Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Investigating how did I locked myself out of pfsense

    Scheduled Pinned Locked Moved General pfSense Questions
    11 Posts 3 Posters 571 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      scotrod
      last edited by

      Greetings,

      I have pfsense 24.11 VM acting as my router and FW for ~2 years now. Few days ago I was setting OpenVPN and ntopng, and while doing so, I locked myself out of the web interface. This happened shortly after installing ntopng, setting the admin password (for ntopng, not for pfsense) and observing the collected data. Suddendly, I couldn't logon to the dashboard from my PC, so I tried logging in from my smartphone, again, without success.

      I rebooted the system, and I still couldn't logon. So what I did was to reset the admin password from the console access I had (pfsense is hosted on my esxi home server).

      I started checking OpenVPN logs - nothing unusual besides my own logons. I went and checked the Configuration History. This is where it gets interesting, since the last two events before the event that I generated while reseting the admin account password from console are marked as "Unknown" (refer to the attached screenshot)screenshot.png

      I enabled SSH access and downloaded the whole /var/log directory so I can investigate this further. I opened an old config of mine to check the hash of the admin password. Unfortunately, the format was different on my old config (sha512-hash) while the new one seems to be bcrypt-hash.

      I further checked the system.log downloaded from pfsense and noticed that both my PC and smartphone had been blocked by pfsense, noted in the following events:

      Jan  7 12:14:22 PFSENSE_HOSTNAME php-fpm[88815]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.2.32
Jan  7 12:14:22 PFSENSE_HOSTNAME sshguard[45238]: Attack from "192.168.2.32" on service unknown service with danger 10.
Jan  7 12:14:26 PFSENSE_HOSTNAM Ephp-fpm[88815]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.2.32
Jan  7 12:14:26 PFSENSE_HOSTNAME sshguard[45238]: Attack from "192.168.2.32" on service unknown service with danger 10.
Jan  7 12:14:31 PFSENSE_HOSTNAME php-fpm[91835]: /index.php: webConfigurator authentication error for user 'admin' from: 192.168.2.32
Jan  7 12:14:31 PFSENSE_HOSTNAME sshguard[45238]: Attack from "192.168.2.32" on service unknown service with danger 10.
Jan  7 12:14:31 PFSENSE_HOSTNAME sshguard[45238]: Blocking "192.168.2.32/32" for 120 secs (3 attacks in 9 secs, after 1 abuses over 9 secs.)

      I have also checked all events from 12:06 (the first change marked as "Unkown" until 12:36 (the admin account password reset that I did). Besides some noise, here is the only notable event:

      Jan  7 12:07:17 PFSENSE_HOSTNAME php-fpm[72992]: /pkg_edit.php: Configuration Change: 
Jan  7 12:07:17 PFSENSE_HOSTNAME check_reload_status[542]: Syncing firewall

      It looks like I haven't entered the correct password, which I am quite sure is not true, as I've been using that password for quite a lot of time on this device.

      Unfortunately I no longer have access to all of the config changes I have screenshotted, because I had the default limiter of 30, and I didn't downloaded them all back then.

      Is there anything further that I can look up to?

      Thanks.

      stephenw10S 1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator @scotrod
        last edited by

        Check the config diffs for each change in the history. See if it's actually setting a different password somewhere.

        Also I assume you were able to access the login screen still? Just unable to login successfully there?

        S 1 Reply Last reply Reply Quote 0
        • S Offline
          scotrod @stephenw10
          last edited by

          @stephenw10 Hey and thanks for the suggestion.

          Unfortunately the default limiter of 30 that I had left had already rotated so I no longer can do these cross-checks directly on pfsense. Luckily, in the heat of the situation back then I downloaded 3 configs around the "Unknown" changes.

          The bcrypt-hash values from the 3 versions were different. That got me worried additionally, because neither of them had the same values as my current hash value. This was unexpected, because when I did the PW reset, I pasted the same old password. So, I expected the same hash value. I have it-tools installed locally so I was able to cross check my password against the two set of hash values - success. I guess what happened is that every time PW reset/change is done, the hash is salted. Or at least that would explani the difference.

          Now for the real problem. I grabbed the three hash values, and cross-checked them versus the OpenVPN user PW that I set that day - again, success. What happened was that I resetted my admin account PW, instead of my VPN user PW (that was not vanilla VPN setup. I had that an year ago, I just disabled it and now re-enabled it).

          TL;DR: Wrong account PW reset.

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Ah, OK so you think you just set the wrong account rather than some backend bug?

            S 1 Reply Last reply Reply Quote 0
            • S Offline
              scotrod @stephenw10
              last edited by scotrod

              That would be the simplest solution, yes. The two account fields are next to each other, so it's completely possible that I clicked on the admin account menu, instead of my VPN user. That, plus the fact that I compared the bcrypt-hash from the admin account, with the password value from my own VPN account, and they matched. I really do think what happened was a simple user error.

              I think the last piece of the puzzle would be someone to confirm whether the b-crypt-hash value is supposed to be different every time one changes account password, even if the new password is the same as the old one.

              1 Reply Last reply Reply Quote 0
              • stephenw10S Offline
                stephenw10 Netgate Administrator
                last edited by

                bcrypt includes salting so I'd expect a different hash every time it is generated even from the same password.

                S 1 Reply Last reply Reply Quote 0
                • S Offline
                  scotrod @stephenw10
                  last edited by scotrod

                  That settles is then. The only thing that's bugging me, is that 30 row config history doesn't include the password change for my admin account.

                  I just changed my admin password (again, to my old password) and the following entry was populated in the config history
                  322a475d-a04f-4273-8025-fa99b9fa4f1f-image.png

                  This is not visible in my previous history, and the simplest explination again would be rotation. I may have done that change before the earliest visible event (10:09:36). Are you aware of changing the admin PW from the web interface gets logged anywhere? That would solve it.

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    I'd certainly expect it to be shown like that because you are editing the admin user. The page is correctly setup to pass a config change string so it is logged.

                    'Unknown' is shown when a page/script does not pass a string back to the config write.

                    S 1 Reply Last reply Reply Quote 0
                    • S Offline
                      scotrod @stephenw10
                      last edited by

                      Thanks. Is that event logged somewhere? I pulled all the logs from /var/log so if its logged, I could find the exact event.

                      S 1 Reply Last reply Reply Quote 0
                      • JonathanLeeJ Offline
                        JonathanLee
                        last edited by

                        I see unknown when you make changes to packages sometimes.

                        Make sure to upvote

                        1 Reply Last reply Reply Quote 0
                        • S Offline
                          scotrod @scotrod
                          last edited by scotrod

                          Okay, as expected, this event is tracked in the system.log. After resetting the admin password today, I checked and can confirm that event is recorded there. Unfortunately I couldn't find such event in my previous logs. Log retention is not a problem since the system.log goes back to Oct'24.

                          That really doesn't make sense, because at some point I had different admin password. The hash proves it (I compared one of the hashes from my admin password with the password of my other VPN user. This is where I accidentally changed the admin PW instead of my VPN user PW; so, for a short period of time my admin password had the password of my VPN user). At the end there may be a backend bug here. I had a different admin password at some point and I'm not seeing any notable events at least in the system.log

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.