Multiple unexpected login "beeps"...
-
Can anyone give me some advice please? I have been running a community pfsense, installed on a 4 port protectli vault for about 2 years now. I never had an issue.
I installed the pfsense to use as a router, because the Starlink router wouldn't play nice with the 5 other routers I have, all in AP mode! to get wifi around my strange house. Very bad wifi strengths without multiple routers! All was well.
I am not a "homelabber" as such, but I did set up an Unraid box to replace a very old Windows Home Server which was dying. Can't complain, it was running for over a decade, but I didn't want to lose all, so I went with Unraid, on another Protectli box, a bad choice as all disks are attached through an external cage over USB-C 3.1 I think.
Anyhoo, I was at work today and noticed some uploading on the Unraid, and I couldn't find out why. I was logged into it remotely, over Tailscale, but it was doing about 20 Mbit/s up.
I looked online to see if PfSense had a way of monitoring traffic by client and found a video about ntopng, which I installed and configured, I think.
It was a bit bamboozling to me, but there was some traffic I didn't recognise. An upload to an ip address which wasn't my VPS or anything else I could think about.
When I got home, doing some more investigating, my pfsense box beeped, which it does when someone logs in. I went looking for logs but can't really say if I found anything. As this was strange, and I DID install ntopng with the same password, I thought that must be it, so I uninstalled the package.
Still getting unexpected pings from the pfsense.
I disconnected the internet and changed the password to the pfsense, and I then re-enabled the internet. It may have settled down now, but there were a couple of unexpected "login" beeps even after the password change.
Long story short, have I been hacked somehow? Is there a way to check in the logs who was logging in? Maybe it was my computer (local) reauthenticating, but not on my part, and I have never heard this happen before today.
Any advice would be gratefully received.
Thank you.
Ian
Community latest version 2.7.2-RELEASE (amd64)
It just beeped again!
-
@IanMcLeish The console and system log should show user logins.
Mar 27 16:22:54 php-fpm 99362 /index.php: Successful login for user 'admin' from: ______ (Local Database)
-
Yup, it would be logged. Both in the System log and the Authentication log.
[2.7.2-RELEASE][admin@t70.stevew.lan]/root: grep login /var/log/auth.log
Feb 15 16:54:31 t70 php-fpm[98161]: /index.php: Successful login for user 'admin' from: 172.21.16.8 (Local Database)
Mar 4 13:09:10 t70 php-fpm[2495]: /index.php: Successful login for user 'admin' from: 172.21.16.8 (Local Database)
Mar 17 00:51:09 t70 php-fpm[32432]: /index.php: Successful login for user 'admin' from: 172.21.16.8 (Local Database)
Mar 28 01:15:58 t70 php-fpm[18718]: /index.php: Successful login for user 'admin' from: 172.21.16.8 (Local Database)
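As an added example (not code from the thread or from pfSense itself), the following script parses "Successful login" lines in the exact format quoted above and flags any GUI login whose source address is outside a trusted LAN range. The sample lines are constructed from the ones posted, the 203.0.113.45 source is made up, and treating 172.21.16.0/24 as the trusted network is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Regex for the "Successful login" line as pfSense writes it to /var/log/auth.log
# (format taken from the lines quoted in the thread above).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) php-fpm\[\d+\]: "
    r"/index\.php: Successful login for user '(?P<user>[^']+)' from: "
    r"(?P<src>[0-9a-fA-F.:]+) \((?P<backend>[^)]+)\)$"
)

def parse_logins(lines):
    """Yield (timestamp, user, source, backend) for each successful GUI login; other lines are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            yield m["ts"], m["user"], m["src"], m["backend"]

def audit_logins(lines, trusted_nets):
    """Count logins per (user, source) and list logins from outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    counts = Counter()
    untrusted = []
    for ts, user, src, backend in parse_logins(lines):
        counts[(user, src)] += 1
        if not any(ipaddress.ip_address(src) in n for n in nets):
            untrusted.append((ts, user, src, backend))
    return counts, untrusted

# Constructed sample: three lines modelled on the thread, one constructed login from a
# non-LAN address (203.0.113.45), and one unrelated sshd line that the parser ignores.
SAMPLE_LOG = """\
Feb 15 16:54:31 t70 php-fpm[98161]: /index.php: Successful login for user 'admin' from: 172.21.16.8 (Local Database)
Mar  4 13:09:10 t70 php-fpm[2495]: /index.php: Successful login for user 'admin' from: 172.21.16.8 (Local Database)
Mar 27 16:22:54 t70 php-fpm[99362]: /index.php: Successful login for user 'admin' from: 203.0.113.45 (Local Database)
Mar 28 01:15:58 t70 php-fpm[18718]: /index.php: Successful login for user 'admin' from: 172.21.16.8 (Local Database)
Mar 28 01:16:02 t70 sshd[18800]: Accepted publickey for root from 172.21.16.8 port 50122 ssh2
"""

if __name__ == "__main__":
    # Assumption: 172.21.16.0/24 is the only network admins should log in from.
    counts, untrusted = audit_logins(SAMPLE_LOG.splitlines(), ["172.21.16.0/24"])
    for (user, src), n in sorted(counts.items()):
        print(f"{user:10} {src:18} {n} login(s)")
    for ts, user, src, backend in untrusted:
        print(f"WARNING: {ts} login as '{user}' from {src} is outside the trusted networks")
```

On a real box, feed it `grep login /var/log/auth.log` output (the command shown above) and adjust the trusted range to your own LAN.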
-
@stephenw10 said in Multiple unexpected login "beeps"...:
Successful login for user 'admin' from:
Thank you both, I looked at the logs and there are so many attacks, but I don't see any unauthorised access. Don't know why it is beeping.
Maybe it doesn't only beep on a successful login, but that was my experience until now.
I recently had fibre installed and 2 days later a car took out all the fibre lines! So until Tuesday I was perhaps less exposed to these attacks, behind Starlink's CGNAT, but now I have a public static ip address.
Didn't realise how many attacks a router would need to defend against!
Thanks again, I'll keep an eye on those logs!
-
@IanMcLeish said in Multiple unexpected login "beeps"...:
Didn't realise how many attacks a router would need to defend against!
Not sure I would call noise "attacks". Yes, there will be lots of attempts to see if you have ports open; sure, there will be brute force attempts to log in to exposed ssh or ftp, etc.
But I wouldn't call your firewall dropping packets that are not allowed "attacks". Do you have ssh exposed to the public internet, or other services? All the common ports, ssh, ftp, rdp, sql, etc., will always see lots of noise.
So, like in the last 24 hours: 96 hits to ssh (22). None of those would actually get to attempt to log in because I don't even have 22 allowed. But most of them wouldn't be allowed even if I had 22 open, because I block most of those IPs; I don't allow them because they are known scanners (shodan, etc), not coming from US IPs, or just noise producers like Digital Ocean. Nothing good will ever talk to you from a DO IP ;)
See that last one there must be a US IP, and not in my known scanners list or DO block, so if it was open he would be allowed.
But yeah, if you're behind a CGNAT you wouldn't see any unsolicited inbound traffic. Calling them attacks, sure, if you want ;)
The internet is a noisy place. I sure wouldn't expose ssh to the public internet - vpn in if you need remote access. Or if you must use something like ssh, whitelist to known good IPs and for sure only allow public key auth.
-
@IanMcLeish said in Multiple unexpected login "beeps"...:
I looked at the logs and there are so many attacks
What exactly are you seeing? Failed login attempts? If so, that's bad; you should not have the firewall webgui open to the internet.
If it's just firewall logs on WAN then, yes, that's pretty much expected if you have a public IP.
-
@IanMcLeish said in Multiple unexpected login "beeps"...:
Is there a way to check in the logs who was logging in?
That's what this log is all about: Status > System Logs > Authentication > General
GUI logins are very recognizable:
and normally, only the admin user can login from a LAN - or whatever you decide - network.
WAN is normally impossible of course.
Possible that a package also beeps, as it's a system call or a simple shell script.
Edit: ... didn't see the reply of everybody else.
-
@stephenw10 said in Multiple unexpected login "beeps"...:
you should not have the firewall webgui open to the internet.
QFT
-
@johnpoz said in Multiple unexpected login "beeps"...:
@stephenw10 said in Multiple unexpected login "beeps"...:
you should not have the firewall webgui open to the internet.
QFT
I just made a new post about this before reading this. It is open to the internet, and I do not know for the life of me why it is or how it got to be.
And I don't know how to set it to not be available!!
-
@IanMcLeish Well, what are your firewall rules on your WAN? The only way it would be open to the internet is if you have a rule that allows it. Remove such a rule. Post up your WAN rules.
-
@johnpoz said in Multiple unexpected login "beeps"...:
@IanMcLeish well what are your firewall rules on your lan - the only way it would be open to the internet is if you have a rule that allows it. Remove such a rule - post up your wan rules.
I got it sorted out on the other post, it was all down to my stupidity, unsurprisingly.
All my bad. But yes, checking my firewall rules sorted out my problem, so thanks for the suggestion.
Ian
-
You must have a firewall rule allowing it since all traffic inbound is blocked by default.
So check the WAN firewall rules. If there's nothing there check for interface groups or floating rules.
Post some screenshots if you're unsure.
Edit: Ooops hit post after like 2hrs.