Plex mdlna offline

[marcevan]

Posting in plugins for now, but could be networking...

Getting this in my security emails:

>pid 99426 (Plex DLNA Server), uid 972: exited on signal 3

along with

>pid 99415 (python), uid 972: exited on signal 3
>pid 69533 (Plex Media Scanner), uid 972: exited on signal 6

9.2.1.2 has been getting progressively worse as days go on:
1. Transmission suddenly gets a 500 error and cannot turn off plugin nor see in Plugins tree
2. Multiple network issues like the Plex one for jails

> ifa_del_loopback_route: deletion failed
> Freed UMA keg (udp_inpcb) was not empty (20 items). Lost 2 pages of memory.
> Freed UMA keg (udpcb) was not empty (336 items). Lost 2 pages of memory.
> Freed UMA keg (tcptw) was not empty (100 items). Lost 2 pages of memory.
> Freed UMA keg (tcp_inpcb) was not empty (20 items). Lost 2 pages of memory.
> Freed UMA keg (tcpcb) was not empty (16 items). Lost 4 pages of memory.
> hhook_vnet_uninit: hhook_head type=1, id=1 cleanup required
> hhook_vnet_uninit: hhook_head type=1, id=0 cleanup required
> epair4a: link state changed to DOWN
> epair4b: link state changed to DOWN
> epair2a: Ethernet address: 02:48:45:00:0c:0a
> epair2b: Ethernet address: 02:48:45:00:0e:0b
> epair2a: link state changed to UP
> epair2b: link state changed to UP
> epair2a: promiscuous mode enabled

 

[dlavigne]

Does the system happen to have Intel i217LM NIC, using the em driver?

 

[marcevan]

I'll check tonight... I don't permit SSH to my freenas (you should see the security log when I do!) but it's definitely an Intel PCI-e NIC.

 

[cyberjock]

I'll check tonight... I don't permit SSH to my freenas (you should see the security log when I do!) but it's definitely an Intel PCI-e NIC.

Umm.. why is that? FreeNAS should NEVER face the internet so you should not ever have a problem with SSH. The fact that your security log has any problems when you enable SSH tells me you have bigger networking configuration problems than you realize...

 

[marcevan]

Intel NIC model is:


EXPI9301CTBLK


Now I do not do ssh, because in a week that it was on, the morning email security had about 1000 lines of attacks from various IPs trying to login with failed password. That was daily. Why expose my server to that?

Moreover, I had to delete Plex as the upgrade failed and I just downloaded the newer one, and it's up and running...so far.

 

[gpsguy]

Is your FreeNAS server wide open to everyone on the Internet?



Sent from my phone

 

[marcevan]

I doubt it. I have no port forwarding to it, the main IP of the freeNAS machine.

I give it a static IP from my router, and the router has some firewall and basic security features.

CIFs is given to IP addresses only, as is NFS and those machines are firewalled pretty good and internal on same network.

Would be interested to hear if you have some specifics to share on buttoning it up more.

 

[gpsguy]

If the SSH attacks were coming from IP's outside your network, it sounds like you are allowing SSH through your firewall/router.

Check to see if firmware updates are available for your router. A piece of malware named TheMoon was recently discovered.


Sent from my phone

 

[marcevan]

I'll turn off ssh at the router for sure and see if there's firmware. It's Verizon Fios, so maybe.

 

[cyberjock]

Is your FreeNAS server wide open to everyone on the Internet?

That's a definite affirmative.

I doubt it. I have no port forwarding to it, the main IP of the freeNAS machine.

There is no doubt.. your system WAS available to the world. Frankly, I'm surprised you didn't immediately stop and ask yourself WTF was going on. Anyone that has even a conscience with regards to network security should have been asking themselves 'WTF is going on!?'.

If the SSH attacks were coming from IP's outside your network, it sounds like you are allowing SSH through your firewall/router.

Exactly.. You just stated again what I had already determined. The box was absolutely available to the internet. ;)

 

[gpsguy]

My response was to emphasize what you'd already said and an effort to get the OP to see the obvious.

Exactly.. You just stated again what I had already determined

Sent from my phone

 

[marcevan]

Home now. Checking FIOS Router. There is zero enablement of remote access or administration and ssh is off.

Security logs show no intrusion attempts for last 30 days. Firewall is at maximum.

So how is it when I enable SSH on my freenas I get tons of failed passwords from outside IPs?

 

[cyberjock]

Home now. Checking FIOS Router. There is zero enablement of remote access or administration and ssh is off.

Security logs show no intrusion attempts for last 30 days. Firewall is at maximum.

