Netgate Discussion Forum
    Monitoring my pfSense box

    Off-Topic & Non-Support Discussion
    4 Posts 1 Posters 625 Views
    mlines

      Love pfSense but have always found that its monitoring features were less than robust out of the box.

      After some research, this is what I have set up so that I can get a daily report on anything that I need to follow up on - otherwise I can ignore the FW and let it do its thing.

      1. Download and install the mailreports package
      2. Ensure you have your email set up for alerts in System / Advanced / Notifications
      3. In my case I have pfBlockerNG (set up with FireHOL lists) and Suricata set up
      4. Create the following reports in mailreports (Title - Included Logs - Filter):

      -- VPN Connections - OpenVPN - "Connection reset, restarting" (Monitors people attempting to log in remotely - if I see 'remotevpn' in the log, I know my VPN has been compromised if I did not log in; otherwise I just see failed attempts).

      -- Possible Compromised Systems - Firewall - <names of your pfBlockerNG aliases, separated with '|'>

      I have setup pfBlockerNG to only block outbound using the FireHOL lists as all malicious inbound is blocked by default. I want to know about systems internally that are possibly compromised and are attempting to connect with malicious sites externally.

      -- New Devices - DHCP - DHCPOFFER (quick scan for IPs in your DHCP range. All my devices are set to static IPs)

      For Suricata, I use included commands instead of included logs:

      -- Suricata - Display Alerts - tail /var/log/suricata/<your Suricata instance>/alerts.log
      -- Suricata - Display Blocks - tail /var/log/suricata/<your Suricata instance>/block.log

      That's it. Set them all up to run daily and I have a set of reports to look at every morning that takes me less than a minute to run through and ensure that my network is safe (hopefully - does not address everything I have running on endpoints internally).

      If anyone has any useful additions for daily monitoring please feel free to add them to this post. Thanks!

      mlines

        Change the Possible Compromised Systems to use included commands instead of included logs - allows for the elimination of whatever items (such as dropped broadcast) that you want to exclude. Here is an example:

        # -Ev is needed for the exclusion list: with plain grep -v the '|' is a literal character and nothing is excluded
        date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/pfblockerng/ip_block.log | grep "pfB_PFBL" | grep -Ev "224\.0\.0\.|255\.255\.255\.|239\.255\.255\."

        This will pull from the pfblockerng log yesterday's entries for the aliases I want and exclude any broadcast items.

        mlines

          Changed the new devices to use commands so I can isolate to just the new systems (assuming you assign static IPs to all devices and your DHCP range is 100 - 199).

          New Devices -
          # %e pads single-digit days the way syslog does ("Jul  5"), so days 1-9 still match; "1[0-9]{2}" followed by a space is exactly the 100-199 pool ("[1-9]{3}" would match .254 and miss .150)
          date -v-1d '+%b %e' | grep -f /dev/stdin /var/log/dhcpd.log | grep -E "DHCPOFFER on ([0-9]{1,3}\.){3}1[0-9]{2} "

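The three report filters from the posts above (pfBlockerNG outbound hits, DHCPOFFERs inside the pool, OpenVPN connection resets), written as shell functions that can be run offline against constructed sample log lines. This is an added example, not code from the forum thread or from the mailreports package. Assumptions: dhcpd and OpenVPN write syslog-style lines with a space-padded day, ip_block.log is comma-separated with the date as the first field, and the sample field layout is illustrative rather than the exact pfBlockerNG column order. The functions take the day string as an argument instead of calling the BSD-only `date -v-1d`, so the same code runs on pfSense and on a Linux workstation.

```shell
#!/bin/sh
# Added example (not from the forum post). Each filter takes the target day
# ("Mon D", as printed by date -v-1d '+%b %-d' in the post) as $1 and reads
# the log on stdin. Sample lines below are constructed, not real captures.

# Constructed ip_block.log-style lines (assumed layout: date first, alias later).
SAMPLE_PFB=$(cat <<'EOF'
Jul 5 08:12:01,1720160000,igb1,LAN,block,4,6,TCP-S,192.168.1.23,203.0.113.9,51234,443,out,pfB_PFBL_v4,203.0.113.0/24,firehol_level1
Jul 5 08:12:05,1720160000,igb1,LAN,block,4,17,UDP,192.168.1.23,239.255.255.250,49152,1900,out,pfB_PFBL_v4,239.255.255.250/32,firehol_level1
Jul 5 09:00:00,1720160000,igb1,LAN,block,4,6,TCP-S,192.168.1.40,198.51.100.7,40000,80,out,pfB_Ads_v4,198.51.100.0/24,adlist
Jul 4 23:59:59,1720160000,igb1,LAN,block,4,6,TCP-S,192.168.1.23,203.0.113.9,51200,443,out,pfB_PFBL_v4,203.0.113.0/24,firehol_level1
EOF
)

# Constructed syslog-style dhcpd lines. Note the two spaces before single-digit days.
SAMPLE_DHCP=$(cat <<'EOF'
Jul  5 07:30:12 pfSense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via igb1
Jul  5 07:30:12 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.150 to aa:bb:cc:dd:ee:01 (newphone) via igb1
Jul  5 07:30:12 pfSense dhcpd[1234]: DHCPREQUEST for 192.168.1.150 (192.168.1.1) from aa:bb:cc:dd:ee:01 via igb1
Jul  5 07:30:12 pfSense dhcpd[1234]: DHCPACK on 192.168.1.150 to aa:bb:cc:dd:ee:01 (newphone) via igb1
Jul  5 08:01:44 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.254 to aa:bb:cc:dd:ee:02 (nas) via igb1
Jul  4 22:10:00 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.123 to aa:bb:cc:dd:ee:03 via igb1
EOF
)

# Constructed syslog-style OpenVPN server lines.
SAMPLE_OVPN=$(cat <<'EOF'
Jul  5 03:14:07 pfSense openvpn[5678]: 198.51.100.23:41322 Connection reset, restarting [0]
Jul  5 03:14:09 pfSense openvpn[5678]: 198.51.100.23:41322 TLS: Initial packet from [AF_INET]198.51.100.23:41322, sid=1a2b3c4d
Jul  5 11:40:22 pfSense openvpn[5678]: 203.0.113.77:60012 Connection reset, restarting [0]
Jul  4 19:00:01 pfSense openvpn[5678]: 203.0.113.77:59000 Connection reset, restarting [0]
EOF
)

# Keep only the given day's lines. syslog pads single-digit days to two
# columns ("Jul  5") while '+%b %-d' prints "Jul 5"; matching one or more
# spaces keeps the first nine days of each month from silently dropping out.
day_lines() {
    _mon=${1% *}
    _day=${1#* }
    grep -E "^${_mon} +${_day} "
}

# Possible compromised systems: outbound blocks on the given alias pattern,
# minus multicast/broadcast noise. -E is required for the alternation; with
# plain grep -v the '|' is literal and nothing is excluded.
pfb_outbound_hits() {
    day_lines "$1" | grep -E "$2" \
        | grep -Ev '224\.0\.0\.|239\.255\.255\.|255\.255\.255\.'
}

# New devices: DHCPOFFERs inside the 100-199 pool only. "1[0-9]{2}" followed
# by a space is exactly 100-199; "[1-9]{3}" would match .254 and miss .150.
new_dhcp_offers() {
    day_lines "$1" | grep -E 'DHCPOFFER on ([0-9]{1,3}\.){3}1[0-9]{2} '
}

# VPN connections: remote peers whose session was reset.
vpn_resets() {
    day_lines "$1" | grep 'Connection reset, restarting'
}

# Print the three reports for one day. On pfSense this would be
# day=$(date -v-1d '+%b %-d') with the real log files on stdin.
daily_report() {
    day=$1
    printf '== Possible compromised systems (%s) ==\n' "$day"
    printf '%s\n' "$SAMPLE_PFB" | pfb_outbound_hits "$day" 'pfB_PFBL'
    printf '== New devices (%s) ==\n' "$day"
    printf '%s\n' "$SAMPLE_DHCP" | new_dhcp_offers "$day"
    printf '== VPN connection resets (%s) ==\n' "$day"
    printf '%s\n' "$SAMPLE_OVPN" | vpn_resets "$day"
}

daily_report 'Jul 5'
```

Against the sample data the report shows one real outbound hit (192.168.1.23 to 203.0.113.9; the SSDP line to 239.255.255.250 and the other alias are dropped), one DHCPOFFER inside the pool (.150; the .254 reservation is ignored) and two VPN resets, with the Jul 4 lines excluded by the day filter in every case.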
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.