised by crackers with
brute-force attacks...

regards

michael


-- 
= = =  m  i  c  h  a  e  l  -  s  c  h  u  h  .  n  e  t  = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  Ust-ID:  DE251072318  = = =


RE: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Nathan Eisenberg
I do feel that changing the port may not truly constitute an increase in 
security.  It makes you less visible, perhaps.  But this particular firewall is 
already subjected to port scans across the entire range, including highports 
(it has some very high traffic web sites behind it), so the alternate port 
would be detected relatively quickly anyways.

Thank You,
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC



Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Michael Schuh
2009/7/22 Jeppe Øland :
>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
>> package like fail2ban out there which could automatically blacklist
>> IPs after x
> Request: It would be really nice if pfsense could limit the
> connection-rate *per IP*.
>>>> IIRC it is possible to set this per source-IP ;-)
>>> Maybe I missed an option then?
>>> How do you configure it?
>> This is configured through the Advanced options in each filter rule.
>> If you set 5 connections, see the attached picture ;-)
>
> The way I read these options is:
> * Simultaneous client connection limit
> The number of simultaneous connections each client can have.
> * Maximum new connections / per second
> Global maximum connection limits.

Also related per source IP, as far as I understand the lines in the
XML backup file correctly.
The pf filter itself supports it this way, and I think pfSense uses
it this way...
as you can see...
snip===8<=
 
pass
wan
5


keep state

5
60
tcp




mcip
22

limited ssh access to max 5 conn/host 5
conn/minute

=>8=snap=

> The first option will limit how many concurrent SSH sessions I can run from
> any one IP.
> The second option will limit how many connections can be attempted per
> interval.
> As far as I know, setting a client connection limit will *not* prevent the
> connection/time limit from killing you in case somebody starts hammering the
> server.

It does prevent that, because it's related to each individual source IP, if I
was right...

> Am I not reading these options right?
> (Some documentation would be nice too *G*)
>> Yes, only using SSH-Keys is an very good option, but not useful if you
>> are on the Way or you have your keys not by hand. ;-)
>
> Indeed everything is a compromise.
> Changing the port also has issues since some admins won't allow all ports
> outbound (of course they might not allow SSH out either).

:-D You could set it to an allowed common port; OK, OK, this probably
brings other issues.
Using port 80, 443 or 25 is not really nice.

> Regards,
> -Jeppe

regards

michael



Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Jeppe Øland
> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
> package like fail2ban out there which could automatically blacklist
> IPs after x
>>>> Request: It would be really nice if pfsense could limit the
>>>> connection-rate *per IP*.
>>> IIRC it is possible to set this per source-IP ;-)
>> Maybe I missed an option then?
>> How do you configure it?
> This is configured through the Advanced options in each filter rule.
> If you set 5 connections, see the attached picture ;-)

The way I read these options is:

* Simultaneous client connection limit
The number of simultaneous connections each client can have.

* Maximum new connections / per second
Global maximum connection limits.

The first option will limit how many concurrent SSH sessions I can run from
any one IP.
The second option will limit how many connections can be attempted per
interval.

As far as I know, setting a client connection limit will *not* prevent the
connection/time limit from killing you in case somebody starts hammering the
server.

Am I not reading these options right?
(Some documentation would be nice too *G*)

> Yes, only using SSH-Keys is an very good option, but not useful if you
> are on the Way or you have your keys not by hand. ;-)

Indeed everything is a compromise.

Changing the port also has issues since some admins won't allow all ports
outbound (of course they might not allow SSH out either).

Regards,
-Jeppe


RE: [pfSense Support] 1U Case Reco

2009-07-21 Thread Cheyenne Deal
I have Nokia IP330, 3x 10/100 Ethernet, 1U Rackmount. $30, I have offered these 
on the m0n0wall list, I'll make a post on this list also.

-Original Message-
From: Joseph L. Casale 
Sent: Tuesday, July 21, 2009 7:46 PM
To: 'support@pfsense.com' 
Subject: [pfSense Support] 1U Case Reco

Anyone know who makes a decent 1u case with the eth and peripheral
slot open in the front and that also redirects the leds up front
for a Soekris 5501?

If need be, I am open to a different mobo suggestion as well, I just
need ~4 eth ports and an embedded design resilient to any potential
power outages at this location.

Thanks,
jlc


Re: [pfSense Support] 1U Case Reco

2009-07-21 Thread Curtis LaMasters
I don't know if it meets all of your requirements but I do quite a few
installs on http://www.ironsystems.com AR230.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com



On Tue, Jul 21, 2009 at 7:46 PM, Joseph L.
Casale wrote:
> Anyone know who makes a decent 1u case with the eth and peripheral
> slot open in the front and that also redirects the leds up front
> for a Soekris 5501?
>
> If need be, I am open to a different mobo suggestion as well, I just
> need ~4 eth ports and an embedded design resilient to any potential
> power outages at this location.
>
> Thanks,
> jlc
>


Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Lyle Giese
Paul Cockings wrote:
> Jeppe Øland wrote:
>> >> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
>> package
>> >> like fail2ban out there which could automatically blacklist IPs
>> after x bad
>> >> logins?
>> > b) limit the connection-rate to a preferred useful value in the
>> filter-rules
>>
>> This works reasonably well.
>> Unfortunately, the entire rule gets locked down when the rate is
>> exceeded, so you may lock yourself out too. (It automatically unlocks
>> when the hammering stops and your rate interval expires, and most
>> hammer scripts move on to a new IP when it stops responding, so it's
>> not the end of the world).
>>
>> Request: It would be really nice if pfsense could limit the
>> connection-rate *per IP*.
>>
>> Regards,
>> -Jeppe
> Why leave your ssh service exposed to the world?   Lock it down to a
> range of ip's (or subnet of your isp), or if you don't have static
> ip's try setting up openvpn.
> IMO it's best to expose as little as possible.
>
> regards,
> Pc
>
From a practical standpoint, I harden ssh as best I can (disable v1 and
use the allowgroups directive to limit the number of available valid
login ids).  But you would be surprised at how effective changing the
sshd port is.

Again, don't forget to harden sshd as best you can; changing the port
should not be your only security measure to implement.  And aggressive
log monitoring is a must.

Lyle Giese
LCR Computer Services, Inc.
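
What a fail2ban-style blacklist would look like if it were driven by the sshd log rather than by the connection rate, as an added example that is neither a pfSense package nor fail2ban's own code: count failed logins per source address inside a sliding window and, once the threshold is reached, emit the pfctl commands that put the address into a pf table and kill the states it already holds. The log lines are constructed in OpenSSH's syslog format, the pf table name `bruteforce` is an assumption (it needs a matching block rule on the firewall), and the commands are only returned as strings so the script runs anywhere without touching pf.

```python
"""Fail2ban-style SSH blacklisting from sshd log lines (added example;
not pfSense, pf or fail2ban code).  Failed logins are counted per source
address in a sliding window; past the threshold the source is 'banned'
for a fixed time and the pfctl commands that would enforce it are returned."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TABLE = "bruteforce"  # assumed pf table name; a block rule must reference it

# OpenSSH syslog format.  'invalid user' marks accounts that do not exist,
# the plain form marks real accounts with a wrong credential.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_ts(ts, year=2009):
    """syslog timestamps carry no year; supply the year of the log being read."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class BruteForceBanner:
    def __init__(self, max_fail=5, window_s=600, ban_s=3600):
        self.max_fail = max_fail
        self.window = timedelta(seconds=window_s)
        self.ban = timedelta(seconds=ban_s)
        self._fails = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                  # ip -> moment the ban lapses

    def expire(self, now):
        """Lift bans whose time is up; returns the released addresses."""
        released = sorted(ip for ip, until in self.banned.items() if until <= now)
        for ip in released:
            del self.banned[ip]
        return released

    def feed(self, line):
        """Process one log line; return the pfctl commands it triggers (usually none)."""
        m = FAILED_LOGIN.match(line)
        if not m:
            return []
        now, ip = parse_ts(m["ts"]), m["ip"]
        self.expire(now)
        if ip in self.banned:
            return []                     # already tabled; nothing new to do
        fails = self._fails[ip]
        fails.append(now)
        while fails and now - fails[0] > self.window:
            fails.popleft()               # forget failures outside the window
        if len(fails) < self.max_fail:
            return []
        self.banned[ip] = now + self.ban
        fails.clear()
        return [f"pfctl -t {TABLE} -T add {ip}",  # block further connections
                f"pfctl -k {ip}"]                 # kill states it already has


# Constructed sample log; the addresses come from the documentation ranges.
SAMPLE_LOG = [
    "Jul 21 10:40:01 fw sshd[2201]: Accepted publickey for nathan from 203.0.113.5 port 50110 ssh2",
    "Jul 21 10:42:01 fw sshd[2210]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "Jul 21 10:42:03 fw sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51235 ssh2",
    "Jul 21 10:42:05 fw sshd[2212]: Failed password for invalid user oracle from 198.51.100.7 port 51236 ssh2",
    "Jul 21 10:42:06 fw sshd[2213]: Failed password for invalid user test from 192.0.2.9 port 40001 ssh2",
    "Jul 21 10:42:07 fw sshd[2214]: Failed password for root from 198.51.100.7 port 51237 ssh2",
    "Jul 21 10:42:09 fw sshd[2215]: Failed password for root from 198.51.100.7 port 51238 ssh2",
    "Jul 21 10:42:11 fw sshd[2216]: Failed password for root from 198.51.100.7 port 51239 ssh2",
    "Jul 21 10:55:00 fw sshd[2230]: Failed password for nathan from 203.0.113.5 port 50200 ssh2",
]


def process(lines, **kwargs):
    """Run the banner over a log; return the commands emitted and who is banned."""
    banner = BruteForceBanner(**kwargs)
    commands = []
    for line in lines:
        commands.extend(banner.feed(line))
    return {"commands": commands, "banned": sorted(banner.banned)}


if __name__ == "__main__":
    for cmd in process(SAMPLE_LOG)["commands"]:
        print(cmd)
```

The rate limit in a filter rule fires on SYNs alone, so it also throttles a legitimate client that reconnects often; the log watcher only reacts to authentication failures, which is why the admin's single typo at 10:55 in the sample is not banned while the bot is tabled on its fifth failure. The two are complementary: the rate limit needs no log access, the log watcher has to run wherever the sshd log is visible.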



[pfSense Support] 1U Case Reco

2009-07-21 Thread Joseph L. Casale
Anyone know who makes a decent 1u case with the eth and peripheral
slot open in the front and that also redirects the leds up front
for a Soekris 5501?

If need be, I am open to a different mobo suggestion as well, I just
need ~4 eth ports and an embedded design resilient to any potential
power outages at this location.

Thanks,
jlc


RE: [pfSense Support] IGMP packet out of WAN

2009-07-21 Thread Evgeny Yurchenko
> -Original Message-
> From: Ermal Luçi [mailto:ermal.l...@gmail.com] 
> Sent: July 20, 2009 2:38 PM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] IGMP packet out of WAN
> 
> Sorry for the late reply but i have been busy with work.
> Read below...
> 
> On Sun, Jul 19, 2009 at 2:29 AM, Evgeny
> Yurchenko wrote:
> >> -Original Message-
> >> From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On 
> Behalf Of 
> >> Chris Buechler
> >> Sent: July 18, 2009 3:50 AM
> >> To: support@pfsense.com
> >> Subject: Re: [pfSense Support] IGMP packet out of WAN
> >>
> >> On Mon, Jul 13, 2009 at 6:59 PM, Evgeny 
> >> Yurchenko wrote:
> >> >
> >> > No, I can not see in logs. But on LAN I have
> >> >
> >> > 18:55:24.602839 IP 192.168.1.2 > 224.0.0.22: igmp v2 report
> >> > 239.142.1.1
> >> >
> >> > It does not go out of WAN. And when I disable packet
> >> filtering it does go out of WAN.
> >> >
> >>
> >> You're using the IGMP proxy package on 1.2.x I presume?  It's not 
> >> blocking it if it isn't getting logged (unless you 
> disabled logging 
> >> on the default rules), but it sounds like it has some sort 
> of impact 
> >> on the traffic. I spent some time working with that 
> package and never 
> >> could get it to pass the traffic as it should, though the code it 
> >> came from in 2.0 did work for me. Haven't had time to go back and 
> >> look at it further.
> >>
> >> 
> >>
> > Yes, I use 1.2 release. I am sorry for misinforming you. When I 
> > disable packet filtering then packet received on LAN goes 
> to WAN which 
> > is quite expected behaviour, so it is not packet generated 
> by igmpproxy.
> > My findings are here. I get in debug mode:
> > igmpproxy, Version 0.1 beta2, Build 090427 Copyright 2005 by Johnny 
> > Egeland  Distributed under the GNU GENERAL PUBLIC 
> > LICENSE, Version 2 - check GPL.txt
> >
> > Debu: Searching for config file at '/tmp/igmpproxy.conf'
> > Debu: Config: Quick leave mode enabled.
> > Debu: Config: Got a phyint token.
> > Debu: Config: IF: Config for interface bge0.
> > Debu: Config: IF: Got downstream token.
> > Debu: Config: IF: Got ratelimit token '0'.
> > Debu: Config: IF: Got threshold token '1'.
> > Debu: Config: IF: Got altnet token 224.0.0.0/4.
> > Debu: Config: IF: Altnet: Parsed altnet to 224/4.
> > Debu: IF name : bge0
> > Debu: Next ptr : 0
> > Debu: Ratelimit : 0
> > Debu: Threshold : 1
> > Debu: State : 2
> > Debu: Allowednet ptr : 2820c030
> > Debu: Config: Got a phyint token.
> > Debu: Config: IF: Config for interface bge1.
> > Debu: Config: IF: Got upstream token.
> > Debu: Config: IF: Got ratelimit token '0'.
> > Debu: Config: IF: Got threshold token '1'.
> > Debu: Config: IF: Got altnet token 224.0.0.0/4.
> > Debu: Config: IF: Altnet: Parsed altnet to 224/4.
> > Debu: IF name : bge1
> > Debu: Next ptr : 0
> > Debu: Ratelimit : 0
> > Debu: Threshold : 1
> > Debu: State : 1
> > Debu: Allowednet ptr : 2820c040
> > Debu: Adding Physical Index value of IF 'bge0' is 1
> > Debu: buildIfVc: Interface bge0 Addr: 192.168.1.1, Flags: 
> 0x8943,
> > Network: 192.168.1/24
> > Debu: Adding Physical Index value of IF 'bge1' is 2
> > Debu: buildIfVc: Interface bge1 Addr: 192.168.7.171, Flags: 
> > 0x8843,
> > Network: 192.168.7/24
> > Debu: Adding Physical Index value of IF 'lo0' is 6
> > Debu: buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0x8049,
> > Network: 127/8
> > Debu: Found config for bge1
> > Note: adding VIF, Ix 0 Fl 0x0 IP 0x0101a8c0 bge0, Threshold: 1,
> > Ratelimit: 0
> > Debu:         Network for [bge0] : 192.168.1/24
> > Note: adding VIF, Ix 1 Fl 0x0 IP 0xab07a8c0 bge1, Threshold: 1,
> > Ratelimit: 0
> > Debu:         Network for [bge1] : 192.168.7/24
> > Debu:         Network for [bge1] : 224/4
> > Debu: Got 262144 byte buffer size in 0 iterations
> > Debu: Joining all-routers group 224.0.0.2 on vif 192.168.1.1
> > Note: joinMcGroup: 224.0.0.2 on bge0
> > Debu: SENT Membership query   from 192.168.1.1     to 224.0.0.1
> > Debu: Sent membership query from 192.168.1.1 to 224.0.0.1. Delay: 10
> > Debu: Created timeout 1 (#0) - delay 10 secs
> > Debu: (Id:1, Time:10)
> > Debu: Created timeout 2 (#1) - delay 21 secs
> > Debu: (Id:1, Time:10)
> > Debu: (Id:2, Time:21)
> > Debu: Packet from 192.168.1.1: proto: 2 hdrlen: 20 iplen: 8 or 2048
> > Note: RECV Membership query   from 192.168.1.1     to 
> 224.0.0.1 (ip_hl 
> > 20, data 8)
> > Debu: About to call timeout 1 (#0)
> > Debu: Aging routes in table.
> > Debu:
> > Current routing table (Age active routes);
> > -
> >
> > Debu: No routes in table...
> > Debu:
> > ---
> >
> >
> > Then I run small program on my laptop connected to

RE: [pfSense Support] IGMP packet out of WAN

2009-07-21 Thread Evgeny Yurchenko
> -Original Message-
> From: cbuech...@gmail.com [mailto:cbuech...@gmail.com] On 
> Behalf Of Chris Buechler
> Sent: July 21, 2009 10:58 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] IGMP packet out of WAN
> 
> On Mon, Jul 20, 2009 at 6:51 PM, Evgeny
> Yurchenko wrote:
> >> -Original Message-
> >> From: Ermal Luçi [mailto:ermal.l...@gmail.com]
> >> Sent: July 20, 2009 6:03 PM
> >> To: support@pfsense.com
> >> Subject: Re: [pfSense Support] IGMP packet out of WAN
> >>
> >> On Mon, Jul 20, 2009 at 9:02 PM, Evgeny 
> >> Yurchenko wrote:
> >> [snip]
> >>
> >>
> >> > think I'll spend the rest of my life trying to figure out how to 
> >> > install development environment > on pfSense unless there 
> is a guide 
> >> > somewhere -)))
> >> I patched the port so later on a new binary will be 
> available for you 
> >> to test.
> >> Please report back your findings.
> >>
> >>
> >> --
> >> Ermal
> >>
> >
> > Thank you Ermal, please let me know when I can grab this new binary.
> >
> 
> Try this (built from what Ermal committed earlier).
> http://cvs.pfsense.org/~cmb/igmpproxy
> 
> 
Sorry, but no luck:
Debu: Packet from 192.168.8.2: proto: 2 hdrlen: 20 iplen: 8 or 2048
Note: RECV V2 member report   from 192.168.8.2 to 224.0.0.22 (ip_hl 20, 
data 8)
Debu: Should insert group 239.142.1.1 (from: 192.168.8.2) to route table. Vif 
Ix : 0
Debu: No existing route for 239.142.1.1. Create new.
Debu: Found existing routes. Find insert location.
Debu: Inserting at beginning, before route 239.255.255.250
Info: Inserted route table entry for 239.142.1.1 on VIF #0
Debu: Joining group 239.142.1.1 upstream on IF address 192.168.254.1
Note: joinMcGroup: 239.142.1.1 on bge1
Warn: MRT_ADD_MEMBERSHIP failed; Errno(22): Invalid argument


Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread David Burgess
On Tue, Jul 21, 2009 at 10:42 AM, Nathan Eisenberg
wrote:

> Hello Paul,
>
> I've considered that, but in this instance, it's not an option.  I agree
> that limiting exposure is a good first step, but I think brute force
> protection regardless of source address could be a valuable next step.  SSH
> keys ensure that the accounts won't actually be breached; it's just
> irritating to me that clearly hostile traffic is allowed to attack the
> service for as long as it pleases.
>
> Plus it clutters up the logs and uses some CPU/bandwidth resources - and
> while I have plenty of both, 'waste not, want not'!  :)



Amen.

db


Re: [pfSense Support] seperate gui and console password

2009-07-21 Thread Paul Mansfield
Nick Smith wrote:
> thanks for any help, id like to keep the console password to something
> other than the gui password if at all possible.

could you use ssh keys to grant console access without giving out web
gui password, or do you want to do it the other way round?


[pfSense Support] Re: odd sip firewall issue

2009-07-21 Thread R. Th. Boots
Chris Buechler wrote:
> On Tue, Jul 21, 2009 at 11:55 AM, R. Th. Boots wrote:
>> Correct me if I am not misinterpret option 1, but my problem is with
>> inbound connection so option 1 should not apply to my problem. I tried
>> it but still the same.
>>
> 
> That inbound connection generally isn't an inbound connection, it's
> part of a state for an outbound connection. That may vary. If you do
> need to forward that traffic inbound make sure it's forwarded properly
> in NAT, hitting a pass firewall rule with logging will log it as
> passed, but it's not going to send it anywhere without the proper NAT
> config.
> 
> One of those 3 solves every VoIP problem I've personally seen, and
> siproxd doesn't apply here, so I'm out of ideas unless you need and
> are missing inbound NAT.
> 
> 

Thanks for the help.

When I do a dump on the pflog0 interface then I see the packets coming
in, but now to the internal address instead of the external address. So
all seems to be doing fine except for the fact that it never leaves the
LAN interface.

Regards,

Richard



RE: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Nathan Eisenberg
Hello Paul,

I've considered that, but in this instance, it's not an option.  I agree that 
limiting exposure is a good first step, but I think brute force protection 
regardless of source address could be a valuable next step.  SSH keys ensure 
that the accounts won't actually be breached; it's just irritating to me that 
clearly hostile traffic is allowed to attack the service for as long as it 
pleases.  

Plus it clutters up the logs and uses some CPU/bandwidth resources - and while 
I have plenty of both, 'waste not, want not'!  :)

Best Regards
Nathan Eisenberg
Sr. Systems Administrator
Atlas Networks, LLC

-Original Message-
From: Paul Cockings [mailto:p...@cytringan.co.uk] 
Sent: Tuesday, July 21, 2009 1:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?

Jeppe Øland wrote:
> >> Some of my pfsense boxes get a lot of SSH bruteforces; is there a 
> package
> >> like fail2ban out there which could automatically blacklist IPs 
> after x bad
> >> logins?
> > b) limit the connection-rate to a preferred useful value in the 
> filter-rules
>
> This works reasonably well.
> Unfortunately, the entire rule gets locked down when the rate is 
> exceeded, so you may lock yourself out too. (It automatically unlocks 
> when the hammering stops and your rate interval expires, and most 
> hammer scripts move on to a new IP when it stops responding, so it's 
> not the end of the world).
>
> Request: It would be really nice if pfsense could limit the 
> connection-rate *per IP*.
>
> Regards,
> -Jeppe
Why leave your ssh service exposed to the world?   Lock it down to a 
range of ip's (or subnet of your isp), or if you don't have static ip's 
try setting up openvpn.
IMO it's best to expose as little as possible.

regards,
Pc


Re: [pfSense Support] Re: odd sip firewall issue

2009-07-21 Thread Chris Buechler
On Tue, Jul 21, 2009 at 11:55 AM, R. Th. Boots wrote:
>
> Correct me if I misinterpret option 1, but my problem is with an
> inbound connection so option 1 should not apply to my problem. I tried
> it but still the same.
>

That inbound connection generally isn't an inbound connection, it's
part of a state for an outbound connection. That may vary. If you do
need to forward that traffic inbound make sure it's forwarded properly
in NAT, hitting a pass firewall rule with logging will log it as
passed, but it's not going to send it anywhere without the proper NAT
config.

One of those 3 solves every VoIP problem I've personally seen, and
siproxd doesn't apply here, so I'm out of ideas unless you need and
are missing inbound NAT.


[pfSense Support] Re: odd sip firewall issue

2009-07-21 Thread R. Th. Boots
Chris Buechler wrote:
> On Tue, Jul 21, 2009 at 11:25 AM, R. Th. Boots wrote:
>> Chris Buechler wrote:
>>> On Sun, Jul 19, 2009 at 5:44 PM, R. Th. Boots wrote:
>>>> Hello All,
>>>>
>>>> I have an asterisk server which is hooked up to 3 providers. With all 3
>>>> of them I have no problems connecting to my numbers, however only with 2
>>>>  of them I am able to receive calls on the numbers.
>>>>
>>> I suspect #2 here.
>>> http://doc.pfsense.org/index.php/VoIP_Configuration
>>>
>>>
>> Hello Chris,
>>
>> I have upgraded to 1.2.3-RC1 and set the state table optimization to
>> conservative, but I am still seeing the same things happening.
>>
>> Any other ideas on this?
>>
> 
> Tried option #1 in that doc?
> 
> 

Correct me if I misinterpret option 1, but my problem is with an
inbound connection so option 1 should not apply to my problem. I tried
it but still the same.

As said, I connect to 3 providers, 2 of which have no problems
with outgoing calls and incoming calls. But with one I have an issue
with incoming calls from the 3rd provider.

Regards,

Richard



Re: [pfSense Support] Re: odd sip firewall issue

2009-07-21 Thread Chris Buechler
On Tue, Jul 21, 2009 at 11:25 AM, R. Th. Boots wrote:
> Chris Buechler wrote:
>> On Sun, Jul 19, 2009 at 5:44 PM, R. Th. Boots wrote:
>>> Hello All,
>>>
>>> I have an asterisk server which is hooked up to 3 providers. With all 3
>>> of them I have no problems connecting to my numbers, however only with 2
>>>  of them I am able to receive calls on the numbers.
>>>
>>
>> I suspect #2 here.
>> http://doc.pfsense.org/index.php/VoIP_Configuration
>>
>>
> Hello Chris,
>
> I have upgraded to 1.2.3-RC1 and set the state table optimization to
> conservative, but I am still seeing the same things happening.
>
> Any other ideas on this?
>

Tried option #1 in that doc?


[pfSense Support] Re: odd sip firewall issue

2009-07-21 Thread R. Th. Boots
Chris Buechler wrote:
> On Sun, Jul 19, 2009 at 5:44 PM, R. Th. Boots wrote:
>> Hello All,
>>
>> I have an asterisk server which is hooked up to 3 providers. With all 3
>> of them I have no problems connecting to my numbers, however only with 2
>>  of them I am able to receive calls on the numbers.
>>
> 
> I suspect #2 here.
> http://doc.pfsense.org/index.php/VoIP_Configuration
> 
> 
Hello Chris,

I have upgraded to 1.2.3-RC1 and set the state table optimization to
conservative, but I am still seeing the same things happening.

Any other ideas on this?

Regards,

Richard



Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Curtis LaMasters
What about using Snort in IPS mode?  I'm sure there is a rule out
there to block a specific IP based on the number of times this event
occurs.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com



On Tue, Jul 21, 2009 at 9:00 AM, k_o_l wrote:
>
>
>
>
> From: Jeppe Øland [mailto:jol...@gmail.com]
> Sent: Tuesday, July 21, 2009 5:04 AM
> To: support@pfsense.com
> Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?
>
>
>
>>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
>>>> package
>>>> like fail2ban out there which could automatically blacklist IPs after x
>>> Request: It would be really nice if pfsense could limit the
>>> connection-rate
>>> *per IP*.
>
>> IIRC it is possible to set this per source-IP ;-)
>
> Maybe I missed an option then?
>
> How do you configure it?
>
>
>
>> Why leave your ssh service exposed to the world?   Lock it down to a range
>> of ip's
>
>> (or subnet of your isp), or if you don't have static ip's try setting up
>> openvpn
>
>> IMO its best to expose as little as possible.
>
>
>
> Sometimes you have to expose it.
>
> I can't install OpenVPN on all PCs that I might need access to servers from,
> and on emergency cellphone access to the servers it just might not be
> possible.
>
>
>
> Best compromise I've found so far has been to require certificates to log in
> to the SSH server.
>
> Hammering doesn't stop, but the risk of compromising the server is massively
> reduced.
>
> And with lockdown after X connection attempts in Y seconds, the risk is all
> but gone.
>
> (For the vast majority of servers at least ... maybe not if you run a bank
> or some such)
>
>
>
> Regards,
>
> -Jeppe
>
>
>
> What are good values to set?


Re: [pfSense Support] IGMP packet out of WAN

2009-07-21 Thread Chris Buechler
On Mon, Jul 20, 2009 at 6:51 PM, Evgeny
Yurchenko wrote:
>> -Original Message-
>> From: Ermal Luçi [mailto:ermal.l...@gmail.com]
>> Sent: July 20, 2009 6:03 PM
>> To: support@pfsense.com
>> Subject: Re: [pfSense Support] IGMP packet out of WAN
>>
>> On Mon, Jul 20, 2009 at 9:02 PM, Evgeny
>> Yurchenko wrote:
>> [snip]
>>
>>
>> > think I'll spend the rest of my life trying to figure out how to
>> > install development environment > on pfSense unless there is a guide
>> > somewhere -)))
>> I patched the port so later on a new binary will be available
>> for you to test.
>> Please report back your findings.
>>
>>
>> --
>> Ermal
>>
>
> Thank you Ermal, please let me know when I can grab this new binary.
>

Try this (built from what Ermal committed earlier).
http://cvs.pfsense.org/~cmb/igmpproxy


RE: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread k_o_l
 

 

From: Jeppe Øland [mailto:jol...@gmail.com] 
Sent: Tuesday, July 21, 2009 5:04 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Anything like fail2ban for PFSense?

 

>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a package
>>> like fail2ban out there which could automatically blacklist IPs after x
>> Request: It would be really nice if pfsense could limit the connection-rate
>> *per IP*.

> IIRC it is possible to set this per source-IP ;-)

Maybe I missed an option then?

How do you configure it?

 

> Why leave your ssh service exposed to the world?   Lock it down to a range of 
> ip's

> (or subnet of your isp), or if you don't have static ip's try setting up 
> openvpn

> IMO its best to expose as little as possible.

 

Sometimes you have to expose it.

I can't install OpenVPN on all PCs that I might need access to servers from, 
and on emergency cellphone access to the servers it just might not be possible.

 

Best compromise I've found so far has been to require certificates to log in to 
the SSH server.

Hammering doesn't stop, but the risk of compromising the server is massively 
reduced.

And with lockdown after X connection attempts in Y seconds, the risk is all but 
gone.

(For the vast majority of servers at least ... maybe not if you run a bank or 
some such)

 

Regards,

-Jeppe

 

What are good values to set?
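
A worked model of what the two advanced options argued over in Jeppe's and Michael's replies do, and of what a setting such as "5 per minute" buys you, added here as an example rather than anything taken from pfSense or pf. pf.conf(5) documents max-src-conn (simultaneous states per source address) and max-src-conn-rate N/S (new states per source address within S seconds); with overload <table> flush global the offending source is put into a table and all of its states are dropped. Both counters are kept per source address. The assumption in this example is that the pfSense fields "Simultaneous client connection limit" and "Maximum new connections / per second" map onto exactly those two pf options, as the 5 conn/host, 5 conn/minute values in Michael's XML extract suggest. The addresses are constructed from the documentation ranges, and the expire() step stands in for the `pfctl -t <table> -T expire <seconds>` cron job, since pf itself never ages table entries.

```python
"""Model of pf's per-source state-tracking limits (added example; not pf or
pfSense code).  Semantics follow pf.conf(5):

    max-src-conn N                 simultaneous states per source address
    max-src-conn-rate N/S          new states per source address in S seconds
    overload <table> flush global  offender is tabled and its states are killed

Try a rule such as 5 conn/host, 5 conn/minute against a bot and an admin."""
from collections import defaultdict, deque

# Constructed addresses from the documentation ranges; not real hosts.
ATTACKER = "198.51.100.7"
ADMIN = "203.0.113.5"


class SrcRateLimiter:
    def __init__(self, rate, window_s, max_src_conn=None):
        self.rate = rate                    # max-src-conn-rate N
        self.window_s = window_s            # max-src-conn-rate .../S
        self.max_src_conn = max_src_conn    # max-src-conn (None = no limit)
        self._recent = defaultdict(deque)   # src -> times of recent new states
        self._open = defaultdict(int)       # src -> states currently open
        self.overload = {}                  # src -> time it entered the table

    def _punish(self, src, now):
        """overload <table> flush global: table the source, drop its states."""
        self.overload[src] = now
        self._open[src] = 0
        self._recent[src].clear()

    def new_connection(self, src, now):
        """Return True if pf would create a state for a new SYN from src."""
        if src in self.overload:
            return False                    # the block rule on the table wins
        if self.max_src_conn is not None and self._open[src] >= self.max_src_conn:
            self._punish(src, now)
            return False
        recent = self._recent[src]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                # forget attempts outside the window
        if len(recent) >= self.rate:        # this one would be N+1 within S
            self._punish(src, now)
            return False
        recent.append(now)
        self._open[src] += 1
        return True

    def close_connection(self, src):
        if self._open[src] > 0:
            self._open[src] -= 1

    def expire(self, now, ttl_s):
        """What 'pfctl -t <table> -T expire <ttl_s>' from cron does; pf itself
        never removes table entries.  Returns the sources released."""
        released = sorted(s for s, t in self.overload.items() if now - t >= ttl_s)
        for src in released:
            del self.overload[src]
        return released


def simulate(rate=5, window_s=60, max_src_conn=5, ttl_s=3600):
    """Bot tries SSH once a second for 20 s; the admin logs in twice meanwhile."""
    lim = SrcRateLimiter(rate, window_s, max_src_conn)
    attacker_passed = 0
    for t in range(20):
        if lim.new_connection(ATTACKER, t):
            attacker_passed += 1
            lim.close_connection(ATTACKER)  # bots disconnect once auth fails
    admin_passed = sum(lim.new_connection(ADMIN, t) for t in (30, 45))
    result = {
        "attacker_passed": attacker_passed,
        "admin_passed": admin_passed,
        "attacker_blocked_before_expiry": not lim.new_connection(ATTACKER, 50),
        "overloaded_before_expiry": sorted(lim.overload),
    }
    lim.expire(now=ttl_s + 50, ttl_s=ttl_s)
    result["attacker_passes_after_expiry"] = lim.new_connection(ATTACKER, ttl_s + 50)
    result["overloaded_after_expiry"] = sorted(lim.overload)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With the thread's 5/60 values the bot is tabled on its sixth SYN while the admin's two logins from another address pass untouched, which is the per-source behaviour pf documents. Two caveats before picking numbers: a distributed bot that spreads attempts over many sources never trips a per-source rate, and an admin who scripts several quick SSH sessions from one host can table himself, so leave headroom above your own burst. On pfSense the overloaded sources land in its virusprot table; `pfctl -t virusprot -T show` lists them and `pfctl -t virusprot -T delete <ip>` frees one early.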



[pfSense Support] good ipsec + psk how to

2009-07-21 Thread Jean Carlos Coelho
Hi, I'm configuring a pfSense with PSK and have some questions about it
(can't find the answer on Google), and here they are:


1) Can I do multiple clients to one server? (e.g. one configuration on the
server and various clients connecting to the same server conf?)
- or do I have to configure server/client (for every client on the same
network)?


2) Where's the best "how to" for configuring this service? Since I can't
find it, I have configured it alone (spent half of my day on this battle,
but it's OK now).
 - I really want to read something to learn how to configure it, or
resolve problems or test my configuration files... (just for learning
reasons)


3) What is the best practice to configure dynamic clients to the server? (I
tried some DynDNS but got some errors when trying to connect, then I
used a valid IP address and it's working)





Thanks!!! (sorry for my English!)




Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Michael Schuh
2009/7/21 Jeppe Øland :
>>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
>>>> package
>>>> like fail2ban out there which could automatically blacklist IPs after x
>>> Request: It would be really nice if pfsense could limit the
>>> connection-rate
>>> *per IP*.
>> IIRC it is possible to set this per source-IP ;-)
>
> Maybe I missed an option then?
> How do you configure it?

This is configured through the Advanced options in each filter rule.
If you set 5 connections, see the attached picture ;-)

>> Why leave you ssh service exposed to the world?   Lock it down to a range
>> of ip's
>> (or subnet of your isp), or if you don't have static ip's try setting up
>> openvpn
>> IMO its best to expose as little as possible.
>
> Sometimes you have to expose it.
> I can't install OpenVPN on all PCs that I might need access to servers from,
> and on mergency cellphone access to the servers it just might not be
> possible.
> Best compromise I've found so far has been to require certificates to log in
> to the SSH server.
> Hammering doesn't stop, but the risk of compromising the server is massively
> reduced.
> And with lockdown after X connection attempts in Y seconds, the risk is all
> but gone.
> (For the vast majority of servers at least ... maybe not if you run a bank
> or some such)
> Regards,
> -Jeppe

Yes, only using SSH keys is a very good option, but not useful if you
are on the road
or don't have your keys at hand. ;-)


regards

michael


-- 
= = =  m  i  c  h  a  e  l  -  s  c  h  u  h  .  n  e  t  = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  Ust-ID:  DE251072318  = = =
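
The per-source-IP limit Michael points at is pf's source-tracking state options, which pfSense exposes in a rule's Advanced options. The fragment below is an added pf.conf example written for this thread; it is not pfSense's generated ruleset, and the interface name, the table name and the thresholds are assumptions chosen for illustration.

```pf
# Added example (not pfSense's generated rules): per-source-IP lockout for SSH.
# Assumed: external interface em0, table name <sshbrute>, at most 5 new
# connections per 30 seconds and 5 simultaneous states from one source.
ext_if = "em0"

table <sshbrute> persist

# Offenders land in the table and are dropped before any pass rule is reached.
block in quick on $ext_if from <sshbrute>

# A source that opens more than 5 new SSH connections within 30 seconds is
# added to <sshbrute>; "flush global" also kills its existing states, on
# every rule, not just this one.
pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/30, overload <sshbrute> flush global)
```

Only the offending source address goes into the table, so other administrators keep getting through while the hammering host is blocked. Entries do not expire by themselves: list them with `pfctl -t sshbrute -T show`, remove one with `pfctl -t sshbrute -T delete 203.0.113.5`, or age out entries older than an hour with `pfctl -t sshbrute -T expire 3600` (from cron, for instance). The counter is per source, so a distributed attack that makes only a few attempts from each address is not caught by it; key-only authentication, as Jeppe suggests, remains the control that actually prevents a compromise.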

Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Jeppe Øland
>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a
>>> package
>>> like fail2ban out there which could automatically blacklist IPs after x
>> Request: It would be really nice if pfsense could limit the
>> connection-rate
>> *per IP*.
> IIRC it is possible to set this per source-IP ;-)

Maybe I missed an option then?
How do you configure it?

> Why leave your ssh service exposed to the world?   Lock it down to a range
> of ip's
> (or subnet of your isp), or if you don't have static ip's try setting up
> openvpn
> IMO its best to expose as little as possible.

Sometimes you have to expose it.
I can't install OpenVPN on all PCs that I might need access to servers from,
and on emergency cellphone access to the servers it just might not be
possible.

Best compromise I've found so far has been to require certificates to log in
to the SSH server.
Hammering doesn't stop, but the risk of compromising the server is massively
reduced.
And with lockdown after X connection attempts in Y seconds, the risk is all
but gone.
(For the vast majority of servers at least ... maybe not if you run a bank
or some such)

Regards,
-Jeppe
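
The lockdown Jeppe describes ("X connection attempts in Y seconds") is what a per-source-IP limiter does, and the fail2ban the original poster asked for is the same idea fed from sshd's log instead of from the packet stream. The Python below is an added example for this thread, not pfSense, pf or fail2ban code: it keeps a sliding window per source address, bans a source that exceeds the limit for a fixed period, and leaves every other source alone, which is exactly the difference from a rule-wide rate limit that locks the administrator out too. The traffic, the log lines, the addresses and the log format it parses are all constructed for the example.

```python
"""Added example for this thread (not pfSense, pf or fail2ban code): a
fail2ban-style per-source-IP lockout.  A source that makes more than LIMIT
attempts within WINDOW seconds is banned for BAN seconds; every other source
is unaffected.  Two feeds are shown: raw new-connection events (what a
firewall sees) and sshd "Failed password" lines (what fail2ban reads).
All traffic and log lines below are constructed; addresses are from the
documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime


class PerSourceRateLimiter:
    def __init__(self, limit=5, window=30.0, ban=600.0):
        self.limit, self.window, self.ban = limit, window, ban
        self._recent = defaultdict(deque)   # ip -> attempt times inside the window
        self.banned_until = {}              # ip -> time at which the ban lifts

    def allow(self, ip, now):
        """Record one attempt from ip at time now; True if it may proceed."""
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.banned_until[ip]       # ban expired: start with a clean slate
            self._recent[ip].clear()
        q = self._recent[ip]
        while q and now - q[0] >= self.window:   # forget attempts outside the window
            q.popleft()
        q.append(now)
        if len(q) > self.limit:             # more than LIMIT within WINDOW: ban
            self.banned_until[ip] = now + self.ban
            q.clear()
            return False
        return True

    def banned(self, now):
        return sorted(ip for ip, t in self.banned_until.items() if now < t)


# Assumed syslog layout for OpenSSH failures; only the timestamp and the
# source address are taken from each line.
_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample log: one hammering host, one admin who mistyped once.
SAMPLE_LOG = [
    "Jul 21 05:04:01 fw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "Jul 21 05:04:02 fw sshd[2103]: Failed password for root from 203.0.113.5 port 40124 ssh2",
    "Jul 21 05:04:03 fw sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 40126 ssh2",
    "Jul 21 05:04:03 fw sshd[2107]: Failed password for jeppe from 198.51.100.7 port 51000 ssh2",
    "Jul 21 05:04:04 fw sshd[2109]: Failed password for root from 203.0.113.5 port 40128 ssh2",
    "Jul 21 05:04:05 fw sshd[2111]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2",
    "Jul 21 05:04:06 fw sshd[2113]: Accepted publickey for jeppe from 198.51.100.7 port 51002 ssh2",
    "Jul 21 05:04:06 fw sshd[2115]: Failed password for invalid user guest from 203.0.113.5 port 40132 ssh2",
]


def parse_failed_login(line, year=2009):
    """Return (epoch_seconds, ip) for an sshd failed-login line, else None."""
    m = _FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts.timestamp(), m.group("ip")


def bans_from_log(lines, limit=5, window=30.0, ban=600.0):
    """Feed failed logins to the limiter; return the sources banned at the end."""
    rl = PerSourceRateLimiter(limit, window, ban)
    last = 0.0
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            last, ip = parsed
            rl.allow(ip, last)
    return rl.banned(last)


def simulate_connections(limit=5, window=30.0, ban=600.0):
    """Constructed traffic: an attacker sending 8 SYNs in 8 s, an admin
    connecting three times.  Returns the per-source verdicts, who is banned
    at t=25 s, and whether the attacker is admitted again after the ban."""
    attacker, admin = "203.0.113.5", "198.51.100.7"
    events = [(float(t), attacker) for t in range(8)]
    events += [(2.0, admin), (10.0, admin), (20.0, admin)]
    rl = PerSourceRateLimiter(limit, window, ban)
    verdicts = {attacker: [], admin: []}
    for t, ip in sorted(events):
        verdicts[ip].append(rl.allow(ip, t))
    return verdicts, rl.banned(25.0), rl.allow(attacker, 25.0 + ban)


if __name__ == "__main__":
    print(simulate_connections())
    print(bans_from_log(SAMPLE_LOG))
```

With limit 5 and window 30 s the attacker's sixth connection trips the ban and the admin's three logins all pass; the admin's single mistyped password in the log never comes near the threshold. As with pf's overload table, the limiter keys on the source address alone, so a botnet spreading its attempts across many hosts stays under the limit on each one.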


Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Michael Schuh
2009/7/21 Jeppe Øland :
>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a package
>>> like fail2ban out there which could automatically blacklist IPs after x
>>> bad
>>> logins?
>> b) limit the connection-rate to a preferred useful value in the
>> filter-rules
>
> This works reasonably well.
> Unfortunately, the entire rule gets locked down when the rate is exceeded,
> so you may lock yourself out too. (It automatically unlocks when the
> hammering stops and your rate interval expires, and most hammer scripts move
> on to a new IP when it stops responding, so it's not the end of the world).
> Request: It would be really nice if pfsense could limit the connection-rate
> *per IP*.
> Regards,
> -Jeppe

IIRC it is possible to set this per source-IP ;-)


-- 
= = =  m  i  c  h  a  e  l  -  s  c  h  u  h  .  n  e  t  = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil:  0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = =  Ust-ID:  DE251072318  = = =




Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Paul Cockings

Jeppe Øland wrote:
>>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a 
>>> package
>>> like fail2ban out there which could automatically blacklist IPs 
>>> after x bad
>>> logins?
>> b) limit the connection-rate to a preferred useful value in the 
>> filter-rules
>
> This works reasonably well.
> Unfortunately, the entire rule gets locked down when the rate is 
> exceeded, so you may lock yourself out too. (It automatically unlocks 
> when the hammering stops and your rate interval expires, and most 
> hammer scripts move on to a new IP when it stops responding, so it's 
> not the end of the world).
>
> Request: It would be really nice if pfsense could limit the 
> connection-rate *per IP*.
>
> Regards,
> -Jeppe

Why leave your ssh service exposed to the world?   Lock it down to a 
range of ip's (or subnet of your isp), or if you don't have static ip's 
try setting up openvpn

IMO its best to expose as little as possible.

regards,
Pc




Re: [pfSense Support] Anything like fail2ban for PFSense?

2009-07-21 Thread Jeppe Øland
>> Some of my pfsense boxes get a lot of SSH bruteforces; is there a package
>> like fail2ban out there which could automatically blacklist IPs after x
>> bad
>> logins?
> b) limit the connection-rate to a preferred useful value in the
> filter-rules

This works reasonably well.
Unfortunately, the entire rule gets locked down when the rate is exceeded,
so you may lock yourself out too. (It automatically unlocks when the
hammering stops and your rate interval expires, and most hammer scripts move
on to a new IP when it stops responding, so it's not the end of the world).

Request: It would be really nice if pfsense could limit the connection-rate
*per IP*.

Regards,
-Jeppe