Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Strange logs on pfSense - most probably somebody has found a way to hack partially the box

    Scheduled Pinned Locked Moved General pfSense Questions
    22 Posts 8 Posters 2.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • provelsP
      provels @albgen
      last edited by provels

      @albgen I can web to 65.109.35.164 8989 from lovely Illinois, USA. If you need to manage your FW remotely, setup VPN or just manage it locally from the LAN side.

      Peder

      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

      A 1 Reply Last reply Reply Quote 0
      • A
        albgen @provels
        last edited by

        @provels said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

        65.109.35.164 8989

        No idea why is accessible. there is no such rule that allows it...
        could it be because i have the config like this:
        internet---A>Server-B>VMpfSense->LAN

        The public IP address is at point A and B is a private IP Address

        but in any case, those logs are strange. I cannot trigger them

        provelsP 1 Reply Last reply Reply Quote 0
        • PippinP
          Pippin
          last edited by

          Still no rules posted.....
          ....

          I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
          Halton Arp

          A 1 Reply Last reply Reply Quote 1
          • A
            albgen @Pippin
            last edited by

            @pippin said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

            Still no rules posted.....

            d1008ebd-e962-4373-93b5-a8231495cf64-image.png
            cee2372a-3772-4a6d-aa2f-8779d5c220e0-image.png
            89a27690-38fb-4f89-a4b1-1c67d1fe0487-image.png

            1 Reply Last reply Reply Quote 0
            • provelsP
              provels @albgen
              last edited by

              @albgen Not exactly sure what Server B is, but Internet should go to WAN side of pfSense, then pfSense to LAN. LAN would include the host the PFSense VM is runnng on.

              Peder

              MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
              BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

              A 1 Reply Last reply Reply Quote 0
              • A
                albgen @provels
                last edited by

                @provels said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

                Not exactly sure what Server B is, but Internet should go to WAN side of pfSense, then pfSense to LAN. LAN would include the host the PFSense VM is runnng on.

                A and B are just point i have inserted to make you understand what kind of IP Addresses are setup...

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  You have a rule allowing all TCP traffic on WAN. That's passing it.

                  1 Reply Last reply Reply Quote 0
                  • C
                    Cylosoft
                    last edited by Cylosoft

                    Looks like you have an allow all rule. Lots of traffic on it also. 5 GB.

                    1 Reply Last reply Reply Quote 1
                    • A
                      albgen
                      last edited by

                      yes, correct. the allow all rule was actually allowing everything :)

                      but the question remains: how have they triggered those kind of logs?

                      C 1 Reply Last reply Reply Quote 0
                      • C
                        Cylosoft @albgen
                        last edited by

                        @albgen said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

                        yes, correct. the allow all rule was actually allowing everything :)

                        but the question remains: how have they triggered those kind of logs?

                        Bots or hackers just checking what you have going on. Given time they'd try a lot more things.

                        1 Reply Last reply Reply Quote 0
                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          Because the webgui on the WAN interface was open to the internet.

                          You can see the requests they were making were all failing because the pages don't exist in pfSense. And even if they guessed an existing page they would not have been able to access it without logging in. But you should never open the webgui to public access.

                          A 1 Reply Last reply Reply Quote 0
                          • A
                            albgen @stephenw10
                            last edited by

                            @stephenw10 said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:

                            Because the webgui on the WAN interface was open to the internet.

                            You can see the requests they were making were all failing because the pages don't exist in pfSense. And even if they guessed an existing page they would not have been able to access it without logging in. But you should never open the webgui to public access.

                            Sure, it was unintentional. Most probably testing something and the rule was enabled.

                            The point is the message logged. I have seen those kind of messages only on bugged wordpress php plugins so that's why i openend this discussion.

                            No idea what kind of requests they have made to trigger it. Tomorrow will check the config of nginx on pfsense if i can see better what is logged.

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by stephenw10

                              Those logs are expected if you open the webgui to random connection attempts. It's not an indication of any sort of compromise.

                              You can test it yourself, just try to access some page before you login and you will see those logs:

                              Apr 5 22:02:16 	nginx 		2023/04/05 22:02:16 [error] 47504#100318: *72304 open() "/usr/local/www/somenonexistentpage.htm" failed (2: No such file or directory), client: 172.21.16.8, server: , request: "GET /somenonexistentpage.htm HTTP/2.0", host: "4100.stevew.lan" 
                              
                              1 Reply Last reply Reply Quote 2
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.