Monitoring my pfSense box

  • Love pfSense but have always found that its monitoring features were less than robust out of the box.

    After some research, this is what I have set up so that I can get a daily report on anything that I need to follow up on - otherwise I can ignore the FW and let it do its thing.

    1. Download and install the mailreports package
    2. Ensure you have your email setup for alerts in System / Advanced / Notifications
    3. In my case I have pfBlockerNG (set up with FireHOL lists) and Suricata set up
    • Create the following reports in mailreports (Title - Included Logs - Filter):

    -- VPN Connections - OpenVPN - "Connection reset, restarting" (Monitors people attempting to log in remotely - if I see 'remotevpn' in the log, I know my VPN has been compromised if I did not log in, otherwise I just see failed attempts).

    -- Possible Compromised Systems - Firewall - <names of your pfBlockerNG aliases - separate with '|'>

    I have setup pfBlockerNG to only block outbound using the FireHOL lists as all malicious inbound is blocked by default. I want to know about systems internally that are possibly compromised and are attempting to connect with malicious sites externally.

    -- New Devices - DHCP - DHCPOFFER (quick scan for IPs in your DHCP range. All my devices are set to static IPs)

    For Suricata, I use included commands instead of included logs:

    -- Suricata - Display Alerts - tail /var/log/suricata/<your Suricata instance>/alerts.log
    -- Suricata - Display Blocks - tail /var/log/suricata/<your Suricata instance>/block.log

    That's it. Set them all up to run daily and I have a set of reports to look at every morning that takes me less than a minute to run through and ensure that my network is safe (hopefully - does not address everything I have running on endpoints internally).

    If anyone has any useful additions for daily monitoring please feel free to add them to this post. Thanks!

  • Change the Possible Compromised Systems to use included commands instead of included logs - allows for the elimination of whatever items (such as dropped broadcast) that you want to exclude. Here is an example:

    date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/pfblockerng/ip_block.log | grep "pfB_PFBL" | grep -Ev "224\.0\.0|255\.255\.255|239\.255\.255"

    This will pull from the pfblockerng log yesterday's entries for the aliases I want and exclude any broadcast items.

  • Changed the new devices to use commands so I can isolate to just the new systems (assuming you assign static IPs to all devices and your DHCP range is 100 - 199).

    New Devices - date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/dhcpd.log | grep "DHCPOFFER" | grep -E "([0-9]{1,3}\.){3}1[0-9]{2}[^0-9]"
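    The two "included commands" from this thread (the pfBlockerNG block filter and the DHCPOFFER filter) rewritten as shell functions, as an added example that is not the original poster's code. It fixes two defects in the one-liners as posted: `grep -v "a|b|c"` without `-E` treats the `|` literally on BSD and GNU grep alike, so the broadcast/multicast exclusion never removed anything, and `[1-9]{3}` matches last octets 111-999 that contain no zero digit rather than 100-199. The pool bounds are parameters, so the same function covers any contiguous DHCP range. The sample log lines are constructed, the ip_block.log column layout is simplified, and the day prefix is passed in as an argument so it can be tested off the firewall; on pfSense you would pass `$(date -v-1d '+%b %e')`, since BSD syslog pads single-digit days with a space.

```shell
#!/bin/sh
# Added example, not the original poster's commands: both daily filters from
# the thread as reusable shell functions. Each reads log text on stdin; $1 is
# the day prefix exactly as the log writes it (e.g. "Mar  5").

# pfBlockerNG blocks on day $1 for aliases matching the ERE in $2 (e.g. "pfB_PFBL"),
# minus link-local multicast, limited broadcast and SSDP noise.
# Exit status is that of the last grep (1 when nothing is left), harmless in a report.
pfb_blocks_for_day() {
    grep -F -- "$1" | grep -E -- "$2" \
        | grep -Ev '224\.0\.0\.|255\.255\.255\.|239\.255\.255\.'
}

# DHCPOFFERs on day $1 whose offered address has a last octet in [$2, $3]
# (default 100-199). Offers for static mappings outside the pool are dropped,
# and the comparison is numeric, so any contiguous pool works.
dhcp_new_devices_for_day() {
    grep -F -- "$1" | grep -F 'DHCPOFFER on ' \
        | awk -v lo="${2:-100}" -v hi="${3:-199}" '
            { ip = ""
              for (i = 1; i < NF; i++) if ($i == "DHCPOFFER" && $(i+1) == "on") ip = $(i+2)
              if (split(ip, o, ".") == 4 && o[4]+0 >= lo && o[4]+0 <= hi) print }'
}

# Constructed sample logs, not real captures. The ip_block.log field layout is
# simplified; only the date prefix, the addresses and the alias name matter here.
PFB_SAMPLE='Mar  5 03:11:02,1551755462,igb1,LAN,block,4,6,TCP-S,192.168.1.50,203.0.113.9,49152,443,out,pfB_PFBL_v4
Mar  5 03:11:09,1551755469,igb1,LAN,block,4,17,UDP,192.168.1.50,239.255.255.250,1900,1900,out,pfB_PFBL_v4
Mar  5 03:12:40,1551755560,igb1,LAN,block,4,17,UDP,192.168.1.22,255.255.255.255,68,67,out,pfB_PFBL_v4
Mar  5 04:00:00,1551758400,igb0,WAN,block,4,6,TCP-S,198.51.100.7,192.168.1.1,40000,22,in,pfB_Other_v4
Mar  6 01:00:00,1551834000,igb1,LAN,block,4,6,TCP-S,192.168.1.51,203.0.113.10,49153,80,out,pfB_PFBL_v4'

DHCP_SAMPLE='Mar  5 09:15:01 pfSense dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via igb1
Mar  5 09:15:01 pfSense dhcpd: DHCPOFFER on 192.168.1.150 to aa:bb:cc:dd:ee:01 via igb1
Mar  5 09:15:02 pfSense dhcpd: DHCPACK on 192.168.1.150 to aa:bb:cc:dd:ee:01 via igb1
Mar  5 11:42:10 pfSense dhcpd: DHCPOFFER on 192.168.1.20 to aa:bb:cc:dd:ee:02 via igb1
Mar  5 12:00:00 pfSense dhcpd: DHCPOFFER on 192.168.1.200 to aa:bb:cc:dd:ee:03 via igb1
Mar  4 23:59:59 pfSense dhcpd: DHCPOFFER on 192.168.1.120 to aa:bb:cc:dd:ee:04 via igb1'

# Demo run over the constructed samples: one outbound block to 203.0.113.9
# survives, and only the .150 offer falls inside the 100-199 pool.
echo '== Possible compromised systems (Mar 5) =='
printf '%s\n' "$PFB_SAMPLE" | pfb_blocks_for_day 'Mar  5' 'pfB_PFBL'
echo '== New devices in the 100-199 pool (Mar 5) =='
printf '%s\n' "$DHCP_SAMPLE" | dhcp_new_devices_for_day 'Mar  5'
```

    To use this on the firewall, save the two functions to a script under /root and have the mailreports command field source it and call, for example, `pfb_blocks_for_day "$(date -v-1d '+%b %e')" pfB_PFBL < /var/log/pfblockerng/ip_block.log`. If your log writes the day in a different form, pass the day string in that form instead.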

