Logging / Alerts when inbound port mapping occurs

  • Hi - Sorry if this has already been asked and answered, but I haven't been able to find it with various searches..

    I'm a long time pfSense user, and the only feature I really would like, but havent found a way to implement is to get some sort of active alert, probably an email, based on an inbound NAT rule being triggered. The use case I'm most concerned with is that I have ssh exposed (on non-standard port, but still exposed..) and I'd like to get an email whenever that port is hit, which may indicate to me that someone is trying to brute force into my system. I know I could forward and scan logs on a separate system, but I'd love to have it all built-in so that as long as the firewall is up, I know the monitoring system is up.

    A huge Bonus would be if I could specify a threshold rate, such as more than "x" attempts in "y" seconds, so that I may ignore the occasional random scan, while alerting immediately if a genuine brute force is underway.

    Is this something people generally do, or am I being paranoid, and should just handle it with logging and/or alerting on the host being SSH'd into?

    Thanks in advance!!

  • LAYER 8 Netgate

    Logging is going to be your best bet. The new sshguard logs will give you pretty close to what you want.

  • Never heard of sshguard before.. At first glance, that does seem like a pretty good solution.. thanks! I'll check it out. I kind of wish it was more generic than ONLY guarding ssh (maybe it is, - I haven't looked into docs yet) but at least for now ssh is going to be my only exposed service

  • LAYER 8 Netgate

    It will log ssh and webgui attempts.

Log in to reply