Errors that occurred during upgrades to 23.01 and 23.05 RC
-
So before turning off logging the GUI errors into the system log, the system log was getting flooded with this one abnormal line:
May 8 19:14:28 pfSense nginx: 2023/05/08 19:14:28 [error] 92632#100298: *9036 open() "/usr/local/www/ubus" failed (2: No such file or directory), client: x.x.x.x, server: , request: "POST /ubus HTTP/1.1", host: "y.y.y.y."x.x.x.x = recently built new desktop ipv4 address that I typically use to log into pfsense
y.y.y.y = pfsense internal ipv4 addressHere is the most recent nginx log with addresses replaced:
Some of the info in the log may not be errors, but their frequency has me wondering about constant write activity. The one line in particular that does look to be an error is:
May 12 21:24:41 pfSense nginx: <internal pfs ipv4>52 - - [12/May/2023:21:24:41 -0400] "POST /ubus HTTP/1.1" 404 146 "-" "-"Thanks!
-
@sorjal That is that local device requesting /ubus from the web server. Is there a probe or scanner running on it? Quick search, looks openwrt related?
https://duckduckgo.com/?q=http+%2Fubus&t=iphone&anon_safari_group=9&ia=webOptions are to get it to stop, or block its IP by firewall rule to This Firewall port 80/443.
-
What could be generating those requests or how can I figure this out? The only new pieces of software that are on this system after upgrading the hardware and migrating everything using Laplink's PCMover are:
Laplink's PCMover
Gigabyte Control Center
Lian Li L-Connect 3
MSI Afterburner (direct from MSI site, not 3rd party)
Riva Tuner Statistics Server (goes with Afterburner)
Intel's Killer Network SuiteI also recently replaced the WiFi router (in AP mode) with a TP-Link Archer AXE300 from an Orbi mesh system that was being temperamental with smart outlets and apple's homekit. It's possible that this might be related because I hadn't checked the logs until recently and they only go back a few days given the turnover.
(in case this isn't obvious, this is home network)
Thanks
-
@sorjal Nothing openwrt related? Is the Pc Windows? Log out and if it stops, itโs running as the user (as opposed to background service).
-
Did something else have the pfSense LAN address previously? If it was some other router it might have been running Openwrt even if it wasn't obvious. Something appears to be trying to query it.
-
Nothing that I'm aware of is openwrt related, but who knows what the developers may be using. With that pc hibernating, I logged in from a macbook to check the nginx log and see what showed up. I found one line at 4am from another local pc (I haven't woken things up to confirm which, likely my wife's desktop). Then it's a lot of various lines with the client ip address of the macbook.
I've attached a txt copy of this portion of the log from the errors around the time I shutdown the desktop to recent.
-
So far I've gotten rid of:
Laplink's PCMover - no change
Riva Statistics Server - no changeI then used netstat -ab and netstat -aon in different command prompt windows and ended up witnessing a very large number of ports in the 95xxx range waiting with a process ID of 0. As I haven't a clue on how to determine what process might be opening these without a PID being displayed (I'm a home user and slowly teaching myself) I went with the next uninstall and removed the Killer Intelligence software and UWD installs as that does offer things like monitoring wifi channels, etc. After rebooting, I haven't seen that POST /ubus HTTP/1.1 line in the past 10 minutes, so something in there appears to be the cause.
Now I have to wonder was it generating that because I have some bad or missing configuration information, something in the Killer Suite software that needs to be configured (it was pretty devoid of actual configuration options other than turning features on and off) or is there a problem in that software itself that is generating those requests.
For now, I'm planning on leaving it along for a while to give it more time to see if the problem returns before changing anything else. Hopefully something in here is helpful to someone else, and I'll poke around later to see what else I can find.
Thanks!
-
Is your pfSense internal interface using 192.168.1.1? It's a very common address for routers and very likely this is just something trying to query a default address.
The Killer Suite looks to have all sorts of functionality, could well be that. I've never used it.
-
@stephenw10 Actually no, its in the 10.x.x.x range. While I do try and stay within what you're supposed to use for home network IP ranges, I try to switch away from 192.x.x.x often as it sometimes reveals when other devices aren't being configured properly, some internal configuration, etc. but it also reveals little bits here and there to learn about (such as not being to access some cable modems without being in that subnet, etc.). Again I tend to poke around to try and learn more about things casually which may point me to topics I want to learn more about.
-
@Sorjal said in Errors that occurred during upgrades to 23.01 and 23.05 RC:
I try to switch away from 192.x.x.x
A good idea in most cases.
