PFS Calling Home??



  • Hi all,

    I fitted a new disk and upgraded to latest 4.0 release a few days ago.

    Checking the Monitoring/WAN traffic graph yesterday I noted that PFS had made contact somewhere, overnight whilst nothing else was powered up, and made a download. I checked the System Logs/System and noted a somewhat cryptic log which suggested the download may have been legitimate and was possibly connected with the add-on packages.

    Last night, again with nothing else powered up, another download has taken place and this time there is nothing in the System Logs to suggest this is/was a legitimate action. The earlier versions, up to 2.3.4, of PFS only called out and downloaded the bogons files once a month - a known event.

    So, as a precaution, I have replaced and am now using the disk with version 2.3.4 loaded. Question is, has my latest install been compromised? I checked the install download with the SHA256 checksum and it looked OK.

    Does anyone know if the latest version calls out for anything other than the monthly bogons update, and if so to where, what for, and how often? A quick look at the New Features and Changes gives me no clue.

    Version 2.3.4 has around 107 running processes, version 4.0 has 125.  Is this an indication that I have some virus type process running?

    J.



  • Not sure about 2.40, but 2.3.x had under System>Advanced>Misc

    Installation Feedback

    Netgate Device ID
    Check/Uncheck
    Do NOT send Netgate Device ID with user agent Enable this option to not send Netgate Device ID to pfSense as part of User-Agent header.

    That is NOT ENABLED by default.

    Not sure about calling home otherwise


  • Galactic Empire

    @jack290:

    Hi all,

    I fitted a new disk and upgraded to latest 4.0 release a few days ago.

    Checking the Monitoring/WAN traffic graph yesterday I noted that PFS had made contact somewhere, overnight whilst nothing else was powered up, and made a download. I checked the System Logs/System and noted a somewhat cryptic log which suggested the download may have been legitimate and was possibly connected with the add-on packages.

    Can you show us the log?

    @jack290:

    Last night, again with nothing else powered up, another download has taken place and this time there is nothing in the System Logs to suggest this is/was a legitimate action. The earlier versions, up to 2.3.4, of PFS only called out and downloaded the bogons files once a month - a known event.

    So, as a precaution, I have replaced and am now using the disk with version 2.3.4 loaded. Question is, has my latest install been compromised? I checked the install download with the SHA256 checksum and it looked OK.

    Does anyone know if the latest version calls out for anything other than the monthly bogons update, and if so to where, what for, and how often? A quick look at the New Features and Changes gives me no clue.

    Version 2.3.4 has around 107 running processes, version 4.0 has 125.  Is this an indication that I have some virus type process running?

    J.

    Again with no logs, screenshots or any context we can't help.


  • Rebel Alliance Developer Netgate

    Also please list any packages you have installed, and which cron jobs are enabled on the firewall (install the Cron package to check, or look at /etc/crontab)



  • Hi

    The install is defaults with backup config file restored from 2.3.4.  2.3.4 has no problems of this nature.

    Will have to replace the disk in a machine to look at the crontab.  Will now be tomorrow.

    The RRD-Summary package is the only installed addition.

    The first logs will be a long way back in the logfile, since the install has been rebooted a couple of times and left trying for a PPP connection which it could not make because the WAN was disconnected. From memory it was two lines reading something like updating 4.0 to 4.0-1. Yes, I should have taken a screenshot, but at the time I thought it was part of the initial installation setup and would not repeat.

    There was nothing in the system logfile after the second "call out". The log only indicated (ended at) the previous evening's admin logout.

    J



  • Hi

    Herewith the result of cat /etc/crontab

    # /etc/crontab - root's crontab for FreeBSD
    #
    # $FreeBSD$
    #
    SHELL=/bin/sh
    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
    #
    #minute hour mday month wday who command
    #
    #*/5 * * * * root /usr/libexec/atrun
    #
    # Save some entropy so that /dev/random can re-seed on boot.
    #*/11 * * * * operator /usr/libexec/save-entropy
    #
    # Rotate log files every hour, if necessary.
    #0 * * * * root newsyslog
    #
    # Perform daily/weekly/monthly maintenance.
    #1 3 * * * root periodic daily
    #15 4 * * 6 root periodic weekly
    #30 5 1 * * root periodic monthly
    #
    # Adjust the time zone if the CMOS clock keeps local time, as opposed to
    # UTC time.  See adjkerntz(8) for details.
    #1,31 0-5 * * * root adjkerntz -a
    #
    # pfSense specific crontab entries
    # Created: October 20, 2017, 8:01 am
    #
    1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
    1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
    1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
    30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
    0 */4 * * * root /etc/rc.backup_rrd.sh
    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout
    1 0 * * * root /usr/bin/nice -n20 /etc/rc.update_pkg_metadata
    #
    # If possible do not add items to this file manually.
    # If done so, this file must be terminated with a blank line (e.g. new line)

    J.


  • Rebel Alliance Developer Netgate

    So it's just the pkg metadata cache updating, which might also trigger an update to the pfSense repo configuration data. Assuming you meant 2.4.0 when you said "4.0", that's normal and expected.

    You might also check the output of "ps uxaww | grep minicron" to see what other smaller cron jobs are running, there are some for updating things like Alias table data, expiring old accounts, pinging IPsec hosts, pruning captive portal databases, etc. Depends on what features you have enabled.

    The bogons update, pkg metadata, and perhaps the support widget (if you have it) are the only things that might request info from us periodically on 2.4 (or 2.3.5).

    You can always disable the support widget, disable the packages widget, disable the dashboard update check, and remove the cron jobs if you don't want those to call back to our servers.
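A small schedule checker, added here as an example and not pfSense's own code, that parses the pfSense-specific entries from the crontab posted above and lists which cron jobs fired shortly before an observed WAN burst. The observation timestamps used in the test are constructed; the crontab entries are the ones quoted in the thread.

```python
from datetime import datetime, timedelta

# Constructed input: a subset of the pfSense entries from the crontab posted above.
CRONTAB = """\
1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
30 12 * * * root /usr/bin/nice -n20 /etc/rc.update_urltables
0 */4 * * * root /etc/rc.backup_rrd.sh
1 0 * * * root /usr/bin/nice -n20 /etc/rc.update_pkg_metadata
"""

def _field_matches(field, value, lo, hi):
    """Evaluate one crontab field ('*', lists, ranges, '/step') against a value."""
    for part in field.split(","):
        part, _, step = part.partition("/")
        step = int(step or 1)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-"))
        else:
            start = end = int(part)
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False

def parse_crontab(text):
    """Return (min, hour, mday, month, wday, command) tuples; comments skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(None, 6)  # 5 time fields, user, command
            if len(fields) == 7:
                jobs.append((*fields[:5], fields[6]))
    return jobs

def jobs_firing_at(jobs, when):
    """Commands whose schedule matches this minute (cron weekday: 0 = Sunday)."""
    limits = ((when.minute, 0, 59), (when.hour, 0, 23), (when.day, 1, 31),
              (when.month, 1, 12), ((when.weekday() + 1) % 7, 0, 6))
    return [job[5] for job in jobs
            if all(_field_matches(f, v, lo, hi) for f, (v, lo, hi) in zip(job, limits))]

def explain_traffic(jobs, observed, window_minutes=5):
    """List cron commands that fired within window_minutes before an observed burst."""
    found = []
    for back in range(window_minutes + 1):
        for cmd in jobs_firing_at(jobs, observed - timedelta(minutes=back)):
            if cmd not in found:
                found.append(cmd)
    return found
```

Feed it the timestamp of a burst from the WAN graph: a hit on rc.update_pkg_metadata just after midnight is the daily metadata refresh, and a hit on rc.update_bogons.sh at 03:01 on the 1st is the monthly bogons fetch.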



  • Hi -

    The dashboard update check is disabled. I'm happy with the predictable monthly bogons update, but would prefer to disable the packages widget (packages metadata?). What's the way to disable this? I don't think I have the support widget, but would prefer it to be disabled if I have.

    Do I have to manually remove the line in the crontab or will this happen on re-boot? I see the crontab updated or created when I booted up this morning to have a look at the contents - will entries re-appear on reboot if I manually remove it?

    J.


  • Rebel Alliance Developer Netgate

    The cron job is in the default config and added on upgrade. If you remove it, for example with the cron pkg, then it should not return.

    It will still update the package metadata but only once at boot time or when you specifically request it (e.g. visiting the package page)



  • Thanks for the help.

    Couple of thoughts, trying to be helpful:

    If this is a new feature should it be added to the Features Notes? Should any "call out" perhaps leave a note in the log file?

    Thanks again,

    J

