System Log Settings
-
Running v24.03
In System Log settings -> Local logging, Disable writing to local disk, there is a warning "This will also disable Login Protection!"
Exactly what is that warning referring to? How does not writing logs to pfSense box disable login protection?
I'm trying to minimize writes to my SG-5100 and am writing logs to a remote device so I would like to disable the local logging but I cannot find any specific reference to exactly what this means. I searched the docs and didn't see anything.
thanks
-
@JonH per https://docs.netgate.com/pfsense/en/latest/monitoring/logs/settings.html
"When checked, local logs are not retained. They are not written to disk nor are they kept in memory. While this saves on disk writes, it necessitates the use of remote logging so that information is not lost."
I would assume, there is nothing for the login protection process to monitor for failed logins.
How minimized (writes)? A RAM disk will help quite a lot, as will not logging a few standard things like logging the default block rules or IGMP blocks, or various package log settings.
-
@SteveITS said in System Log Settings:
A RAM disk will help quite a lot
My 5100 has 4MB memory and I typically am at 50% usage but I suppose it goes higher now and then. When my eMMC failed I installed an M.2 SATA. Could I use part of the M.2 for a RAM disk?
And the check box for local logging says "WARNING: This will also disable Login Protection!" This is what I am asking about. What login protection am I disabling?
-
@JonH it's this:
https://docs.netgate.com/pfsense/en/latest/config/advanced-admin.html#login-protection
It looks at the logs but if there are no logs it can't find any login attempts.
Of course that would usually be on internal interfaces since you don't want to expose pfSense on WAN.
re: RAM disk, if you have an SSD I would not worry much about writes. Netgate has a list of packages with high disk writes, https://www.netgate.com/supported-pfsense-plus-packages. You can use a RAM disk...its size depends on what you're doing. For our clients on a 4 GB router we usually set 512 and 1024 MB for tmp and var, and they are usually way less. Other usage may be different, for instance the UT1 adult feed in pfBlocker takes over 1 GB to extract. In recent pfSense versions the RAM disk is not preallocated in memory.
-
@SteveITS thanks, I need to review that advanced admin doc. Simply searching the docs for login protection didn't get any hits and so I came here. This is exactly what I was looking for.
-
@JonH said in System Log Settings:
Disable writing to local disk, there is a warning " This will also disable Login Protection
See here : System > Advanced > Admin Access and scroll down to
These settings control the process "sshguard" :
sshguard reads the logs - for example the authentication log, for failed login attempts.
If there are 'too many', then the offending IP is added to an alias, and this alias is used in a blocking firewall rule.
You have a 5100, and you've MAXimized it, don't bother protecting the SSD drive.
I've chosen the 4100 MAX version for the same reason :
Lots of log space, if needed, as a detailed log over a xx days span is part of the security : logs show what happens to the system. I also remote 'syslog' my logs, for backup purposes, to a NAS.
A big SSD also permits you to use the ZFS based "System > Boot Environments" which will eliminate 99.9 % of all update / upgrade issues. It will also permit you to test settings, and if needed, to go back to the previous state with 'one click'.
@JonH said in System Log Settings:
Could I use part of the m2 for a ram disk
Like swap memory ? Disk storage access time is more than a thousand times slower than RAM access. Imho : never ever use that method.
But I get it : You've lost a 'disk' (the emmc) once, but now you've a sata drive (aka : the 5100 MAX). It won't happen again ^^
The SSD might die again, but no hassle, they always do, like the hard disks we used before. Easy to change, and after a "couple of years" you'll upgrade the entire device anyway ^^
-
That^. sshguard monitors the logs for login attempts and blocks IPs based on failures. But it requires log entries to be created to see that.
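
A simplified model of the log-driven blocking described in the replies above, added here as an illustration; it is not sshguard's or pfSense's code. The log lines, the threshold and the time window are constructed assumptions, and only sshd's "Failed password" message is parsed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timestamp, host, then sshd's "Failed password" message with the source IP.
FAILED = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\S+) port \d+"
)

def blocked_ips(log_lines, threshold=3, window=timedelta(minutes=5)):
    """Return source IPs with `threshold` failed logins inside `window`.

    threshold and window are assumed values, not pfSense defaults.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = set()               # stands in for the firewall alias
    for line in log_lines:
        m = FAILED.match(line)
        if not m:
            continue              # not a failed login, nothing to count
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.add(ip)
    return blocked

# Constructed sample log (documentation IP ranges, invented host name "fw").
SAMPLE_LOG = [
    "2024-05-01T10:00:01+00:00 fw sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "2024-05-01T10:00:04+00:00 fw sshd[2211]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "2024-05-01T10:00:05+00:00 fw sshd[2230]: Failed password for admin from 198.51.100.7 port 40100 ssh2",
    "2024-05-01T10:00:09+00:00 fw sshd[2211]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "2024-05-01T10:02:00+00:00 fw sshd[2250]: Accepted publickey for admin from 192.0.2.10 port 50222 ssh2",
    "2024-05-01T10:10:05+00:00 fw sshd[2301]: Failed password for admin from 198.51.100.7 port 40180 ssh2",
    "2024-05-01T10:20:05+00:00 fw sshd[2377]: Failed password for admin from 198.51.100.7 port 40250 ssh2",
]

if __name__ == "__main__":
    print("local logging on :", blocked_ips(SAMPLE_LOG))
    # With local logging disabled the watcher has no lines to read,
    # so the same traffic produces no block at all.
    print("local logging off:", blocked_ips([]))
```

The second call is the situation the warning describes: the failed logins still happen, but with no local log lines the block list stays empty.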
-
@Gertjan said in System Log Settings:
You have a 5100, and you've MAXimized it, don't bother protecting the SSD drive.
I've chosen the 4100 MAX version for the same reason :
Lots of log space, if needed, as a detailed log over a xx days span is part of the security : logs show what happens to the system. I also remote 'syslog' my logs, for backup purposes, to a NAS.
Last week I started writing to remote syslog on NAS and see my pfSense logs still going so that is why I asked about disabling local logging.
But I get it : You've lost a 'disk' (the emmc) once, but now you've a sata drive (aka : the 5100 MAX). It won't happen again ^^
The SSD might die again, but no hassle, they always do, like the hard disks we used before. Easy to change, and after a "couple of years" you'll upgrade the entire device anyway ^^
Thanks. The SSD is 64 GB so hopefully at my age it will last long enough that I won't need to upgrade. But I seem to say that about every piece of hardware I buy.