Which software to use for bot detection over Lan

Rico

Maybe overkill to just check for Clients using Port 25?
Personally I like out of the box stuff if possible. :-)

-Rico

OpenWifi

@NogBadTheBad how do i configure snort to do that?You have a link

NogBadTheBad

https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users?page=1

NogBadTheBad

@Rico said in Which software to use for bot detection over Lan:

Maybe overkill to just check for Clients using Port 25?
Personally I like out of the box stuff if possible. :-)

-Rico

Yup normally I'd say its overkill, but looks like he has a few bad clients on the LAN.

Gertjan

@Rico said in Which software to use for bot detection over Lan:

pfSense sees traffic as it enters an Interface. You want to monitor your LAN Clients so put the Firewall Rule on top of your LAN Rules.

-Rico

This rule should be nearly default : block outgoing "port 25 TCP" communication. This port is used by is a mail server to communicate with other mail servers.
Outgoing - and incoming connections on port 25 TCP makes sense when you host a mail server on your LAN.

Btw :
Only accepts trusted devices on your LAN (the easy option)
Or
Use the firewall to lock down now trusted devices - and learn to use to work with tools like snort and other IDS/IPS tools (far more complicated)

OpenWifi

@Rico i do not have a mail server..Wondering....why my network is getting blacklisted over spam flow..Does the spam originated from the clients mails or where is it originating and destined and i really appreciate the help

stephenw10

Yes, probably something with malware on your LAN sending spam. That rule will block it log what clients are trying to send it.

Steve

Gertjan

@OpenWifi said in Which software to use for bot detection over Lan:

Wondering

Why should you wonder ??
You administer a firewall/router so you have all the whistles and bells to determine what goes in and out.

I have a rule like this

in place on a LAN network that I do not trust - my captive portal network.
"Not trust" because I do not control the connected devices.

With such a rule in place you can see in the firewall log what happens => who could be blamed - who is using the outgoing port 25. It's a real "click and done" solution.

The counter in front of the rule states that some devices wanted to connect to the outside world using port "25".
In my network, that is a no go. It means often that a mail client isn't setup the right way.
These days : for retrieving mail, a client should use POP or IMAP, using port 110 / 995 or 143 / 993.
Sending mails is done over 487 or port 465. Sending must be done the authenticated way, anonymous send (== 25 port) should never be allowed.

edit => LOL => if you run a @OpenWifi it's pure madness NOT to block outgoing SMTP connection. From your Wi-Fi access unknown people could : try to steal those nuclear launch codes, break into the NSA etc etc and all this will happen with you being responsible for this IP.

OpenWifi

@Gertjan but the first rule on my lan is allowing port 433 and 80 and the anti-lock out rule.I fear getting locked out of the webgui when i change that rule to block SMTP.So how do i go about it.Thank you

OpenWifi

@Gertjan

NogBadTheBad

Rules are read from the top down.

You cant place a rule above the anti lockout rule.

OpenWifi

@NogBadTheBad .Will this work,just changed it now

Gertjan

The order is ok.

This isn't :

Ditch that WAN_DHCP reference.

Gertjan

@OpenWifi said in Which software to use for bot detection over Lan:

@NogBadTheBad .Will this work,just changed it now

Ok - now, wait until this one :

starts counting.
You will find the notices in the firewall log - and know who - you will have his LAN IP - was trying to use the "25 port".

OpenWifi

Thank you everyone for your help.Already configured the rule to block smtp port 25.I believe this means clients on the lan would not be able to send mail!!

Gertjan

@OpenWifi said in Which software to use for bot detection over Lan:

I believe this means clients on the lan would not be able to send mail!!

Again, you admin a firewall. There is no such thing as "Wondering" and "Believing". Things happens because you let them happen. And things that you do not want, you stop. You are the boss.
A boss doesn't "trust" or "believe".

Maybe this is new to you :
Mail clients like Outlook Express, Outlook (Office) or Thunderbird should not use port 25 to send mail.
They are set up to use (as stated) above : port 587 or port 465. These two port permit some one to send mails, if they can authenticity themselves first == have an account at that mail server.

Like : you can not send mail using mail.gmail.com on port 25 : gmail does not allow this. gmail is not an open relay. You should use 587, no, better : port 465.

For historical reasons, ISP's allow that you use their mail servers so you can send your (not your unkown visitors !!) send mail to some one. This is an exception. Do understand that the ISP knows who you are : you are using their "land line" to connect to their services.