Recent Posts

Networking / Re: Zabbix 3.2.6 installation and configuration on esx(i) 6.5
« Last post by melloa on June 09, 2017, 01:54:52 AM »
Today's: https://1drv.ms/b/s!AsAq2Gec9J71liVjEb4WqneLrGwF

Tomorrow will continue with Edd's instructions for Discovery.
Networking / Re: Zabbix 3.2.6 installation and configuration on esx(i) 6.5
« Last post by melloa on June 09, 2017, 12:23:25 AM »
P.S. For obvious reasons, suggestions and changes should be submitted as posts on this thread.
P.S. 2. Going forward I'll post in PDF format, so people will be less concerned ... but wait ... I can also send a virus inside a PDF  ::)
Networking / Zabbix 3.2.6 installation and configuration on esx(i) 6.5
« Last post by melloa on June 08, 2017, 11:54:31 PM »
As posted on FB, I'm working on this guide and would love a way to collaborate, so I'm creating this post with that intent.

Initially here, and when the final doc is ready, we can move it to a How-To section.

I'll be posting the document online on OneDrive, as I don't otherwise use it and all the space is available. I'll post the link when it is there.
Networking / Zabbix Appliance 3.2.6 inconsistencies
« Last post by noman on June 08, 2017, 10:09:30 AM »
Hello everyone, I just did a fresh lab deployment of the Zabbix Appliance 3.2.6 and I noticed some inconsistencies compared with my old lab deployment of Zabbix Appliance 3.0.4

Both ISO files were downloaded from: https://sourceforge.net/projects/zabbix/

Hostname on 3.0.4 is set to: zabbix
Hostname on 3.2.6 is set to: ubuntu

This should be set to zabbix or zabbix-appliance on all versions, or, an even better option, there should be a prompt during install to set the hostname and also whether to use a static IP or DHCP configuration; this is an enterprise-level server appliance to be deployed in lots of different network environments, after all.

Another issue is with the script: Detect operating system,
Command: sudo /usr/bin/nmap -O {HOST.CONN} 2>&1

It does not work, as the zabbix user is not added to the sudoers list and nmap is not installed, so after editing sudoers to allow the sudo command, it gives the error "command not found" as nmap was not installed to begin with. This should have been there to begin with, or this option should have been removed from the front end.

This issue is on both versions; luckily these are minor issues that are easy to fix: just add the zabbix user group to the sudo users with visudo, and then install nmap on the device.


Running Script on a detected host, no changes made


Editing sudo users to allow zabbix users to run sudo commands


Running OS Detection script against detected host after sudo rights


Running OS Detection script after nmap was installed
Thanks!
Great guide...
pfSense / Configure pfSense as HTTPS \ SSL Proxy filter using Squid and SquidGuard!
« Last post by noman on June 05, 2017, 09:33:44 AM »
Configure pfSense as HTTPS \ SSL Proxy filter using Squid and SquidGuard!

This is a short write-up of how I got pfSense 2.3 and 2.4-Beta to act as a proxy filter for SSL and HTTPS traffic without the need to install or configure any client-side settings or certificates; all configuration is done on the pfSense firewall itself.
Tools needed:

Web-browser
Putty or similar console emulator
Notepad or Notepad++
WinSCP (Optional) gives you graphical text editor over ssh, good for beginners

All the steps below can be done directly on the firewall using only the GUI or SSH connections but for beginners it would be easier to use tools like Notepad++ and WinSCP to edit the configuration files needed for this to work

Step 1. Configuring the root Certificate Authority (rootCA)
This is probably the part that is most confusing for people and why their setups have failed. Squid needs to have a CA assigned to it so that it is able to decrypt parts of the HTTPS header and determine what to do with that traffic; otherwise all traffic is passed.

I used the built-in openssl tool of pfSense to generate this rootCA. For this you need to SSH in to your firewall or connect to it over the console; at the console menu select option 8 (Shell), and when you are at the shell prompt you need to manually edit the openssl configuration so that it gives you the necessary prompts and questions to configure the rootCA.

vi /etc/ssl/openssl.cnf

under the [ REQ ] option change the following line from: prompt=no to prompt=yes
under the [ V3_REQ ] option change the following line from: basicConstraints=CA:FALSE to basicConstraints=CA:TRUE
Then save and quit (to save and quit vi editor use :wq!).
Now we would make a known location in the filesystem to save our rootCA and key file as they need to be imported into pfSense GUI at a later stage, I like to use /tmp for any temporary files

Command:
mkdir /tmp/Proxyfiles

Now move to the folder you created with:
cd /tmp/Proxyfiles

When you're in this folder you are ready to start the openssl tool and create your rootCA. You start by generating your KEY file by running the command:

openssl genrsa -out myProxykey.key 2048

This will create an RSA key file named myProxykey.key that we use to sign our rootCA with in the next command, which generates the PEM file for the rootCA.
Create a PEM file signed with the key using the command:

openssl req -x509 -new -nodes -key myProxykey.key -sha256 -days 365 -out myProxyca.pem

This will prompt you to answer some questions to generate the needed PEM file; in my case it is as below, but you need to change this for where you are.

US []:NO    - Country code
Somewhere []:Oslo  - State or province
Somecity []:Oslo   - Your city or town
CompanyName []:IT-Monkey   - Name of your company or business, "make something up if you’re a home user"
Organizational Unit Name (eg, section) []:IT-Department  - What part of the company issued the cert, can also be left blank
Common Name (eg, YOUR name) []:Admin    - Your name or identity in the company
Email Address []:admin@it-monkey.local  - Your contact email

At this point you should have 2 files in your /tmp/Proxyfiles directory

myProxyca.pem
myProxykey.key

This can be double-checked with the command:

ls -la

If both are there then you are ready to download them and exit the shell environment and continue to the GUI of pfSense, if not you need to look over any error or try again.

To download these files I like to use WinSCP, as it's fast to navigate and find the files you want to move. You can also do this from pfSense Diagnostics -> Command Prompt and select the file path of:

/tmp/Proxyfiles/myProxyca.pem
/tmp/Proxyfiles/myProxykey.key



In the download box, this is somewhat slower to navigate but works just fine.

Now as you have these files on your desktop or computer you need to open them in a text editor, I prefer Notepad++ as it’s able to adjust the formatting layout of the text but any text editor will work as you will need to copy paste the information in these files to fields in the pfSense GUI.
Navigate to System -> Cert. Manager -> CA's
Here you want to add a new CA

Descriptive name: SquidCA
Method: Import an existing Certificate Authority
Certificate data: Copy \ Paste the info from myProxyca.pem file
Certificate Private Key: Copy \ Paste the info from myProxykey.key file
Save and apply




Now you should see your SquidCA (rootCA) populated under System -> Cert. Manager -> CA's with all the info you provided in the shell prompt, and you are done with Step 1.

You might want to undo the changes from the /etc/ssl/openssl.cnf file before proceeding

vi /etc/ssl/openssl.cnf

under the [ REQ ] option change the following line from: prompt=yes to prompt=no
under the [ V3_REQ ] option change the following line from: basicConstraints=CA:TRUE to basicConstraints=CA:FALSE

Then save and quit (to save and quit vi editor use :wq!).

Step 2. Installing required packages
this is probably the easiest step of the whole write up and you have probably already done it before looking up this post...
Navigate to System -> Package Manager -> Available Packages

Now look for Squid, SquidGuard and Lightsquid (if you want a log parser). There is a small bug with the Squid and SquidGuard installation that I have seen a few times: you need to install the packages in a certain order for them to work properly

1. Squid
2. Lightsquid
3. SquidGuard



When installation is done you are done with step 2.


Step 3. Configuration of Squid
Now we are going to set up the Squid service to handle all the HTTP and HTTPS traffic for our clients, but before we can start the configuration, note that Squid has a little bug where it will not save any of your settings before the Local Cache values are set, so navigate to Services -> Squid Proxy Server -> Local Cache, then set whatever options you like or scroll down to the bottom and hit save.

When the site refreshes from saving the Local Cache settings navigate to Services -> Squid Proxy Server -> General Settings
I have the following option set:

Squid General Settings
Enable Squid Proxy: Yes
Keep Settings/Data: Yes
Proxy Interface(s): LAN & Loopback
Proxy Port: 3128 (you can change this to a custom one if you like)
Allow Users on Interface: Yes



Transparent Proxy Settings
NO I do not use this leave option empty



SSL Man In the Middle Filtering
HTTPS/SSL Interception: Yes
SSL/MITM Mode: SPLICE ALL <- THIS IS AN IMPORTANT SETTING, IF SET WRONG IT WILL NOT WORK.
SSL Proxy Port: 3129 (you can change this to a custom one if you like)
SSL Proxy Compatibility Mode: Modern
DHParams Key Size: 2048 Default
CA: SquidCA <- This is the rootCA you created in Step 1.
SSL Certificate Daemon Children: 5 Default
Remote Cert Checks: Do not verify remote certificates
Certificate Adapt: Sets the "Not Before" (setvalidbefore)



Logging Settings
Enable Access Logging: Yes
Log Store Directory: /var/squid/logs
Rotate Logs: 62 - keeps 2 months of logs in case of access reviews or issues, large SSD recommended
Log Pages Denied by SquidGuard: Yes
Save and apply



Step 4. Configuration of SquidGuard Proxy filter
This is where you define your ACL's and Blacklist, I do not use any pre-defined blacklist in this guide as I believe you get better control when you set it up manually from scratch, I am going to use Facebook and YouTube as primary targets to block as these are the most requested sites to be blocked by my clients, but this will work for any sites running on HTTP and HTTPS.

To start the configuration navigate to Services -> SquidGuard Proxy filter -> General Settings

General Options
Enable: Yes

LDAP Options
NO I do not use this leave option empty

Logging options
Enable GUI log: Yes
Enable log: Yes
Enable log rotation: Yes

Miscellaneous
Clean Advertising: Yes

Blacklist options
NO I do not use this leave option empty
Save and apply.





Now that SquidGuard is configured and running we need to set up some instructions for it to follow in terms of what to allow and what to block. These are called Target Categories or Target ACLs; you can configure them by navigating to Services -> SquidGuard Proxy filter -> Target Categories

There is a bug in SquidGuard that it will not initiate the blacklist blocking before it has a dummy ACL defined under Target Categories so we need to create 3 ACL's for this to work properly



1. Dummy
2. myBlockList
3. myAllowList

Dummy ACL
Name: Dummy
Description: Dummy ACL
Save





myBlockList
Name: myBlockList
Order: ---
Domain List: facebook.com fb.com youtube.com
URL List: facebook.com/ fb.com/ youtube.com/
Regular Expression: BLANK
Redirect mode: int error page
Redirect: these sites have been blocked by your ADMIN, if you have business reason to visit this page contact your supervisor.
Description: Blocked internet sites
Save





myAllowlist
Name: myAllowlist
Order: ---
Domain List: it-monkey.net company.local
URL List: it-monkey.net/ company.local/
Regular Expression: BLANK
Redirect mode: None
Redirect: BLANK
Description: All allowed sites to bypass Proxy filter
save





You should now have all the needed Target ACLs configured to block Facebook and YouTube, but you may wonder why you put the information in both the Domain List and URL List options of the ACLs, and there is a reason for that. If a site uses HTTPS it will read from the Domain List option, and if it uses HTTP then it uses the URL List option, and if the site uses both then you need to have it in both places to fully block the site

HTTP = URL List
HTTPS = Domain List


Now we need to assign an action for what SquidGuard should do with the different "Categories". This is where you specify if the list you created is a blacklist and should be blocked, or if it's a whitelist and should bypass all the filters and always allow traffic for it. To do this navigate to
Services -> SquidGuard Proxy filter -> Common ACL

General Options
Target Rules List  + \ -
[Dummy]  Access: ---
[myBlockList]  Access: Block
[myAllowlist]  Access: Whitelist
Default access [all] Access: Allow



Do not allow IP-Addresses in URL: Yes
Proxy Denied Error: Default
Redirect mode: int error message
Use SafeSearch engine: Yes
Rewrite: None
Save and apply



Now that the entire configuration in Squid and SquidGuard is done, you need to apply it to the current running configuration by pressing the large green Apply button found on
Services -> SquidGuard Proxy filter -> General Settings

" Important: Please set up at least one category on the 'Target Categories' tab before enabling. The Save button at the bottom of this page must be clicked to save configuration changes. To activate SquidGuard configuration changes, the Apply button must be clicked. "

Now we have to set up WPAD and firewall rules for pfSense to automatically push the proxy configuration to its clients and also control who has access to connect and use the internet on your network. I will set up WPAD first, since it will only work when the pfSense GUI runs on HTTP and not the default HTTPS, so it will affect how you configure your firewall rules.

Step 5. Configuring pfSense to act as WPAD for Squid
For security purpose I am separating the WebGUI and the WPAD servers by using a custom port HTTP TCP port for the WebGUI, I will be running WebGUI on 8080 and WPAD on 80
(8080 is a known admin\ gui port and is only used as example; you should set a custom port for your network)

Start by creating an allow rule so you don't lock yourself out of the firewall: go to Firewall -> Rules -> LAN and create an allow rule for port 8080

Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: Single host or alias: IT_Department
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  8080 To: other Custom  8080 
Description: Allow IT-Admins access to WebGUI



I use Aliases for everything, but if you do not have an IT-Department Alias defined, then just set the source to the IP-Address of your main computer.
Save and apply this rule



Now we are ready to change the WebGUI to a custom HTTP port without locking yourself out, to do this navigate to System -> Advanced -> Admin Access

webConfigurator
Protocol: HTTP
TCP port: 8080
Save and apply, then wait for it to automatically redirect your session to the new port this takes about 30sec or so.



Next thing you need to do is set the DNS Record for WPAD to resolve to the webserver that will be hosting your Proxy settings file, since I will run all of this out of pfSense I use the DNS Resolver service for this, If you want you could use whatever DNS and Web server you want as long as you set it to resolve the correct URL to its correct IP.
Navigate to Services -> DNS Resolver add a new Host Override

Host Override Options
Host: wpad
Domain: it-monkey.local  (Set your own internal domain here, if you do not have one you can set one in the System -> General Settings)
IP Address: 192.168.1.1  (LAN IP of pfSense, this has to be set to the local IP of the interface you want to run the Proxy on)
Description: WPAD Autoconfigure Host
Save and Apply



General DNS Settings



Internal Domain Settings



Now we are ready to create the actual client configuration file that will be pushed by this setup. Some programming is involved, so open your Notepad++ and get ready to create the following 3 files:

wpad.dat
wpad.da
Proxy.pac

All of these files require the same code so it is just a copy\paste or save-as exercise, the code needed is

function FindProxyForURL(url,host)
 {
 return "PROXY IP-of-pfSense-LAN:PORT-of-Squid";
 }

In my setup that would be

function FindProxyForURL(url,host)
 {
 return "PROXY 192.168.1.1:3128";
 }



Now you would need to upload these files to pfSense, I recommend using WinSCP or similar for this the path you want to store these files in are:
/usr/local/www

When all files are uploaded you should see them in the directory like

/usr/local/www/wpad.dat
/usr/local/www/wpad.da
/usr/local/www/Proxy.pac

Now that all this is done we are done with the WPAD configuration and only need to adjust our firewall rules and lock down unrestricted access to our network.

Step 6. Logging with Lightsquid
Lightsquid is currently the only supported and maintained log parser that you can use with Squid and SquidGuard on pfSense. This is a small application that takes all the logs from your proxy server, sorts them by your preference and then presents them to you in an easily readable format through its own web interface. To configure this service navigate to Status -> Squid Proxy Reports

Web Service Settings
Lightsquid Web Port: 7445 (Default port, you can use custom port)
Lightsquid Web SSL: Yes
Lightsquid Web User: Admin
Lightsquid Web Password: MysuperSecretandSEXYkeYg3n3ratedbyN0tApA$$w0rdgenetAT0r

Report Template Settings
Language: English
Report Template: Base
Bar Color: Orange

Reporting Settings and Scheduler
IP Resolve Method: DNS
Skip URL(s): None left blank
Refresh Scheduler: None




Step 7. Configuring the Firewall Rules
Start by navigating back to Firewall -> Rules -> LAN
Depending on your preferences you should only need to have about 5 - 8 rules in this list, I currently only have 6 rules defined and in use, those are the following in order

Allow IT Department management access to pfSense
Allow ICMP from LAN Clients
Allow DNS from LAN Clients
Allow WPAD from LAN Clients
Allow Proxy from LAN Clients
Block Everything else from anywhere



With this rule set only ping and DNS traffic is allowed outside of the proxy filter. This is a good thing for diagnostic purposes in case something breaks for your clients: you can do simple connectivity tests using ping and DNS without touching the proxy or firewall settings

The rules are defined with the following details

Allow IT Department management access of pfSense
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: Single host or alias: IT_Department (alias IT_Department contains IP of 192.168.1.2 which is the main desktop used by IT)
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  PF_MGMT To: other Custom  PF_MGMT  (port alias contains port 22, 7445 and 8080 and allow you to define it in a single rule)
Description: Allow IT Department management access of pfSense



Allow ICMP from LAN Clients
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: ICMP
ICMP Subtypes: Any
Source: LAN Net
Destination: Any 
Description: Allow ICMP



Allow DNS from LAN Clients
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP \ UDP
Source: LAN Net
Destination: ANY
Destination Port Range: From: DNS To: DNS
Description: Allow DNS



Allow WPAD from LAN Clients
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: LAN Net
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  WPAD To: other Custom WPAD  (port alias WPAD contains port 80 \ HTTP)
Description: Allow WPAD



Allow Proxy from LAN Clients
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP \ UDP
Source: LAN Net
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  3128 To: other Custom  3129
Description: Allow Proxy



Block Everything else from anywhere
Action: BLOCK
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: ANY
Source: ANY
Destination: ANY
Destination Port Range: ANY
Log: Yes
Description: Block Everything



Firewall Aliases

PF_MGMT Ports



WPAD



IT_Admin



All Aliases



When you have all these rules created and applied, all the pieces are in place and you are ready to test these settings on your client computer. However, since you have done a lot of configuration and changes to the pfSense system and rules, I suggest that you reboot it so you clear out any conflicting rule or state stuck in the system memory; that way you would start testing on a freshly booted system and rule set.

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value and you should test settings like this in a lab environment and not on your production servers.
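The PAC file in the post above sends every request to Squid, including traffic to the firewall's own GUI and to internal hosts. The following is an added example, not the post's wpad.dat, of the same FindProxyForURL function extended to keep plain hostnames, the internal domain and RFC 1918 address literals off the proxy while everything else still goes to Squid. It assumes the post's values (pfSense LAN IP 192.168.1.1, Squid on 3128, internal domain it-monkey.local); the helper functions isPlainHostName, dnsDomainIs and isInNet are provided by the browser's PAC engine in real use and are re-implemented here only so the file can be checked offline in Node.

```javascript
// Added example, not the post's own wpad.dat: a PAC file that keeps
// plain-hostname, internal-domain and RFC 1918 traffic off the proxy and sends
// everything else to Squid. Values assumed from the post: pfSense LAN IP
// 192.168.1.1, Squid port 3128, internal domain it-monkey.local.
// Written with `var` so it also loads in older PAC engines (e.g. WinHTTP).
var SQUID = "PROXY 192.168.1.1:3128";
var INTERNAL_DOMAIN = ".it-monkey.local";   // leading dot: match sub-names only

// --- Shims for PAC built-ins ------------------------------------------------
// Browsers provide isPlainHostName/dnsDomainIs/isInNet themselves; these
// re-implementations exist only so the file can be tested offline in Node.
// Unlike the browser's isInNet, this one never does a DNS lookup: it only
// accepts dotted-quad literals, so a hostname that happens to resolve to a
// private address still goes through the proxy (conservative by design).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length > domain.length &&
    host.slice(-domain.length) === domain;
}
function isDottedQuad(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
}
function ipToUint32(ip) {
  return ip.split(".").reduce(function (acc, o) {
    return ((acc << 8) + Number(o)) >>> 0;
  }, 0);
}
function isInNet(ip, network, mask) {
  if (!isDottedQuad(ip)) return false;
  var m = ipToUint32(mask);
  return ((ipToUint32(ip) & m) >>> 0) === ((ipToUint32(network) & m) >>> 0);
}

// --- The PAC entry point ----------------------------------------------------
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names and the internal domain never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Private and loopback address literals (RFC 1918, 127/8) bypass the proxy
  // too, e.g. the pfSense GUI itself on 192.168.1.1:8080.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through Squid. No "; DIRECT" fallback is appended:
  // with the post's block-everything LAN rule a direct attempt could not work
  // anyway, and leaving it out means a proxy outage fails closed instead of
  // silently bypassing the filter.
  return SQUID;
}
```

Save the same content as wpad.dat, wpad.da and Proxy.pac as the post describes. The leading dot in INTERNAL_DOMAIN matters: without it, a host such as evil-it-monkey.local would also match the suffix test and bypass the proxy.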
Edd Noman's Guide to pfSense 04 – How-To Block Ad’s and Websites using pfBlockerNG

In this guide I will be covering how to use the DNSBL feature of the pfBlockerNG package to block users from accessing unwanted websites like porn, Facebook or YouTube, and also keep your users safe from known infected websites so that the risk of getting infected with viruses or malware is reduced. This will also clean up ads seen on websites, so you get a better browsing experience.

How pfBlockerNG and DNSBL achieve all this, even if the sites use HTTPS and SSL encryption, is by using DNS-based aliases that have both the domain and IP to generate the firewall rules. These aliases are generated from predefined text files that contain the IP and domain information, which are updated by known security professionals and providers once a bad IP or domain is identified.

The only issue with pfBlockerNG and DNSBL is that it can use a lot of resources, both RAM and CPU; the more lists you assign it, the more RAM and CPU it would need to process all of them. The lowest set of hardware I would recommend using for this is 2 GB RAM and a 4-core 1.5 GHz processor.

pfBlockerNG uses the DNS Resolver service of pfSense to handle DNS resolution, so before we start the installation make sure your DNS Resolver is running with the Forwarding mode enabled; this is found under Services -> DNS Resolver -> General Options



Now you would install pfBlockerNG as you would any other package by navigating to System -> Package Manager -> Available Packages, then search for "pfBlocker" and click install



Confirm that you want to install the package and all its dependency



Now the installer and progress bar will go over your screen, give it a few moments to complete as it is a fairly large package to download and install and depending on the system you using it can take a few moments to get it done



When installation is done Navigate to Firewall -> pfBlockerNG to start the configuration

General Settings
Enable pfBlockerNG: Yes (checked)
Keep Settings: Yes (checked)
CRON Settings: Every hour | :15 | 0 | 0 (this will sync the list every 15min past a full hour ie, 01:15 then 02:15)
De-Duplication: Yes (checked)
CIDR Aggregation: Yes (checked)
Suppression: Yes (checked)
MaxMind Localized Language: English
Download Failure Threshold: 4
Logfile Size: 20000



Interface/Rules Configuration
Inbound Firewall Rules: WAN | Block
Outbound Firewall Rules: LAN | Reject
Rule Order: pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match | pfSense Block/Reject
Auto Rule Suffix: Auto Rule
Kill States: Yes (checked)
Save and Apply



Now we want to move on to DNSBL settings found on Firewall -> pfBlockerNG -> DNSBL

DNSBL Configuration
Enable DNSBL: Yes (checked)
Enable TLD: Yes (checked)
DNSBL Virtual IP: 10.10.10.1
DNSBL Listening Port: 8081
DNSBL SSL Listening Port: 8443
DNSBL Listening Interface: LAN
DNSBL Firewall Rule: Yes | LAN



DNSBL IP Firewall Rule Settings
List Action: Deny Outbound
Enable Logging: Enable
Save and Apply



Next we configure the DNSBL EasyList from Firewall -> pfBlockerNG -> DNSBL -> DNSBL EasyList

DNSBL – EasyList
DNS GROUP Name: EasyList
Description: EasyList

EasyList Feeds
State: ON | EasyList Feeds: EasyList W\O Elements | Header: EasyList
State: ON | EasyList Feeds: EasyPrivacy | Header: EasyPrivacy



DNSBL - EasyList Settings
Categories: All selected*
List Action: Unbound
Update Frequency: Once a day
Weekly (Day of Week): Monday
Save and Apply



Now we get to the heart of the configurations as we need to define our DNSBL Feeds and from where pfBlockerNG should pull its information from, a good source for this is on the pfSense forum from the developer himself on this link: https://forum.pfsense.org/index.php?topic=102470.msg573167#msg573167

Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL Feeds to add your feeds lists
I am currently running 4 different feeds, and those are: Adverts, Malicious, DGA Crypto and hpHost. I have them configured with the following information

Adverts
DNS GROUP Name: Ads
Description: DNSBL Adverts
DNSBL:
Format: Auto|State: ON | Source: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext | Header: yoyo
Format: Auto|State: ON | Source: http://hosts-file.net/ad_servers.txt | Header: hpHosts_ads
Format: Auto|State: ON | Source: https://adaway.org/hosts.txt | Header: Adaway
Format: Auto|State: ON | Source: http://sysctl.org/cameleon/hosts | Header: Cameleon
List Action: Unbound
Update Frequency: Every 8hours
Weekly (Day of Week): Monday
Save and Apply



Malicious
DNS GROUP Name: Malicious
Description: DNSBL Malicious
DNSBL:
Format: Auto|State: ON | Source: http://hosts-file.net/download/hosts.zip| Header: hpHosts
Format: Auto|State: ON | Source: http://someonewhocares.org/hosts/hosts| Header: SWC
Format: Auto|State: ON | Source: https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt| Header: spam404
Format: Auto|State: ON | Source: https://malc0de.com/bl/BOOT| Header: malc0de
Format: Auto|State: FLEX | Source: https://mirror1.malwaredomains.com/files/justdomains | Header: MDS
Format: Auto|State: ON | Source: http://winhelp2002.mvps.org/hosts.txt| Header: MVPS
Format: Auto|State: ON | Source: http://www.malwaredomainlist.com/hostslist/hosts.txt| Header: MDL
List Action: Unbound
Update Frequency: Once a day
Weekly (Day of Week): Monday
Save and Apply



DGA
DNS GROUP Name: DGA
Description: DNSBL DGA for Cryptolocker
DNSBL:
Format: Auto|State: ON | Source: http://osint.bambenekconsulting.com/feeds/dga-feed.gz| Header: BBC_DGA
Format: Auto|State: ON | Source: http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt| Header: BBC_C2
List Action: Unbound
Update Frequency: Every 8hours
Weekly (Day of Week): Monday
Save and Apply



hpHost
DNS GROUP Name: hpHosts_partial
Description: DNSBL hpHosts_partial
DNSBL:
Format: Auto|State: ON | Source: http://hosts-file.net/hphosts-partial.asp| Header: hpHosts_partial
List Action: Unbound
Update Frequency: Every 6hours
Weekly (Day of Week): Monday
Save and Apply



When done you should be left with the same 4 categories for blocking ads and some of the malware and cryptolockers. You can add more lists and sources to this configuration, but you need to do your own research on that. The entire list I used is free and open-source maintained, but there are also paid alternatives for feeds.



At this point we have only configured pfBlockerNG to use DNSBL and react on domain names, but we would also want to block the known bad IPs out on the internet to do this navigate to: Firewall -> pfBlockerNG -> IPv4

I will only be covering IPv4 in this guide, but if you use IPv6 the same method is used to add the rules needed for that; I just do not have the source list to provide you. My IPv4 alias list is called Badguys and is configured as follows

Badguys
Alias Name: Badguys
List Description: IPv4 Badguys
IPv4 Lists:
Format: Auto|State: ON | Source: https://gist.githubusercontent.com/BBcan177/d7105c242f17f4498f81/raw/90eb2ac8bdc01af3008d728b7c0f10dc7b2506b4/MS-3| Header: BBcan177_Domains_IPv4
Format: Auto|State: ON | Source: https://rules.emergingthreats.net/blockrules/compromised-ips.txt| Header: ETCompromised
Format: Auto|State: ON | Source: https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt| Header: ETBlocked
Format: Auto|State: ON | Source: https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/b344ebc9475acdea1fae38a12c4ea9332838a184/MS-1| Header: BBcan177Threats
Format: Auto|State: Auto | Source: http://www.malwaredomainlist.com/hostslist/ip.txt| Header: Malwaredomainlist
Format: Auto|State: ON | Source: https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt| Header: Ransomware
List Action: Deny Both
Update Frequency: Once a day
Weekly (Day of Week): Monday
Enable Logging: Enable
States Removal: Enable
Save and Apply





And this is all that is needed for a working setup of pfBlockerNG to act on known bad sites, either by domain or IP; it will also block ads on web pages you visit. The last thing for us to do is create a custom block list of websites we do not want our users to visit even though they are marked as clean, as you may have other reasons why they need to be blocked. This is handled by the TLD feature of DNSBL, so to do this we need to navigate to: Firewall -> pfBlockerNG -> DNSBL

At the bottom of this page you have several advanced options; the ones we are after are TLD Exclusion List, TLD Blacklist and TLD Whitelist. Yes, the names are as intuitive as the functions they have

TLD Exclusion List will be used for domains you do not want to be included in any pfBlockerNG rules or aliases, no action is performed on these domains, other rules in pfSense may apply
TLD Blacklist will be used for domains you want to specifically block access to
TLD Whitelist will be used for any domains you want to always be accessible, these sites will not be blocked by the firewall.

Open up TLD Blacklist and enter the following domains:

fb.com
facebook.com
youtube.com
cnn.com

Save



After you have made any changes to DNSBL or the TLD lists you need to force an update of the new rule set before the changes take effect on your network. To do an update navigate to Firewall -> pfBlockerNG -> Update
When doing a manual update or a forced update due to changes in the config, you do not want to run it close to when the cron task is running; there is a clock on the update page that will tell you when the next update will run

Select 'Force' option: Reload
Select 'Reload' option: All



When the update is finished you can try to access one of the domains you blocked in TLD Blacklist and you should only get a black screen instead of the actual site loading





Now this should be all there is to blocking websites and ad’s from pfBlockerNG

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value and you should test settings like this in a lab environment and not on your production servers
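The post above configures feeds in two formats (hosts files such as the yoyo, MVPS and hpHosts sources, and one-domain-per-line lists such as the malwaredomains "justdomains" file) and a TLD Blacklist/Whitelist on top of them. The following is an added example, not pfBlockerNG's code, showing how such feeds are normalised into a domain set and how a TLD-style lookup then decides whether a query is sinkholed to the DNSBL virtual IP. The VIP 10.10.10.1 and the TLD Blacklist entries are the post's; the feed contents and the whitelist entry it-monkey.net are constructed for the example, and the "most specific entry wins" precedence is this example's own rule, not a statement about pfBlockerNG's internals.

```javascript
// Added example, not pfBlockerNG's code: how feeds in the formats the post's
// sources use (hosts files and one-domain-per-line "justdomains" lists) are
// turned into a domain set, and how a TLD-style lookup then decides whether a
// query is answered with the DNSBL virtual IP. The VIP 10.10.10.1 and the TLD
// Blacklist entries are the post's; the feed contents below are constructed.
var DNSBL_VIP = "10.10.10.1";

// Constructed sample feeds (not real feed data).
var HOSTS_FEED = [
  "# constructed hosts-format sample",
  "127.0.0.1 localhost",
  "0.0.0.0 ads.example.net",
  "127.0.0.1\tTracker.Example.org   # mixed case and a trailing comment",
  "0.0.0.0 ads.example.net",            // duplicate, must collapse
  ""
].join("\n");
var JUSTDOMAINS_FEED = "# constructed justdomains sample\nmalware.example.com\ndga-abc123.example\n";

// Names that appear in almost every hosts file but must never be blocked.
var HOSTS_BOILERPLATE = new Set([
  "localhost", "localhost.localdomain", "local", "broadcasthost",
  "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"
]);
var DOMAIN_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/;
// A leading IPv4 dotted quad or IPv6 literal marks the hosts-file format.
var IP_FIELD_RE = /^(\d{1,3}(\.\d{1,3}){3}|[0-9a-f]*:[0-9a-f:]*)$/i;

// Parse one feed into a Set of lower-cased domains. Handles both formats:
// a leading IP field is discarded, comments and blank lines are skipped.
function parseFeed(text) {
  var out = new Set();
  text.split(/\r?\n/).forEach(function (raw) {
    var line = raw.replace(/#.*$/, "").trim();
    if (!line) return;
    var fields = line.split(/\s+/);
    var names = IP_FIELD_RE.test(fields[0]) ? fields.slice(1) : fields;
    names.forEach(function (n) {
      n = n.toLowerCase().replace(/\.$/, "");
      if (HOSTS_BOILERPLATE.has(n) || !DOMAIN_RE.test(n)) return;
      out.add(n);
    });
  });
  return out;
}

// Merge the feeds with the TLD Blacklist; keep the TLD Whitelist separately.
function buildLists(feedTexts, tldBlacklist, tldWhitelist) {
  var blocked = new Set();
  feedTexts.forEach(function (t) {
    parseFeed(t).forEach(function (d) { blocked.add(d); });
  });
  tldBlacklist.forEach(function (d) { blocked.add(d.toLowerCase()); });
  var whitelist = new Set(tldWhitelist.map(function (d) { return d.toLowerCase(); }));
  return { blocked: blocked, whitelist: whitelist };
}

// Decide how a query name resolves. "TLD" blocking means a listed domain
// covers every name beneath it, so walk up the label chain; the most specific
// list entry wins (this example's rule, not a claim about pfBlockerNG's exact
// precedence). The bare public suffix ("com") is never consulted, and matching
// is by whole label, so facebook.com.evil.example is not caught by an entry
// for facebook.com.
function resolve(qname, lists) {
  var labels = qname.toLowerCase().replace(/\.$/, "").split(".");
  for (var i = 0; i < labels.length - 1; i++) {
    var candidate = labels.slice(i).join(".");
    if (lists.whitelist.has(candidate)) return null;     // answered normally
    if (lists.blocked.has(candidate)) return DNSBL_VIP;  // sinkholed to the VIP
  }
  return null;
}

var LISTS = buildLists(
  [HOSTS_FEED, JUSTDOMAINS_FEED],
  ["fb.com", "facebook.com", "youtube.com", "cnn.com"],   // the post's TLD Blacklist
  ["it-monkey.net"]                                       // assumed TLD Whitelist entry
);
```

Two details are worth keeping in mind when building your own lists: hosts-format feeds carry boilerplate entries (localhost and friends) that must be stripped or you will sinkhole your own loopback name, and suffix matching has to be done on whole labels; a substring match on "facebook.com" would be both bypassable and prone to false positives.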
Edd Noman's Guide to pfSense 03 - How-To Monitor Bandwidth Usage with NtopNG

In this guide I will only focus on bandwidth monitoring with the use of the NtopNG package in pfSense. Bandwidth monitoring is a complex topic on its own, and I will try to provide the basics you need to understand and get started with this task and how this can improve your network situation. pfSense has several options for monitoring bandwidth and you can read about them here: https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage

A word on bandwidth monitoring:
While it used to be that monitoring your bandwidth meant solely focusing on internet traffic, bandwidth usage monitoring now encompasses a broader range of components. For example, you can monitor bandwidth speed or capacity, or you can observe network traffic between devices or general web application traffic. Regardless of what traffic you are monitoring, though, it's important to understand the bandwidth that is being utilized so you can ensure users are getting the best possible performance out of your network.

I would go as far as saying that monitoring your network bandwidth usage is the most critical function for any network administrator.

What does bandwidth really mean?
To sum it up in one word: data. Bandwidth is quantified as the amount of data transferred per unit of time, typically measured in bits per second. Thirty years ago, data was sent through physical mediums like the postal service; now there are myriad ways to transmit and receive massive amounts of data with the push of a button.

Since most organizations rely on the internet to conduct business-critical operations, internet speed can make all the difference in their success. What many people don't know, however, is that there are actually two different bandwidth speeds: upload and download. Upload speed is the rate at which data is sent to its destination, while download speed refers to the rate at which data is received. It used to be normal for businesses to use low-bandwidth services like 56k modems to transmit information. Now, those who have the funds can install Gigabit speed in their infrastructure to support the growth in data consumption. Firms are still using DSL and cable connections to run their business, but service providers have been able to allocate more resources to support these lower-tier telco options.
 
Bandwidth capacity is also an important consideration. Bandwidth capacity means the maximum data rate a link can transfer. It matters because when you configure your infrastructure you need to make sure you can support the bandwidth that you require. For example, the service model of your cell phone plan is based on how much data you consume on the vendor's network. When you're able to monitor your bandwidth usage, you're better able to determine what plan is right for your environment. As another example, consider an environment with hundreds of users. How do you determine what bandwidth to implement? It's important to have proper metrics and tools that can show you how much bandwidth you'll require to run your day-to-day operations. For business customers, it can become very difficult to forecast current and future consumption of bandwidth without network insight.

High-Speed Web-based Traffic Analysis and Flow Collection with NtopNG
ntopng is the next-generation version of the original ntop, a network traffic probe that shows network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and has been written in a portable way so that it runs on virtually every Unix platform, on macOS and on Windows as well.

ntopng users can use a web browser to navigate through the traffic information of ntopng (which acts as a web server) and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. Its main characteristics are:
- A web interface.
- Limited configuration and administration via the web interface.
- Reduced CPU and memory usage (they vary according to network size and traffic).

Features of Ntopng:
- Sort network traffic according to many criteria including IP address, port, L7 protocol, throughput, AS.
- Show network traffic and IPv4/v6 active hosts.
- Produce long-term reports about various network metrics such as throughput, application protocols
- Top X talkers/listeners, top ASs, top L7 applications.
- For each communication flow, report network/application latency/RTT, TCP stats (retransmissions, out-of-order packets, packet loss) and bytes/packets.
- Store on disk persistent traffic statistics in RRD format.
- Geolocate hosts and display reports according to host location.
- Discover application protocols by leveraging nDPI, ntop's DPI framework.
- Characterize HTTP traffic using characterization services provided by Google and HTTP Blacklist.
- Show IP traffic distribution among the various protocols.
- Analyze IP traffic and sort it according to the source/destination.
- Display IP Traffic Subnet matrix (who's talking to who?)
- Report IP protocol usage sorted by protocol type.
- Produce HTML5/AJAX network traffic statistics.
http://www.ntop.org/products/traffic-analysis/ntop/

With all that said, we can start by installing the ntopng package. Navigate to System -> Package Manager -> Available Packages, search for "ntop" and then click the Install button.



Now you need to confirm that you would like to install the selected package and its dependencies.



Now you will see the install process start, with a progress bar and text output that will run for some minutes: the installer is about 250 MB that needs to be downloaded and then installed, so give it some time.



When the package is done installing, navigate to Diagnostics -> ntopng Settings.
The first thing you want to do here is set the password used to log in to the ntopng WebGUI:

ntopng Admin Password: MysuperSecretandSEXYkeY
Confirm ntopng Admin Password: MysuperSecretandSEXYkeY
Save and Apply



Now that the access password is set, we can configure the default settings for ntopng.

General Options
Enable ntopng: Yes
Keep Data/Settings: Yes (this keeps all settings and data across updates and reinstallation)
Interface: LAN and WAN
DNS Mode: Decode DNS responses and resolve all numeric IPs
Local Networks: Consider all RFC1918 networks as local traffic (this depends on your layout: if pfSense sits behind another NAT device, you probably want only the LAN interface's network treated as local)
Disable Alerts: Yes
Save and Apply



Once the ntopng service is configured and has started running after you press Save, update the GeoIP data by clicking the green update button.
At this point the configuration in pfSense is done, and you now need to connect to the ntopng WebGUI to finish its configuration. Navigate to https://IP-OF-pfSense:3000/, for example https://192.168.1.1:3000/ or, if you have followed my previous install guides, https://10.99.99.1:3000/



Once logged in, the first place to go is Settings, to set your recording limits; this is done with the gear icon in the top right corner.



Out of the box, it will record raw packets for 1 day in your file system, the rolled-up reports in MySQL for 30 days, and totals for 1 year. You can adjust these here to fit the disk space and RAM you have available on pfSense.







The Reports:
Everyone is different and has their own needs for reporting, but I wanted to screenshot some of the cool reports you can generate and view in ntopng to share with you all.
You can also customize and work with anything that is captured going across the LAN.
You can view total traffic on your local network and sort it by usage:



You can view active data flows, their destination and type in real time with ease on the Active Flows report.



You can even view the specifics of a single host on your network, including total usage, activity maps and more.



Or break it down by protocol.



For those of you who are more interested in spying: yes, you can see the top HTTP traffic destinations...



That is all there is to configuring ntopng and finding the different reports. And yes, there is a large benefit to running this package even in your home environment, as it gives you graphs and statistics of where all your data and bandwidth went and which device used it; and if you did not get the amount you are charged for, you have actual proof of your usage when you call your ISP to complain about their service and invoice.
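To make the Local Networks setting and the top-talkers and protocol reports concrete, here is an added Python example (written for this guide, not ntopng code) that does the same accounting over a handful of constructed flow records: hosts inside the configured local networks get upload and download totals toward the internet, LAN-to-LAN traffic is counted separately, and a host on an RFC1918 range outside the LAN-only network is treated as remote, which is exactly the difference between the two choices in that drop-down. The flow records and the 10.99.99.0/24 LAN are assumptions; the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for internet hosts.

```python
"""Added example, not ntopng's own code: per-host upload/download accounting,
top talkers and an L7 protocol breakdown over constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# The two choices from the Local Networks drop-down, as network lists.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN_ONLY = [ip_network("10.99.99.0/24")]  # assumption: the LAN from the earlier guides

# Constructed flow records (not captured data):
# (src, dst, L7 protocol, bytes src->dst, bytes dst->src)
FLOWS = [
    ("10.99.99.10", "198.51.100.7", "HTTP", 20_000, 1_500_000),      # page download
    ("10.99.99.10", "203.0.113.9", "TLS", 50_000, 4_000_000),        # streaming
    ("10.99.99.20", "203.0.113.22", "BitTorrent", 900_000, 300_000), # mostly upload
    ("198.51.100.50", "10.99.99.30", "SSH", 40_000, 10_000),         # inbound session
    ("10.99.99.10", "10.99.99.30", "SMB", 2_000_000, 100_000),       # LAN only
    ("192.168.1.5", "203.0.113.9", "TLS", 10_000, 200_000),          # other RFC1918 net
]


def is_local(ip, local_nets=RFC1918):
    """True if `ip` falls inside one of the configured local networks."""
    addr = ip_address(ip)
    return any(addr in net for net in local_nets)


def host_usage(flows, local_nets=RFC1918):
    """Per local host: bytes uploaded to and downloaded from remote hosts, plus
    LAN-to-LAN bytes. Flows with no local endpoint are ignored, which is what
    happens to 192.168.1.5 when only the LAN is considered local."""
    usage = defaultdict(lambda: {"upload": 0, "download": 0, "lan": 0})
    for src, dst, _proto, s2d, d2s in flows:
        src_local, dst_local = is_local(src, local_nets), is_local(dst, local_nets)
        if src_local and dst_local:
            usage[src]["lan"] += s2d + d2s
            usage[dst]["lan"] += s2d + d2s
        elif src_local:
            usage[src]["upload"] += s2d
            usage[src]["download"] += d2s
        elif dst_local:
            usage[dst]["upload"] += d2s
            usage[dst]["download"] += s2d
    return dict(usage)


def top_talkers(flows, n=3, local_nets=RFC1918):
    """Local hosts ranked by internet traffic (upload + download), highest first."""
    usage = host_usage(flows, local_nets)
    ranked = sorted(usage.items(), key=lambda kv: -(kv[1]["upload"] + kv[1]["download"]))
    return ranked[:n]


def protocol_breakdown(flows):
    """Total bytes per L7 protocol across all flows, as the protocols report shows."""
    totals = defaultdict(int)
    for _src, _dst, proto, s2d, d2s in flows:
        totals[proto] += s2d + d2s
    return dict(totals)


def fmt_bytes(n):
    """Human-readable byte count using binary units."""
    for unit in ("B", "KiB", "MiB", "GiB", "TiB"):
        if n < 1024 or unit == "TiB":
            return f"{n} B" if unit == "B" else f"{n:.2f} {unit}"
        n /= 1024


if __name__ == "__main__":
    for host, u in top_talkers(FLOWS):
        print(f"{host:14} up {fmt_bytes(u['upload']):>11} down {fmt_bytes(u['download']):>11} "
              f"lan {fmt_bytes(u['lan']):>11}")
    print("LAN-only local nets:", sorted(host_usage(FLOWS, LAN_ONLY)))
    for proto, total in sorted(protocol_breakdown(FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{proto:11} {fmt_bytes(total)}")
```

Note that the upload/download direction of a flow depends on which side is local, not on who opened the connection: the inbound SSH session to 10.99.99.30 counts the bytes it sends back as that host's upload. If a device you expect in the report is missing, check first that its address is covered by the Local Networks choice.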

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value; you should test settings like this in a lab environment and not on your production servers.
Where can I send the beer? Well written! Thanks! ;)