stamparm/maltrail

External IP Flagged in Blocklist in Maltrail and Appears to also be affecting blocks on other sites...

Closed this issue · 20 comments

Question
For some reason Maltrail is blocking my external IP See below:

maltrail

I have added an allow rule within the firewall above the Maltrail block, so I am able to get external access now, but when I have gone to other sites, it appears my IP is still flagged for some reason. Most appear to be associated with DNS for some reason, as seen in the image...

Support
Any thoughts on what would cause this or why it is getting flagged?

Hello!

Maltrail doesn't block connections itself, it is just an IDS. It can be set up to work together with a block mechanism (https://github.com/stamparm/maltrail/wiki/Miscellaneous#1-setting-up-maltrail-as-an-intrusion-prevention-system-ips), but I think your case is not related.

Also, I have re-checked your IP in static trails for FP -- also clear. What environment do you use for Maltrail? Is it a plugin in OPNsense?

Is 99.137.X.Y your external IP? If yes, that means that Maltrail detected your IP as a source of suspicious behavior - and that's perfectly normal. In such a case you should inspect why there are such requests and whether there is a need to worry.

p.s. From what I can see, those are most probably benign (but marked as "suspicious" by Maltrail - not meaning "malicious").


Yes, this is an OPNsense plugin. I have the following configuration: ISP <===| OPNsense (Transparent FW) |===> Unifi UDM with IP Passthrough from ISP.
transparent_fw_diagram
This was not an issue previously, but I started getting dropped via the Maltrail ACL on OPNsense. My question is around why I am getting tagged. I do not see a clear answer. I run internal unbound DNS with Pihole for my DNS requests, so not sure why or how I am being flagged there either. I do host services internally and use Cloudflare DNS/reverse proxy for access; again, that has been that way for some time.

p.s. from what i can see, those are most probably benign (but marked as "suspicious" by Maltrail - not meaning "malicious")

Yes that is my external IP. I realize that it is showing as suspicious but trying to understand the Trails References for the items...


@mimugmail Hello! Could you please attend to our conversation? Need details on how the OPNsense firewall builds its blocking rules from Maltrail's detections. Thank you!


This is my two cents on what I know about the blocks: there is an alias created that is associated with the fail2ban item, and then an ACL on the interface.
maltrail_alias
NOTE: The rules above the Maltrail blocks are to bypass the blacklisting of the external IP.
maltrail_acl

Exactly, OPNsense fetches the fail2ban URL at regular intervals and builds a dynamic alias.

I would suspect that's the reason for the blocking:

image

See FAIL2BAN_REGEX triggers list: https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L48


How do you exclude (allowlist) explicit IPs or domains? I have placed the IP in the config, but it is not bypassing:
maltrail_general

According to the CHANGELOG, MT from version 0.65 (https://github.com/stamparm/maltrail/blob/master/CHANGELOG#L43) has the possibility to build custom blacklists (#19230):

image

Looks like this mechanism allows building a bypass rule for a defined filter (e.g. mass_scanner in the current case).

But I am not sure it is implemented in the OPNsense plugin, in particular in the UI. @mimugmail ?


Is the plugin maintained by OPNsense then or is that part of the Maltrail project?


Plugin is maintained by OPNsense.


Thanks


As a workaround I can propose manually modifying the maltrail.conf file by deleting the string mass_scanner (see https://github.com/opnsense/plugins/blob/master/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf#L11) and restarting the MT plugin. Hope this will be OK for you.


No, I do not think that is the right direction... If OPNsense maintains the plugin (I thought it was handled by Maltrail, like other OPNsense plugins), they should try to resolve it, especially since I should be whitelisted from the console perspective within OPNsense. Removing mass_scanner is definitely good info for monitoring, which I do.

@MikhailKasimov on a side note, has there been a change in the way the known_attacker is handled? This may be another OPNsense related issue, but since I have gone to explicit FW to transparent FW, the known_attacker hits have completely disappeared, where I was averaging a few dozen a day previously.

on a side note, has there been a change in the way the known_attacker is handled?

As far as I remember, there were no changes.

But, from what I can see, when comparing the "native" maltrail.conf (https://github.com/stamparm/maltrail/blob/master/maltrail.conf) and OPNsense's one (https://github.com/opnsense/plugins/blob/master/security/maltrail/src/opnsense/service/templates/OPNsense/Maltrail/maltrail.conf), the OPNsense one does not contain the option DISABLED_TRAILS_INFO_REGEX (https://github.com/stamparm/maltrail/blob/master/maltrail.conf#L72-L73), which allows suppressing "noisy" detections like known attacker.

Perhaps, @mimugmail would give a more thoughtful hint here...
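The thread describes three knobs that decide whether an address ends up in the OPNsense block alias: events are filtered by FAIL2BAN_REGEX before the fail2ban URL is published, DISABLED_TRAILS_INFO_REGEX can drop noisy classes of detections before that, and the proposed workaround is to remove mass_scanner from the regex. The following is an added model of that pipeline, written for this page; it is not Maltrail's or the OPNsense plugin's code. It assumes a simplified constructed event shape (src_ip, dst_ip, trail, info) rather than Maltrail's real log format, assumes that a FAIL2BAN_REGEX match on the info text publishes the event's source IP (consistent with the reporter's own external IP, seen as the source of mass_scanner events, landing in the alias), uses regex strings that only mimic the shape of the real options, and adds a hypothetical allowlist parameter that Maltrail itself does not offer.

```python
"""Model of how a Maltrail-style fail2ban export ends up as a firewall block alias.

Added illustration, not code from Maltrail or the OPNsense plugin. Assumptions:
- event records are a simplified constructed shape (src_ip, dst_ip, trail, info),
  not Maltrail's actual log format;
- FAIL2BAN_REGEX is matched against the event's info text, and a match publishes
  the event's *source* IP;
- DISABLED_TRAILS_INFO_REGEX drops matching events before anything is exported;
- the allowlist parameter is a hypothetical local safeguard, not a Maltrail option.
"""
import ipaddress
import re

# Constructed sample events. 99.137.0.1 stands in for the reporter's external IP (99.137.X.Y).
SAMPLE_EVENTS = [
    {"src_ip": "99.137.0.1",   "dst_ip": "203.0.113.10", "trail": "203.0.113.10", "info": "mass scanner"},
    {"src_ip": "198.51.100.7", "dst_ip": "99.137.0.1",   "trail": "198.51.100.7", "info": "known attacker"},
    {"src_ip": "192.168.1.20", "dst_ip": "10.0.0.53",    "trail": "evil.example", "info": "suspicious domain"},
    {"src_ip": "192.0.2.44",   "dst_ip": "99.137.0.1",   "trail": "192.0.2.44",   "info": "mass scanner"},
]

# Assumed regexes that mimic only the *shape* of the maltrail.conf options named in the
# thread; they are not copied from the real configuration file.
FAIL2BAN_REGEX_DEFAULT = r"attacker|mass scanner"
FAIL2BAN_REGEX_WORKAROUND = r"attacker"          # "delete the string mass_scanner"
DISABLED_TRAILS_INFO_REGEX = r"known attacker"   # suppress a noisy class of events


def build_ban_list(events, fail2ban_regex, disabled_info_regex="", allowlist=()):
    """Return the source IPs a fail2ban-style export would publish, numerically sorted.

    Processing order is the point of the example:
      1. events whose info matches DISABLED_TRAILS_INFO_REGEX never exist for export;
      2. of the rest, only events whose info matches FAIL2BAN_REGEX contribute;
      3. sources inside the allowlist are dropped *before* the list is published,
         which is where a bypass must live if the consumer is a blanket firewall rule.
    """
    ban = re.compile(fail2ban_regex, re.IGNORECASE)
    disabled = re.compile(disabled_info_regex, re.IGNORECASE) if disabled_info_regex else None
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    sources = set()
    for ev in events:
        if disabled is not None and disabled.search(ev["info"]):
            continue
        if not ban.search(ev["info"]):
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        if any(src in net for net in allowed):
            continue
        sources.add(src)
    return [str(ip) for ip in sorted(sources, key=lambda ip: (ip.version, ip))]


def render_alias_table(ban_list):
    """One address per line: the shape a URL-table style alias fetches and loads into pf."""
    return "\n".join(ban_list) + ("\n" if ban_list else "")


def is_blocked(ban_list, ip):
    """Does a block rule keyed on the alias catch this address?"""
    return ip in ban_list


if __name__ == "__main__":
    mine = "99.137.0.1"
    default = build_ban_list(SAMPLE_EVENTS, FAIL2BAN_REGEX_DEFAULT)
    print("default export:\n" + render_alias_table(default))
    print("my WAN address blocked:", is_blocked(default, mine))
    workaround = build_ban_list(SAMPLE_EVENTS, FAIL2BAN_REGEX_WORKAROUND)
    print("without mass_scanner:", workaround, "blocked:", is_blocked(workaround, mine))
    quiet = build_ban_list(SAMPLE_EVENTS, FAIL2BAN_REGEX_DEFAULT, DISABLED_TRAILS_INFO_REGEX)
    print("known attacker suppressed:", quiet)
    safe = build_ban_list(SAMPLE_EVENTS, FAIL2BAN_REGEX_DEFAULT, allowlist=[mine + "/32"])
    print("with allowlist:", safe, "blocked:", is_blocked(safe, mine))
```

With the default regex the reporter's own address is published alongside the genuine scanners, so a firewall rule keyed on the alias blocks it; dropping mass_scanner from the regex removes it (and every other mass-scanner source, which is why the reporter objects to that as a fix); suppressing known attacker via DISABLED_TRAILS_INFO_REGEX changes what is logged, not whether the external IP is exported. Only an exclusion applied before publication, or an allow rule ordered above the block rule as the reporter did, keeps the address reachable.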

This is just an update to this issue. After applying the OPNsense 24.7.3 update today, the Maltrail traffic patterns that were expected returned. So not sure if part of the issue was associated with the delta and/or changes between 24.7.2, but now seeing the visibility expected...

image

This is just one more confirmation that Maltrail itself works OK. The problem was in its environment. Thank you for letting us know!