Shutdown pfSense remotely with a Linux/Bash Script



  • I thought some of you might appreciate this.

    I'm using a UPS which is connected to my home server via USB connection. I wanted to make the home server shutdown my pfSense firewall and my managed switch before powering off the home server itself. It's taken me a couple of hours to work it out, mainly due to CSRF Magic.

    Step 1)
    Set-up a new user with User Manager. Note the user name and password.

    Step 2)
    Give the user the following privilege:
    WebCfg - Diagnostics: Halt system page

    Step 3)
    Take a copy of my script, available from GitHub => https://github.com/biscuitNinja/bash/blob/master/shutdownPfSense and save it on the machine from which you want to run it. Make sure it's set to be executable. I'd suggest not making it world readable.

    Step 4)
    Edit the script changing the first three variables to appropriate values. Obviously the usr and pwd values are those which you noted down in step 1.

    Step 5)
    Test the script.

    As an aside, I have a similar script for backing up my pfSense configuration. In version 2.2.2 that doesn't seem to be protected by CSRF Magic. Is this intentional?


  • Rebel Alliance Developer Netgate

    That's very over-engineered. It'll work, but there are simpler ways like using ssh directly.

    • Add a user
    • Grant user shell access
    • On your home server, generate an ssh key for the user without a passphrase (or, better, figure out a way to use ssh-agent for the client)
    • Paste the public SSH key into the pfSense user's account
    • Install sudo package
    • Grant user sudo access to /etc/rc.halt

    Then just run something like:

    ssh myuser@x.x.x.x sudo /etc/rc.halt

    No hardcoded passwords, a bit more secure, and no csrf/cookie song-and-dance.



  • @jimp So I've done exactly this and it just does not work.

    ssh nsautomate@192.168.1.254 sudo /etc/rc.halt
    sudo: no tty present and no askpass program specified


  • LAYER 8 Global Moderator

    Just tested this, and works exactly how jimp stated..

    Let's see what you did exactly.. Because what I have learned over the years is users say they did X, when it ends up they really did Y.

    You set the "no password" checkbox in sudo, right? And /etc/rc.halt as the command they can run?

    [attachment: testhalt.png]

    [2.4.4-RELEASE][testhalt@pf1.sitea.lan]/home/testhalt: sudo /etc/rc.halt
    Shutdown NOW!
    shutdown: [pid 51717]

    *** FINAL System shutdown message from testhalt@pf1.sitea.lan ***

    System going down IMMEDIATELY

    System shutdown time has arrived
    [2.4.4-RELEASE][testhalt@pf1.sitea.lan]/home/testhalt:

    I didn't bother testing it with just the cmd line for the whole thing, but if you can ssh with the account using a public key and it doesn't ask for a password to run the cmd, then you could send it all at once..
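An added example, not code from the thread or from the GitHub script linked above: a UPS-side wrapper around jimp's ssh approach that runs non-interactively, pins the firewall's host key, and turns the "no tty present" failure reported above into a logged status so a missing NOPASSWD sudoers entry is obvious. PF_HOST, PF_USER, PF_KEY and PF_KNOWN_HOSTS are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread): wrapper for "ssh user@host sudo /etc/rc.halt"
# meant to be called from a UPS event script on the home server.
# The four values below are assumed placeholders; adjust them for your setup.
PF_HOST="${PF_HOST:-192.168.1.254}"
PF_USER="${PF_USER:-nsautomate}"
PF_KEY="${PF_KEY:-/root/.ssh/pfsense_halt_ed25519}"                 # key used only for this job
PF_KNOWN_HOSTS="${PF_KNOWN_HOSTS:-/root/.ssh/pfsense_known_hosts}"  # pinned firewall host key

# Map ssh/sudo output to a short status so the UPS script and its log can tell
# "firewall is halting" from the setup mistakes discussed in this thread.
classify_halt_output() {
    case "$1" in
        *"Shutdown NOW!"*)                echo halting ;;
        *"no tty present"*)               echo sudo-nopasswd-missing ;;
        *"Host key verification failed"*) echo hostkey-mismatch ;;
        *"Permission denied"*)            echo ssh-auth-failed ;;
        *)                                echo unknown ;;
    esac
}

# Run the halt without any interaction: BatchMode=yes stops ssh from prompting
# (a UPS daemon has no tty), StrictHostKeyChecking=yes with a pinned known_hosts
# file refuses any host other than the real firewall, and "sudo -n" fails at
# once instead of hanging on a password prompt if NOPASSWD was not granted.
halt_pfsense() {
    out=$(ssh -o BatchMode=yes \
              -o StrictHostKeyChecking=yes \
              -o UserKnownHostsFile="$PF_KNOWN_HOSTS" \
              -o ConnectTimeout=10 \
              -i "$PF_KEY" \
              "$PF_USER@$PF_HOST" 'sudo -n /etc/rc.halt' 2>&1) || true
    status=$(classify_halt_output "$out")
    logger -t pfsense-halt "$status: $out"   # keep a record on the UPS host
    [ "$status" = halting ]
}

# Only run when executed under this name, so the functions can also be sourced.
if [ "${0##*/}" = "halt_pfsense.sh" ]; then
    halt_pfsense
fi
```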

