Can't access 3100 appliance



  • @stephenw10 I agree with the firewall to restrict access to the GUI, and I think my rules are already set for exactly that. But my current problem is that I can't access the GUI myself so I can't get in to even verify that. And if it wasn't set, why would I have access for 15 or so min. after the reboot? I didn't have this issue before the reload so the settings shouldn't have changed.


  • Netgate Administrator

    15mins is suspiciously like an ARP timeout. Maybe you have some IP conflict and something else is responding to ARP when it times out breaking your connection.

    If you are inadvertently connecting to something else that might explain why your password seems to stop working.
    The SSH key would be different though, the SSH client should warn you about that when you try to connect.

    If you restart php and the webgui at the console (menu options 16+11) do you get connectivity back?

    Steve



  • @stephenw10 I haven't connected since Friday but when I went to it today, it connected just fine. I've been logged on for over 30 min. now. I can move around all the menus and options normally. It loads fast. I can make changes.

    However, if I make a change and hit save it stalls out saying it's sending request. But if I then click off to another menu and come back, the change has been saved. And I can't access the Dashboard at all. It just says Waiting for xxx.xxx.xxx.xxx... but never loads. Not sure if this is related to the same issue or if this should be a new thread.



  • @stephenw10 I left it trying to load that page and came back later. The page had loaded at some point so I went off of that page to another page then back to the Dashboard. It's still trying to load the Dashboard again.

    I also see it loaded a new version about 45 min. ago.


  • Netgate Administrator

    That sounds more like a general connectivity issue. When you go to the dashboard depending on which widgets you have there, it reaches out to check several things on the internet, the firmware update check for example.
    If it cannot connect to those they have to timeout. The dash will be much slower to load in that situation than other pages.
    If you have ACB configured then it tries to save a backup everytime you make any chnage to the firewall and that can be a problem if there is no connectivity.
    Make sure all your configured DNS servers are responding in Diag > DNS Lookup.
    Make sure it can ping out in Diag > Ping.

    Steve



  • @stephenw10 The page loaded instantly this morning. I went to the Diag > DNS Lookup and did some lookups. They came back with 6-11ms return times. I'm on fiber and haven't seen any connectivity issues on any of the servers.

    Yesterday when I'd try to load the Dashboard and it would eventually complete, it showed the "Netgate Services and Support" as just a spinning star as if it was trying to get an update. Today it loads with the rest of the page so that's different. I didn't make any changes however.

    Today it appears to be running fine.


  • Netgate Administrator

    Mmm, some IP conflict would tie in with that if whatever device it was has now been removed or given a new IP.

    I would expect to see something logged in pfSense reporting another device using the same IP though.

    Steve



  • @stephenw10 And these are all fixed IPs and no changes to any of them during this time.



  • I think you should edit the subject of your first post to remove the word "hacked".



  • @cdsJerry said in Can't access 3100 appliance - hacked:

    @stephenw10 And these are all fixed IPs and no changes to any of them during this time.

    Are you 100% sure, though, that another transient device is not getting connected to the network and then later removed, and this transient device happens to have the same IP address as your pfSense box? The symptoms you describe have the hallmarks of a duplicate IP address on the local network. This transient device could be a wireless device or a wired device (someone's laptop maybe).



  • @NollipfSense Thanks for the suggestion. That is a "hot" word. It does appear that someone did get into our network as they connected to the computer used to do our shipping and they shut down several VM machines. It looks like they booted themselves out when they shut down the machine they were using to access our network. The point is.. they got past the firewall somehow and when we went to look at the firewall we found the password appears to have been changed so we think we were indeed "hacked".



  • @bmeeks said in Can't access 3100 appliance - hacked:

    @cdsJerry said in Can't access 3100 appliance - hacked:

    @stephenw10 And these are all fixed IPs and no changes to any of them during this time.

    Are you 100% sure, though, that another transient device is not getting connected to the network and then later removed, and this transient device happens to have the same IP address as your pfSense box? The symptoms you describe have the hallmarks of a duplicate IP address on the local network. This transient device could be a wireless device or a wired device (someone's laptop maybe).

    There is no wireless access to any fixed IPs or device that has dhcp to any fixed IPs. The only way to access those IPs would be to connect to the managed switch, or the pfSense appliance itself. In our tiny company I'm the only one with access to those pieces of equipment. I didn't make any changes except I swapped out our old pfSense for the appliance while I rebuilt the appliance. The old pfsense and the appliance are not on the same WAN IP so there shouldn't have been a conflict there. And both devices were never both connected at the same time for that matter.

