Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense rebooted by root?

    Scheduled Pinned Locked Moved General pfSense Questions
    29 Posts 7 Posters 5.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by stephenw10

      Check your logs for logins.

      It could also have been someone at the console.

      Steve

      1 Reply Last reply Reply Quote 0
      • RyanMR
        RyanM
        last edited by

        It was definitely not someone at the physical console.

        All of my recent logins look legitimate:

        Nov 10 13:51:23 router php-fpm[77178]: /index.php: Successful login for user 'admin' from: 192.168.1.100 (Local Database)
        Nov 10 20:05:42 router php-fpm[62086]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database)
        Nov 12 08:38:58 router php-fpm[49422]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database)
        Nov 17 19:52:04 router php-fpm[62086]: /index.php: Successful login for user 'admin' from: 192.168.1.161 (Local Database)
        Nov 19 22:52:31 router login: login on ttyv0 as root
        Nov 19 22:53:14 router php-fpm[72550]: /index.php: Successful login for user 'admin' from: 192.168.1.161 (Local Database)
        Nov 20 11:58:18 router php-fpm[72550]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database)
        Nov 20 17:54:16 router php-fpm[342]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database)
        Nov 20 17:55:46 router sshd[97425]: user root login class  [preauth]
        Nov 20 17:55:46 router sshd[97425]: user root login class  [preauth]
        Nov 20 17:55:46 router sshd[97425]: user root login class  [preauth]
        
        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Is the console physically protected then?

          Steve

          RyanMR 1 Reply Last reply Reply Quote 0
          • RyanMR
            RyanM @stephenw10
            last edited by

            @stephenw10 said in pfSense rebooted by root?:

            Is the console physically protected then?

            Steve

            Yes, it is in my crawlspace at my home and it is just me and my wife here. There was no one else in the home when this happened.

            I wasn't sure if this was an indication that I was hacked somehow.

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Hmm, hard to say then.
              Hard to imagine some hacker logged into your box (somehow), removed the logs of logging in but not the reboot.

              You have packages installed?

              Watchdog enabled?

              Steve

              1 Reply Last reply Reply Quote 0
              • RyanMR
                RyanM
                last edited by

                Have 2 packages installed: iperf and pfBlockerNG. I don't believe I have Watchdog enabled.

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Does that box have IPMI or any other out of band access like that?
                  That could only really have been caused by some script that ran or something at the console directly since they apparently didn't login.

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • T
                    tman222
                    last edited by

                    Do you have any internet facing services enabled or is the WAN interface completely locked down from the outside? If you do have services open to the broad internet, what are they, and have you checked their access logs?

                    Also, can you elaborate on the first line in your logs, what is "root@buildbot3" trying to do?

                    Hope this helps.

                    1 Reply Last reply Reply Quote 0
                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      That's not doing anything it's first logged output from the kernel. Buildbot3 is our internal buildbox that built the kernel.

                      Steve

                      T 1 Reply Last reply Reply Quote 0
                      • T
                        tman222 @stephenw10
                        last edited by

                        @stephenw10 - thanks for the clarification, just looked a bit suspicious to me at first glance. ☺

                        1 Reply Last reply Reply Quote 0
                        • RyanMR
                          RyanM
                          last edited by

                          My machine does not support IPMI. A fuller copy of the log is available here: https://docs.google.com/spreadsheets/d/1JC-8D-RQ44JRlXGF4PXnRid32aUxdZ8RrHdE7Z4GQnk/edit?usp=sharing

                          I had avoided posting the whole thing because I didn't want to cleanse it.

                          The reboot is on row 549.

                          I do have some open ports on the WAN with forwarding rules:
                          Port - Description
                          80, 81 - HTTP
                          2222 - SSH
                          1194, 1196 - OpenVPN
                          8080 - Docker / Rancher
                          32400, 32444 - Plex

                          1 Reply Last reply Reply Quote 0
                          • chpalmerC
                            chpalmer
                            last edited by

                            Is port 2222 just to your firewall?

                            Triggering snowflakes one by one..
                            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                            1 Reply Last reply Reply Quote 0
                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              Nothing looks very out of place. Something on your network (192.168.1.4) is trying to open pages on the firewall that don't exist:

                              Nov 15 16:37:48	***REMOVED_ROUTER_HOSTNAME***		nginx: 2018/11/15 16:37:48 [error] 20989#100149: *217580 "/usr/local/www/JNAP/index.php" is not found (2: No such file or directory), client: 192.168.1.4, server: , request: "POST /JNAP/ HTTP/1.1", host: "192.168.1.1"
                              Nov 15 16:37:48	***REMOVED_ROUTER_HOSTNAME***		nginx: 2018/11/15 16:37:48 [error] 20989#100149: *217578 "/usr/local/www/HNAP1/index.php" is not found (2: No such file or directory), client: 192.168.1.4, server: , request: "GET /HNAP1/ HTTP/1.1", host: "192.168.1.1"
                              

                              But that's pretty common, probably just something misconfigured on the client.

                              You could certainly make it more secure by setting ssh to key only and restricting gui access to limited source IPs. If that's not already the case.

                              Steve

                              1 Reply Last reply Reply Quote 0
                              • RyanMR
                                RyanM
                                last edited by

                                Port 2222 actually goes to an internal Ubuntu server.

                                192.168.1.4 is a Linksys 4200v2 WiFi router configured as a bridge/access point.

                                I will look into using Key only and restricting the GUI access.

                                B 1 Reply Last reply Reply Quote 0
                                • B
                                  biggsy @RyanM
                                  last edited by

                                  @ryanm

                                  Assuming that only you should have SSH access to that server, not the whole Internet, would it not be better to use OpenVPN to pfSense and then SSH to the Ubuntu server?

                                  1 Reply Last reply Reply Quote 0
                                  • RyanMR
                                    RyanM
                                    last edited by

                                    I may have to look into this a bit deeper. My router just rebooted again on it's own today:

                                    Nov 28 12:01:59	syslogd		kernel boot file is /boot/kernel/kernel
                                    Nov 28 12:01:00	syslogd		exiting on signal 15
                                    Nov 28 12:01:00	reboot		rebooted by root
                                    Nov 28 12:00:00	php		[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                                    Nov 28 12:00:00	php		[pfBlockerNG] Starting cron process.
                                    Nov 28 11:00:00	php		[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                                    Nov 28 11:00:00	php		[pfBlockerNG] Starting cron process.
                                    

                                    Could this be caused by some kind of scheduled job trying to reboot my router periodically?

                                    1 Reply Last reply Reply Quote 0
                                    • RyanMR
                                      RyanM
                                      last edited by

                                      Ok, I just locked down some ports, included SSH (port 2222). Still, this feels like something on the router and causing causing it to reboot. Either a scheduled process, or something causing a fault that results in a reboot.

                                      1 Reply Last reply Reply Quote 0
                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        ssh is not port 2222, 22 yes not 2222

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          They are forwarding port 2222 to ssh here. I assume you locked it down to known source IPs only.

                                          Has it rebooted again since?

                                          Steve

                                          1 Reply Last reply Reply Quote 0
                                          • RyanMR
                                            RyanM
                                            last edited by

                                            Yes, my isp blocks port 22 so I was forwarding port 2222 from wan to port 22 to the internal machine. I turned this off. The router rebooted another 2.5 hours later. I don’t think it has rebooted since.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.