pfsense 2.6 attack? nginx failed (2: No such file or directory) from unknown client
-
Hi, just noticed A LOT of entries like the following in my system log from unknown external clients. It looks like someone is running a scanner of some sort...my IP is "216.181.xxx.xxx". Clients have different IPs and they keep trying to get the same files over and over.
Is there anything I need to worry about or check to make sure they don't get in?
May 3 02:22:08 nginx 2023/05/03 02:22:08 [error] 85788#100550: *674758 open() "/usr/local/www/portal/redlion" failed (2: No such file or directory), client: 192.241.236.34, server: , request: "GET /portal/redlion HTTP/1.1", host: "216.181.xxx.xxx"
May 3 02:22:40 nginx 2023/05/03 02:22:40 [error] 85715#100509: *674789 open() "/usr/local/www/actuator/health" failed (2: No such file or directory), client: 192.241.223.29, server: , request: "GET /actuator/health HTTP/1.1", host: "216.181.xxx.xxx"
May 3 05:55:36 nginx 2023/05/03 05:55:36 [error] 85788#100550: *687582 "/usr/local/www/geoserver/web/index.php" is not found (2: No such file or directory), client: 64.62.197.58, server: , request: "GET /geoserver/web/ HTTP/1.1", host: "216.181.xxx.xxx"
May 3 06:11:40 nginx 2023/05/03 06:11:40 [error] 85788#100550: *688545 open() "/usr/local/www/boaform/admin/formLogin" failed (2: No such file or directory), client: 87.121.221.49, server: , request: "POST /boaform/admin/formLogin HTTP/1.1", host: "216.181.xxx.xxx:80", referrer: "http://216.181.xxx.xxx:80/admin/login.asp"
May 3 06:23:33 nginx 2023/05/03 06:23:33 [error] 85788#100550: *689270 open() "/usr/local/www/client/get_targets" failed (2: No such file or directory), client: 159.65.8.169, server: , request: "GET /client/get_targets HTTP/1.1", host: "216.181.xxx.xxx"
May 3 06:23:34 nginx 2023/05/03 06:23:34 [error] 85788#100550: *689273 "/usr/local/www/geoip/index.php" is not found (2: No such file or directory), client: 159.65.8.169, server: , request: "GET /geoip/ HTTP/1.1", host: "216.181.xxx.xxx"
I scanned through the topics and didn't find anyone else reporting the same issue externally. Thanks for any guidance/help.
-
@vez727 Do you have your pfsense GUI exposed to the internet?
Post both any floating rules and your WAN rules
-
@michmoor thanks for helping...
-
@vez727 Your allow OpenVPN rule is permitting all sources to connect to your firewall on all ports....Please modify this rule ASAP.
Put destination port "1154" for example or whatever port you are using for OpenVPN.
-
@michmoor. FIXED. THANKS.
Should I install pfBlockerNG?
-
@vez727 One of the use cases for pfBlockerNG would be to do GeoIP blocking. So if you have a service such as OpenVPN that's accessible from the internet, you can create GeoIP rules that limit from what countries an OpenVPN connection can come from. Not foolproof as anyone can spoof an IP or use Tor or a VPN service to come in from your allowed countries but at least it slows people down.
Moral of the story here: Please please please do not expose your WAN address on port 80/443 to the internet.....
-
@michmoor Yeah...I can't believe I missed that, I received a new modem from my provider a month ago and changed my setup...before I simply had the old modem as my first level of defence with everything blocked.
THANKS AGAIN!
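-
Added example, not part of any post in this thread: a small triage script for nginx error-log lines in the format quoted above, which lists the requests made by public (non-LAN) clients, since any such entry means the firewall's web server is reachable from the WAN. The function names are hypothetical, and the sample uses four lines from the thread plus one constructed LAN line.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the tail of the nginx error-log lines quoted in the thread:
#   client: 1.2.3.4, server: , request: "GET /path HTTP/1.1", host: "..."
LINE_RE = re.compile(
    r'client: (?P<client>[0-9a-fA-F.:]+), server: [^,]*, '
    r'request: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"'
)

# Sample input: four lines from the thread's excerpt, plus one constructed
# LAN line (192.168.1.10) to show how internal clients are separated out.
SAMPLE_LOG = """\
May 3 02:22:08 nginx 2023/05/03 02:22:08 [error] 85788#100550: *674758 open() "/usr/local/www/portal/redlion" failed (2: No such file or directory), client: 192.241.236.34, server: , request: "GET /portal/redlion HTTP/1.1", host: "216.181.xxx.xxx"
May 3 06:11:40 nginx 2023/05/03 06:11:40 [error] 85788#100550: *688545 open() "/usr/local/www/boaform/admin/formLogin" failed (2: No such file or directory), client: 87.121.221.49, server: , request: "POST /boaform/admin/formLogin HTTP/1.1", host: "216.181.xxx.xxx:80", referrer: "http://216.181.xxx.xxx:80/admin/login.asp"
May 3 06:23:33 nginx 2023/05/03 06:23:33 [error] 85788#100550: *689270 open() "/usr/local/www/client/get_targets" failed (2: No such file or directory), client: 159.65.8.169, server: , request: "GET /client/get_targets HTTP/1.1", host: "216.181.xxx.xxx"
May 3 06:23:34 nginx 2023/05/03 06:23:34 [error] 85788#100550: *689273 "/usr/local/www/geoip/index.php" is not found (2: No such file or directory), client: 159.65.8.169, server: , request: "GET /geoip/ HTTP/1.1", host: "216.181.xxx.xxx"
May 3 07:00:00 nginx 2023/05/03 07:00:00 [error] 85788#100550: *690000 open() "/usr/local/www/favicon.ico" failed (2: No such file or directory), client: 192.168.1.10, server: , request: "GET /favicon.ico HTTP/1.1", host: "192.168.1.1"
"""


def external_probes(log_text):
    """Map each public client IP to the (method, path) pairs it requested."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an nginx request line in the expected format
        try:
            ip = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # malformed address field
        if ip.is_global:  # skips RFC 1918, loopback, link-local, etc.
            hits[str(ip)].append((m["method"], m["path"]))
    return dict(hits)


def gui_exposed(log_text):
    """True if any public client reached the firewall's web server."""
    return bool(external_probes(log_text))


if __name__ == "__main__":
    for client, reqs in sorted(external_probes(SAMPLE_LOG).items()):
        print(f"{client}: {len(reqs)} request(s) -> {reqs}")
    print("web server reachable from WAN:", gui_exposed(SAMPLE_LOG))
```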