API Login Failure Warning... Without an API token active

Hi all,

I’ve run into an odd issue with my main TrueNAS server. The hardware isn’t the problem here, but something to note is that I’m running the official Nginx Proxy Manager container, and have moved the webgui to port 2080 so that it can run on port 80. That may be relevant.

A week or so ago I woke up to the following warning:

4 API login failures in the last 24 hours: (username=truenas_admin,session_id=xxxx-yyyy-zzzz-aaaa-bbbb,address=172.16.2.2) [times 4]

I immediately revoked the API token I was using for my self-hosted dashboard to get basic drive health and alert popups, and assumed my server was compromised. However, on closer inspection, the IP address above was the same as Nginx Proxy Manager, and the session IDs corresponded to active sessions on my desktop PC. Checking the audit log itself revealed the only API token accesses were from my homepage, with no failed authentication attempts. No matter where I checked, I could not find evidence of a failed API authentication attempt, much less four. I chalked it up to my desktop PC having the incorrect time set (which also caused my TOTP codes to be out of sync), and moved on.

Things were fine for a week, but I woke up again today to the same problem:

1 API login failures in the last 24 hours: (username=truenas_admin,session_id=xxxx-yyyy-zzzz-aaaa-bbbb,address=172.16.2.2)

Once again, the same issue. The session ID corresponds to my desktop, the IP is Nginx Proxy Manager, nothing in any audit log or /var/log. However, this time I don’t have any API keys active. After revoking them last time, I never created new ones, and yet I was still getting a failed API authentication error.

This server is not exposed to the internet; it sits behind a firewall and the only way to access it is using a VPN. Besides, these missed authentication events are coming from the same session ID as my desktop, and they’re not even showing up in any logs, just in the notifications. I really have no idea what’s going on.

TL;DR: How can I have an API authentication error, with a session ID matching my desktop PC and an IP matching my own server’s reverse proxy, that doesn’t show up in any logs, without any active API token?

The webui also authenticates to the TrueNAS backend through its API. This may just be a cached browser authentication token that has expired. You can look at the audit entries to see what’s going on.

The issue here is that, while there are audit entries for my desktop with the same session ID as the errors, there are no audit entries that show an API authentication error. The only failed auth attempts I see are with a mistyped password or a TOTP token that was stale; nothing that corresponds to a failed API attempt. But based on your answer this does not sound like a security issue or threat actor?

The TOTP / mistyped password would present as an API login failure. The webui logs into the backend of TrueNAS via its API.


Interesting. I looked closer at my logs and observed the following behavior:

  • When failing to log into TrueNAS for the first time with a new session ID, failures are logged as .UNAUTHENTICATED but do not generate alerts.
  • When failing to log into TrueNAS after a session has been established with the same session ID (i.e. your login timed out in a tab and you fail the password or TOTP challenge when trying to log back in the same tab), failures are logged under your username and API alerts are generated.

With this behavior, the 4 warnings on one day and the 1 warning yesterday can be accounted for in the logs. Thank you for the clarification!
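As an added example (not code from the thread or from TrueNAS), the triage below parses the alert text quoted in this thread and applies the two observations from the last post: a failure tied to an already-established session ID is attributed to the username and alerted, and with no API keys active the failure can only be a webui password/TOTP failure. The session table, proxy address set and API-key list are constructed inputs standing in for what you would pull from the audit log and the reverse-proxy configuration.

```python
import re
from dataclasses import dataclass

# Alert message format as it appears in the TrueNAS notification quoted above.
ALERT_RE = re.compile(
    r"(?P<count>\d+) API login failures? in the last 24 hours: "
    r"\(username=(?P<username>[^,]+),session_id=(?P<session_id>[^,]+),"
    r"address=(?P<address>[^)]+)\)"
)


@dataclass
class ApiLoginAlert:
    count: int
    username: str
    session_id: str
    address: str


def parse_alert(text: str) -> ApiLoginAlert:
    """Extract the fields of an 'API login failures' alert; trailing '[times N]' is ignored."""
    m = ALERT_RE.search(text)
    if m is None:
        raise ValueError("not an API login failure alert")
    return ApiLoginAlert(int(m["count"]), m["username"], m["session_id"], m["address"])


def triage(alert: ApiLoginAlert, known_sessions: dict, proxy_addresses: set,
           active_api_keys: list) -> tuple:
    """Return (verdict, reasons). 'expected-webui-failure' means every field is explained
    by an established browser session behind the reverse proxy; anything else is 'investigate'."""
    reasons = []
    if alert.address in proxy_addresses:
        reasons.append("address is the reverse proxy; the real client IP is hidden behind it")
    else:
        reasons.append("address is not a known proxy; check firewall/VPN logs for this source")
    owner = known_sessions.get(alert.session_id)
    if owner:
        reasons.append(f"session_id is an established webui session ({owner}); failures on an "
                       "established session are logged under the username and alerted")
    else:
        reasons.append("session_id matches no known session; failures on a fresh session would "
                       "normally be logged as unauthenticated, so this one is unexpected")
    if not active_api_keys:
        reasons.append("no API keys active, so the failure must be a webui password/TOTP failure")
    else:
        reasons.append("API keys are active; confirm none of them produced the failure")
    benign = alert.address in proxy_addresses and owner is not None and not active_api_keys
    return ("expected-webui-failure" if benign else "investigate", reasons)
```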