
    Trying to figure out what happened.

      Techsanity

      Sunday morning my network lost connection to the internet and I'm trying to figure out what happened. I couldn't access my network via my OpenVPN setup on pfSense. Once I got home I couldn't access the GUI either. So I manually reset the device and upon restarting everything is working correctly.

      I just looked in the logs and noticed this
      May 15 10:29:00 sshguard 85214 Now monitoring attacks.
      May 15 10:29:00 sshguard 22713 Exiting on signal.
      May 15 07:38:00 sshguard 22713 Now monitoring attacks.
      May 15 07:38:00 sshguard 46068 Exiting on signal.
      May 15 04:48:00 sshguard 46068 Now monitoring attacks.
      May 15 04:48:00 sshguard 32721 Exiting on signal.
      May 15 01:27:00 sshguard 32721 Now monitoring attacks.
      May 15 01:27:00 sshguard 42981 Exiting on signal.
      May 14 21:47:00 sshguard 42981 Now monitoring attacks.
      May 14 21:47:00 sshguard 50788 Exiting on signal.
      May 14 18:47:00 sshguard 50788 Now monitoring attacks.
      May 14 18:47:00 sshguard 21908 Exiting on signal.
      May 14 15:02:00 sshguard 21908 Now monitoring attacks.
      May 14 15:02:00 sshguard 15549 Exiting on signal.
      May 14 11:25:00 sshguard 15549 Now monitoring attacks.
      May 14 11:25:00 sshguard 70021 Exiting on signal.
      May 14 07:34:00 sshguard 70021 Now monitoring attacks.
      May 14 07:34:00 sshguard 90793 Exiting on signal.
      May 14 04:02:00 sshguard 90793 Now monitoring attacks.
      May 14 04:02:00 sshguard 2155 Exiting on signal.

      Then this is when I rebooted
      May 15 13:23:18 kernel ---<<BOOT>>---
      May 15 13:23:18 syslogd kernel boot file is /boot/kernel/kernel

      Is this someone trying to gain access to my network? Or should I be looking somewhere else in the logs for what happened?

        bmeeks

        This is coming from the new log rotation process. It is an "artifact" of the new compression and rotation scheme put in place in pfSense 2.6.0 and pfSense Plus 22.01. You are not being hacked. There is some discussion of it in other threads here, and I also believe there is a Redmine issue on the problem.

        You can reduce the number of logged messages by reducing the size of the system log by reducing what is logged, or you can increase the allowable size of a log file before rotation (if you have enough free disk space). Either of those will reduce the number of times you see the messages above, but it will not totally eliminate them.

          Techsanity @bmeeks

          @bmeeks ok, thanks, guess it just locked up for some other reason I guess.

            stephenw10 Netgate Administrator

            https://redmine.pfsense.org/issues/12747

            If you don't normally see that, it implies something was causing one of the other logs to fill and be rotated more frequently than normal, which could be a clue. Looks like every 3hrs, which is not that fast for the default log size. A DDoS attack would log far more, for example.

            Steve
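
An added example, not part of any post in this thread: a Python sketch that measures the restart cadence read off the log above (roughly every 3 hours) and separates the rotation restart pairs from any other sshguard message, which is what would actually warrant review. The sample lines are copied from the first post; the function names and the year passed to the parser are assumptions, since the timestamps carry no year.

```python
import re
from datetime import datetime

# Log lines copied from the first post in this thread (newest first).
SAMPLE = """\
May 15 10:29:00 sshguard 85214 Now monitoring attacks.
May 15 10:29:00 sshguard 22713 Exiting on signal.
May 15 07:38:00 sshguard 22713 Now monitoring attacks.
May 15 07:38:00 sshguard 46068 Exiting on signal.
May 15 04:48:00 sshguard 46068 Now monitoring attacks.
May 15 04:48:00 sshguard 32721 Exiting on signal.
May 15 01:27:00 sshguard 32721 Now monitoring attacks.
May 15 01:27:00 sshguard 42981 Exiting on signal.
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) sshguard (\d+) (.*)$")
START, STOP = "Now monitoring attacks.", "Exiting on signal."

def parse(text, year=2000):
    """Return (time, pid, message) tuples, oldest first.
    The year is an assumption: these timestamps do not carry one."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3)))
    return sorted(events, key=lambda e: e[0])

def analyze(text):
    events = parse(text)
    starts = {pid: ts for ts, pid, msg in events if msg == START}
    stops = {pid: ts for ts, pid, msg in events if msg == STOP}
    # A restart is a timestamp at which one PID stops and another starts.
    restarts = sorted(set(starts.values()) & set(stops.values()))
    gaps = [int((b - a).total_seconds() // 60)
            for a, b in zip(restarts, restarts[1:])]
    # Lifetime in minutes of each PID seen both starting and stopping.
    lifetimes = {p: int((stops[p] - starts[p]).total_seconds() // 60)
                 for p in starts if p in stops}
    # Any other sshguard message is what deserves a closer look.
    other = [e for e in events if e[2] not in (START, STOP)]
    return gaps, lifetimes, other

if __name__ == "__main__":
    gaps, lifetimes, other = analyze(SAMPLE)
    print("minutes between restarts:", gaps)
    print("PID lifetimes (min):", lifetimes)
    print("non-restart sshguard lines:", len(other))
```

Each PID that exits is the one that started at the previous restart, so the gaps equal the process lifetimes; an empty `other` list means the excerpt holds nothing but restart pairs.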
