Netgate Discussion Forum

    Set up mail alerts for intruders / if hacked

    General pfSense Questions
    • J
      Jhorsten
      last edited by

      Dear,
      is it possible to set up mail alerts when unknown devices want to join the network? I have set up system \ advanced \ notifications so that an email can be sent, tested and this also works but I cannot figure out yet how to receive alerts by mail if a strange device wants to enter the network.
      I have installed various items via the package manager (Suricata and Snort) but I do not find a mail option there.

      Thanks in advance! Jeroen

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @Jhorsten
        last edited by

        Hi,

        For the mail part, not complicated :

        #!/usr/local/bin/php -q
        <?php
        	require_once("/etc/inc/notices.inc");
        	/* do here what you need to do to declare your system hacked */
        	/* The message - or result - should be stored in $the_message */
        	$the_message = "test-hacked.php: placeholder alert text"; /* replace with the result of your own check */
        	notify_all_remote($the_message);
        ?>
        

        call the file /root/test-hacked.php
        and call it like this :

        php -a /root/test-hacked.php
        

        Btw : how do you test if a system is hacked ??

        What is the big deal if some unknown device connects to one of your LANs ? That doesn't mean it can actually threaten any other device on that LAN.
        For example : pfSense uses firewall rules to permit access, or not.
        Trusted networks, like the first 'real' LAN should not be made accessible to non trusted devices.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • AndyRHA
          AndyRH
          last edited by

          We do something similar on our protected networks, but the network switch blocks access and phones it in. If you are trying to protect the systems on a network the firewall will simply keep them from going out, but will not protect the systems inside.
          Remember security is like an ogre (or an onion), it has layers.

          o||||o
          7100-1u

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @AndyRH
            last edited by

            @andyrh said in Set up mail alerts for intruders / if hacked:

            it has layers

            If a 'nasty player' already has access to your physical LAN (the wires) or your non protected Wifi then he is among your other users - who could suffer. Again : your pfSense is under your control.
            It's not your role to protect the LAN users - and if it is : start protecting the physical access to your network : wall in the wires, take down that wifi. Use back to back fibre links, these are pretty tamper proof.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • P
              plfinch
              last edited by

              You can use the arpwatch package to alert you via email when a new device connects to your network. I use my cellular carrier's SMS email alias so I can send out text alerts. This will not work if rogue devices mimic existing MAC addresses or if allowed devices are configured with dynamic “private” MAC addresses.

              1 Reply Last reply Reply Quote 0
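An added example, not code from any poster in this thread and not the arpwatch package: one way to fill the "do here what you need to do" step of the script above, by comparing the firewall's ARP table with an allowlist and flagging the locally administered ("private") MACs mentioned in the last post. The allowlist, the sample `arp -an` output, the interface name and the function name `find_unknown_devices` are constructed for illustration.

```php
<?php
// Added example: report MAC addresses in the ARP table that are not on an allowlist.

// Constructed allowlist (hypothetical devices); lower-case, colon-separated.
$known_macs = ['00:11:22:33:44:55', '00:11:22:33:44:66'];

// Constructed sample of FreeBSD `arp -an` output, used when not running on the firewall.
$sample_arp = <<<TXT
? (192.168.1.10) at 00:11:22:33:44:55 on igb1 expires in 1187 seconds [ethernet]
? (192.168.1.23) at 00:aa:bb:cc:dd:01 on igb1 expires in 904 seconds [ethernet]
? (192.168.1.31) at 5a:10:9c:44:7e:02 on igb1 expires in 1010 seconds [ethernet]
? (192.168.1.40) at (incomplete) on igb1 expired [ethernet]
TXT;

/* Return [mac => ['ip' => ..., 'if' => ..., 'random' => bool]] for every unknown MAC. */
function find_unknown_devices(string $arp_output, array $known_macs): array
{
	$known = array_flip(array_map('strtolower', $known_macs));
	$unknown = [];
	foreach (explode("\n", $arp_output) as $line) {
		// Skip "(incomplete)" entries: no MAC was learned for them.
		if (!preg_match('/\(([\d.]+)\) at ([0-9a-f:]{17}) on (\S+)/i', $line, $m)) {
			continue;
		}
		$mac = strtolower($m[2]);
		if (isset($known[$mac])) {
			continue;
		}
		// Bit 0x02 of the first octet marks a locally administered address,
		// which is what randomized "private" MACs use.
		$random = (hexdec(substr($mac, 0, 2)) & 0x02) !== 0;
		$unknown[$mac] = ['ip' => $m[1], 'if' => $m[3], 'random' => $random];
	}
	return $unknown;
}

$on_pfsense = file_exists('/etc/inc/notices.inc');
$arp = $on_pfsense ? (string) shell_exec('/usr/sbin/arp -an') : $sample_arp;
$the_message = '';
foreach (find_unknown_devices($arp, $known_macs) as $mac => $d) {
	$the_message .= sprintf("Unknown device %s at %s on %s%s\n", $mac, $d['ip'], $d['if'],
		$d['random'] ? ' (locally administered MAC, possibly randomized)' : '');
}
if ($the_message !== '' && $on_pfsense) {
	require_once('/etc/inc/notices.inc');
	notify_all_remote($the_message);   // same call as in the script posted above
} else {
	echo $the_message;
}
```

The ARP table is only a snapshot of hosts the firewall has recently resolved, and the firewall's own interface MACs appear in it as permanent entries, so they belong on the allowlist.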
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.