Lots of nginx errors in logs after upgrade
-
Whatever it is, I don't like it. I'll see if I can switch my users off Avast and determine whether that makes a difference. I believe they also both use the same VPN service, but I don't know which one offhand. I'll ask them about that too. Does anyone else seeing these log entries use a VPN service?
-
My VPN comment was a red herring; I don't want to waste anyone's time. I can confirm that both of the machines exhibiting this behavior on my network were running Avast. Whatever it is, Avast seems to be somehow responsible.
-
My VPN comment was a red herring; I don't want to waste anyone's time. I can confirm that both of the machines exhibiting this behavior on my network were running Avast. Whatever it is, Avast seems to be somehow responsible.
At the same time, users who run such things as Avast generally require them for a reason; in other words, the workstation might encounter objects which are specifically designed to create havoc, in one way or another.
The type of behavior in the above logs could easily be reconciled with destructive behavior and, as well, would more than likely flag many different means of intrusion prevention.
Just think of the chatter this is clogging the network up with alone.
/spork on standby
-
Avast has lots of modules, you can enable/disable them one by one. Moreover, when you install Avast (free edition), you can choose during setup which modules you want to install. I always use only the "File protection" module, I don't even install the rest…
-
Here's another crumb of information explicitly linking Avast to nefarious-looking activity logged in pfSense: https://www.reddit.com/r/PFSENSE/comments/2s40uz/pfsense_ca/cnm4x87 Specifically:
Turns out my gf's laptop has Avast and its "home network security" module runs exploit tests against your network, which can look bad
I should also clarify that this activity is far from constant. Rather, it seems to occur periodically at roughly 24 hour intervals. I'm going to see if I can have my users disable Avast's "Home Network Security" module and will report back whether the activity still occurs.
-
Just wanted to report back that it's definitely Avast. Disabling the Home Network Security module eliminates the log entries in pfSense.
-
Interesting, thanks for the feedback. What a dumb feature. Like scanning your gateway IP daily for old versions of openwebmail among a variety of other things you'll almost certainly never find on a gateway is doing anything useful.
-
@cmb:
Interesting, thanks for the feedback. What a dumb feature. Like scanning your gateway IP daily for old versions of openwebmail among a variety of other things you'll almost certainly never find on a gateway is doing anything useful.
I guess they are attempting to find potential vulnerabilities on typical home routers, where people would have their TP-Link, D-Link, NetGear… home device with old firmware and never realize that it is now open to some (external or internal) attack vector. Of course then there is the question "what can the home user do about it?" - after a couple of [months|years] the manufacturers stop putting out new firmware to close security holes. So the home user is stuck with their perfectly good hardware but out-of-date firmware, and AVAST will tell them about it every week.
-
I guess they are attempting to find potential vulnerabilities on typical home routers, where people would have their TP-Link, D-Link, NetGear… home device with old firmware and never realize that it is now open to some (external or internal) attack vector. Of course then there is the question "what can the home user do about it?" - after a couple of [months|years] the manufacturers stop putting out new firmware to close security holes. So the home user is stuck with their perfectly good hardware but out-of-date firmware, and AVAST will tell them about it every week.
True, if it were doing something that looked like it was trying to identify a vulnerable router, I'd understand. That might be a useful feature for typical home users (though yeah, as you noted, they probably wouldn't have any idea what to do if it detected a problem). But I don't think it's looking for anything you'd find on any router. Looks like things that are specific to web servers only, and a short list of uncommon things at that.
-
They haven't really thought through the value and practicality of that feature. Instead of helping to find any real threats it is going to cause more people to freak out because there's an unknown scanner probing at multiple hosts on the local network for seemingly random web pages just like a real malware would be.
-
@kpa:
They haven't really thought through the value and practicality of that feature. Instead of helping to find any real threats it is going to cause more people to freak out because there's an unknown scanner probing at multiple hosts on the local network for seemingly random web pages just like a real malware would be.
I would like to know what exact version is being used which is probing ports and directories; if anyone can supply me with this info, that would be great. I want to see this for myself. Before I find a gator.
Here is a thought about such probing: considering what has been shown here as far as the locations scanned, any basic server admin would have preventative measures in place to prevent such activities, even if it's only fail2ban, rendering the utility useless.
-
I'll check with my users, but I think they're running the latest release (and I'm sure this feature is in the latest release), which seems to be 11.2.2262.
-
I have the same problem, and I have win7, using Firefox 64bit, and I have avast antivirus installed.
So what's the conclusion on this matter? If it's Avast antivirus that's doing the scanning, can it be considered normal or is a clean install of pfSense recommended? Also, is nginx a legit part of the pfSense install? Or how did this end up on my pfSense?
-
Everything so far says that it is in fact Avast that does the scanning. See if you can turn off the module/service in Avast that does the scanning. Yes, Nginx is now the web server in pfSense that implements the webgui and other related services. It used to be lighttpd in pfSense 2.2.* but was changed for 2.3.*.
-
Interesting how this just started to be noticed in the logs. Or no one has bothered to look before now in this scenario.
-
I can confirm that you can disable this module in Avast - they call it Home Networking Security - and the log entries stop. I wish I could provide detailed steps, but I don't run it myself and I was unable to easily find steps to do so. I only know it's responsible because I had one of my users turn it off. I'd bet it's fairly straightforward in the GUI though.
-
By the way, is this nginx program written as opensource?
-
By the way, is this nginx program written as opensource?
http://nginx.org/en/
Yes it is.
-
I can confirm that you can disable this module in Avast - they call it Home Networking Security - and the log entries stop. I wish I could provide detailed steps, but I don't run it myself and I was unable to easily find steps to do so. I only know it's responsible because I had one of my users turn it off. I'd bet it's fairly straightforward in the GUI though.
Sounds as if I'll be needing that crocodile.
Thanks for confirming.
-
Interesting how this just started to be noticed in the logs. Or no one has bothered to look before now in this scenario.
Before 2.3, the 404 logs from the web GUI's web server went to /dev/null. So I'm sure it was happening for quite some time, people just didn't have the logs to notice until more recently.
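The thread's diagnosis rests on two observations: a LAN host produces short runs of 404s for paths no gateway serves, and those runs recur at roughly 24 hour intervals. Below is an added example (not code from the thread, pfSense or Avast) that turns those observations into a check over nginx access-log lines; it assumes the standard nginx "combined" log format and a constructed sample log, since the thread does not reproduce pfSense's actual log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" access-log format (assumption: pfSense's own log layout may differ).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample: one LAN host fires a run of 404s twice, ~24h apart; another host has one stray 404.
SAMPLE_LOG = """\
192.168.1.23 - - [10/May/2016:09:15:00 +0000] "GET /openwebmail/ HTTP/1.1" 404 169 "-" "-"
192.168.1.23 - - [10/May/2016:09:15:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 169 "-" "-"
192.168.1.23 - - [10/May/2016:09:15:01 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "-"
192.168.1.50 - - [10/May/2016:12:30:00 +0000] "GET /nosuchpage HTTP/1.1" 404 169 "-" "Mozilla/5.0"
192.168.1.23 - - [11/May/2016:09:16:10 +0000] "GET /openwebmail/ HTTP/1.1" 404 169 "-" "-"
192.168.1.23 - - [11/May/2016:09:16:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 169 "-" "-"
192.168.1.23 - - [11/May/2016:09:16:11 +0000] "GET /admin/ HTTP/1.1" 404 169 "-" "-"
"""

def parse(log_text):
    """Yield (ip, timestamp, path, status) for each line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            path = m["req"].split(" ")[1] if " " in m["req"] else m["req"]
            yield m["ip"], ts, path, int(m["status"])

def find_404_bursts(records, min_hits=3, window=timedelta(seconds=60)):
    """Per client IP, group 404s into bursts; return {ip: [(burst_start, sorted paths), ...]}."""
    per_ip = defaultdict(list)
    for ip, ts, path, status in sorted(records, key=lambda r: r[1]):
        if status == 404:
            per_ip[ip].append((ts, path))
    bursts = {}
    for ip, hits in per_ip.items():
        groups = [[hits[0]]]
        for hit in hits[1:]:
            if hit[0] - groups[-1][0][0] > window:  # too far from this burst's first hit
                groups.append([])
            groups[-1].append(hit)
        kept = [(g[0][0], sorted({p for _, p in g})) for g in groups if len(g) >= min_hits]
        if kept:
            bursts[ip] = kept
    return bursts

def periodic_scanners(bursts, period=timedelta(hours=24), tolerance=timedelta(minutes=30)):
    """IPs whose bursts recur roughly `period` apart: the pattern reported for the Avast module."""
    def regular(runs):
        gaps = [b[0] - a[0] for a, b in zip(runs, runs[1:])]
        return bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)
    return sorted(ip for ip, runs in bursts.items() if regular(runs))
```

A flagged host is only a candidate; the thread's own confirmation step (disable the Home Network Security module and watch whether the bursts stop) is still what settles it.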