    It's still working OK. I've had it open all day today and no glitches in spite of no changes.



  • @cdsJerry What you described seems more internal...like a disgruntled employee who knew the network administrator's password and paid back...shame on the network administrator indeed!



  • @NollipfSense There are only two of us and I'm the only one with access. I use secure passwords and have never shared those passwords with anyone. I use a password manager (Dashlane) to keep track of them because I use comlex passwords that are never used in more than one place. My one employee has zero access to pfsense.



  • @cdsJerry At least, you know it was the shipping computer that was used; however, it still puzzling because a complex password is not easy to change on a firewall, much lest a robust firewall such as pfSense. So, do you know what IP address was used, the time and date and the ISP the IP address came from? Is your password manager configured to change the password after a period elapsed? Do you have any idea why you were targeted?

    I have never used a password manager on a firewall. I still think you should remove "hacked" until you're absolutely sure with a preponderance of substantiable evidence.



  • @NollipfSense I do not know what IP address was used. The shipping computer is connected to the LAN and has no WAN IP. It's behind pfsense and behind another router. I can only guess at the time based on when I noticed an attempt to log into our FTP server (from the shipping computer). They may have been inside for a while before that of course.

    The password manager doesn't change the password on pfsense, nor is it connected to it. Dashlane is simply an encrypted password management program that creates and stores secure passwords. Google it, it's really handy. To change the PW on pfsense I'd still need to log into it via the GUI. Dashlane just allows me to use longer more secure passwords without trying to remember them all.

    I have no idea why I'd be targeted. Our domain name gets a lot of hits but we're a small company. There are no financial fortunes here to discover. But a hacker wouldn't know that until he gets in.

    And I did remove "hacked" from the subject already based on your first suggestion.



  • @cdsJerry said in Can't access 3100 appliance:

    And I did remove "hacked" from the subject already based on your first suggestion.

    Cool...I didn't notice as I was at the bottom of the thread...thank you!

    I got to say though the shipping computer with no WAN IP made me scratch my head...so, what the router in front of it but behind the pfSense box do?



  • @NollipfSense My pfsense is in pass through mode. It doesn't issue IPS etc. It just makes sure the traffic coming in is "clean" and controls what ports are open etc. The WAN IPs all pass through it to their destinations which then control the traffic from that point forward.


  • Netgate Administrator

    Given that someone was able to shutdown VMs and that your firewall is in pass thoughmode with public IPs internally, is it possible 'they' created a new VM on the same IP as pfSense? Or altered the IP of existing VM?

    Steve



  • @stephenw10 There weren't any new VMs. We only have a few running so it would have been easy to spot. And the VMs aren't on the same WAN IP as pfsense. They pass through pfsense but you can't access pfsense from them as they are not the WAN assigned to pfsense. Pfsense is the only thing using that IP. The VM host uses a LAN IP for it's access. It is connected to the WAN in order to pass those WAN addresses over to the virtual NIC cards in the VMs but none of those WAN IPs are assigned to the NIC on the host (Proxmox). None of the IPs on the VMs have been altered.



  • @cdsJerry said in Can't access 3100 appliance:

    @NollipfSense My pfsense is in pass through mode. It doesn't issue IPS etc. It just makes sure the traffic coming in is "clean" and controls what ports are open etc. The WAN IPs all pass through it to their destinations which then control the traffic from that point forward.

    Okay, I remember reading your response earlier where you mentioned the above. I don't know what to say...


  • Netgate Administrator

    I'm assuming you've gone back through the pfSense logs and there are no reports of: 'xxxxxx is using my IP!' ?

    Because it really looks like that might have happened from everything you describe.

    Steve



  • @stephenw10 The short answer would be no we didn't. I didn't see anything that jumped out at me when I was looking in the logs but I didn't know what I was looking for. In pass-through mode would that error even show up?

    When we couldn't get the password to reset and we couldn't get into pfSense via the GUI we ended up re-loading the entire thing from a backup just to make sure that none of the rules or aliases had been altered, so everything was reset at that point to try and secure the network again.


  • Netgate Administrator

    pfSense will log that if it sees some other device using it's IP so broadcast messages from that IP or something else responding to ARP. I would see that traffic in a bridged setup still.

    Steve



  • @stephenw10 I don't see anything like that in the logs. And it's still working fine today. Nothing on the network has changed but it's all operating as expected for several days now.


  • Netgate Administrator

    Hmm, well that's a public IP so it could have been some issue at your provider. They mistakenly issued your IP to another client perhaps and have now corrected that. Hard to say at this point.


Log in to reply