Wednesday, December 30, 2020

Multi-Factor Authentication for the PfSense WebGUI


1. Download the "freeradius3" package

2. Navigate to the FreeRADIUS option listed under the "Services" tab

3. Go to the "Interfaces" tab and click the green "Add" button

4. Put "Authentication" in description and hit save

5. Click "Add" again

6. Change Port to 1813

7. Change interface Type to "Accounting"

8. Put "Accounting" in the description and hit save

9. Go to the "NAS/Clients" tab and click "Add"

10. Under General Configuration put "" as the Client IP address

11. Put "RadServer" (or whatever you want) in the "Client Shared Secret"

12. Put a shared secret (make a note of this shared secret; it is needed again in step 20)

13. Save

14. Navigate to "User Manager" under the "System" tab on the top bar of the pfSense menu

15. Go to "Authentication Servers" and click "Add"

16. Under Server Settings enter descriptive name

17. Change type to "RADIUS"

18. Under RADIUS Server Settings put "" as the "Hostname or IP address"

19. Change the "RADIUS NAS IP Attribute" to LAN

20. Enter same shared secret from step 12

21. Hit save

22. Navigate back to the "FreeRADIUS" package under the "Services" tab

23. Under the "users" tab click "Add"

24. Create a username and password and click save

25. Test by going to "Authentication" listed under the "Diagnostics" tab on the top menu of the pfSense WebGUI

26. Change Authentication Server to "RadServer" (or whatever you named the server) and enter your credentials

27. Click "Test"

28. If successful it will say "User authenticated successfully"

29. Navigate back to "User Manager" under the "System" tab and click on "Authentication Servers"

30. Click the edit button on your "RADIUS" type server

31. Under the "RADIUS server settings" change the Protocol to "PAP" and click "Save"

32. Navigate to the "FreeRADIUS" package under "Services" and click on the "Settings" tab

33. Scroll down to the "Mobile-One-Time-Password Configuration" area, check the box beside "Mobile-One-Time-Password" and click "Save"

34. Click on the "Users" tab and click to edit the previously created user

35. Scroll down to the "One-Time Password Configuration" area

36. Check box beside "One-Time Password"

37. Change "OTP Auth Method" to "Google-Authenticator"

38. Click blue "Generate OTP Secret" (copy this secret somewhere easily accessible, as the user will need it to set up Google Authenticator on their mobile device)

39. Enter a pin ***MUST BE NUMBERS ONLY***

40. Under the "General Configuration" area remove password (password area must be blank)

41. Click "Save"

42. On the client's phone, download the Google Authenticator app

43. Click the add button (a "+" sign on the Apple app)

44. Click "Manual entry" 

45. Enter the username from step 24 

46. Enter the OTP Secret from step 38

47. Hit save

48. Credentials are the Username from step 24, and the password is the PIN from step 39 plus the code given on the Google Authenticator app. So if you entered a PIN of "1234" on step 39 and Google Authenticator had a code of "123 4567" your password would be "12341234567"

49. Go to System / User Manager / User and click Add

50. The Username must be the exact same as one of the users you created on the FreeRADIUS service (that was step 23).

51. Create a password (I recommend a VERY long and difficult password, as pfSense will recognize this password as well as your OTP with Google Authenticator as a fail-safe in case your FreeRADIUS quits working). 

52. Add to the "admins" group and click Save. 

53. Go to Settings and change the Authentication Server to your FreeRADIUS server and hit Save.

54. Go back to the FreeRADIUS service and click to edit the user you are using for the WebGUI multi-factor authentication.

55. Scroll down to the "Advanced Configuration" area near the bottom of the page, and enter Class := "admins" into the Additional RADIUS Attributes (REPLY-ITEM) box. Click Save.

56. Test your login to make sure it works with the PIN+OTP from Google Authenticator (i.e. if you entered a PIN of "1234" on step 39 and Google Authenticator had an OTP code of "123 4567" your password would be "12341234567").
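Steps 39 through 48 (and the test in step 56) describe the password that the WebGUI login actually sends: the numeric PIN immediately followed by the six-digit Google Authenticator code. The following is an added example, not code from the original post or from the pfSense/FreeRADIUS packages, that shows what that means under the hood: it implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, which is what the Google Authenticator app produces from a base32 secret), builds the PIN+code string, and performs the server-side style check with a small clock-drift window. It assumes the "Google-Authenticator" OTP method uses those standard TOTP parameters; the exact matching logic FreeRADIUS runs on pfSense is not shown on this page. The secret, PIN and timestamps are constructed for the demo (the secret is the well-known RFC 6238 test key, so the codes can be checked against the RFC's own vectors).

```python
"""Added example: PIN + TOTP password construction and verification.

Not part of the original post. Assumes Google Authenticator defaults
(HMAC-SHA1, 30-second step, 6 digits, base32 secret). All sample values
below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def decode_authenticator_secret(secret_b32: str) -> bytes:
    """Google Authenticator manual entry takes a base32 secret; tolerate
    lowercase, spaces and missing '=' padding the way the app does."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def build_password(pin: str, secret: bytes, at: int) -> str:
    """Step 48: the WebGUI password is the PIN immediately followed by the
    6-digit code. The app displays the code as '123 456'; the space is not typed."""
    if not pin.isdigit():
        raise ValueError("step 39: the PIN must be numbers only")
    return pin + totp(secret, at)


def verify_password(password: str, pin: str, secret: bytes, at: int, window: int = 1) -> bool:
    """Server-side style check: split the submitted string into PIN and code,
    accept the code for the current 30-second step or up to `window` steps
    either side (clock drift). Both parts are compared in constant time and
    neither comparison short-circuits, so a wrong PIN and a wrong code take
    the same time to reject."""
    if len(password) != len(pin) + DIGITS:
        return False
    supplied_pin, supplied_code = password[:len(pin)], password[len(pin):]
    pin_ok = hmac.compare_digest(supplied_pin, pin)
    counter = at // STEP_SECONDS
    code_ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), supplied_code):
            code_ok = True
    return pin_ok and code_ok


if __name__ == "__main__":
    # Constructed demo values: base32 form of the RFC 6238 test key and a 4-digit PIN.
    demo_secret = decode_authenticator_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    demo_pin = "1234"
    now = int(time.time())
    pw = build_password(demo_pin, demo_secret, now)
    print("password to type right now:", pw)
    print("accepted:", verify_password(pw, demo_pin, demo_secret, now))
```

The verifier accepts one step either side of the current time; widening that window makes a stale code usable for longer, so keep it small and fix the clock (NTP) on the firewall and the phone instead. The PIN length is fixed per user, which is why the split in `verify_password` is unambiguous even though the submitted string carries no separator.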

Monday, December 14, 2020

Suricata Startup Instructions

This is a guide to the basic startup for Suricata on the pfSense. There are many in-depth settings that can be configured to best fit your individual needs, but for this guide I will only be going over the basics needed to start using Suricata. I wouldn’t recommend installing this on any system lower than an SG-3100 as it can be very memory intensive.

1. Install Suricata package under “Package Manager”.

2. Navigate to Suricata under the “Services” tab and click on “Global Settings”.

3. Check the box for “Install ETOpen Emerging Threats rules” under the “Please Choose The Type Of Rules You Wish To Download” section.

4. Check the boxes for “Install Snort GPLv2 Community rules” and “Hide Deprecated Rules Categories” under the same section as step 3.

5. While in the same section, check the box for “Use a custom URL for ETOpen downloads” and on a separate window navigate to the following site:

6. Copy and paste the following link from the site into the box for “ETOpen Custom Rule Download URL” on the pfSense (be aware that this link may change if Suricata is updated to a different version in the future, so always get the link from the site and not this document):

7. Under the “General Settings” section towards the bottom of the page it is recommended that the time for “Remove Blocked Hosts Interval” be set to 1 hour.

8. Click the “Save” button at the bottom of the page.

9. Click on the “Updates” tab and then click “Update” under the “UPDATE YOUR RULE SET” section.

10. Once updated, navigate to the “Global Settings” tab and change the “Update Interval” to once a day under the “Rules Update Settings” section and click “Save” at the bottom of the page.

11. Navigate to the “Interfaces” tab and click “Add”.

12. Under “General Settings” change the “Interface” and “Description” to LAN and click “Save” at the bottom of the page.

13. Click on the “LAN Categories” tab and click “Select All” under the “Select the rulesets (Categories) Suricata will load at startup” section, then click “Save” at the bottom of the page.

14. Click on the “Interfaces” tab and click on the blue “play” type button on the interface to start Suricata on this interface.

15. Click the edit button on that interface and make sure the “Block Offenders” box isn’t checked under the “Alert and Block Settings”.

I suggest monitoring the feed on the “Alerts” tab for at least a week to check for false positives before implementing it with blocking enabled. If a false positive is found click the red “x” to the right of the alert to force disable the rule and remove it from the current ruleset.