How we use PFsense with Snort & PFblockerNG

Captions
Hi and welcome to another computing video. In this one we're going to be running through our setup and configuration of the pfSense home firewall. It's massively overpowered for what we need it for here, but I'd rather be over spec than under spec, if you know what I mean. So what we'll do is I'll walk you through the configuration, how I've got it set up, and what the services are that we've got running on there. So let's get straight into it.

The first thing we do is log on to the firewall, configured with the normal admin password, a very strong password. OK, so this is the interface. As you can see here we are running the latest release, so we're on 2.4.5, and if we move down (you can ignore all the top stuff) to the CPU type, you can see that we're running an i3 at 2 GHz, currently at 500 MHz but with that as the maximum, so it'll flex up and down according to need and throughput. Four virtual CPUs, as you can see here, which is two cores and two hardware threads, and we're using AES-NI encryption, so this is encryption or decryption actually on the CPU itself; we're not using a hardware chip on the board. Moving down, temperature: as you can see here this doesn't really change no matter what we do with the box, so that's great, and CPU temperature will go up and down, flexing according to the processes or packages that you've got installed. Memory: we again are overpowered, so we've got 8 GB of memory in this box; it never really goes above 8%, despite all the different services that we've got running.

So without further ado let's look at the services. We used to run a DHCP server on our Pi-hole, which then brings me on to pfBlockerNG, so we're now using that on-box rather than using the off-box Pi-hole. It does the same thing: it's basically a DNS sinkhole where you can black-hole any dodgy domains or adverts or tracking. What we use it for is really to block access to any malicious domains. We also run Snort, as you can see here, and that's pretty much it: Snort, DNS Resolver and pfBlockerNG.

So let's have a look at what we've got configured. We're using a number of lists: we're using IP block lists and DNSBL lists, which are to do with the domains, so IP and domain blocking on there, and it's quite active as you can see here. This is the count, and that's basically the number of domains and IP addresses, and you can see how many packets we've blocked here. Moving down to our Snort alerts, we can clearly see that that's doing its job again, so that's an IPS and IDS system. Then moving on to our firewall: the nice thing about the firewall is that actually the Snort alerts filter into the firewall log, so for instance if we trigger a Snort alert and it automatically blocks the IP address, that'll be blocked in the firewall. So that's all there is to it in terms of the interface.

So let's have a look at how we've got things set up. The first thing I wanted to point out was throughput, so if we just do a quick speed test, we'll just use the standard Google speed test. We're on a 200 meg service; we should be getting around about 20 meg upload, so 200 down and 20 up. We always tend to get a bit more, which is fantastic, but we get full speed, which is excellent. You can see there 20 meg upload, 220 meg download, so that's the speed test taken care of.

So the first thing we want to do is show you the general setup; I'll walk you through what we've got here. At the moment we're using Google DNS servers for our upstream DNS. There's nothing much else really that you need to be aware of on this one. If we then go to the advanced settings, again this first admin access page we leave as default; that is sufficient for us. If we move on to the Firewall & NAT section, we're using the firewall optimization options as normal, no need to change anything from the default really. I'm not going to talk you through anything here; I'm just running through how we've got it set up for us.

Networking: this one's really important. We've disabled IPv6. It depends: if your ISP supports it then great, go ahead and enable it, but what we have done is this. If you tick this box here it will allow IPv6 whether you're capable of doing it or not, but we've unticked this, so we block all IPv6 and we just use IPv4. Moving down to this network interfaces piece, this is really important. Our device has actually got Intel NICs, and we found that what we've had to do is disable hardware checksum offloading; sorry, we've had to leave hardware checksum offloading enabled, and we've also removed the "disable hardware TCP segmentation offload" and the "disable hardware large receive offload". So these are quite important. With these two, what we did actually here: we had hardware checksum offloading and TCP segmentation offloading set to disabled, so when we did a speed test we still got our meg download, but we found that our upload speed was limited to 3.4 megabits a second. Going through here and unticking all of these options for our Intel NICs resolved that problem. What you've got to do, obviously, is once you save it you then need to reset your interfaces, so you reload your networking, or the easiest option is to come into your Diagnostics tab and then just reboot your device using the option here.

Moving on to Miscellaneous: we haven't touched any of this, this is all standard default. Ah, sorry, we have: we set our cryptographic hardware to use AES-NI CPU-based acceleration, so this is using the CPU to encrypt and decrypt. System Tunables we have not touched at all, and Notifications we've actually set up so that we get notified when things don't work correctly, so for instance, downloading some of the lists, if there's an issue there we will get notified, and some of the other options.

I'm not going to talk about the WAN or the LAN; I am going to talk about the firewall though. The firewall itself I'm not going to talk about, but particularly I'm going to talk about pfBlockerNG. As you can see here we've got this set to enabled. Now I'm just going to whiz back to the dashboard: if you've got a problem with DNSBL starting up, you need to persist with it. It just means that it is actually using a mini SQL database and sometimes it doesn't start correctly, so restarting that service will kick it into action. But I'm just going to go back and talk you through the setup and configuration that we've got here.

First of all I've enabled it, and then I've told it to keep the settings, so if I ever remove it, it's going to keep the settings so I can reinstall it later easily. That's all there is to it on that home page. Next we're going to come to our IP page. This is where you can set it up for GeoIP and various IPv4 or IPv6 lists and your IP reputation. What we've got here, we're basically saying de-dupe the list, so remove the duplicate IPs. Placeholder IP address is important; we've not actually changed this, this is just using the standard that pfSense wants. If you're going to be using GeoIP, which we have got set but we're not using currently because we don't run any of those services inbound (it's taken care of with our Snort, for instance, on our standard firewall), but if you wanted to block via GeoIP you need to go off and create yourself a free MaxMind account. I am going to blur this out by the way so you won't see that. Then if we go down to our interfaces, this is important: you want to tell your system that your inbound firewall rules will be running on your WAN interface and your outbound firewall rules are going to be running on your LAN interfaces, and we have come in here to set the auto rule suffix; normally it says "auto rule", we've set ours to null, no suffix, and we've also enabled kill states, so basically when any blocked IPs are found in the firewall states, they're going to get cleared when it does an update, when you do a force update. IPv6 we're not worried about because we're not using it, but GeoIP, this is where you can set your top spammers and things like that. So if you're running your own mail service for instance, or web server, that kind of thing, this is the place you would then come in and set all of your various links up, and if you go into the pencil icon here, this will show you what is actually in the list and what you can do to block it. So you can come in here, hold the control key down, you can select various countries, or if you want to select everything then obviously you can do that as well just by using Ctrl+A to select them all, and again you've got all of your items here that you can go and do this for, for all of your different lists, so you've got IPv4 on the left and then IPv6 countries on the right. Once you're happy with that then obviously you want to set it to log and then save your rules.

Next we come on to our DNSBL lists, and this is important. You want to make sure that you've got it enabled. If you're going to be using TLD (so top-level domains), if you're going to be selecting this option here, it's going to block all of your subdomains as well, but be careful: if you're on a low-powered system you will take a hit in terms of memory and CPU, but particularly memory, so you don't want to be using that if you've only got a gig of RAM in your device. Virtual IP address: you want to make sure that you are setting your virtual IP address to an IP address that isn't in use by your system or any other services on your system; in our instance we've actually just accepted pfSense's default. And then where you want your DNSBL web server to be listening: the way it works, it downloads the lists to your web server and then you pull in your lists from your web server, which is running locally. You want to make sure that you select the appropriate LAN interface that that is going to be running on.

OK, so permit firewall rules: we like to set our configuration up to use floating firewall rules. Basically what this means is it puts all of your firewall rules in the same place rather than having separate firewall rules for each of your interfaces in the firewall setup. We've also got this one enabled here, so this will always allow your access to your DNSBL web server, so you want to make sure that is set there. In terms of whitelist, this is where the standard whitelist lives; we've not changed this, but whenever you whitelist something it will appear in here. And the top 1 million whitelist domains, you can specify that here, but in our instance we're not using that at all. The rest of it is default; we don't change that either.

So once you've got that set up you can then move on to your groups. As you can see here, we are blocking the DNSBL Malicious and the BBcan177 feeds. If you want to go in and check what they are, just click on this icon here and this will show you all the lists that we've got dragged into that group: so abuse, antisocial and malware. Basically we don't block any ads, although we could do, and we don't block any tracking either, but if those IP addresses or domains happen to fall in one of these lists then they'll be blocked unless you whitelist them, or suppress them from the list I should say. So that's that. We can go back to the groups again, and this is the group and the feed that we've got here; we're only using one list, and I'll show you how you can populate those lists. If we go to our categories, this is where you would select your Shallalist if you've got it (we don't, we've got that set to disabled) and then your SafeSearch; again we're not using SafeSearch. So if we go back to our groups now, and we wanted to add a group, if you've selected the various lists they will automatically appear in your groups.

The next section we're going to talk about briefly is Update. Cron does its own thing, so we just let that one take care of itself. Reporting we'll come back to; this is where your reports will live. Now, how do we get our lists? Well, we do that via our Feeds. In here basically this primary one feed is selected by default, which means that you can select a single category here and various lists will automatically populate into that category. This is priority two, so priority one, priority two, priority three and so on, all the way down through your IPv4 and IPv6 lists. As you can see here there's a whole ton of them, and then we move on to the DNSBL category. These are more around the privacy lists; we don't use any of these. All we are interested in doing is blocking malicious domains, so as you can see here we're automatically blocking all of the malicious domains. We are not blocking phishing, although you probably want to think about doing that: this is when someone receives an email with a link in it and they click on it; if you're blocking these phishing lists, chances are you're going to be blocking that as well. You want to be careful though, because you may well get some false positives. We're not using any of these hpHosts here from Malwarebytes, but we are using this BBcan177 list here. The rest of it is all disabled, so Malicious 2 we're not using any of that because there's likely to be quite a few false positives in there. We're not using crypto jackers either. So that populates the DNSBL lists and groups based on the categories that you select, so once you've selected all of the different categories they will appear in your groups here. As you can see, here's our two groups, and if we go to our IP lists they will appear in here. So what we're saying here is priority one IP lists: we're denying both inbound and outbound; we're going to block those if we get a match on that. GeoIP, as I said, we're not using, and we're not using IP reputation either. DNSBL lists we are using and we are blocking.

So what happens when we get a block? Well, if we go back to our dashboard we can see here the number of packets that we're blocking for IP lists and also our domain lists. You can click on these packets and that will take you to the reporting for each of those, or when you are in your pfBlocker you can go into Reports and that will give you the same report. So let's have a look at this, and you can see here what we're currently blocking. The IP blocks seem to be mostly from Russia, but quite a few other countries as well that we're blocking in those lists. If you want to query the IP address you would click on this information or threat intelligence lookup, and then you can select from a whole number of different websites to actually go in and find out what that IP is doing. So let's have a look at FortiGuard IP lookup. OK, so the category is not rated and it's not analyzed. Click here, OK, so that one's not rated. Basically you will find that on quite a few of them if the source is set to unknown, but eventually they will work their way into those various lists. It's obviously known about in the feed here, but in terms of the rest of the information on the various websites, it doesn't know about that yet, but we made a decision and we're blocking it. And then if we scroll down here you can see what we are actually blocking. Well, actually it's picked it up in this malicious domains list; not so sure it is a malicious domain, basically because it's standard Google Analytics stuff, so, you know, I would class that as a false instance, and you can whitelist it if you really want to: basically you come here and you click on the plus sign and that will then whitelist it across your system.

So that's the alerts. If we now move to the IP block stats, this gives you a bit more granularity and it gives you some pretty graphs as well to tell you, you know, where your locations are and so on and so forth, all the way down to what source port is used and what destination port is used; so in other words, depending on whether the source is remote will determine what the destination or the source port is. Have a look at those; I'm not going to talk too much about them. And then we're going to move on to our DNSBL stats, which quite clearly you can see is not malicious at all because it's standard YouTube stuff, so a lot of these I'd class as false positives, although it doesn't interfere with any of the system or what the rest of the household is viewing on YouTube and some of those other websites that are used for social media. If you want to get to the raw logs you can come to your raw logs file here and you can select the various logs, so if we go here for the IP blocking this will pick up the raw data that is being used in our log files, and the same for everything else in here. So that's all there is to pfBlockerNG.

Now we're going to move on to Snort. We're going to have a quick look at Snort and run through how this has been set up. We're only running it on our WAN interface because we're basically blocking inbound traffic, and to set up your Snort lists you would come into your interface and drill in here. As you can see here, we are saying to our system that we're using the WAN interface because it's the one, and we are looking at where we log our traffic, our alerts, and the search method. We're using AC-BNFA, which seems to be fine for us; there are a whole load of other ones but we've accepted the default. We then need to tell it what our home network is, so again just use the default, basically because it will pick up in your list all of the interfaces and say anything matched in this list is the home network, anything not matched in this list is an external network. And then the pass network is where you're configuring your rules to allow pass-through. Suppression and filtering list: this is when you click on the little plus sign to suppress the alert and allow it; that will then add it to this list here.

Moving on to WAN categories, so what are we actually doing? What we are using is really important, because otherwise you've got to go through all of your Snort rules files and tick whichever ones you want, so we've found it easier to actually tick this box here that says "use an IPS policy selection", and then you've got various different policy selections that you can choose. You've got Connectivity, which protects you against the very basics; Balanced, which gives you a little bit more; Security, which blocks Balanced and Connectivity and its own; and then so on all the way through to Max-Detect, which you basically want to test against the new production system. Depending on what list you are using, we can also tick the Emerging Threats, so we are using basically malware, botnets, exploit rules and trojan rules for Emerging Threats. These are ones that have just started appearing in the wild. The way you set that up, we'll go through that later. Let's move on to WAN rules now: these are all the rules that we've got in place for our Snort system. The WAN variables we leave blank; you can rename stuff if you want. And the WAN preprocessors, so again we're doing nothing with this and we've accepted all of the defaults, and you might want to tune maybe your SSH detection; maybe you want to have a look at disabling your HTTP inspect, although I'd really think about it before you do that. The rest of this, basically we've accepted all the defaults. Barnyard2: we're not using Barnyard2. The way that this works is it creates its own MySQL database where it can dump all of the traffic into, but we've got plenty of memory and we've got plenty of CPU, so we don't use that. Next is the WAN IP reputation list; we don't use that either. You can load up various lists from various resources on that. So that's all there is to it; that's the basic rules and categories configured for Snort.

Then we're going to move on to our Global Settings, so these are the rules basically. What we've got here, we're saying we're going to enable our Snort Subscriber rule set. Do you want to enable your GPL rule set? Well, we're not using the community rule set, but we are using the Emerging Threats rules, so just tick the box and sign up for a Pro account if you want to use that, but we're just using the open rule set on that, and we are using the OpenAppID rule set, so Sourcefire detectors, and that's it. Basically, down here is important: how long do you want to block your hosts for? We block our hosts for one hour, but if you wanted to just alert and not block then you would set this to never, so don't block, basically. OK, moving on to Updates: this is where you can manually refresh your rules, but they will get refreshed based on the configuration settings that you set at the beginning. We'll come back to alerts, we'll come back to blocked and suppress. Actually, you know, we're going to go into alerts. So these are your alerts here that you're getting from the system. Let's have a look at these compromised hosts: if we click on the magnifying glass that is going to do a DNS lookup for us and tell us what the domain is, so as you can see here, roberto.li, and that's obviously a compromised host that is trying to do port 22, so probably a brute-force attack on SSH, port 22.

We're not going to whitelist that, but if we wanted to suppress that alert and allow it then you would click on the plus sign either by the source or by the destination, or if you wanted to disable the SID itself, so the identifier itself, that would block it across all sources and all destinations. Moving on: once an alert is triggered it will block it in your firewall, so we can have a look at what hosts are blocked. Currently we are blocking two hosts, and because of our settings previously in our Global Settings (if you remember, down the bottom we set how long you want to block that host for; well, we set it for an hour), after an hour this host will be released again. So if the attack continues it'll continue to be blocked, but after an hour that'll be released again, and what that takes care of is, you know, say someone's got an infected web server and they go ahead, they clean it and they fix it, then obviously you don't want to be permanently blocking the IP addresses because actually you might want to get to it in the future. Pass lists we don't use at the moment, so, you know, those are the rules that you created and the IP addresses that you created for allowing traffic through Snort. We tend to use just the suppress list, so as you can see here, here's our suppress list for what we've effectively whitelisted, and the same for IP lists. So the IP list is that list where we ticked the boxes; one of them was the Emerging Threats compromised IP addresses, so if we have a look at the list itself that will show you what the IP addresses are that are contained within that list, and that will update and refresh itself accordingly based on what's going on out in the wild. SID management we don't use, so I'm not going to talk about it. That's all there is to our Snort setup.

So let's go back to our dashboard and we'll just have a quick recap of what we've got on the dashboard. pfBlockerNG stats are here, Snort interface alerts are here, our firewall logs are here and our services are here. What I'm going to do is I'll create new videos based on a more in-depth look at each of those, and then we'll get that added to our YouTube channel for you guys to review. So that's all there is to it at the moment. If you found that useful give it a thumbs up and don't forget to subscribe to the channel so you don't miss any future updates, but we will start looking at these more in depth and explaining what each of those does; we've just given you a quick walkthrough on how we've set up our system. So once again, thanks for watching, and catch you in the next one.
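As an added example (not from the video and not pfBlockerNG's own code), here is the DNSBL decision logic the walkthrough describes in Python: feeds grouped into lists, the TLD option that also catches subdomains, a whitelist that wins over any block, and the virtual IP returned as the sinkhole answer; the feed contents, whitelist entry and VIP are all constructed values.

```python
"""DNS sinkhole decision logic modelled on the pfBlockerNG DNSBL behaviour
described in the walkthrough. Added example, not pfBlockerNG's own code;
every value below is constructed for illustration."""

# Constructed feed contents, grouped the way the video groups its DNSBL feeds.
FEEDS = {
    "Malicious": {"bad-downloads.example", "cnc-beacon.example"},
    "BBcan177": {"ads-tracker.example"},
}
# Constructed whitelist entry, like the Google Analytics domain the video
# judges a false positive and whitelists with the plus sign.
WHITELIST = {"analytics.example"}
# Constructed sinkhole address; use whatever VIP your own DNSBL is configured with.
SINKHOLE_VIP = "10.10.10.1"


def normalise(qname):
    """Lower-case the query name and drop the trailing dot DNS clients may send."""
    return qname.lower().rstrip(".")


def candidates(qname, tld_mode):
    """Names to test for one query. Exact mode: only the query itself.
    TLD mode: the query and every parent domain, stopping before the bare TLD,
    which is what makes TLD mode block all subdomains of a listed domain."""
    labels = normalise(qname).split(".")
    if not tld_mode:
        return [".".join(labels)]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def lookup(qname, feeds=FEEDS, whitelist=WHITELIST, tld_mode=False, vip=SINKHOLE_VIP):
    """Decide what the sinkhole does with one query.
    Returns (action, answer, reason): action is "block" or "pass"; answer is the
    VIP on a block and None otherwise; reason names the whitelist entry or the
    feed and listed domain that matched."""
    names = candidates(qname, tld_mode)
    # Whitelist wins over every feed; in TLD mode it covers subdomains as well.
    for name in names:
        if name in whitelist:
            return ("pass", None, f"whitelist:{name}")
    # Most specific name first, so a subdomain hit is reported before its parent.
    for name in names:
        for feed, domains in feeds.items():
            if name in domains:
                return ("block", vip, f"{feed}:{name}")
    return ("pass", None, "no match")


if __name__ == "__main__":
    for q in ("bad-downloads.example", "cdn.bad-downloads.example",
              "analytics.example", "news.example."):
        print(q, "exact:", lookup(q), "tld:", lookup(q, tld_mode=True))
```

Running it shows why the video warns about TLD mode: a subdomain of a listed name is only blocked when the parent chain is checked, which is also the extra work that costs memory on a small box.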
Info
Channel: Frimley Computing
Views: 18,245
Keywords: PFSense, PFsense 2.4.5, PFblockerNG, Snort, configuring pfblockerng, configuring snort, home firewall, opensource firewall
Id: 3Gldn7DT_QQ
Length: 31min 28sec (1888 seconds)
Published: Mon May 04 2020