Strange logs on pfSense - most probably somebody has found a way to hack partially the box
-
@stephenw10 said in Strange logs on pfSense - most probably somebody has found a way to hack partially the box:
Because the webgui on the WAN interface was open to the internet.
You can see the requests they were making were all failing because the pages don't exist in pfSense. And even if they guessed an existing page they would not have been able to access it without logging in. But you should never open the webgui to public access.
Sure, it was unintentional. Most probably testing something and the rule was enabled.
The point is the message logged. I have seen those kind of messages only on bugged wordpress php plugins so that's why i openend this discussion.
No idea what kind of requests they have made to trigger it. Tomorrow will check the config of nginx on pfsense if i can see better what is logged.
-
Those logs are expected if you open the webgui to random connection attempts. It's not an indication of any sort of compromise.
You can test it yourself, just try to access some page before you login and you will see those logs:
Apr 5 22:02:16 nginx 2023/04/05 22:02:16 [error] 47504#100318: *72304 open() "/usr/local/www/somenonexistentpage.htm" failed (2: No such file or directory), client: 172.21.16.8, server: , request: "GET /somenonexistentpage.htm HTTP/2.0", host: "4100.stevew.lan"
