Failed Login Alerts via e-mail notification

Visseroth · Jan 25, 2016, 11:48 AM

This is a feature that would notify if someone is trying to break into the firewall if there are to many failed login attempts within x amount of seconds.
For those running multiple firewalls at multiple locations this would be EXTREMELY handy because having the firewall push syslogs to a central site just isn't practical unless those logs are also being filtered.
My thought was that this would include Web GUI and SSH failed login attempts.
Heck, if you could just set, "If you see this string then execute this action", that would even work. Because then the notifications could be customized for all sorts of stuff! Downed link(s), errors, ect.

Thoughts? Anyone willing to donate? I am! I'm not rich but I'd be willing to send $50+

haddock · Jan 26, 2016, 3:51 PM

Any sensible user would firewall down management of the firewall to start with.

In my world centralized syslog with triggers/filters would be the way to go. I can recommend the ELK-stack to solve that.

Visseroth · Jan 26, 2016, 4:54 PM

I completely agree, on a enterprise or network where there is always IT staff, but the firewalls I have in place are managed by me, I'm a 1 man crew 99% of the time managing multiple small networks which don't have syslog servers.

haddock · Feb 2, 2016, 8:57 AM

Well, even a 1 man army can register a dynamic DNS.

Here, have a free tip on me:

Register a free dyndns service of your choice (I can recommend https://freedns.afraid.org/ ).

Create an alias in each of your managed pfsense installs with the FQDN of your DNS.

Create a firewall rule to allow external management of your firewalls using your newly created alias as source adress.

Delete any other external management rules that you may have created.

Now configure the site where you spend most of your time to update your dyndns record.

If you are on any other site and need to manage any of the pfsense installs, VPN to your primary site (either push default route there, or just push routes to your managed firewalls.)

Boom! A much more secure setup and no more failed login attempts.

jimp · Feb 2, 2016, 1:38 PM

As others have said, do not expose the GUI and SSH to the world – ssh may be OK using key-based auth, not password auth, but even so it's best to use a VPN.

While knowing about failed login attempts is good, being reactionary to that is bad. The system will automatically shut out bad attempts from an IP address after a few failures, but it's best not to expose it at all. Using a distributed system it could still be possible for someone to brute force things, especially if you use weak passwords.

Spend a couple moments per site to setup a proper VPN that you can use to remote in and manage and you'll be much better off. DynDNS filtering for a rule is OK but not as secure as a VPN.

dcol · Oct 4, 2017, 3:31 PM

It would be nice if we were notified about anything. There is no documentation anywhere stating which alerts trigger an email. Also, there should be a GUI letting us choose which alerts to turn on/off, if there are any.

jimp · Oct 4, 2017, 3:35 PM

Please keep your posts in a single, relevant thread. Spamming across a half dozen threads is not going to win anyone over. Locking this.