Skip to content

pfSense API Token

Service Name: pfSense

Service Description: pfSense is an open-source firewall/router computer software distribution based on FreeBSD. It provides a web interface for configuration and can be installed on physical hardware or a virtual machine.

Service Address: https://www.pfsense.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the firewall level using pfSense's access rules.

Secret Access Scope: Grants programmatic access to pfSense's configuration API, allowing management of firewall rules, VPN configurations, network interfaces, and other system settings.

Secret Revokement URL: https://docs.netgate.com/pfsense/en/latest/development/using-the-api.html

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwZnNlbnNlX2FwaSIsIm5hbWUiOiJBUEkgVG9rZW4iLCJpYXQiOjE1MTYyMzkwMjJ9.L8J9vV5DaEQn0xtm-3MRfLuJG4AjT0jXcQwG1DbG8XY

Suspicious Activity Investigation Instructions:

  • Review system logs in Status > System Logs for unusual API access patterns
  • Check for unauthorized changes to firewall rules, VPN configurations, or system settings
  • Monitor for unexpected network traffic or connections initiated through API calls
  • Review authentication logs for failed login attempts or brute force attacks against the API
  • Examine the history of configuration changes in Diagnostics > Backup & Restore > Config History

Mitigation Instructions:

  • Log into the pfSense web interface as an administrator
  • Navigate to System > User Manager
  • Locate the user associated with the compromised API token
  • Either delete the user or reset their authentication credentials
  • Generate a new API token if needed for legitimate use cases
  • Consider implementing more restrictive firewall rules to limit API access to specific IP addresses
  • Enable two-factor authentication for administrative access
  • Update pfSense to the latest version to ensure all security patches are applied
  • Review and minimize the permissions granted to API users