Monitoring my pfSense box
-
Love pfSense but have always found that its monitoring features were less than robust out of the box.
After some research, this is what I have set up so that I can get a daily report on anything that I need to follow up on - otherwise I can ignore the FW and let it do its thing.
- Download and install the mailreports package
- Ensure you have your email set up for alerts in System / Advanced / Notifications
- In my case I have pfBlockerNG (set up with FireHOL lists) and Suricata set up
- Create the following reports in mailreports (Title - Included Logs - Filter):
-- VPN Connections - OpenVPN - "Connection reset, restarting" (Monitors people attempting to log in remotely - if I see 'remotevpn' in the log, I know my VPN has been compromised if I did not log in; otherwise I just see failed attempts.)
-- Possible Compromised Systems - Firewall - <names of your pfBlockerNG aliases - separate with '|'>
I have set up pfBlockerNG to only block outbound using the FireHOL lists, as all malicious inbound is blocked by default. I want to know about systems internally that are possibly compromised and are attempting to connect to malicious sites externally.
-- New Devices - DHCP - DHCPOFFER (quick scan for IPs in your DHCP range. All my devices are set to static IPs)
For Suricata, I use included commands instead of included logs:
-- Suricata - Display Alerts - tail /var/log/suricata/<your Suricata instance>/alerts.log
-- Suricata - Display Blocks - tail /var/log/suricata/<your Suricata instance>/block.log
That's it. Set them all up to run daily and I have a set of reports to look at every morning that takes me less than a minute to run through and ensure that my network is safe (hopefully - it does not address everything I have running on endpoints internally).
If anyone has any useful additions for daily monitoring please feel free to add them to this post. Thanks!
-
Change the Possible Compromised Systems to use included commands instead of included logs - allows for the elimination of whatever items (such as dropped broadcast) that you want to exclude. Here is an example:
date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/pfblockerng/ip_block.log | grep "pfB_PFBL" | grep -Ev "224\.0\.0|255\.255\.255|239\.255\.255"
This will pull from the pfblockerng log yesterday's entries for the aliases I want and exclude any broadcast items.
-
Changed the new devices report to use commands so I can isolate to just the new systems (assuming you assign static IPs to all devices and your DHCP range is 100 - 199).
New Devices - date -v-1d '+%b %-d' | grep -f /dev/stdin /var/log/dhcpd.log | grep -E "([0-9]{1,3}\.){3}1[0-9]{2}" | grep "DHCPOFFER"
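An added example, not from the post above: the two report commands wrapped as shell functions and run over constructed sample log lines, so the date filter, the pfB_PFBL alias match with broadcast/multicast exclusion, and the .100-.199 pool match can be checked before they go into mailreports. The day label is passed in as an argument instead of computed with BSD `date -v-1d`, and the sample line layouts are assumed for the demonstration, not the real dhcpd.log or ip_block.log formats.

```shell
#!/bin/sh
# Constructed sample lines (layout assumed; only the date prefix, the
# DHCPOFFER / pfB_PFBL keywords and the addresses matter for the filters).
SAMPLE_DHCP='Mar 4 08:12:01 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.150 to aa:bb:cc:dd:ee:01 via igb1
Mar 4 09:30:11 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.22 to aa:bb:cc:dd:ee:02 via igb1
Mar 4 09:31:00 pfSense dhcpd[1234]: DHCPACK on 192.168.1.150 to aa:bb:cc:dd:ee:01 via igb1
Mar 3 23:59:59 pfSense dhcpd[1234]: DHCPOFFER on 192.168.1.101 to aa:bb:cc:dd:ee:03 via igb1'

SAMPLE_PFB='Mar 4 08:00:01,igb1,block,UDP,192.168.1.37,239.255.255.250,out,pfB_PFBL_v4
Mar 4 08:05:42,igb1,block,TCP,192.168.1.150,203.0.113.9,out,pfB_PFBL_v4
Mar 4 08:05:43,igb1,block,TCP,192.168.1.150,203.0.113.9,out,pfB_PFBL_v4
Mar 4 08:09:00,igb1,block,UDP,192.168.1.50,255.255.255.255,out,pfB_PFBL_v4
Mar 4 08:10:00,wan,block,TCP,198.51.100.7,192.168.1.1,in,pfB_Other_v4'

# new_devices DAY LOG: addresses offered by DHCP on DAY that fall in the
# dynamic pool .100-.199. The pool needs 1[0-9]{2}; [1-9]{3} would skip
# 100-109 and accept 200-999.
new_devices() {
  printf '%s\n' "$2" \
    | grep "^$1 " \
    | grep -E 'DHCPOFFER on ([0-9]{1,3}\.){3}1[0-9]{2} ' \
    | sed -E 's/.*DHCPOFFER on ([0-9.]+) .*/\1/' \
    | sort -u
}

# compromised_hosts DAY LOG: internal sources blocked by a pfB_PFBL alias on
# DAY, with broadcast/multicast noise removed. Alternation needs grep -E;
# with a basic-regex grep -v the '|' is literal and nothing gets excluded.
compromised_hosts() {
  printf '%s\n' "$2" \
    | grep "^$1 " \
    | grep 'pfB_PFBL' \
    | grep -Ev '224\.0\.0|255\.255\.255|239\.255\.255' \
    | cut -d, -f5 \
    | sort -u
}

# The two sections as the daily mail would show them for a given day label.
daily_report() {
  echo "== New devices ($1) =="
  new_devices "$1" "$SAMPLE_DHCP"
  echo "== Possible compromised systems ($1) =="
  compromised_hosts "$1" "$SAMPLE_PFB"
}

daily_report 'Mar 4'
```

On the firewall itself, replace the sample variables with the real log files and feed the label from `date -v-1d '+%b %-d'` as in the commands above.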