Netgate Discussion Forum
    Logging / Alerts when inbound port mapping occurs

    Category: General pfSense Questions
    4 Posts 2 Posters 266 Views

      172pilot

      Hi - Sorry if this has already been asked and answered, but I haven't been able to find it with various searches.

      I'm a long time pfSense user, and the only feature I really would like, but haven't found a way to implement, is to get some sort of active alert, probably an email, based on an inbound NAT rule being triggered. The use case I'm most concerned with is that I have ssh exposed (on a non-standard port, but still exposed) and I'd like to get an email whenever that port is hit, which may indicate to me that someone is trying to brute force into my system. I know I could forward and scan logs on a separate system, but I'd love to have it all built-in so that as long as the firewall is up, I know the monitoring system is up.

      A huge Bonus would be if I could specify a threshold rate, such as more than "x" attempts in "y" seconds, so that I may ignore the occasional random scan, while alerting immediately if a genuine brute force is underway.

      Is this something people generally do, or am I being paranoid, and should just handle it with logging and/or alerting on the host being SSH'd into?

      Thanks in advance!!

      Derelict (Netgate)
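      The threshold logic asked for above ("more than x attempts in y seconds"), as an added example that is not part of the original thread or of pfSense: a small Python detector that reads pfSense filterlog lines, counts passed inbound TCP connections per source address to the forwarded port in a sliding window, and returns one alert per source when the threshold is exceeded (with a cooldown so a sustained brute force does not produce one email per packet). The field positions are taken from the documented filterlog CSV layout as I understand it; the log lines, the interface name `em0`, the port 2222 and the internal host are constructed sample data, and the `PortHitDetector` / `scan` names are mine.

```python
"""Threshold alerting for hits on a forwarded port, from pfSense filterlog lines.
Example code for this thread, not part of pfSense. Field positions are an
assumption based on the documented filterlog CSV format."""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): a 5-attempt burst from 203.0.113.5,
# a single probe from 198.51.100.7, a blocked packet to port 22, and one late
# hit from 203.0.113.5 after the window has expired.
SAMPLE_LOG = """\
Apr 10 10:15:22 pfSense filterlog[9012]: 5,,,1000000103,em0,match,pass,in,4,0x0,,63,1,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,54321,2222,0,S,1,,65535,,mss
Apr 10 10:15:23 pfSense filterlog[9012]: 5,,,1000000103,em0,match,pass,in,4,0x0,,63,2,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,54322,2222,0,S,2,,65535,,mss
Apr 10 10:15:24 pfSense filterlog[9012]: 5,,,1000000103,em0,match,pass,in,4,0x0,,63,3,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,54323,2222,0,S,3,,65535,,mss
Apr 10 10:15:25 pfSense filterlog[9012]: 5,,,1000000103,em0,match,pass,in,4,0x0,,63,4,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,54324,2222,0,S,4,,65535,,mss
Apr 10 10:15:26 pfSense filterlog[9012]: 5,,,1000000103,em0,match,pass,in,4,0x0,,63,5,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,54325,2222,0,S,5,,65535,,mss
Apr 10 10:20:01 pfSense filterlog[9012]: 5,,,1000000103,em0,match,pass,in,4,0x0,,51,7,0,DF,6,tcp,60,198.51.100.7,192.168.1.10,40001,2222,0,S,8,,29200,,mss
Apr 10 10:21:00 pfSense filterlog[9012]: 9,,,1000000001,em0,match,block,in,4,0x0,,47,8,0,DF,6,tcp,60,203.0.113.9,203.0.113.1,44444,22,0,S,9,,1024,,
Apr 10 10:40:00 pfSense filterlog[9012]: 5,,,1000000103,em0,match,pass,in,4,0x0,,63,9,0,DF,6,tcp,60,203.0.113.5,192.168.1.10,54330,2222,0,S,10,,65535,,mss
"""

# "Mon DD HH:MM:SS host filterlog[pid]: <csv>" as syslog writes it
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ filterlog\[\d+\]: (?P<csv>.*)$"
)


def parse_filterlog(line, year=2025):
    """Return a dict for one IPv4 filterlog line, or None if it is not one.

    Assumed CSV positions: 4=interface, 6=action, 7=direction, 8=IP version,
    16=protocol text, 18=src, 19=dst, 21=dst port.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 22 or f[8] != "4":   # IPv6 lines use a different layout; skipped here
        return None
    # syslog timestamps carry no year, so the caller supplies one
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "iface": f[4], "action": f[6], "dir": f[7],
            "proto": f[16], "src": f[18], "dst": f[19], "dport": f[21]}


class PortHitDetector:
    """Sliding-window counter: alert when one source makes more than
    `threshold` connections to `port` within `window_s` seconds."""

    def __init__(self, port, threshold, window_s, iface="em0", cooldown_s=600):
        self.port, self.threshold = str(port), threshold
        self.window = timedelta(seconds=window_s)
        self.cooldown = timedelta(seconds=cooldown_s)
        self.iface = iface
        self.hits = defaultdict(deque)   # src -> timestamps still inside the window
        self.last_alert = {}             # src -> time of last alert (rate-limits emails)

    def feed(self, e):
        if e is None:
            return None
        # Only passed, inbound TCP on the WAN interface to the forwarded port.
        # pf logs one line per new state, so each line is one connection attempt.
        key = (e["action"], e["dir"], e["iface"], e["proto"], e["dport"])
        if key != ("pass", "in", self.iface, "tcp", self.port):
            return None
        q = self.hits[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > self.window:   # evict hits older than the window
            q.popleft()
        if len(q) <= self.threshold:
            return None
        last = self.last_alert.get(e["src"])
        if last is not None and e["ts"] - last < self.cooldown:
            return None                               # already alerted on this source
        self.last_alert[e["src"]] = e["ts"]
        return {"src": e["src"], "port": self.port, "count": len(q),
                "first": q[0], "last": e["ts"]}


def scan(lines, **kw):
    """Run the detector over an iterable of log lines; return the alerts raised."""
    det = PortHitDetector(**kw)
    return [a for a in (det.feed(parse_filterlog(l)) for l in lines) if a]


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for alert in scan(src, port=2222, threshold=3, window_s=60):
        print(f"ALERT {alert['src']} hit tcp/{alert['port']} {alert['count']}x "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

      On the constructed sample this raises exactly one alert, for 203.0.113.5 after its fourth connection in 60 seconds; the fifth is suppressed by the cooldown, the single probe from 198.51.100.7 stays below the threshold (the "occasional random scan"), the blocked packet to port 22 is not counted at all, and the late hit at 10:40 finds an empty window. The returned dict is what you would hand to whatever sends the email; the script itself only prints. It reads a file path as its first argument, so it can be pointed at a copy of the filter log, or at a syslog feed if you forward filterlog off the box.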

        Logging is going to be your best bet. The new sshguard logs will give you pretty close to what you want.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          172pilot

          Never heard of sshguard before. At first glance, that does seem like a pretty good solution, thanks! I'll check it out. I kind of wish it was more generic than ONLY guarding ssh (maybe it is; I haven't looked into the docs yet), but at least for now ssh is going to be my only exposed service.

            Derelict (Netgate)

            It will log ssh and webgui attempts.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.