Netgate Discussion Forum

Shutdown pfSense remotely with a Linux/Bash Script

  • A
    afasoas
    last edited by Oct 18, 2015, 5:43 PM

    I thought some of you might appreciate this.

    I'm using a UPS which is connected to my home server via USB connection. I wanted to make the home server shut down my pfSense firewall and my managed switch before powering off the home server itself. It's taken me a couple of hours to work it out, mainly due to CSRF Magic.

    Step 1)
    Set-up a new user with User Manager. Note the user name and password.

    Step 2)
    Give the user the following privilege:
    WebCfg - Diagnostics: Halt system page

    Step 3)
    Take a copy of my script, available from GitHub => https://github.com/biscuitNinja/bash/blob/master/shutdownPfSense and save it on the machine from which you want to run it. Make sure it's set to be executable. I'd suggest not making it world readable.

    Step 4)
    Edit the script changing the first three variables to appropriate values. Obviously the usr and pwd values are those which you noted down in step 1.

    Step 5)
    Test the script.

    As an aside, I have a similar script for backing up my pfSense configuration. In version 2.2.2 that doesn't seem to be protected by CSRF Magic. Is this intentional?

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Oct 20, 2015, 2:48 PM

      That's very over-engineered. It'll work, but there are simpler ways like using ssh directly.

      • Add a user
      • Grant user shell access
      • On your home server, generate an ssh key for the user without a passphrase (or, better, figure out a way to use ssh-agent for the client)
      • Paste the public SSH key into the pfSense user's account
      • Install sudo package
      • Grant user sudo access to /etc/rc.halt

      Then just run something like:

      ssh myuser@x.x.x.x sudo /etc/rc.halt
      

      No hardcoded passwords, a bit more secure, and no csrf/cookie song-and-dance.

      • A
        automate @jimp
        last edited by Aug 3, 2019, 12:31 PM

        @jimp So I've done exactly this and it just does not work.

        ssh nsautomate@192.168.1.254 sudo /etc/rc.halt
        sudo: no tty present and no askpass program specified

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz Aug 3, 2019, 1:53 PM Aug 3, 2019, 1:50 PM

          Just tested this, and works exactly how jimp stated..

          Let's see what you did exactly.. Because what I have learned over the years is users say they did X, when it ends up they really did Y.

          You set in sudo for no password checkbox right? and /etc/rc.halt as the command they can run

          testhalt.png

          [2.4.4-RELEASE][testhalt@pf1.sitea.lan]/home/testhalt: sudo /etc/rc.halt
          Shutdown NOW!
          shutdown: [pid 51717]
                                                                                         
          *** FINAL System shutdown message from testhalt@pf1.sitea.lan ***            
          
          System going down IMMEDIATELY                                                  
          
                                                                                         
          
          System shutdown time has arrived
          [2.4.4-RELEASE][testhalt@pf1.sitea.lan]/home/testhalt: 
          

          I didn't bother testing it with just cmd line for the whole thing, but if I can ssh with the account using public key and it doesn't ask me for password to run the cmd, then I could send it all at once..

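A wrapper for the home-server side of the SSH approach described above, as an added example that is not code from any poster or from pfSense. It refuses a passphrase-less key whose file mode is loose, never prompts, and maps the `no tty present` error seen in the thread to the step to re-check; `PF_HOST`, `PF_USER`, `PF_KEY` and `SSH_BIN` are assumed names.

```shell
#!/bin/sh
# Added example, not code from the thread. PF_HOST, PF_USER and PF_KEY are
# placeholders; SSH_BIN exists only so the call can be stubbed in a dry run.
PF_HOST="${PF_HOST:-192.0.2.1}"
PF_USER="${PF_USER:-upshalt}"
PF_KEY="${PF_KEY:-$HOME/.ssh/pfsense_halt}"
SSH_BIN="${SSH_BIN:-ssh}"

# A passphrase-less key is protected only by its file mode: accept it only
# when group and others have no access at all (e.g. 600 or 400).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the stderr of a failed attempt to the step of the procedure to re-check.
explain_failure() {
    case "$1" in
        *"no tty present"*|*"a password is required"*)
            echo "sudo wants a password: allow /etc/rc.halt without one for this user" ;;
        *"Permission denied"*)
            echo "key rejected: check the public key stored on the pfSense user" ;;
        *"Host key verification failed"*)
            echo "unknown host key: connect once by hand and verify the fingerprint" ;;
        *) echo "unclassified: $1" ;;
    esac
}

# Run the halt without any prompt: BatchMode makes ssh fail instead of asking,
# and sudo -n makes sudo fail instead of asking.
halt_pfsense() {
    key_is_private "$PF_KEY" || { echo "refusing key with loose mode: $PF_KEY" >&2; return 2; }
    err=$("$SSH_BIN" -i "$PF_KEY" -o BatchMode=yes -o IdentitiesOnly=yes \
        -o StrictHostKeyChecking=yes -o ConnectTimeout=10 \
        "$PF_USER@$PF_HOST" sudo -n /etc/rc.halt 2>&1 >/dev/null) && return 0
    explain_failure "$err" >&2
    return 1
}

# Only act when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--halt" ]; then halt_pfsense; fi
```

Call it with `--halt` from the UPS daemon's shutdown hook, before the home server powers itself off.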
          • H
            happynewguy
            last edited by Jul 25, 2021, 10:52 AM

            Many many thanks for this tutorial!
