Error in general log for nginx process from non-local IP
-
So I noticed the following error when I was messing around trying to learn how to possibly use some unused ports on my Protectli Vault to perhaps move IoT devices and such to a subnet and limit their access to the rest of the network devices.
022/11/09 15:09:51 [error] 67424#100527: *1290 open() "/usr/local/www/actuator/health" failed (2: No such file or directory), client: 198.199.95.146, server: , request: "GET /actuator/health HTTP/1.1", host: ...
My real concern is that this is an external IP address, not remotely close to the range assigned to the lan interface, nor the dhcp assigned IP of the wan interface from my isp. While I've blocked the particular IP, it doesn't really answer how that request got there. My guess is that I have something configured incorrectly.
Googling /usr/local/www/actuator/health returned results for what seems to be a Java request used to check the health and status of applications??
Anyways, any help and advice would be greatly appreciated.
<edit: forgot to mention that this is for a personal home network>
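As an added example (not from this thread or from pfSense/nginx), the following script pulls the client IP out of nginx error-log lines shaped like the one quoted above and flags any request whose client is outside the LAN; the sample log lines, their IPs and the 192.168.1.0/24 LAN range are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the same shape as the nginx error-log entry
# quoted in the post (timestamps, IPs and paths here are made up).
SAMPLE_LOG = """\
2022/11/09 15:09:51 [error] 67424#100527: *1290 open() "/usr/local/www/actuator/health" failed (2: No such file or directory), client: 203.0.113.7, server: , request: "GET /actuator/health HTTP/1.1", host: "192.0.2.10"
2022/11/09 15:10:02 [error] 67424#100527: *1291 open() "/usr/local/www/status" failed (2: No such file or directory), client: 198.51.100.23, server: , request: "GET /status HTTP/1.1", host: "192.0.2.10"
2022/11/09 15:12:40 [error] 67424#100527: *1295 open() "/usr/local/www/missing.png" failed (2: No such file or directory), client: 192.168.1.50, server: , request: "GET /missing.png HTTP/1.1", host: "192.168.1.1"
"""

# Assumed LAN range for this example; substitute your own LAN subnet(s).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]

# Fields of interest in an nginx error-log line: timestamp, level,
# client address, (possibly empty) server name and the request line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] .*?client: (?P<client>[0-9a-fA-F.:]+), '
    r'server: (?P<server>[^,]*), request: "(?P<request>[^"]*)"'
)


def parse_line(line):
    """Return a dict of the parsed fields, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["client"] = ipaddress.ip_address(entry["client"])
    return entry


def is_local(addr):
    """True if the address belongs to one of the configured local networks."""
    return any(addr in net for net in LOCAL_NETS)


def find_nonlocal_hits(text):
    """List (client, request) pairs for every entry whose client is not local."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and not is_local(entry["client"]):
            hits.append((str(entry["client"]), entry["request"]))
    return hits


if __name__ == "__main__":
    for client, request in find_nonlocal_hits(SAMPLE_LOG):
        print(f"non-local client {client} requested {request!r}")
```

Any hit from this script means the web GUI answered a request from outside the LAN, which is the condition the WAN rules are expected to prevent.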
-
@sorjal Is your web interface open to the world?
If it is, get used to it...Looks like a call to a file that simply doesn't exist (thus the 404 error).
-
@rcoleman-netgate I had assumed that it was set such that only the lan network could access it. What do I need to do to prevent outside access? The only thing I currently have enabled is the anti-lockout rule in the LAN rules section. On the WAN side I don't have any permit rules, only pfblocker's PRI_1 rule, block bogon and private, and some "should be redundant" blocks of individual IPs and IP nets where they are the source.
-
@sorjal If you enabled 443 on the WAN interface you'll see the traffic.
What are your WAN rules?
-
@rcoleman-netgate
Block : any : RFC 1918 : any : any : any : any : any
Block : any : bogon nets : any : any : any : any : any
Block : TCP IPv4 : blocklist_ind (alias) : any : any : any : any : none
Block : TCP IPv4 : blocklist_nets (alias) : any : any : any : any : none
Pass(??) : TCP IPv4 : pfB_PRI1_v4 (created by pfBlocker) : any : any : any : any : none
I haven't a clue as to why pfBlockerNG-devel would create that rule to be pass, perhaps something with it being set to Deny outbound by default (not Deny Both). The log for the rule only shows it being created and updated at the same time. I went through the table for that alias and the IP address from the error message isn't in the list (though I guess it could have been updated and removed from it since time of error). In pfBlocker I went and changed PRI1 to be deny both and it didn't change the WAN rule so I manually changed it to Block.
re: port 443: In advanced I haven't set any port and I left it at http since I had assumed it wouldn't matter as only internal lan should have been able to access it. I do have auto NAT and UPnP enabled (xbox, pc games, etc as it's home use) but again assumed that those ports would only be opened when an internal device requested the port be opened.
I just installed ACME and noticed at the end of the installation the following:
===> NOTICE:
This port is deprecated; you may wish to reconsider installing it:
Upstream Security Support ends on 2022-11-28.
It is scheduled to be removed on or after 2022-11-29.
Is there another package that could be used for certs for using HTTPS? Or will switching to HTTPS, by turning on port 443, be counterproductive and open up external access?
Thanks for all the help btw!
-
@sorjal said in Error in general log for nginx process from non-local IP:
changed PRI1 to be deny both and it didn't change the WAN rule
Did you run an Update in pfBlocker after?
Usually I use Alias Native so I can create my own rules but the deny choices should only create the block in the selected direction and wouldn't create a pass rule.
Note if something else in pfB is creating the pass rule, it may recreate when the next update runs.
What is the description set to in the pass rule? If pfB created it I'd expect something like "pfB_PRI1_v4 auto rule" with those two words at the end.
-
@steveits
The description is pfB_PRI1_v4 AR (I set 'AR' in its configuration).
So I went and changed pfBlocker's IP4 rule for PRI1 back to Deny outbound and updated again. It left the rule that I had reconfigured to be block in place, but removed the description. My guess is that my changed version was treated as a copy of their autocreated rule.
I then deleted the WAN deny rule, hit save again in the IP4 section (still deny outbound) and ran update again. At the end of the updating section (before completed) it noted that there were firewall rules changes and reapplied the filter. Checking the WAN rules, there are no rules now referencing PRI1, only a reject to PRI1 in the LAN rules section.
Taking your advice, I switched the rule to Alias Native so I could make my own rules based off of their feeds and found it created a new ports alias for pfBlockerNG DNSBL VIP ports of 80, 443. So while I had DNSBL on at one point and later turned it off, that may have been what opened up port 443 on the WAN ?? (guess on my part). This did remove the remaining auto created rule that was in the LAN rules section, which I'll re-add manually referencing their generated alias.