Set up mail alerts for intruders / if hacked
Is it possible to set up mail alerts when unknown devices want to join the network? I have set up System \ Advanced \ Notifications so that an email can be sent; I tested this and it works, but I cannot figure out yet how to receive alerts by mail if a strange device wants to enter the network.
I have installed various items via the package manager (Suricata and Snort), but I do not find a mail option there.
Thanks in advance! Jeroen
Gertjan
For the mail part, not complicated:

```php
#!/usr/local/bin/php -q
<?php
/* pfSense's notification helpers (mail, plus whatever other remote
   notification methods are enabled under System > Advanced > Notifications) */
require_once("/etc/inc/notices.inc");

/* do here what you need to do to declare your system hacked */
/* The message - or result - should be stored in $the_message */
/* Placeholder assignment so the script runs as-is; replace with your check. */
$the_message = "test-hacked.php: replace this text with the result of your check";

/* Sends $the_message through every configured remote notification method. */
notify_all_remote($the_message);
?>
```
call the file /root/test-hacked.php
and call it like this :
```sh
# -q suppresses HTTP header output when running a script from the shell
# (the original post used -a, which starts PHP's interactive shell instead of running the file)
php -q /root/test-hacked.php
```
Btw: how do you test if a system is hacked?
What is the big deal if some unknown device connects to one of your LANs? That doesn't mean it can actually threaten any other device on that LAN.
For example : pfSense uses firewall rules to permit access, or not.
Trusted networks, like the first 'real' LAN, should not be made accessible to non-trusted devices.
AndyRH
We do something similar on our protected networks, but the network switch blocks access and phones it in. If you are trying to protect the systems on a network, the firewall will simply keep them from going out, but will not protect the systems inside.
Remember security is like an ogre (or an onion), it has layers.
Gertjan
it has layers
If a 'nasty player' already has access to your physical LAN (the wires) or your unprotected Wifi, then he is among your other users, who could suffer. Again: your pfSense is under your control.
It's not your role to protect the LAN users, and if it is: start protecting the physical access to your network: wall in the wires, take down that wifi. Use back-to-back fibre links; these are pretty tamper-proof.
You can use the arpwatch package to alert you via email when a new device connects to your network. I use my cellular carrier's SMS email alias so I can send out text alerts. This will not work if rogue devices mimic existing MAC addresses or if allowed devices are configured with dynamic "private" MAC addresses.
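To make the two arpwatch caveats in that reply concrete, here is an added example (my own code, not from the thread, the arpwatch project or pfSense). It parses arpwatch-style syslog lines, zero-pads the MACs so they can be compared with an allow-list, flags locally administered addresses (the "private"/randomized MACs phones use) by the U/L bit of the first octet, and rates a "changed ethernet address" or "flip flop" report as high severity, because that is the only arpwatch signal you get when a rogue clones an existing MAC. The log lines and KNOWN_MACS are constructed values; the hostname pfSense and interface em1 are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample syslog lines, modeled on arpwatch's "new station",
# "changed ethernet address" and "flip flop" reports. Not real logs from the
# thread; arpwatch prints MAC octets without zero padding (0:c:29:...).
SAMPLE_LOG = """\
Mar  3 10:14:02 pfSense arpwatch: new station 192.168.1.50 0:c:29:3a:5b:6c em1
Mar  3 10:14:09 pfSense arpwatch: new station 192.168.1.51 6e:1f:2a:99:aa:bb em1
Mar  3 10:20:41 pfSense arpwatch: changed ethernet address 192.168.1.20 0:c:29:3a:5b:6c (f4:5c:89:12:34:56) em1
Mar  3 10:21:00 pfSense arpwatch: flip flop 192.168.1.20 f4:5c:89:12:34:56 (0:c:29:3a:5b:6c) em1
"""

# Assumed allow-list of MACs you consider yours (hypothetical value).
KNOWN_MACS: Set[str] = {"f4:5c:89:12:34:56"}

LINE_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<mac>[0-9a-fA-F:]+)"
    r"(?: \((?P<old>[0-9a-fA-F:]+)\))? (?P<iface>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet so '0:c:29:3a:5b:6c' equals '00:0c:29:3a:5b:6c'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the address
    was assigned by software: what phones call a 'private' or randomized MAC."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


@dataclass
class Alert:
    event: str
    ip: str
    mac: str
    old_mac: Optional[str]
    iface: str
    severity: str
    reason: str


def triage(log_text: str, known_macs: Set[str]) -> List[Alert]:
    """Turn arpwatch report lines into rated alerts; non-arpwatch lines are skipped."""
    known = {normalize_mac(m) for m in known_macs}
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event, ip, iface = m["event"], m["ip"], m["iface"]
        mac = normalize_mac(m["mac"])
        old = normalize_mac(m["old"]) if m["old"] else None

        if event == "new station":
            if mac in known:
                sev, why = "low", "known MAC seen on a new IP (DHCP churn?)"
            elif is_locally_administered(mac):
                sev, why = "medium", ("randomized/private MAC: cannot be matched "
                                      "to an allow-list, identify the device another way")
            else:
                sev, why = "high", "unknown hardware MAC joined the segment"
        else:
            # The IP now answers from a different MAC: address reuse, or a device
            # impersonating an existing host. A cloned MAC never appears as
            # 'new station', so this is the only arpwatch signal for it.
            sev, why = "high", f"{ip} moved from {old} to {mac}: possible spoofing"
        alerts.append(Alert(event, ip, mac, old, iface, sev, why))
    return alerts


def format_mail(alerts: List[Alert]) -> str:
    """Body text you could pass to pfSense's notify_all_remote() or mail(1)."""
    return "\n".join(
        f"[{a.severity.upper()}] {a.event}: {a.ip} {a.mac} on {a.iface}: {a.reason}"
        for a in alerts
    )


if __name__ == "__main__":
    print(format_mail(triage(SAMPLE_LOG, KNOWN_MACS)))
```

Run it against the sample and the first line rates high (an unknown hardware MAC), the second medium (a randomized MAC that no allow-list can vouch for), and the two reports on 192.168.1.20 high, which is the case the reply above says plain "new device" alerting misses. Feeding the returned text to a script like the notify_all_remote() one earlier in the thread turns it into the mail alert the original question asked for.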