
Author Topic: How to secure and monitor pfsense  (Read 2682 times)


Offline gbtech

  • Jr. Member
  • Posts: 71
How to secure and monitor pfsense
« on: May 18, 2010, 11:26:37 am »
Hi,

I installed BandwidthD and Darkstat to monitor traffic going through my pfSense firewall. I want to know how to use both tools to analyze whether someone is trying to hack our system from an external source. I checked Darkstat and there are a bunch of external IP addresses, and when I opened some IP addresses that I did not know to see what port they were trying to access, I saw port 47741 and some other ports that I know are being blocked in my WAN rules.

Does this mean that they have already passed through my firewall rules? Although my first rule blocks RFC 1918 networks.

Hope for your help.

Thanks.

Offline jimp

  • Administrator
  • Hero Member
  • Posts: 14935
Re: How to secure and monitor pfsense
« Reply #1 on: May 19, 2010, 08:04:01 am »
Those utilities report bandwidth used, so they will only show traffic from IPs that have made connections. This does not mean they have "hacked" you, it most likely means someone inside your network has made a connection outbound to that server and requested something (e.g. web content). The port you don't recognize is probably the random client port of the connection, and the other port it shows for that same connection is likely the meaningful one.

Nothing can get in unless you let it. If you have no firewall rules on WAN, nothing can get in unsolicited. Someone on a local PC could still download something bad, but it would have to be a locally initiated connection.

If you want to know if someone is trying to get in, snort is probably a better choice to install.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!
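
An added example, not part of the thread or of pfSense: a small Python heuristic for the point in the reply above, that the unfamiliar high port is usually the random client port and the other port is the meaningful one. It assumes the monitor listens on the LAN side so local hosts appear with RFC 1918 addresses; the service-port list and the sample pairs are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges listed explicitly: ipaddress's is_private flag also covers
# other reserved blocks, which would misclassify some external addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: ports below 1024, plus this hypothetical site list, are service
# ports; anything else is treated as a random client (ephemeral) port.
KNOWN_SERVICES = {3389, 8080, 8443}

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def is_service(port):
    return port < 1024 or port in KNOWN_SERVICES

def classify(ep_a, ep_b):
    """Return (verdict, external_ip, service_port) for two (ip, port) endpoints."""
    if is_local(ep_a[0]) == is_local(ep_b[0]):
        return ("not-lan-to-wan", None, None)
    local, remote = (ep_a, ep_b) if is_local(ep_a[0]) else (ep_b, ep_a)
    if is_service(remote[1]) and not is_service(local[1]):
        # LAN host used a random client port to reach an external service.
        return ("outbound", remote[0], remote[1])
    if is_service(local[1]) and not is_service(remote[1]):
        # External client talking to a LAN service: check WAN rules/forwards.
        return ("inbound", remote[0], local[1])
    return ("ambiguous", remote[0], None)

# Constructed sample pairs (documentation address ranges), not real traffic.
SAMPLE = [
    (("192.168.1.20", 47741), ("203.0.113.10", 80)),
    (("198.51.100.7", 40112), ("192.168.1.35", 25)),
    (("192.168.1.20", 50001), ("198.51.100.9", 50002)),
]

def review(flows):
    return [classify(a, b) for a, b in flows]

if __name__ == "__main__":
    for verdict in review(SAMPLE):
        print(verdict)
```

Port numbers alone cannot prove who initiated a connection, so treat "inbound" and "ambiguous" results as prompts to check the firewall's own logs and rules.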

Offline gbtech

Re: How to secure and monitor pfsense
« Reply #2 on: May 19, 2010, 08:19:44 am »
Thanks jimp,

I already installed snort and I don't know how to use and configure it well. Is there in-depth documentation on how to use it to know if someone is trying to get through your firewall?

Offline jimp

Re: How to secure and monitor pfsense
« Reply #3 on: May 19, 2010, 08:26:48 am »
If there is any doc for it, it would be a sticky in the packages forum or on the doc wiki (see the link in my sig). I can't remember offhand if there is a guide.

Offline gbtech

Re: How to secure and monitor pfsense
« Reply #4 on: May 19, 2010, 08:58:13 am »
I found this in my snort log; please see the screenshot. How do I know whether they successfully got into my system or not, and how do I prevent it to make sure they will not be able to get in again? Do I have to put them on the blacklist in snort?
« Last Edit: May 19, 2010, 09:03:13 am by gbtech »

Offline gbtech

Re: How to secure and monitor pfsense
« Reply #5 on: May 19, 2010, 09:15:02 am »
Also, when I tried to update snort, it gave me this error message.

Directory so_rules does not exist...
Error copying so_rules...

I have this version: Snort 2.8.4.1_5 pkg v. 1.6

Hope for your help.

Thanks.