pfSense rebooted by root?

RyanM

It was definitely not someone at the physical console.

All of my recent logins look legitimate:

Nov 10 13:51:23 router php-fpm[77178]: /index.php: Successful login for user 'admin' from: 192.168.1.100 (Local Database)
Nov 10 20:05:42 router php-fpm[62086]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database)
Nov 12 08:38:58 router php-fpm[49422]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database)
Nov 17 19:52:04 router php-fpm[62086]: /index.php: Successful login for user 'admin' from: 192.168.1.161 (Local Database)
Nov 19 22:52:31 router login: login on ttyv0 as root
Nov 19 22:53:14 router php-fpm[72550]: /index.php: Successful login for user 'admin' from: 192.168.1.161 (Local Database)
Nov 20 11:58:18 router php-fpm[72550]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database)
Nov 20 17:54:16 router php-fpm[342]: /index.php: Successful login for user 'admin' from: 192.168.1.230 (Local Database)
Nov 20 17:55:46 router sshd[97425]: user root login class  [preauth]
Nov 20 17:55:46 router sshd[97425]: user root login class  [preauth]
Nov 20 17:55:46 router sshd[97425]: user root login class  [preauth]

stephenw10

Is the console physically protected then?

Steve

RyanM

@stephenw10 said in pfSense rebooted by root?:

Is the console physically protected then?

Steve

Yes, it is in my crawlspace at my home and it is just me and my wife here. There was no one else in the home when this happened.

I wasn't sure if this was an indication that I was hacked somehow.

stephenw10

Hmm, hard to say then.
Hard to imagine some hacker logged into your box (somehow), removed the logs of logging in but not the reboot.

You have packages installed?

Watchdog enabled?

Steve

RyanM

Have 2 packages installed: iperf and pfBlockerNG. I don't believe I have Watchdog enabled.

stephenw10

Does that box have IPMI or any other out of band access like that?
That could only really have been caused by some script that ran or something at the console directly since they apparently didn't login.

Steve

tman222

Do you have any internet facing services enabled or is the WAN interface completely locked down from the outside? If you do have services open to the broad internet, what are they, and have you checked their access logs?

Also, can you elaborate on the first line in your logs, what is "root@buildbot3" trying to do?

Hope this helps.

stephenw10

That's not doing anything it's first logged output from the kernel. Buildbot3 is our internal buildbox that built the kernel.

Steve

tman222

@stephenw10 - thanks for the clarification, just looked a bit suspicious to me at first glance.

RyanM

My machine does not support IPMI. A fuller copy of the log is available here: https://docs.google.com/spreadsheets/d/1JC-8D-RQ44JRlXGF4PXnRid32aUxdZ8RrHdE7Z4GQnk/edit?usp=sharing

I had avoided posting the whole thing because I didn't want to cleanse it.

The reboot is on row 549.

I do have some open ports on the WAN with forwarding rules:
Port - Description
80, 81 - HTTP
2222 - SSH
1194, 1196 - OpenVPN
8080 - Docker / Rancher
32400, 32444 - Plex

chpalmer

Is port 2222 just to your firewall?

stephenw10

Nothing looks very out of place. Something on your network (192.168.1.4) is trying to open pages on the firewall that don't exist:

Nov 15 16:37:48	***REMOVED_ROUTER_HOSTNAME***		nginx: 2018/11/15 16:37:48 [error] 20989#100149: *217580 "/usr/local/www/JNAP/index.php" is not found (2: No such file or directory), client: 192.168.1.4, server: , request: "POST /JNAP/ HTTP/1.1", host: "192.168.1.1"
Nov 15 16:37:48	***REMOVED_ROUTER_HOSTNAME***		nginx: 2018/11/15 16:37:48 [error] 20989#100149: *217578 "/usr/local/www/HNAP1/index.php" is not found (2: No such file or directory), client: 192.168.1.4, server: , request: "GET /HNAP1/ HTTP/1.1", host: "192.168.1.1"

But that's pretty common, probably just something misconfigured on the client.

You could certainly make it more secure by setting ssh to key only and restricting gui access to limited source IPs. If that's not already the case.

Steve

RyanM

Port 2222 actually goes to an internal Ubuntu server.

192.168.1.4 is a Linksys 4200v2 WiFi router configured as a bridge/access point.

I will look into using Key only and restricting the GUI access.

biggsy

@ryanm

Assuming that only you should have SSH access to that server, not the whole Internet, would it not be better to use OpenVPN to pfSense and then SSH to the Ubuntu server?

RyanM

I may have to look into this a bit deeper. My router just rebooted again on it's own today:

Nov 28 12:01:59	syslogd		kernel boot file is /boot/kernel/kernel
Nov 28 12:01:00	syslogd		exiting on signal 15
Nov 28 12:01:00	reboot		rebooted by root
Nov 28 12:00:00	php		[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
Nov 28 12:00:00	php		[pfBlockerNG] Starting cron process.
Nov 28 11:00:00	php		[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
Nov 28 11:00:00	php		[pfBlockerNG] Starting cron process.

Could this be caused by some kind of scheduled job trying to reboot my router periodically?

RyanM

Ok, I just locked down some ports, included SSH (port 2222). Still, this feels like something on the router and causing causing it to reboot. Either a scheduled process, or something causing a fault that results in a reboot.

johnpoz

ssh is not port 2222, 22 yes not 2222

stephenw10

They are forwarding port 2222 to ssh here. I assume you locked it down to known source IPs only.

Has it rebooted again since?

Steve

RyanM

Yes, my isp blocks port 22 so I was forwarding port 2222 from wan to port 22 to the internal machine. I turned this off. The router rebooted another 2.5 hours later. I don’t think it has rebooted since.

RyanM

I just updated to 2.4.4-RELEASE-p1. I will continue to monitor and see if this makes a difference.