So how is it when I enable SSH on my freenas I get tons of failed passwords from outside IPs?

Not a clue. That's a question you're going to have to solve by testing your hardware and firewall settings. Clearly though, something is horribly wrong with your firewall if you enable SSH and without forwarding a port you start getting failed attempts to access the server.

Frankly, this sounds like a bigger problem as your other machines on the network may not be as protected by your firewall as you might think.

 

[panz]

Home now. Checking FIOS Router. There is zero enablement of remote access or administration and ssh is off.

Security logs show no intrusion attempts for last 30 days. Firewall is at maximum.

So how is it when I enable SSH on my freenas I get tons of failed passwords from outside IPs?

Your security logs show "no intrusion attempts" because they're considering those attempts legitimate. You've an open network, man! :)

 

[Yatti420]

You must have SSH forwarded to the NAS box or something.. You only see those ssh messages when you have an internet facing NAS.. It's one of the reasons I installed denyhosts in a jail.. Probably even more messages if you use the standard ssh port..

If you point freenas to the outside world it's a completely different game and could open you up to security issues.. That's why it's not advised..

 

[marcevan]

I appreciate all the responses, but I don't see much in the way of concrete "check this" or "do this".

There is no ssh port forwarded from my router to my freenas box. Not now, not ever. When I had ssh on in the past I only accessed it within the LAN, never outside.

I know my router's public IP address, and I cannot ssh to it, telnet to it, sftp to it, etc.

I have a couple of port forwards for plugins (plex, transmission), but thats for their jails, not the freeNAS box IP.

I think we seriously need a "Security" forum.

 

[panz]

I don't know your network configuration, so let's start some checks because you didn't provide much information. Please:

1) describe your network (WAN, LAN, associated IPs, DHCP, etc.);

2) post (using the "code" button in the formatting bar) the output of your firewall state table;

 

[marcevan]

Thanks Panz.

I can give you the basics now, then when home follow up on the firewall state table.

WAN: FIOS internet gives me a public IP address; I use no-ip to forward some webcams and in the router I port forward those to the webcams. They are all wired cams. I have repeatedly tried telnet, ssh, sftp, http to get to that IP address and I always get denied or timed out. Validates when I am home and see no ports for remote access are open on the router.

LAN: I use 192.168.1.0/254 and reserve everything .2 - .60 for wired connections, and DHCP begins at .61 for ipads and phones and guests. Most of my house is wired from FIOS router to HTPC (win 7 pro 64), one camera, and one long ethernet drop to a basement switch where I hard wire a camera, 3 PCs, a printer, a VOIP box, and the freeNAS box. There's also an ethernet drop upstairs from FIOS router to a smaller switch where there's one wired PC.

Port forwarding. I do some cameras as mentioned above and freeNAS jails get some for transmission and for PLEX.

So I'll followup with firewall state table tonight below here...

 

[gpsguy]

You might want to run a port scan against your public IP address. NMAP is a great tool. Either install it on a machine or boot a Live CD like Knoppix and run it.


Sent from my phone

 

[panz]

Thanks Panz.

I can give you the basics now, then when home follow up on the firewall state table.

WAN: FIOS internet gives me a public IP address; I use no-ip to forward some webcams and in the router I port forward those to the webcams. They are all wired cams. I have repeatedly tried telnet, ssh, sftp, http to get to that IP address and I always get denied or timed out. Validates when I am home and see no ports for remote access are open on the router.

LAN: I use 192.168.1.0/254 and reserve everything .2 - .60 for wired connections, and DHCP begins at .61 for ipads and phones and guests. Most of my house is wired from FIOS router to HTPC (win 7 pro 64), one camera, and one long ethernet drop to a basement switch where I hard wire a camera, 3 PCs, a printer, a VOIP box, and the freeNAS box. There's also an ethernet drop upstairs from FIOS router to a smaller switch where there's one wired PC.

Port forwarding. I do some cameras as mentioned above and freeNAS jails get some for transmission and for PLEX.

So I'll followup with firewall state table tonight below here...

So, just to be sure: you typed 192.168.1.0/254 - you meant /24 right?

@gpsguy suggested a scan with Nmap, which is difficult to use in my opinion. Let's try a basic and simple remote scan done by Steve Gibson "ShieldsUp!" utility. Go to

https://www.grc.com/x/ne.dll?bh0bkyd2

accept by clicking the gray button "Proceed"

and do some tests like file sharing, common ports, all service ports and finally choose the big orange box at the top of the page named "GRC's Instant UPnP Exposure Test".

Then post the results here.