    NGINX error - iPhone sending request

      newberger last edited by

      Hi - I was checking my System log and noticed a number of nginx errors that look like they are generated by a request coming from the IP address of one of our iPhones. I'm not sure exactly when it started, but it's within the last 3-4 weeks max.

      They are almost all identical to this (except the *632, which increases each time):

      Dec 1 09:34:06	pfsense.localdomain		nginx: 2018/12/01 09:34:06 [error] 85794#100144: *632 open() "/usr/local/www/cgi-bin/authLogin.cgi" failed (2: No such file or directory), client: 192.168.1.145, server: , request: "GET /cgi-bin/authLogin.cgi? HTTP/1.1", host: "xx.xxx.x.xxx"
      

      I'm not familiar with nginx and, of course, did some searches, but couldn't find anything that was applicable. The host is my external WAN IP address. The only forum post mentioned Avast, which I don't run. Thanks for any assistance!

      • stephenw10
        stephenw10 Netgate Administrator last edited by

        Something running on your iPhone is trying to access that page at what it sees as its public IP address, the pfSense WAN.
        That request is allowed through the firewall by default as it comes from LAN, but that page doesn't exist in pfSense, so nginx shows that error trying to serve the request.

        The question is why is your iPhone doing that?

        Steve

        • N
          newberger last edited by

          Hi Steve - thanks for the reply, that is a helpful explanation. Yes, I am also wondering why it's trying to do that. I'll see if I can narrow down which app is sending the request via trial and error.

          I wonder if an app (or even the phone) is trying to verify some account login information? If I can identify the app, it may clarify what's going on.

          • T
            tim.mcmanus last edited by

            Are you running services on your internal network that are accessible to the internet, like a mail server? If you do not have internal DNS mapping to internal IP addresses, the DNS lookup will return your internet-facing IP address, and that might be causing this situation.

            • stephenw10
              stephenw10 Netgate Administrator last edited by

              Yes, there's a good chance it's that. In which case:

              https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html

              Steve

              • N
                newberger last edited by

                Tim, thanks for the reply, but no, I don't have anything on the internal system that's available to the internet - definitely not running a mail server.

                Steve - I looked at the article and none of my NAT settings are enabled as described in the document. However, I haven't installed anything that would require these changes and this nginx error is fairly new.

                Also the error is listing the IP of the iPhone?

                • stephenw10
                  stephenw10 Netgate Administrator last edited by

                  You have no port forwards set up?

                  What it looks like is you had something running on your internal network that is resolved to your external WAN address, with dyndns maybe. Your phone was connecting to it externally and now it's inside the network it's still trying.

                  Steve

                  • N
                    newberger @stephenw10 last edited by

                    Hi Steve - sorry, I do have two port forwards: one external port forward set up, so I can access a specific device (ISY Home Control device) and one internal port forward (NUT control).

                    However, the iPhone that is sending this request does not have the ISY control app installed.

                    • stephenw10
                      stephenw10 Netgate Administrator last edited by

                      @newberger said in NGINX error - iPhone sending request:

                      /usr/local/www/cgi-bin/authLogin.cgi

                      That looks most likely to be a QNAP login page. Do you have a QNAP device?

                      If not, it also appears to be a known exploit vector that something may be attempting to use. Maybe spoofing the IP of your iPhone.

                      Steve

                      • N
                        newberger last edited by

                        Steve - Yes, I do have a QNAP NAS. The phone does back up to the QNAP via the QFile app, but the app was not running when these requests were sent.

                        The requests are only occurring when the phone is in the home, on wifi, so I don't think it's another device spoofing.

                        I didn't see anything in online search results that indicated that this is QNAP-related. However, after your post, when I search online for only "authLogin.cgi", I see the exploit you are describing. I had just run QNAP's malware scanner yesterday (due to a different email) and the NAS showed to be clean.

                        • stephenw10
                          stephenw10 Netgate Administrator last edited by

                          Ok, if your phone is backing up to the QNAP it's likely legitimate traffic rather than something trying to exploit the NAS.
                          However, it's running at the wrong time then, as it's trying to connect via what the QNAP sees as its external address and instead hitting the pfSense GUI.
                          It's probably harmless, but you could block access to the WAN address on port 443 from the LAN subnet to prevent it.

                          Steve

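An added example, not part of any post in the thread: a small Python triage script for nginx error lines of the kind quoted in the first post. It counts "No such file" requests per client and path and marks those where a LAN client addressed a host outside the LAN, which is the pattern discussed above. The sample lines are constructed, 203.0.113.10 stands in for the redacted WAN address, and the 192.168.1.0/24 LAN range is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the log line quoted in the thread;
# 203.0.113.10 is a placeholder for the redacted WAN address.
SAMPLE_LOG = '''\
Dec 1 09:34:06 pfsense.localdomain nginx: 2018/12/01 09:34:06 [error] 85794#100144: *632 open() "/usr/local/www/cgi-bin/authLogin.cgi" failed (2: No such file or directory), client: 192.168.1.145, server: , request: "GET /cgi-bin/authLogin.cgi? HTTP/1.1", host: "203.0.113.10"
Dec 1 09:39:07 pfsense.localdomain nginx: 2018/12/01 09:39:07 [error] 85794#100144: *633 open() "/usr/local/www/cgi-bin/authLogin.cgi" failed (2: No such file or directory), client: 192.168.1.145, server: , request: "GET /cgi-bin/authLogin.cgi? HTTP/1.1", host: "203.0.113.10"
Dec 1 10:02:11 pfsense.localdomain nginx: 2018/12/01 10:02:11 [error] 85794#100144: *640 open() "/usr/local/www/favicon.png" failed (2: No such file or directory), client: 192.168.1.20, server: , request: "GET /favicon.png HTTP/1.1", host: "192.168.1.1"
Dec 1 10:05:00 pfsense.localdomain php-fpm: /index.php: Successful login for user 'admin' from: 192.168.1.20
'''

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet

ERROR_RE = re.compile(
    r'\*(?P<conn>\d+) open\(\) "(?P<file>[^"]+)" failed \(2: [^)]*\), '
    r'client: (?P<client>[^,]+), server: [^,]*, '
    r'request: "(?P<method>\S+) (?P<uri>\S+)[^"]*", host: "(?P<host>[^"]+)"'
)

def in_lan(value):
    """True if value is an IPv4 address (optionally with :port) inside LAN."""
    if value.count(":") == 1:          # strip a port from an IPv4 Host header
        value = value.split(":")[0]
    try:
        return ipaddress.ip_address(value) in LAN
    except ValueError:                 # hostname or malformed value
        return False

def summarize(log_text):
    """Count missing-file requests per (client, path, host), most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            path = m["uri"].split("?", 1)[0]   # drop the query string
            counts[(m["client"], path, m["host"])] += 1
    return [
        {"client": c, "path": p, "host": h, "count": n,
         "lan_to_outside": in_lan(c) and not in_lan(h)}
        for (c, p, h), n in counts.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A Host header that is a hostname rather than an IP is reported as outside the LAN, so resolve it separately before drawing conclusions.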