Netgate Discussion Forum

Monitoring my pfSense box

Off-Topic & Non-Support Discussion
4 Posts, 1 Poster, 587 Views
mlines, Apr 5, 2019, 5:10 PM (last edited by mlines Apr 7, 2019, 4:22 PM)

    Love pfSense but have always found that its monitoring features were less than robust out of the box.

    After some research, this is what I have set up so that I can get a daily report on anything that I need to follow up on - otherwise I can ignore the FW and let it do its thing.

    1. Download and install the mailreports package
    2. Ensure you have your email set up for alerts in System / Advanced / Notifications
    3. In my case I have pfBlockerNG (set up with FireHOL lists) and Suricata set up
    4. Create the following reports in mailreports (Title - Included Logs - Filter):

    -- VPN Connections - OpenVPN - "Connection reset, restarting" (Monitors people attempting to log in remotely - if I see 'remotevpn' in the log, I know my VPN has been compromised if I did not log in; otherwise I just see failed attempts).

    -- Possible Compromised Systems - Firewall - <names of your pfBlockerNG aliases, separated with '|'>

    I have set up pfBlockerNG to only block outbound using the FireHOL lists, as all malicious inbound is blocked by default. I want to know about systems internally that are possibly compromised and are attempting to connect to malicious sites externally.

    -- New Devices - DHCP - DHCPOFFER (quick scan for IPs in your DHCP range. All my devices are set to static IPs)

    For Suricata, I use included commands instead of included logs:

    -- Suricata - Display Alerts - tail /var/log/suricata/<your Suricata instance>/alerts.log
    -- Suricata - Display Blocks - tail /var/log/suricata/<your Suricata instance>/block.log

    That's it. Set them all up to run daily and I have a set of reports to look at every morning that takes me less than a minute to run through and ensure that my network is safe (hopefully - it does not address everything I have running on endpoints internally).

    If anyone has any useful additions for daily monitoring please feel free to add them to this post. Thanks!

    mlines, Apr 5, 2019, 7:40 PM

      Change the Possible Compromised Systems report to use included commands instead of included logs - this allows for the elimination of whatever items (such as dropped broadcast) you want to exclude. Here is an example:

      date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/pfblockerng/ip_block.log | grep "pfB_PFBL" | grep -Ev "224.0.0|255.255.255|239.255.255"

      This will pull from the pfblockerng log yesterday's entries for the aliases I want and exclude any broadcast items.

      mlines, Apr 7, 2019, 4:21 PM

        Changed the New Devices report to use commands so I can isolate just the new systems (assuming you assign static IPs to all devices and your DHCP range is 100 - 199).

        New Devices - date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/dhcpd.log | grep -E "([0-9]{1,3}[.]){3}1[0-9]{2}[^0-9]" | grep "DHCPOFFER"

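As an added example (not code from mlines' posts), here is a reusable shell version of both "included commands" above that checks the DHCP pool numerically, anchors the multicast/broadcast exclusion so that ordinary addresses are never dropped, and accounts for syslog's space-padded single-digit days. The CSV layout of ip_block.log and the dhcpd line layout are assumptions, and the sample logs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): reusable versions of the two
# "included commands" above, run against constructed sample logs. The CSV
# layout of ip_block.log and the dhcpd syslog line layout are assumptions.
# Syslog pads single-digit days with a space ("Apr  6"), so on pfSense build
# the day pattern with %e rather than %-d:  day=$(date -v-1d '+%b %e')
# Whole 224.0.0.0/4 multicast range plus limited broadcast, anchored on
# non-address characters so that e.g. 198.51.100.23 is never caught.
NOISE_RE='(^|[^0-9.])((22[4-9]|23[0-9])(\.[0-9]{1,3}){3}|255\.255\.255\.255)([^0-9.]|$)'

# pfb_blocks LOGFILE DAY ALIAS_RE -> DAY's hits for the given aliases, noise removed
pfb_blocks() {
    grep -F -- "$2" "$1" | grep -E -- "$3" | grep -Ev -- "$NOISE_RE"
}

# dhcp_offers LOGFILE DAY LOW HIGH -> DHCPOFFERs whose last octet is in LOW..HIGH
# (the dynamic pool); compared numerically, so .233 is not mistaken for .1xx.
dhcp_offers() {
    grep -F -- "$2" "$1" | awk -v lo="$3" -v hi="$4" '
        /DHCPOFFER on / {
            ip = ""   # the address follows the "DHCPOFFER on" tokens, wherever they sit
            for (i = 1; i <= NF - 2; i++)
                if ($i == "DHCPOFFER" && $(i + 1) == "on") ip = $(i + 2)
            if (split(ip, o, ".") == 4 && o[4] + 0 >= lo && o[4] + 0 <= hi) print
        }'
}

# Constructed sample data (note the two spaces before the day).
PFB_LOG=$(mktemp); DHCP_LOG=$(mktemp)
trap 'rm -f "$PFB_LOG" "$DHCP_LOG"' EXIT
cat > "$PFB_LOG" <<'EOF'
Apr  6 07:12:01,em1,pfB_PFBL_v4,192.168.1.50,203.0.113.9,out
Apr  6 07:12:05,em1,pfB_PFBL_v4,192.168.1.50,239.255.255.250,out
Apr  6 07:13:00,em1,pfB_PFBL_v4,192.168.1.50,255.255.255.255,out
Apr  6 09:30:44,em1,pfB_Other_v4,192.168.1.60,198.51.100.7,out
Apr  6 12:00:00,em1,pfB_PFBL_v4,192.168.1.52,198.51.100.23,out
Apr  6 18:00:00,em1,pfB_PFBL_v4,192.168.1.52,224.0.0.251,out
Apr  5 23:59:58,em1,pfB_PFBL_v4,192.168.1.51,203.0.113.10,out
EOF
cat > "$DHCP_LOG" <<'EOF'
Apr  6 06:00:01 pfSense dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via em1
Apr  6 06:00:01 pfSense dhcpd: DHCPOFFER on 192.168.1.150 to 00:11:22:33:44:55 via em1
Apr  6 06:00:02 pfSense dhcpd: DHCPOFFER on 192.168.1.20 to 66:77:88:99:aa:bb via em1
Apr  6 06:00:03 pfSense dhcpd: DHCPOFFER on 192.168.1.233 to cc:dd:ee:ff:00:11 via em1
Apr  5 22:10:00 pfSense dhcpd: DHCPOFFER on 192.168.1.101 to aa:aa:aa:aa:aa:aa via em1
EOF
echo "== pfBlockerNG hits for Apr 6 =="; pfb_blocks "$PFB_LOG" 'Apr  6' 'pfB_PFBL'
echo "== dynamic-pool DHCPOFFERs for Apr 6 =="; dhcp_offers "$DHCP_LOG" 'Apr  6' 100 199
```

On the firewall, replace the sample paths with /var/log/pfblockerng/ip_block.log and /var/log/dhcpd.log and feed the day string from date as shown in the comment.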
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.