pfsense 2.6.0 sshguard @ web gui bug/crash
-
Huh, that's interesting. The disks widget is there by default on 2.6 installs so I would have expected many more reports of similar behaviour.
Do you have an unusual disk setup?
Is there anything logged in the nginx or system logs when this happens?
Steve
-
@stephenw10 Hi, the only disk setup I have is 2x 60GB Solid State Drives in a mirror. Nope, nothing in the logs. Would it be possible to post a video so you can see it? It's strange, ain't it.
-
Sure post a video, or link to it. I'd like to see it.
I have systems with dual ZFS disks in a mirror but they are smaller.
Steve
-
@violetdragon said in pfsense 2.6.0 sshguard @ web gui bug/crash:
@stephenw10 Hi, the only disk setup I have is 2x 60GB Solid State Drives in a mirror. Nope, nothing in the logs. Would it be possible to post a video so you can see it? It's strange, ain't it.
Is this a gmirror setup that's been upgraded over time or a ZFS mirror?
I have several ZFS mirrors and the disk widget works fine there but I don't think I have any gmirror setups on 2.6 currently.
-
No problems on the test box I use for this:
-
Probably not related, but :
@violetdragon said in pfsense 2.6.0 sshguard @ web gui bug/crash:
2020/09/08 04:19:59 [error] 4127#100429: *20842 upstream timed out (60: Operation timed out) while reading response header from upstream, client: 192.168.1.9, server: , request: "POST /acme/acme_certificates.php HTTP/2.0", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "violetdragon.ddns.net:10443", referrer: "https://violetdragon.ddns.net:10443/acme/acme_certificates.php"
Who is accessing what from where?
Why is a LAN based client using "violetdragon.ddns.net" (the WAN IP??) - why not use the LAN IP of the pfSense host name, which is 192.168.1.1?
Or is your pfSense really called "violetdragon" and your domain set to "ddns.net"? So "violetdragon.ddns.net" is 192.168.1.1 (looks very wrong to me).
-
It's unusual but it should work fine that way. The disks widget shouldn't care.
-
Sure thing.
It looked to me as if the request came from the 'outside', which means he opened up the GUI to the outside world. And that opens up a can of worms.
-
@gertjan If you look at the logs carefully, you will see that the 1.9 IP is my workstation. violetdragon.ddns.net was the DDNS hostname of the firewall and I was internally wrapping it inside, meaning I was using the DDNS hostname with DNS Resolver; it is not unusual to do. I moved to two static IPs for HA on my WAN, so now I am using a proper FQDN with DNS Resolver & HAProxy with SSL offloading for Let's Encrypt, for both internal services and external services. I guess you're not familiar with this kind of setup. And yes, I have moved the IP of the firewall from 1.1; this is what you do in the CCNA world. The Web GUI is not publicly exposed; I am not that dumb to publicly expose the Web GUI, same with SSH on everything. For external use I use my FQDN and OpenVPN/IPsec for offsite servers.
-
@jimp Hi, it is a ZFS Mirror.
-
Mmm, not seeing any issues on systems with ZFS mirrors here.
Hopefully the video should clarify things.
Steve
-
@stephenw10 I will get the video to you in a few hours, I have had a busy weekend with it being bank holiday. Sorry for the delays.
-
No worries, I'm glad you were able to narrow down the cause this far already.
-
@stephenw10 Hi, just to report back. Even after removing the Disk Widget the problem is still there: I cannot access the Web GUI at all, then it starts working but I can access different tabs. This is weird.
-
@stephenw10 Hi, here is the video. I had to put it on one of my servers; hopefully you will be able to play it. This is from one of my firewalls in a different location; I have another with the same issue as well. (https://cloud.violetdragonscloudnetwork.co.uk/s/iCKFFgmqQ8jLQ5a)
-
What happens when you use the 'admin' user?
Jack is fine, but that's probably not an 'admin'.
Some info collected by the dashboard GUI page needs 'admin' rights.
Why create a user like Jack? pfSense is a router firewall, not some file server.
-
@gertjan Security, admin is an easy username to guess. The admin user does the exact same. But I have a ton of PHP-FPM processes when this happens. I've also triggered the problem by attempting brute-forces via SSH. I have a feeling that maybe something is going on.
-
@violetdragon said in pfsense 2.6.0 sshguard @ web gui bug/crash:
Security, admin is an easy username to guess.
Yeah, but who cares?
Normally, the GUI should only be accessible from the LAN interface.
The other LAN (OPT1 OPT2 OPT3) interfaces are meant to be used for your local network.
This allows you to even completely disconnect the LAN interface when you don't need the GUI access. That's what security is.
Easy user names and passwords are a thing on a public network.
Your LAN is not a public network.
I've changed a user called '001' so it has admin privileges, like this:
Now I can log in with '001' and the dashboard shows up in half a second.
What happens when you remove all or most of the widgets?
Log in again to try again.
-
Ah, OK, so something you have on your dashboard is taking an age to time out before even rendering.
We can't see what widgets you have showing there, but can I assume it's the disks widget causing it? If you remove it then the dash displays in the expected time?
And does that only happen with user 'Jack'? If you log in as admin do you still see the delay?
Steve
-
@stephenw10 Hi, it happens on both users, admin and Jack. The widgets I have on the home page I have also removed and then tested again, but the issue is still there. Disabling SSH does not fix the problem, but there are loads of php-fpm entries in the logs.
Picture,
System Information,
Interfaces,
Services Status,
Installed Packages,
NTP Status,
pfBlockerNG,
Gateways,
UPS Status,
Firewall Logs,
Interface Statistics,
Thermal Sensors,
SMART Status,
Haproxy,
Snort Alerts,
Traffic Graphs.
I have noticed something though: when this happens, it's always from 12am to 5:30am. But I can trigger it, though, with false logins via SSH. There's nothing in the logs about brute force attacks, but there is something triggering it, because sshguard is being triggered and the logs are full of sshguard every few minutes. Disabling SSH in general does not fix the problem either, so is it maybe a bug? Or maybe someone's inside the network.
Speaking of the time when this happens, I have noticed it's being triggered again but the Web GUI is still working; the logs are full of:
Apr 20 15:59:00 sshguard 84660 Now monitoring attacks.
Apr 20 15:59:00 sshguard 11578 Exiting on signal.
Apr 20 16:33:00 sshguard 85149 Now monitoring attacks.
Apr 20 16:33:00 sshguard 84660 Exiting on signal.
Apr 20 17:12:00 sshguard 57530 Now monitoring attacks.
Apr 20 17:12:00 sshguard 85149 Exiting on signal.
Apr 20 17:51:00 sshguard 26088 Now monitoring attacks.
Apr 20 17:51:00 sshguard 57530 Exiting on signal.
Apr 20 17:54:00 sshguard 34895 Now monitoring attacks.
Apr 20 17:54:00 sshguard 26088 Exiting on signal.
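As an added example (not from the thread, and not pfSense or sshguard code), a small Python script that parses sshguard log lines of the shape shown above and summarises the restart pattern: every "Now monitoring attacks." line is a fresh daemon instance, and when the pid that reports "Exiting on signal." at the same timestamp is the previous instance, that is a clean handoff (a deliberate restart) rather than a crash. The sample lines are constructed from the format in the post; the year 2022 (syslog lines carry none) and the churn threshold of three restarts per hour are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the syslog format the thread shows; the year is not in
# the lines, so 2022 is assumed below purely so the timestamps can be parsed.
SAMPLE_LOG = """\
Apr 20 15:59:00 sshguard 84660 Now monitoring attacks.
Apr 20 15:59:00 sshguard 11578 Exiting on signal.
Apr 20 16:33:00 sshguard 85149 Now monitoring attacks.
Apr 20 16:33:00 sshguard 84660 Exiting on signal.
Apr 20 17:12:00 sshguard 57530 Now monitoring attacks.
Apr 20 17:12:00 sshguard 85149 Exiting on signal.
Apr 20 17:51:00 sshguard 26088 Now monitoring attacks.
Apr 20 17:51:00 sshguard 57530 Exiting on signal.
Apr 20 17:54:00 sshguard 34895 Now monitoring attacks.
Apr 20 17:54:00 sshguard 26088 Exiting on signal.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) sshguard (?P<pid>\d+) (?P<msg>.+)$")

def parse_sshguard(text, year=2022):
    """Return (timestamp, pid, message) tuples for every sshguard line, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines from other daemons (php-fpm, nginx, ...) are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["msg"]))
    return events

def restart_summary(events, churn_per_hour=3):
    """Count daemon starts, clean pid handoffs, gaps between starts, and flag churn
    when any single hour holds churn_per_hour or more restarts (assumed threshold)."""
    starts = [(ts, pid) for ts, pid, msg in events if msg.startswith("Now monitoring")]
    exits = {pid: ts for ts, pid, msg in events if msg.startswith("Exiting")}
    pairs = list(zip(starts, starts[1:]))
    clean = sum(1 for prev, cur in pairs if exits.get(prev[1]) == cur[0])
    gaps = [int((cur[0] - prev[0]).total_seconds() // 60) for prev, cur in pairs]
    per_hour = Counter(ts.strftime("%Y-%m-%d %H") for ts, _ in starts)
    busiest = max(per_hour.values()) if per_hour else 0
    return {
        "restarts": len(starts),
        "clean_handoffs": clean,
        "gap_minutes": gaps,
        "max_restarts_in_hour": busiest,
        "churning": busiest >= churn_per_hour,
    }
```

On the sample, all four handoffs are clean and the 17:51 to 17:54 gap is only three minutes, so the thread's "every few minutes" observation shows up as a churn flag rather than as any sign of a crash.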