3. Monitoring my pfSense box

Monitoring my pfSense box

  • M

    Love PfSense but have always found that it's monitoring features were less than robust out of the box.

    After some research, this is what I have setup so that I can get a daily report on anything that I need to follow up on - otherwise I can ignore the FW and let it do it's thing.

    1. Download and install the mailreports package
    2. Ensure you have your email setup for alerts in System / Advanced / Notifications
    3. In my case I have pfBlockedNG (setup with FireHOL lists) and Suricata setup
    • Create the following reports in mailreports (Title - Included Logs - Filter):

    -- VPN Connections - OpenVPN - "Connection reset, restarting" (Monitors people attempting to login remotely - if I see 'remotevpn' in the log, I know my VPN has been compromised if I did not login, otherwise I just see failed attempts).

    -- Possible Compromised Systems - Firewall - <names of your pfBlockerNG aliases - separate with '|')

    I have setup pfBlockerNG to only block outbound using the FireHOL lists as all malicious inbound is blocked by default. I want to know about systems internally that are possibly compromised and are attempting to connect with malicious sites externally.

    -- New Devices - DNCP - DHCPOFFER (quick scan for IPs in your DHCP range. All my devices are set to static IPs)

    For Suricata, I use included commands instead of included logs:

    -- Suricata - Display Alerts - tail /var/log/suricata/<your Suricata instance>/alerts.log
    -- Suricata - Display Blocks - tail /var/log/suricata/<your Suricata instance>/block.log

    That's it. Set them all up to run daily and I have a set of reports to look at every morning that takes me less than a minute to run through and ensure that my network is safe (hopefully - does not address everything I have running on endpoints internally).

    If anyone has any useful additions for daily monitoring please feel free to add them to this post. Thanks!

    1
  • M

    Change the Possible Compromised Systems to use included commands instead of included logs - allows for the elimination of whatever items (such as dropped broadcast) that you want to exclude. Here is an example:

    date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/pfblockerng/ip_block.log | grep "pfB_PFBL" | grep -v "224.0.0|255.255.255|239.255.255"

    This will pull from the pfblockerng log yesterday's entries for the aliases I want and exclude any broadcast items.

    0
  • M

    Changed the new devices to use commands so I can isolate to just the new systems (assuming you assign static IPs to all devices and your DHCP range is 100 - 199.

    New Devices - date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/dhcpd.log | grep -E "([0-9]{1,3}[.]){3}[1-9]{3}" | grep "DHCPOFFER"

    0
  • M

    This post is deleted!
    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy