Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Which software to use for bot detection over Lan

    Scheduled Pinned Locked Moved General pfSense Questions
    21 Posts 5 Posters 2.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • O
      OpenWifi
      last edited by

      I have a newly installed pfsense box and it has been running smoothly but over the past few days i have been blacklisted by about 4 blocklists on mxlookup for spamming.Kindly advise which packages can i use to monitor port 25 and how to detect which Ip on the network is sending out the spam and block it.Thank you

      1 Reply Last reply Reply Quote 0
      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by

        Set you clients to only use Port 465 SSL/TLS for SMTP in their mail appliaction.
        After that block & log Port 25 to check for any noise.

        -Rico

        O 1 Reply Last reply Reply Quote 0
        • O
          OpenWifi @Rico
          last edited by

          @Rico thank you.Could you show me how to do it via rules,atleast a setup from Wan or Lan.Thank you

          1 Reply Last reply Reply Quote 0
          • RicoR
            Rico LAYER 8 Rebel Alliance
            last edited by Rico

            pfSense sees traffic as it enters an Interface. You want to monitor your LAN Clients so put the Firewall Rule on top of your LAN Rules.
            pfSense_Reject_25.png

            -Rico

            GertjanG 1 Reply Last reply Reply Quote 0
            • NogBadTheBadN
              NogBadTheBad
              last edited by

              Snort would work as well.

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              O 1 Reply Last reply Reply Quote 0
              • RicoR
                Rico LAYER 8 Rebel Alliance
                last edited by

                Maybe overkill to just check for Clients using Port 25?
                Personally I like out of the box stuff if possible. :-)

                -Rico

                NogBadTheBadN 1 Reply Last reply Reply Quote 1
                • O
                  OpenWifi @NogBadTheBad
                  last edited by

                  @NogBadTheBad how do i configure snort to do that?You have a link

                  1 Reply Last reply Reply Quote 0
                  • NogBadTheBadN
                    NogBadTheBad
                    last edited by NogBadTheBad

                    https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users?page=1

                    Andy

                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    1 Reply Last reply Reply Quote 0
                    • NogBadTheBadN
                      NogBadTheBad @Rico
                      last edited by

                      @Rico said in Which software to use for bot detection over Lan:

                      Maybe overkill to just check for Clients using Port 25?
                      Personally I like out of the box stuff if possible. :-)

                      -Rico

                      Yup normally I'd say its overkill, but looks like he has a few bad clients on the LAN.

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      1 Reply Last reply Reply Quote 0
                      • GertjanG
                        Gertjan @Rico
                        last edited by

                        @Rico said in Which software to use for bot detection over Lan:

                        pfSense sees traffic as it enters an Interface. You want to monitor your LAN Clients so put the Firewall Rule on top of your LAN Rules.
                        pfSense_Reject_25.png

                        -Rico

                        This rule should be nearly default : block outgoing "port 25 TCP" communication. This port is used by is a mail server to communicate with other mail servers.
                        Outgoing - and incoming connections on port 25 TCP makes sense when you host a mail server on your LAN.

                        Btw :
                        Only accepts trusted devices on your LAN (the easy option)
                        Or
                        Use the firewall to lock down now trusted devices - and learn to use to work with tools like snort and other IDS/IPS tools (far more complicated)

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        O 1 Reply Last reply Reply Quote 0
                        • O
                          OpenWifi @Gertjan
                          last edited by

                          @Rico i do not have a mail server..Wondering....why my network is getting blacklisted over spam flow..Does the spam originated from the clients mails or where is it originating and destined and i really appreciate the help

                          GertjanG 1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            Yes, probably something with malware on your LAN sending spam. That rule will block it log what clients are trying to send it.

                            Steve

                            1 Reply Last reply Reply Quote 0
                            • GertjanG
                              Gertjan @OpenWifi
                              last edited by Gertjan

                              @OpenWifi said in Which software to use for bot detection over Lan:

                              Wondering

                              Why should you wonder ??
                              You administer a firewall/router so you have all the whistles and bells to determine what goes in and out.

                              I have a rule like this
                              d72973c8-739e-48bc-9d69-766d68e24c10-image.png
                              in place on a LAN network that I do not trust - my captive portal network.
                              "Not trust" because I do not control the connected devices.

                              With such a rule in place you can see in the firewall log what happens => who could be blamed - who is using the outgoing port 25. It's a real "click and done" solution.

                              The counter in front of the rule states that some devices wanted to connect to the outside world using port "25".
                              In my network, that is a no go. It means often that a mail client isn't setup the right way.
                              These days : for retrieving mail, a client should use POP or IMAP, using port 110 / 995 or 143 / 993.
                              Sending mails is done over 487 or port 465. Sending must be done the authenticated way, anonymous send (== 25 port) should never be allowed.

                              edit => LOL => if you run a @OpenWifi it's pure madness NOT to block outgoing SMTP connection. From your Wi-Fi access unknown people could : try to steal those nuclear launch codes, break into the NSA etc etc and all this will happen with you being responsible for this IP.

                              No "help me" PM's please. Use the forum, the community will thank you.
                              Edit : and where are the logs ??

                              O 2 Replies Last reply Reply Quote 0
                              • O
                                OpenWifi @Gertjan
                                last edited by

                                @Gertjan but the first rule on my lan is allowing port 433 and 80 and the anti-lock out rule.I fear getting locked out of the webgui when i change that rule to block SMTP.So how do i go about it.Thank you

                                1 Reply Last reply Reply Quote 0
                                • O
                                  OpenWifi @Gertjan
                                  last edited by

                                  @Gertjan IMG_20190403_174839_027.JPG

                                  1 Reply Last reply Reply Quote 0
                                  • NogBadTheBadN
                                    NogBadTheBad
                                    last edited by

                                    Rules are read from the top down.

                                    You cant place a rule above the anti lockout rule.

                                    Andy

                                    1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                    O 1 Reply Last reply Reply Quote 0
                                    • O
                                      OpenWifi @NogBadTheBad
                                      last edited by

                                      @NogBadTheBad IMG_20190403_175637_869.JPG .Will this work,just changed it now

                                      GertjanG 1 Reply Last reply Reply Quote 0
                                      • GertjanG
                                        Gertjan
                                        last edited by

                                        The order is ok.

                                        This isn't :
                                        2f593929-a98c-493a-8e59-d205bf5107c2-image.png

                                        Ditch that WAN_DHCP reference.

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        1 Reply Last reply Reply Quote 0
                                        • GertjanG
                                          Gertjan @OpenWifi
                                          last edited by

                                          @OpenWifi said in Which software to use for bot detection over Lan:

                                          @NogBadTheBad IMG_20190403_175637_869.JPG .Will this work,just changed it now

                                          Ok - now, wait until this one :

                                          1dcb881f-f951-478c-a16c-69e5cdbc9ae0-image.png

                                          starts counting.
                                          You will find the notices in the firewall log - and know who - you will have his LAN IP - was trying to use the "25 port".

                                          No "help me" PM's please. Use the forum, the community will thank you.
                                          Edit : and where are the logs ??

                                          1 Reply Last reply Reply Quote 0
                                          • O
                                            OpenWifi
                                            last edited by

                                            Thank you everyone for your help.Already configured the rule to block smtp port 25.I believe this means clients on the lan would not be able to send mail!!

                                            GertjanG 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.