Set up mail alerts for intruders / if hacked
-
Dear,
is it possible to set up mail alerts when unknown devices want to join the network? I have set up system \ advanced \ notifications so that an email can be sent, tested and this also works but I cannot figure out yet how to receive alerts by mail if a strange device wants to enter the network.
I have installed various items via the package manager (Suricata and Snort) but I do not find a mail option there. Thanks in advance! Jeroen
-
Hi,
For the mail part, not complicated:
#!/usr/local/bin/php -q
<?php
require_once("/etc/inc/notices.inc");
/* do here what you need to do to declare your system hacked */
/* The message - or result - should be stored in $the_message */
$the_message = "Placeholder: replace with the result of your own check";
/* notify_all_remote() sends through the notification targets configured under System > Advanced > Notifications */
notify_all_remote($the_message);
?>
call the file /root/test-hacked.php
and call it like this: php -a /root/test-hacked.php
Btw : how do you test if a system is hacked ??
What is the big deal if some unknown device connects to one of your LANs? That doesn't mean it can actually threaten any other device on that LAN.
For example: pfSense uses firewall rules to permit access, or not.
Trusted networks, like the first 'real' LAN, should not be made accessible to non-trusted devices.
-
We do something similar on our protected networks, but the network switch blocks access and phones it in. If you are trying to protect the systems on a network the firewall will simply keep them from going out, but will not protect the systems inside.
Remember security is like an ogre (or an onion), it has layers.
-
@andyrh said in Set up mail alerts for intruders / if hacked:
it has layers
If a 'nasty player' already has access to your physical LAN (the wires) or your non-protected Wifi then he is among your other users - who could suffer. Again: your pfSense is under your control.
It's not your role to protect the LAN users - and if it is: start protecting the physical access to your network: wall in the wires, take down that wifi. Use back to back fibre links, these are pretty tamper proof.
-
You can use the arpwatch package to alert you via email when a new device connects to your network. I use my cellular carrier's SMS email alias so I can send out text alerts. This will not work if rogue devices mimic existing MAC addresses or if allowed devices are configured with dynamic "private" MAC addresses.
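To make the arpwatch approach and its blind spot concrete, here is an added example (not arpwatch's or pfSense's own code) that replays a constructed list of ARP observations through a minimal new-station / changed-address detector; the IPs and MACs are made up.

```python
"""Minimal arpwatch-style detector: learns (ip, mac) pairs and reports
new stations and changed ethernet addresses, the two events arpwatch
mails about. Added example; sample data below is constructed."""

# Constructed ARP replies in arrival order: (sender IP, sender MAC).
SAMPLE_ARP = [
    ("192.168.1.10", "aa:bb:cc:00:00:01"),  # first sight -> new station
    ("192.168.1.11", "aa:bb:cc:00:00:02"),  # first sight -> new station
    ("192.168.1.10", "aa:bb:cc:00:00:01"),  # repeat -> nothing
    ("192.168.1.50", "de:ad:be:ef:00:99"),  # unknown device -> new station
    ("192.168.1.10", "aa:bb:cc:00:00:02"),  # .10 now claimed by a known MAC -> changed address
    ("192.168.1.60", "aa:bb:cc:00:00:01"),  # rogue cloning a KNOWN MAC on a fresh IP -> no alert
]


class ArpWatcher:
    """Tracks every MAC seen and the last MAC observed for each IP."""

    def __init__(self):
        self.known_macs = set()   # MACs ever seen on the segment
        self.ip_to_mac = {}       # last MAC that answered for each IP

    def observe(self, ip, mac):
        """Record one ARP observation and return the alert lines it triggers."""
        mac = mac.lower()
        alerts = []
        if mac not in self.known_macs:
            self.known_macs.add(mac)
            alerts.append(f"new station {ip} {mac}")
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"changed ethernet address {ip} {previous} -> {mac}")
        self.ip_to_mac[ip] = mac
        return alerts


def replay(observations):
    """Feed observations to a fresh watcher and collect all alerts in order."""
    watcher = ArpWatcher()
    alerts = []
    for ip, mac in observations:
        alerts.extend(watcher.observe(ip, mac))
    return alerts


def mail_body(alerts):
    """Join alerts into the plain-text body an SMS email alias would receive."""
    return "\n".join(alerts) if alerts else "no new stations"


if __name__ == "__main__":
    print(mail_body(replay(SAMPLE_ARP)))
```

The last observation produces no alert at all, which is exactly the limitation noted above: a device reusing an already-known MAC is indistinguishable from the legitimate owner at this layer.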