Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfsense 2.6 attack? ngix failed (2: No such file or directory) from unknown client

    Scheduled Pinned Locked Moved Firewalling
    7 Posts 2 Posters 973 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      vez727
      last edited by

      Hi, just noticed A LOT of entries like the following in my system log from unknown external clients. It looks like someone is running a scanner of some sort...my IP is "216.181.xxx.xxx". Clients have different IP's and they keep trying to get the same files over and over.

      Is there anything i need to worry about or check to make sure they don't get in?

      May 3 02:22:08 nginx 2023/05/03 02:22:08 [error] 85788#100550: *674758 open() "/usr/local/www/portal/redlion" failed (2: No such file or directory), client: 192.241.236.34, server: , request: "GET /portal/redlion HTTP/1.1", host: "216.181.xxx.xxx"
      May 3 02:22:40 nginx 2023/05/03 02:22:40 [error] 85715#100509: *674789 open() "/usr/local/www/actuator/health" failed (2: No such file or directory), client: 192.241.223.29, server: , request: "GET /actuator/health HTTP/1.1", host: "216.181.xxx.xxx"
      May 3 05:55:36 nginx 2023/05/03 05:55:36 [error] 85788#100550: *687582 "/usr/local/www/geoserver/web/index.php" is not found (2: No such file or directory), client: 64.62.197.58, server: , request: "GET /geoserver/web/ HTTP/1.1", host: "216.181.xxx.xxx"
      May 3 06:11:40 nginx 2023/05/03 06:11:40 [error] 85788#100550: *688545 open() "/usr/local/www/boaform/admin/formLogin" failed (2: No such file or directory), client: 87.121.221.49, server: , request: "POST /boaform/admin/formLogin HTTP/1.1", host: "216.181.xxx.xxx:80", referrer: "http://216.181.xxx.xxx:80/admin/login.asp"
      May 3 06:23:33 nginx 2023/05/03 06:23:33 [error] 85788#100550: *689270 open() "/usr/local/www/client/get_targets" failed (2: No such file or directory), client: 159.65.8.169, server: , request: "GET /client/get_targets HTTP/1.1", host: "216.181.xxx.xxx"
      May 3 06:23:34 nginx 2023/05/03 06:23:34 [error] 85788#100550: *689273 "/usr/local/www/geoip/index.php" is not found (2: No such file or directory), client: 159.65.8.169, server: , request: "GET /geoip/ HTTP/1.1", host: "216.181.xxx.xxx"

      I scanned through the topics and didn't find anyone else reporting the same issue externally. Thanks for any guidance/help.

      M 1 Reply Last reply Reply Quote 0
      • M
        michmoor LAYER 8 Rebel Alliance @vez727
        last edited by

        @vez727 Do you have your pfsense GUI exposed to the internet?
        Post both any floating rules and your WAN rules

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        V 1 Reply Last reply Reply Quote 0
        • V
          vez727 @michmoor
          last edited by

          @michmoor thanks for helping...

          Screen Shot 2023-05-03 at 5.08.36 PM.png

          Screen Shot 2023-05-03 at 5.10.26 PM.png

          M 1 Reply Last reply Reply Quote 0
          • M
            michmoor LAYER 8 Rebel Alliance @vez727
            last edited by

            @vez727 Your allow OpenVPN rule is permitting all sources to connect to your firewall on all ports....Please modify this rule ASAP.
            Put destination port "1154" for example or whatever port you are using for OpenVPN.

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise

            V 1 Reply Last reply Reply Quote 0
            • V
              vez727 @michmoor
              last edited by

              @michmoor. FIXED. THANKS.

              Should I install pfBlockerNG

              M 1 Reply Last reply Reply Quote 0
              • M
                michmoor LAYER 8 Rebel Alliance @vez727
                last edited by

                @vez727 One of the use cases for pfBlockerNG would be to do GeoIP blocking. So if you have a service such as OpenVPN thats accessible from the internet, you can create GeoIP rules that limit from what countries an OpenVPN connection can come from. Not fool proof as anyone can spoof an IP or use Tor or a VPN service to come in from your allowed countries but at least it slows people down.

                Moral of the story here: Please please please do not expose your WAN address on port 80/443 to the internet.....

                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                Routing: Juniper, Arista, Cisco
                Switching: Juniper, Arista, Cisco
                Wireless: Unifi, Aruba IAP
                JNCIP,CCNP Enterprise

                V 1 Reply Last reply Reply Quote 0
                • V
                  vez727 @michmoor
                  last edited by

                  @michmoor Yeah...i can't believe i missed that, I received a new modem from my provider a month ago and changed my setup...before I simply had the old modem as my first level as defence with everything blocked.

                  THANKS AGAIN!

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.