pfSense API Token
Service Name: pfSense
Service Description: pfSense is an open-source firewall/router computer software distribution based on FreeBSD. It provides a web interface for configuration and can be installed on physical hardware or a virtual machine.
Service Address: https://www.pfsense.org/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the firewall level using pfSense's access rules.
Secret Access Scope: Grants programmatic access to pfSense's configuration API, allowing management of firewall rules, VPN configurations, network interfaces, and other system settings.
Secret Revokement URL: https://docs.netgate.com/pfsense/en/latest/development/using-the-api.html
Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJwZnNlbnNlX2FwaSIsIm5hbWUiOiJBUEkgVG9rZW4iLCJpYXQiOjE1MTYyMzkwMjJ9.L8J9vV5DaEQn0xtm-3MRfLuJG4AjT0jXcQwG1DbG8XY
Suspicious Activity Investigation Instructions:
- Review system logs in Status > System Logs for unusual API access patterns
- Check for unauthorized changes to firewall rules, VPN configurations, or system settings
- Monitor for unexpected network traffic or connections initiated through API calls
- Review authentication logs for failed login attempts or brute force attacks against the API
- Examine the history of configuration changes in Diagnostics > Backup & Restore > Config History
Mitigation Instructions:
- Log into the pfSense web interface as an administrator
- Navigate to System > User Manager
- Locate the user associated with the compromised API token
- Either delete the user or reset their authentication credentials
- Generate a new API token if needed for legitimate use cases
- Consider implementing more restrictive firewall rules to limit API access to specific IP addresses
- Enable two-factor authentication for administrative access
- Update pfSense to the latest version to ensure all security patches are applied
- Review and minimize the permissions granted to API users