pfSense rebooted by root?
-
I noticed this evening that I lost my internet connectivity for a few minutes. I looked at my pfSense router and noticed it had been rebooted.
This is all that I see in the logs:
Nov 19 22:51:59 kernel root@buildbot3:/crossbuild/ce-244/obj/amd64/WvDslnYb/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/sys/pfSense amd64 Nov 19 22:51:59 kernel FreeBSD 11.2-RELEASE-p3 #17 e6b497fa0a3(RELENG_2_4_4): Thu Sep 20 09:04:45 EDT 2018 Nov 19 22:51:59 kernel FreeBSD is a registered trademark of The FreeBSD Foundation. Nov 19 22:51:59 kernel The Regents of the University of California. All rights reserved. Nov 19 22:51:59 kernel Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 Nov 19 22:51:59 kernel Copyright (c) 1992-2018 The FreeBSD Project. Nov 19 22:51:59 kernel Uptime: 34d21h9m31s Nov 19 22:51:59 kernel All buffers synced. Nov 19 22:51:59 kernel Syncing disks, vnodes remaining... 0 0 done Nov 19 22:51:59 kernel Waiting (max 60 seconds) for system process `syncer' to stop... Nov 19 22:51:59 kernel Waiting (max 60 seconds) for system process `bufdaemon' to stop... done Nov 19 22:51:59 kernel Waiting (max 60 seconds) for system process `vnlru' to stop... done Nov 19 22:51:59 kernel ovpnc3: link state changed to DOWN Nov 19 22:51:59 kernel pflog0: promiscuous mode disabled Nov 19 22:51:59 syslogd kernel boot file is /boot/kernel/kernel Nov 19 22:51:00 syslogd exiting on signal 15 Nov 19 22:51:00 reboot rebooted by root Nov 19 22:00:00 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload Nov 19 22:00:00 php [pfBlockerNG] Starting cron process. Nov 19 21:00:00 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload Nov 19 21:00:00 php [pfBlockerNG] Starting cron process.``` It is strange that it seemed to reboot on its own. Is it possible it has been compromised?
-
Check your logs for logins.
It could also have been someone at the console.
Steve
-
It was definitely not someone at the physical console.
All of my recent logins look legitimate:
Nov 10 13:51:23 router php-fpm[77178]: /index.php: Successful login for user 'admin' from: 192.168.1.100 (Local Database) Nov 10 20:05:42 router php-fpm[62086]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database) Nov 12 08:38:58 router php-fpm[49422]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database) Nov 17 19:52:04 router php-fpm[62086]: /index.php: Successful login for user 'admin' from: 192.168.1.161 (Local Database) Nov 19 22:52:31 router login: login on ttyv0 as root Nov 19 22:53:14 router php-fpm[72550]: /index.php: Successful login for user 'admin' from: 192.168.1.161 (Local Database) Nov 20 11:58:18 router php-fpm[72550]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database) Nov 20 17:54:16 router php-fpm[342]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database) Nov 20 17:55:46 router sshd[97425]: user root login class [preauth] Nov 20 17:55:46 router sshd[97425]: user root login class [preauth] Nov 20 17:55:46 router sshd[97425]: user root login class [preauth]
-
Is the console physically protected then?
Steve
-
@stephenw10 said in pfSense rebooted by root?:
Is the console physically protected then?
Steve
Yes, it is in my crawlspace at my home and it is just me and my wife here. There was no one else in the home when this happened.
I wasn't sure if this was an indication that I was hacked somehow.
-
Hmm, hard to say then.
Hard to imagine some hacker logged into your box (somehow), removed the logs of logging in but not the reboot.You have packages installed?
Watchdog enabled?
Steve
-
Have 2 packages installed: iperf and pfBlockerNG. I don't believe I have Watchdog enabled.
-
Does that box have IPMI or any other out of band access like that?
That could only really have been caused by some script that ran or something at the console directly since they apparently didn't login.Steve
-
Do you have any internet facing services enabled or is the WAN interface completely locked down from the outside? If you do have services open to the broad internet, what are they, and have you checked their access logs?
Also, can you elaborate on the first line in your logs, what is "root@buildbot3" trying to do?
Hope this helps.
-
That's not doing anything it's first logged output from the kernel. Buildbot3 is our internal buildbox that built the kernel.
Steve
-
@stephenw10 - thanks for the clarification, just looked a bit suspicious to me at first glance.
-
My machine does not support IPMI. A fuller copy of the log is available here: https://docs.google.com/spreadsheets/d/1JC-8D-RQ44JRlXGF4PXnRid32aUxdZ8RrHdE7Z4GQnk/edit?usp=sharing
I had avoided posting the whole thing because I didn't want to cleanse it.
The reboot is on row 549.
I do have some open ports on the WAN with forwarding rules:
Port - Description
80, 81 - HTTP
2222 - SSH
1194, 1196 - OpenVPN
8080 - Docker / Rancher
32400, 32444 - Plex -
Is port 2222 just to your firewall?
-
Nothing looks very out of place. Something on your network (192.168.1.4) is trying to open pages on the firewall that don't exist:
Nov 15 16:37:48 ***REMOVED_ROUTER_HOSTNAME*** nginx: 2018/11/15 16:37:48 [error] 20989#100149: *217580 "/usr/local/www/JNAP/index.php" is not found (2: No such file or directory), client: 192.168.1.4, server: , request: "POST /JNAP/ HTTP/1.1", host: "192.168.1.1" Nov 15 16:37:48 ***REMOVED_ROUTER_HOSTNAME*** nginx: 2018/11/15 16:37:48 [error] 20989#100149: *217578 "/usr/local/www/HNAP1/index.php" is not found (2: No such file or directory), client: 192.168.1.4, server: , request: "GET /HNAP1/ HTTP/1.1", host: "192.168.1.1"
But that's pretty common, probably just something misconfigured on the client.
You could certainly make it more secure by setting ssh to key only and restricting gui access to limited source IPs. If that's not already the case.
Steve
-
Port 2222 actually goes to an internal Ubuntu server.
192.168.1.4 is a Linksys 4200v2 WiFi router configured as a bridge/access point.
I will look into using Key only and restricting the GUI access.
-
Assuming that only you should have SSH access to that server, not the whole Internet, would it not be better to use OpenVPN to pfSense and then SSH to the Ubuntu server?
-
I may have to look into this a bit deeper. My router just rebooted again on it's own today:
Nov 28 12:01:59 syslogd kernel boot file is /boot/kernel/kernel Nov 28 12:01:00 syslogd exiting on signal 15 Nov 28 12:01:00 reboot rebooted by root Nov 28 12:00:00 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload Nov 28 12:00:00 php [pfBlockerNG] Starting cron process. Nov 28 11:00:00 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload Nov 28 11:00:00 php [pfBlockerNG] Starting cron process.
Could this be caused by some kind of scheduled job trying to reboot my router periodically?
-
Ok, I just locked down some ports, included SSH (port 2222). Still, this feels like something on the router and causing causing it to reboot. Either a scheduled process, or something causing a fault that results in a reboot.
-
ssh is not port 2222, 22 yes not 2222
-
They are forwarding port 2222 to ssh here. I assume you locked it down to known source IPs only.
Has it rebooted again since?
Steve