• OPNSense security...

    From Shurato@618:300/50 to All on Sun Jun 14 13:02:00 2026
    What can I add to my opnsense stack to increase security?

    I've got Crowdsec and Qfeeds, Unbound block lists, IDS/IPS w/ ET, OPNSense and Snort rules (Though I am on PPPoE, so this may be irrelevant), GeoIP blocking and ClamAV. What else should I be doing? I've got public facing web, telnet, ssh, radio, tv, jellyfin and more servers that I would like to be as hardened as possible.

    --
    Shurato, Sysop Shurato's Heavenly Sphere (ssh, telnet, pop3, ftp,nntp,
    ,wss, ssh utf-8) (22,23,110,21,119,999,2222) shsbbs.net FREQ FILES !


    *** THE READER V4.50 [freeware]
    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Atreyu@618:400/24 to Shurato on Tue Jun 16 00:24:10 2026
    On 14 Jun 26 13:02:00, Shurato said the following to All:

    I've got Crowdsec and Qfeeds, Unbound block lists, IDS/IPS w/ ET, OPNSense and Snort rules (Though I am on PPPoE, so this may be irrelevant), GeoIP blocking and ClamAV. What else should I be doing? I've got public facing web, telnet, ssh, radio, tv, jellyfin and more servers that I would like to be as hardened as possible.

    If you are running all of this on a residential / non-commercial Internet connection your ISP may "secure things" for you by cancelling your service
    for violating AUP...

    Atreyu

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:400/24)
  • From digimaus@618:618/1 to Atreyu on Tue Jun 16 02:45:00 2026
    Atreyu wrote to Shurato:

    If you are running all of this on a residential / non-commercial Internet connection your ISP may "secure things" for you by cancelling your service for violating AUP...

    One needs to have a firewall on the machine with the ports open; an edge firewall can only do so much. I do have a very robust filter in pfSense to block problematic CIDR ranges, but besides pfSense's own standard denial of all inbound traffic on all ports except the open ones, all the rest of that is absolutely overkill in my professional opinion.

    It's the firewall on the machine with the open ports that needs to be strong because that machine needs to protect itself. My BBS' firewall is only 262 lines but within those lines, it does a lot. Of course, fail2ban is a big help and my firewall works interactively with fail2ban to create a strong, dynamic defense against the usual idiots.

    Though I am not sure what Pakistan and Iran want anything to do with me (I know it's just script blasting but still kinda weird).

    I have about 100 CIDR ranges blocked for 26 weeks due to my custom recidive filters for problematic subnets on several ports or my custom-written "recidive-telnet" jail for script kiddies bonking my BBS' telnet port. I've a couple dozen in my custom sshd jail too.

    Most of these address ranges being blocked by fail2ban are from compromised home routers. Most of the real problematic stuff I block with pfSense which outright blocks traffic from ever entering my LAN in the first place.

    It's taken me many hours of work to get here, but I run no extra security programs in pfSense--just using standard pfSense functionality--and fail2ban
    on the BBS box itself.

    -- digi


    --- MBSE BBS v1.1.7.2 (Linux-x86_64)
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Atreyu@618:400/24 to Digimaus on Tue Jun 16 11:29:40 2026
    On 16 Jun 26 02:45:00, Digimaus said the following to Atreyu:

    If you are running all of this on a residential / non-commercial Internet connection your ISP may "secure things" for you by cancelling your service for violating AUP...

    One needs to have a firewall on the machine with the ports open; an edge firewall can only do so much. I do have a very robust filter in pfSense to block problematic CIDR ranges, but besides pfSense's own standard denial of all inbound traffic on all ports except the open ones, all the rest of that is absolutely overkill in my professional opinion.

    My original point to him was that with a residential Internet connection, he
    is ultimately at the mercy of his AUP and they can shut off services at any time for running servers or really anything listening on ports... irregardless of any firewall put in place. If they look at the inbound bot traffic destined for his IP address, that can be a red-flag...

    Atreyu

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:400/24)
  • From digimaus@618:618/1 to Atreyu on Tue Jun 16 14:48:02 2026
    Atreyu wrote to Digimaus <=-

    My original point to him was that with a residential Internet
    connection, he is ultimately at the mercy of his AUP and they can shut
    off services at any time for running servers or really anything
    listening on ports... irregardless of any firewall put in place. If
    they look at the inbound bot traffic destined for his IP address, that
    can be a red-flag...

    It really depends on his ISP. My ISP is actually my local power co-op that has some of the fastest fiber speeds in the US. I ordered a forward-facing static(1) IPv4 address and they told me that with that, they expect me to be running my own server, but I think they think it's like a Minecraft server, but not the suite I have running.

    The biggest thing is traffic: if they see you getting an inordinate amount of traffic, yeah, they'll probably lock you down. But 90% of my traffic is junk, like Mirai-style botnets, IoT botnets, and other flotsam and jetsam.

    I do agree with the point you were making though. I guess my point is that there is a point of protecting your system and the protection becoming overkill.

    1 = it's not really static; it's a dynamic IP with an extra-long TTL.

    -- digi

    ... "Happiness is...finding two olives in your martini when you're hungry."

    --- MultiMail/Win
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Shurato@618:300/50 to Atreyu on Tue Jun 16 13:35:00 2026

    On 16 Jun 26 02:45:00, Digimaus said the following to Atreyu:


    My original point to him was that with a residential Internet connection, he is ultimately at the mercy of his AUP and they can shut off
    services at any time for running servers or really anything listening
    on ports... irregardless of any firewall put in place. If they look
    at the inbound bot traffic destined for his IP address, that can be
    a red-flag...

    I've got the highest connection available at my residence, a 140/20 DSL. I don't have much traffic on my servers at all, but I do have several hundred thousand attack attempts (just detected by crowdsec alone) a week to a million. My ISP knows I'm running servers and I have their blessing. I'm not making any money or charging anything, so it's not an issue.

    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Exodus@618:400/24 to Shurato on Tue Jun 16 18:48:12 2026
    I've got the highest connection available at my residence, a 140/20 DSL. I

    140/20? I hope you're not paying much.

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (618:400/24)
  • From Shurato@618:300/50 to Exodus on Tue Jun 16 17:00:00 2026

    * In a message originally to Shurato, Exodus said:

    I've got the highest connection available at my residence, a 140/20
    DSL. I

    140/20? I hope you're not paying much.

    $70/mo. It's all that's available at this address. Most of Boise is only 20/5 at best. I'm really lucky to have this.

    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Gamgee@618:250/24 to Shurato on Tue Jun 16 22:08:08 2026
    Shurato wrote to Exodus <=-

    * In a message originally to Shurato, Exodus said:

    I've got the highest connection available at my residence, a 140/20
    DSL. I

    140/20? I hope you're not paying much.

    $70/mo. It's all that's available at this address. Most of Boise is only 20/5 at best. I'm really lucky to have this.

    Got to say that I find that impossible to believe. My brother lives in Meridian and has 600/50 cable. Used to be called CableONe but is now called SparkLight I think. Boise is a big city and using DSL doesn't even make sense.



    ... Gone crazy, be back later, please leave message.
    === MultiMail/Linux v0.52
    --- SBBSecho 3.37-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From Shurato@618:300/50 to Gamgee on Tue Jun 16 22:57:00 2026

    Shurato wrote to Exodus <=-

    * In a message originally to Shurato, Exodus said:

    I've got the highest connection available at my residence, a 140/20
    DSL. I

    140/20? I hope you're not paying much.

    $70/mo. It's all that's available at this address. Most of Boise is only 20/5 at best. I'm really lucky to have this.

    Got to say that I find that impossible to believe. My brother lives in Meridian and has 600/50 cable. Used to be called CableONe but is now called SparkLight I think. Boise is a big city and using DSL doesn't even make sense.

    They could probably get gigabit through Quantum Fiber. I don't have either available here. I'm in very low income housing. Meridian is significantly newer infrastructure than the majority of Boise.

    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Arelor@618:250/24 to Shurato on Wed Jun 17 05:42:15 2026
    Re: OPNSense security...
    By: Shurato to All on Sun Jun 14 2026 01:02 pm

    What can I add to my opnsense stack to increase security?


    How does clamav help your current deployment?

    Are you hosting all those services in the same machine?

    The most obvious thing I see you missing is a solution such as fail2ban to block login attempts from bots.

    A full IDS solution is probably a bit overkill. Those things are typically designed to run as an attachment to your network rather than reside in one of the computers hosting services you protect.

    If you are starting to get serious you could set up a GreenBone instance and run periodic vulnerability checks to ensure you are not running vulnerable services.


    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.37-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From Arelor@618:250/24 to digimaus on Wed Jun 17 05:49:28 2026
    Re: Re: OPNSense security...
    By: digimaus to Atreyu on Tue Jun 16 2026 02:45 am


    It's taken me many hours of work to get here, but I run no extra security programs in pfSense--just using standard pfSense functionality--and fail2ban on the BBS box itself.

    In my opinion, routers should route and all the extra services should be placed elsewhere if possible XD

    Most often I think a firewall with a dynamic blacklist for known bad hosts and AS' is enough. If you have a ton of services running behind your firewall I also like to create a fail2ban-like service - I let services report which IPs are storming them with bogus login attempts, then the fail2ban-like service reports it to the firewall and bans the IPs across the whole network.


    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.37-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From digimaus@618:618/1 to Gamgee on Wed Jun 17 14:26:49 2026
    Gamgee wrote to Shurato <=-

    Got to say that I find that impossible to believe. My brother lives in Meridian and has 600/50 cable. Used to be called CableONe but is now called SparkLight I think. Boise is a big city and using DSL doesn't
    even make sense.

    For my $70 a month, I get 750/750 fiber Internet and a forward-facing public IPv4 "static" address. I consider myself very lucky.

    Just ran a speed test at speedtest.net:

    Download Mbps: 759.98
    Upload Mbps: 763.12

    https://www.speedtest.net/result/19324442010

    I'd love to upgrade to their 1GB or 10GB (!) speed, but I'd have to upgrade my networking equipment and I just can't afford that now. However, I am looking at getting a part-time job and who knows...maybe my network will be connected at plaid speed. LOL

    -- digi <8D~

    ... What do you call a broken can opener? A can't opener.

    --- MultiMail/Win
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From digimaus@618:618/1 to Arelor on Wed Jun 17 14:39:38 2026
    Arelor wrote to digimaus <=-

    In my opinion, routers should route and all the extra services should
    be placed elsewhere if possible XD

    In my scope, that's overcomplicating things. I'm running a home lab, not a multi-billion dollar business. I have one way in and out, not dozens.

    Most often I think a firewall with a dynamic blacklist for known bad hosts and AS' is enough. If you have a ton of services running behind your firewall I also like to create a fail2ban-like service - I let services report which IPs are storming them with bogus login attempts, then the fail2ban-like service reports it to the firewall and bans the IPs across the whole network.

    That's what I do here. Once a week, I give Copilot a list of my current fail2ban banned list and it takes my current pfSense alias list, adds to it, refines it, and spits out a new alias list that I patch into pfSense's master configuration. Could I automate this? Sure, but it's more trouble than it's worth.

    But in the end, it's always an uphill battle but I am slowly making headway with the cloud providers, "security scan" companies (Censys, Palo Alto Networks) and companies who have no reason to be port scanning me (Microsoft, Google, Meta), as well as the usual suspect rogue nations. Thankfully, the services I run are smart enough to know when they're being messed with and simply drop connection.

    My BBS' internal firewall is toughened also and that helps keep the noise down but in an ever-increasingly noisy environment, you do what you can do to protect yourself without overkill and unnecessary overhead.

    -- digi <8D~

    --- MultiMail/Win
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
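The central "fail2ban-like" service Arelor describes (services report IPs hammering them with bogus logins, one service bans them at the firewall) and the fail2ban-to-pfSense-alias merge digimaus does by hand, sketched as one added Python example. This is hypothetical code written for this thread, not code from either poster nor from fail2ban, pfSense or OPNsense; the report line format and the one-network-per-line alias shape are assumptions, and all sample data is constructed.

```python
# Added, hypothetical example: a central "fail2ban-like" banner (not any project's code).
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reports as per-service agents would send them, one per failure.
SAMPLE_REPORTS = """\
2026-06-17T02:00:01 sshd 203.0.113.10
2026-06-17T02:00:05 sshd 203.0.113.10
2026-06-17T02:00:12 telnet 203.0.113.10
2026-06-17T02:01:00 telnet 198.51.100.7
2026-06-17T02:10:00 telnet 198.51.100.7
2026-06-17T02:30:00 sshd 192.0.2.5
2026-06-17T02:30:30 sshd 192.0.2.5
2026-06-17T02:30:45 sshd 192.0.2.5
"""

# Constructed current alias contents: one network per line, '#' comments,
# the shape a pfSense/OPNsense URL-table alias is fed with.
EXISTING_ALIAS = """\
# manually curated bad ranges
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # timestamp service ip

def parse_reports(text):
    """Yield (timestamp, ip); malformed lines are skipped, never fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            try:
                yield datetime.fromisoformat(m[1]), ipaddress.ip_address(m[3])
            except ValueError:
                continue

def offenders(text, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with >= maxretry failures inside any findtime window, counted across
    every service: the network-wide view a per-host fail2ban does not have."""
    hits = defaultdict(list)
    for ts, ip in parse_reports(text):
        hits[ip].append(ts)
    banned = set()
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned.add(ip)
                break
    return banned

def parse_alias(text):
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def merged_alias(existing_text, report_text, **kw):
    """Add new offenders to the alias list and collapse adjacent or covered
    networks so the firewall table stays small; returns sorted CIDR strings."""
    nets = parse_alias(existing_text)
    nets += [ipaddress.ip_network(str(ip)) for ip in offenders(report_text, **kw)]
    out = []
    for version in (4, 6):  # collapse_addresses refuses mixed families
        same = [n for n in nets if n.version == version]
        out += [str(n) for n in ipaddress.collapse_addresses(same)]
    return out
```

With the constructed input, 203.0.113.10 is banned only because its sshd and telnet failures are counted together, 198.51.100.7 stays under the threshold, and the two /25s plus the already-covered /32 collapse into two /24s and one /32.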
  • From Shurato@618:300/50 to Arelor on Wed Jun 17 12:57:00 2026

    * In a message originally to Shurato, Arelor said:

    Re: OPNSense security... By: Shurato to All on Sun Jun 14 2026 01:02 pm

    What can I add to my opnsense stack to increase security?


    How does clamav help your current deployment?

    Are you hosting all those services in the same machine?

    The most obvious thing I see you missing is a solution such as fail2ban to block login attempts from bots.

    Not running Linux! I'm running rgtel for my telnet server, and that works for blocking telnet abuse. Also, crowdsec and qfeeds block IP addresses of known threat actors.

    A full IDS solution is probably a bit overkill. Those things are typically designed to run as an attachment to your network rather than reside in one of the computers hosting services you protect.

    If you are starting to get serious you could set up a GreenBone instance and run periodic vulnerability checks to ensure you are not running vulnerable services.

    I've considered getting a Stingbox, I don't know if that would be equivalent.

    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Gamgee@618:250/24 to digimaus on Thu Jun 18 08:18:59 2026
    digimaus wrote to Gamgee <=-

    Gamgee wrote to Shurato <=-

    Got to say that I find that impossible to believe. My brother lives in Meridian and has 600/50 cable. Used to be called CableONe but is now called SparkLight I think. Boise is a big city and using DSL doesn't even make sense.

    For my $70 a month, I get 750/750 fiber Internet and a forward-facing public IPv4 "static" address. I consider myself very lucky.

    Just ran a speed test at speedtest.net:

    Download Mbps: 759.98
    Upload Mbps: 763.12

    https://www.speedtest.net/result/19324442010

    I'd love to upgrade to their 1GB or 10GB (!) speed, but I'd have to upgrade my networking equipment and I just can't afford that now.
    However, I am looking at getting a part-time job and who knows...maybe
    my network will be connected at plaid speed. LOL

    Nice! Honestly I doubt you'd see any difference between 750M and 1G. Yes, the 10G is a whole new ballgame and lots of hardware upgrades required. Can't see much of a need for that myself, for home usage.

    I'm still on cable here, which isn't bad, but I'm waiting for the ATT
    Fiber folks to ring my doorbell, and will invite them in for coffee.
    :-)



    ... Gone crazy, be back later, please leave message.
    === MultiMail/Linux v0.52
    --- SBBSecho 3.37-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From digimaus@618:618/1 to Gamgee on Thu Jun 18 11:14:43 2026
    Gamgee wrote to digimaus <=-

    Nice! Honestly I doubt you'd see any difference between 750M and 1G. Yes, the 10G is a whole new ballgame and lots of hardware upgrades required. Can't see much of a need for that myself, for home usage.

    Honestly, not much at all. When I stream on Twitch, I do it at 720p without a hiccup. Once I can get a computer actually built for streaming, I could do 1080p easily.

    I'm still on cable here, which isn't bad, but I'm waiting for the ATT Fiber folks to ring my doorbell, and will invite them in for coffee.
    :-)

    It took us in my area many years to get fiber and it was well worth the
    wait.

    -- digi <8D~

    ... GIVE: Support the helpless victims of computer error.

    --- MultiMail/Win
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)
  • From Shurato@618:300/50 to Arelor on Thu Jun 18 14:04:00 2026

    Re: OPNSense security...
    By: Shurato to All on Sun Jun 14 2026 01:02 pm

    What can I add to my opnsense stack to increase security?


    How does clamav help your current deployment?

    It's just something in addition that was available. I like the idea of an additional av scan on network traffic.

    Are you hosting all those services in the same machine?

    They're on OPNSense. As for Fail2Ban, I've got crowdsec and qfeeds, which work like globally available fail2ban lists.

    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Shurato@618:300/50 to Arelor on Thu Jun 18 14:05:00 2026

    Re: OPNSense security...
    By: Shurato to All on Sun Jun 14 2026 01:02 pm

    What can I add to my opnsense stack to increase security?

    A full IDS solution is probably a bit overkill. Those things are typically designed to run as an attachment to your network rather than reside in one of the computers hosting services you protect.

    It is, it's on my opnsense router.

    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)
  • From Arelor@618:250/24 to Shurato on Thu Jun 18 16:27:56 2026
    Re: OPNSense security...
    By: Shurato to Arelor on Wed Jun 17 2026 12:57 pm


    I've considered getting a Stingbox, I don't know if that would be equivalent.

    Not really.

    GreenBone is a frontend for OpenVAS and the idea is it has a *big* database of attacks which gets updated every so often, then it runs it against your stuff and if an attack gets through it reports you have a vulnerable service.

    So basically you have your GreenBone box somewhere and it runs attacks against your stuff using known exploits and sends you a report if something cracks.

    Some attacks in the database are destructive (i.e. they can bring your service down) and so you can enable or disable dangerous attacks in the configuration.


    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.37-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From Shurato@618:300/50 to Arelor on Thu Jun 18 17:46:00 2026

    * In a message originally to Shurato, Arelor said:

    Re: OPNSense security... By: Shurato to Arelor on Wed Jun 17 2026 12:57 pm


    I've considered getting a Stingbox, I don't know if that would be equivalent.

    Not really.

    GreenBone is a frontend for OpenVAS and the idea is it has a *big* database of attacks which gets updated every so often, then it runs it against your stuff and if an attack gets through it reports you have a vulnerable service.

    So basically you have your GreenBone box somewhere and it runs attacks against your stuff using known exploits and sends you a report if something cracks.

    Some attacks in the database are destructive (i.e. they can bring your service down) and so you can enable or disable dangerous attacks in the configuration.

    Cool! I'll look into that.

    ---
    * Origin: Shurato's Heavenly Sphere telnet://shsbbs.net (618:300/50)