User called “internet”

stephenw10

Hmm, seems suspect. What permissions does it have?

I'm not aware of any package that adds that. Any idea how long it's been there?

Phonix66

@stephenw10
Hey @stephenw10 , thanks for the quick answer.
It's NOT A member of the admins group.
I've disabled it before deleting.

I'm really interested to know how it got there, I hope to exclude any security issue...

stephenw10

Check the available backup configs. If it was added in the last 30 changes you'd be able to see when and who added it.

If you have ACB enabled then you can check the last 100 changes.

Gertjan

@Phonix66 said in User called “internet”:

I'm really interested to know how it got there, I hope to exclude any security issue...

pfSense itself, and none of the packages you can add, creates such a user - that name, or another.
That said, I can't confirm for 100 %, as there are packages that I never installed.
The fastest end easiest way out : change your admin password.
Never ever share it anymore with some one else.
Done, no more new users.

Btw : look at the /etc/passwd file.
Package can craete system user accounts, I - ad you - have several of them :

avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
nut:*:316:316:Network UPS Tools user:/nonexistent:/usr/sbin/nologin
freeradius:*:133:133:FreeRADIUS Daemon:/nonexistent:/usr/sbin/nologin
polkitd:*:565:565:Polkit Daemon User:/var/empty:/usr/sbin/nologin
snmpd:*:344:344:Net-SNMP Daemon:/nonexistent:/usr/sbin/nologin

Packages like Avahi, NUT, Freeradius etc. run under their own user ID (and not root) for safety.

But not pfSense "GUI User Manager users".

johnpoz

@Phonix66 is this some pfsense you took over? As already mentioned, I am not aware of any package that would create such a user, nor have I ever seen a package create a user that would show up in the user manager gui.. As @Gertjan mentions some users can be created to run packages under - but have never seen one create one that would be listed in pfsense gui.

If you took this over - someone else might of created that for some use.. What permissions did it have in the gui if not a member of admin group.

Have you installed any 3rd party packages - ie outside the pfsense repo?

Phonix66

@Gertjan thanks. yeah, one of the first things I did was to change my administrator account password

I'm really curious about the root cause, I'm using Pfsense for many years now and I'm very positive about the solid secure design of pfsense, so I'm quite positive it had something to do with what I did, or alternatively one of the 3rd party packages.

@johnpoz, thank you too. the answer is NO, I didn't inherit my pfsense from anyone.
I suspect the ntopng package, I didn't login for a while and tried now to login with the "internet" user, but couldn't, nighter with my Administrator account.

Thanks @Gertjan, luckily the internet"user is not root or even privilege, so I'm less worried then I was in my initial reaction.

Edit: found the login credentials for ntopng, it wasn't that!

johnpoz

@Phonix66 said in User called “internet”:

alternatively one of the 3rd party packages.

Again have you installed anything out side the repo as far as a package goes.. Like something available for freebsd, but not included in pfsense repo? Or there are some packages about that people have put together to install stuff, crowdstrike the latest example of this that I recall seeing.. But there are for sure others. I do recall a while back someone put together a way to install the unifi controller software on your pfsense, etc.

You have not played with any such sort of packages..

My guess is you at one point created it, maybe when testing out captive portal or something and forgot about it.

Phonix66

@johnpoz, sorry, missed the question, the answer is NO, absolutely nothing outside of the official packages from the repo, nighter any custom configuration.

ebcdic

Did the user have a home directory? Was there anything in it? Did it have a password?

Phonix66

@ebcdic I don't know where to check for the directory.
here are the details from the /etc/passwd:
internet:*:2000:65534::/home/internet:/sbin/nologin

nologin would probably mean no home directory, am I right ?

ebcdic

@Phonix66 said in User called “internet”:

here are the details from the /etc/passwd:
internet:*:2000:65534::/home/internet:/sbin/nologin

nologin would probably mean no home directory, am I right ?

The home directory is specified as /home/internet. /sbin/nologin should mean that the user can't log in.

2000/65534 are the user and group id you would get the first time you created a user through the user manager page. The directory /home/internet would then contain files called .hushlogin, .profile, .shrc, and .tcshrc.

I think the most likely explanation is that at some point you inadvertently created the user yourself, perhaps mistaking the page you were on in the user interface.

tedquade

@Phonix66 Possibly an OpenVPN roadwarrior account you set up at some point.

Ted

Phonix66

@tedquade I guess it could be the case. actually I don't have any idea since the PFsense is installed for quite a while now.
I'll just remove the stale user and I have changed the admin password already.
So I guess that ok. I'll keep an eye on the users for a while, just to make sure.

Thanks everyone, really appreciate that.

dennypage

@Phonix66 said in User called “internet”:

I suspect the ntopng package, I didn't login for a while and tried now to login with the "internet" user, but couldn't, nighter with my Administrator account.

The ntopng package does not create such a user. What made you suspect it?

[Edit: You can ignore this -- I just saw that you subsequently determined that it wasn't ntopng]