E-Mail on Failed Login Attempts (Again) (SOLVED)



  • I've posted this before, and I'll post it again. Is there a way to email on failed login attempts? Or when a IP has been blocked do to failed login attempts? Be it on a local subnet or otherwise?
    I just noticed that apparently back in November there was an attempt to break in to my firewall. I'm not sure if it was this last year or the year before. I only know this now because I noticed a LONG list of IPs in my Alias BlockList, "Attempt to login on 11-16". 2 /24 subnets, 0-255 on each, one IP right after the other attempted. It is possible that this happen with my previous piece of hardware during some kind of a system/software lockup that allowed SSH access to the web, I don't really know. I don't expose SSH to the web and I use Snort to block sniffing (among other things) of the firewall to avoid letting anyone know what ports I do have open and I don't have many open, that includes NTP, SSH and DNS.
    It was said before that I should setup a syslog server for Alerts, and while I don't disagree, I don't have the expertise to setup a syslog server. I've tried a couple of them and without success and not everyone can setup a syslog server and why should everyone setup a syslog server for such trivial notifications that one would think would be just about a standard?
    Heck, even a package that parses the logs and sends a email on match of a set rule would be handy. I don't know how simple or complex it would be, but it would create some flexibility in email notifications.
    Heck, truthfully I don't even know where PfSense is configured to add a IP to a Alias when that IP fails to authenticate to many times.



  • Hi,

    I'll propose you a possible solution that is much simpler as setting up a syslog server **
    Slide in an extra NIC, and use this interface for your non-trusted devices. One or two clever firewall rule and you're done with these login attempts.

    My info : WAN is already secured.
    LAN is only for trusted devices.
    OPT is for your friends, enemies or worse : family. You express your laws there with your rules.

    ** Btw : the last time I installed a Kiwi-syslogger, it opened the needed firewall on my Windows box. That part was simple.
    On pfSense I had to enter the IP of this Windows PC, and done.

    I could also use my Synology Diskatation with the syslog package, less flexible but the setup is very similar.


  • LAYER 8 Global Moderator

    So you get pounded with 1000's of hits to your ssh server… You want 1000's emails?

    Sending your logs to syslog which most have alerting features in can be set to parse for say X number of alerts in Y number of minutes fire off an email, etc.

    Why would you want to get bothered with shit your firewall is dropping.. Would be like door bell going off every time a car drove by your house.

    If you have ports open, guess what they are going to see noise.. SSH, FTP, HTTPS, SQL, RDP are going to see nothing but loads and loads of NOISE... Wanting an email on something like that is just freaking nuts..



  • Gertjan: Agreed. Something I have yet to do is create a management network for managing devices on my network that's only accessible to those that need access.
    As for Kiwi logs, that would require another machine running (I don't like my electrical bill any higher than it is) or a VM. I should likely spend some more time looking into Kiwi-syslogger. Last time I looked into it there was something about it I didn't like. I don't recall what that was right now.

    Johnpoz: Doesn't have to be 1000's of emails, could be a email after every lockout attempt or after every 3 failed attempts, something to say, "Hey stupid! somethings messed up and you're getting pounded!" Heck the firewall emails when the gateway goes down, or if there's a error, why not email and notify on a lockout???

    Why wouldn't I want to get bothered? LOL Do you like having a dummy light in your car when your oil is critically low? I'm not asking for a email EVERY failed attempt, or after every dropped packet. Just something to say, "HEY STUPID!"

    And yes, I have some open ports, SSH, FTP, HTTPS, SQL, RDP, DNS, Ect. are NONE of them. I do not expose my firewall's SSH to the WWW. I have a couple open ports to devices that need them open, nothing else.

    My point was that for some reason SSH was getting attacked, why? I don't know! No clue. There must have been some kind of lockup, malfunction, I don't know, that was quite a while back. Point is it sure would have been nice to get a email so that I could have responded in a timely manner to resolve the issue before getting 510 IPs blacklisted.

    Even a simple notification saying, "Attempted login blocked 2-26" would suffice.

    Why is everyone so dead set against a email notification on failed login attempts? I don't get it!

    Don't misunderstand me, I'm not wanting emails for ALL the noise! Just important ones! Is it not important to know that for some reason someone has been trying to log into your firewall, either it be on the local network or WWW?????


  • Banned

    Use an RSA key for ssh login and disable password login, and those "attacks" are nothing to worry about.


  • LAYER 8 Global Moderator

    "Is it not important to know that for some reason someone has been trying to log into your firewall"

    If its important - then look at the log daily… create a mail report to send you that portion of the log every day at 9am or something.

    If you need ssh open to the public, it for sure should be public key only.  If you want lower log spam, then move it to a odd port.

    Lets say you get an email that 1.2.3.4 hit your ssh server - what are you going to do with this info?  Block 1.2.3.4 from trying it again, tmrw or 20 minutes later 4.5.6.7.. What good is the email going to do?  This is going to be a constant stream of emails..

    From your lan - why would it even be exposed to a network that say guests would use?

    But if that is what you want it should be simple enough to run a script with cron, and then have mail report package send that out.  Sounds like moving your log spam to email spam though.

    If you put a service on the public net - it is a given that it will be attempted to be logged into.. Why anyone would want an email every time someone hits your ssh server and attempts a brute force is going to do nothing but fill up your mail box.



  • @Visseroth : people are trying to logging from where ?


  • LAYER 8 Global Moderator

    "before getting 510 IPs blacklisted."

    I wanted to bring this up before, and forget - how is it you have that many IPs in the sshlockout table?  It should be clearing every hour..  Your saying you had 510 IPs hit you in an hour?

    https://doc.pfsense.org/index.php/Sshlockout

    Entries that exist in this table, that are equal to or older than 3600 seconds, will be expired every hour.

    Did you mess with your cron jobs, are they not running - this cron is schedule to run every 60 minutes

    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout

    So the onlything that should be in the lockout is IPs that have been locked out in the last hour.



  • I don't know. I assumed maybe PfBlocker put it in the BlockList Alias that I have, but I really don't know how fast I was hit or really when exactly it happened or really how it was put in the BlockList. That's kind of the idea behind having a notification. I never knew how or when it happened.

    No I didn't mess with the cron job regarding sshlockouts, and never have. I've added cron jobs, like checking SMART and initiating a scrub, but that's it.

    According to the IP description listed in the BlackList Alias they were added on 11-16. That's all I know, because I had no other notification.

    On a side note!!! A resolution has been submitted by loonylion and has been submitted to an OP for submission to give a notification on the notification pop up and email (if applicable) upon a failed login.

    As a side note, this will NOT create any additional noise if there isn't a problem and if no one is trying to log into your firewall.

    So, No Noise (no login failures) = No notification
    Failed Login = Notification of event

    Solved: https://forum.pfsense.org/index.php?topic=144593.0


Log in to reply