Which software to use for bot detection over Lan

OpenWifi · Apr 3, 2019, 5:44 AM

I have a newly installed pfsense box and it has been running smoothly but over the past few days i have been blacklisted by about 4 blocklists on mxlookup for spamming.Kindly advise which packages can i use to monitor port 25 and how to detect which Ip on the network is sending out the spam and block it.Thank you

Rico · Apr 3, 2019, 6:23 AM

Set you clients to only use Port 465 SSL/TLS for SMTP in their mail appliaction.
After that block & log Port 25 to check for any noise.

-Rico

OpenWifi · Apr 3, 2019, 6:26 AM

@Rico thank you.Could you show me how to do it via rules,atleast a setup from Wan or Lan.Thank you

Rico · Apr 3, 2019, 6:39 AM

pfSense sees traffic as it enters an Interface. You want to monitor your LAN Clients so put the Firewall Rule on top of your LAN Rules.
login-to-view

-Rico

NogBadTheBad · Apr 3, 2019, 7:34 AM

Snort would work as well.

Rico · Apr 3, 2019, 8:31 AM

Maybe overkill to just check for Clients using Port 25?
Personally I like out of the box stuff if possible. :-)

-Rico

OpenWifi · Apr 3, 2019, 8:44 AM

@NogBadTheBad how do i configure snort to do that?You have a link

NogBadTheBad · Apr 3, 2019, 10:26 AM

https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users?page=1

NogBadTheBad · Apr 3, 2019, 10:03 AM

@Rico said in Which software to use for bot detection over Lan:

Maybe overkill to just check for Clients using Port 25?
Personally I like out of the box stuff if possible. :-)

-Rico

Yup normally I'd say its overkill, but looks like he has a few bad clients on the LAN.

Gertjan · Apr 3, 2019, 1:42 PM

@Rico said in Which software to use for bot detection over Lan:

pfSense sees traffic as it enters an Interface. You want to monitor your LAN Clients so put the Firewall Rule on top of your LAN Rules.
login-to-view

-Rico

This rule should be nearly default : block outgoing "port 25 TCP" communication. This port is used by is a mail server to communicate with other mail servers.
Outgoing - and incoming connections on port 25 TCP makes sense when you host a mail server on your LAN.

Btw :
Only accepts trusted devices on your LAN (the easy option)
Or
Use the firewall to lock down now trusted devices - and learn to use to work with tools like snort and other IDS/IPS tools (far more complicated)

OpenWifi · Apr 3, 2019, 1:42 PM

@Rico i do not have a mail server..Wondering....why my network is getting blacklisted over spam flow..Does the spam originated from the clients mails or where is it originating and destined and i really appreciate the help

stephenw10 · Apr 3, 2019, 1:46 PM

Yes, probably something with malware on your LAN sending spam. That rule will block it log what clients are trying to send it.

Steve

Gertjan · Apr 3, 2019, 2:42 PM

@OpenWifi said in Which software to use for bot detection over Lan:

Wondering

Why should you wonder ??
You administer a firewall/router so you have all the whistles and bells to determine what goes in and out.

I have a rule like this
login-to-view
in place on a LAN network that I do not trust - my captive portal network.
"Not trust" because I do not control the connected devices.

With such a rule in place you can see in the firewall log what happens => who could be blamed - who is using the outgoing port 25. It's a real "click and done" solution.

The counter in front of the rule states that some devices wanted to connect to the outside world using port "25".
In my network, that is a no go. It means often that a mail client isn't setup the right way.
These days : for retrieving mail, a client should use POP or IMAP, using port 110 / 995 or 143 / 993.
Sending mails is done over 487 or port 465. Sending must be done the authenticated way, anonymous send (== 25 port) should never be allowed.

edit => LOL => if you run a @OpenWifi it's pure madness NOT to block outgoing SMTP connection. From your Wi-Fi access unknown people could : try to steal those nuclear launch codes, break into the NSA etc etc and all this will happen with you being responsible for this IP.

OpenWifi · Apr 3, 2019, 2:47 PM

@Gertjan but the first rule on my lan is allowing port 433 and 80 and the anti-lock out rule.I fear getting locked out of the webgui when i change that rule to block SMTP.So how do i go about it.Thank you

OpenWifi · Apr 3, 2019, 2:49 PM

@Gertjan login-to-view

NogBadTheBad · Apr 3, 2019, 2:53 PM

Rules are read from the top down.

You cant place a rule above the anti lockout rule.

OpenWifi · Apr 3, 2019, 2:57 PM

@NogBadTheBad login-to-view .Will this work,just changed it now

Gertjan · Apr 3, 2019, 2:58 PM

The order is ok.

This isn't :
login-to-view

Ditch that WAN_DHCP reference.

Gertjan · Apr 3, 2019, 3:00 PM

@OpenWifi said in Which software to use for bot detection over Lan:

@NogBadTheBad login-to-view .Will this work,just changed it now

Ok - now, wait until this one :

login-to-view

starts counting.
You will find the notices in the firewall log - and know who - you will have his LAN IP - was trying to use the "25 port".

OpenWifi · Apr 3, 2019, 3:24 PM

Thank you everyone for your help.Already configured the rule to block smtp port 25.I believe this means clients on the lan would not be able to send mail!!