Share your data

The more data, the better! Sharing the traffic that was blocked on your firewall, so it can be displayed on the map, is completely free! This short tutorial explains how to set it up on a (free) pfSense firewall. Steps:

  • Send us your source address information
  • Set up an IP Port Alias: Commonly_Attacked_Ports Alias
  • Add a WAN firewall rule to block Commonly_Attacked_Ports and enable log
  • Activate remote logging for Firewall Events to our remote syslog host

1. Send us your source address information

To accept your incoming logs, we need to know the IP address or hostname (dynamic DNS) that will send them to us. This is your public WAN IP provided by your ISP. If you have a dynamic IP address (most residential connections), please provide us with the host record of your dynamic DNS provider, such as dynu.net.

Contact us: cyberattackmaps@gmail.com

2. Set up an IP Port Alias: Commonly_Attacked_Ports

Our map only shows 25 of the most commonly attacked and scanned ports. For maximum efficiency, only attacks on these ports should be sent to our logs.

Go to Firewall -> Aliases -> Ports and click Add.

Name and description can be Commonly_Attacked_Ports.

This is our current list of ports:

Port   Description
22     SSH
23     Telnet
25     SMTP
80     http
81     http alternative
110    POP3
135    EPMAP
135    http alternative
137    NetBIOS
139    NetBIOS
443    https
445    SMB
1080   Socks Proxy
1194   OpenVPN
1433   SQL Server
2323   Telnet alternative
2967   Symantec
3306   MySQL
3389   Remote Desktop
4899   Radmin
5060   SIP
5900   vnc
5901   vnc alternative
7547   TR069 remote management
8080   http alternative

After adding the ports, click Save.

3. Add a WAN firewall rule to block Commonly_Attacked_Ports and enable log

By default, the WAN will block every port but not log this. Therefore, after all allow rules, a rule should be added to block the Commonly_Attacked_Ports with logging enabled.

Go to Firewall -> Rules -> WAN and click Add (arrow down). Insert these settings:

Action                  Block
Interface               WAN
Address Family          IPV4+IPV6
Protocol                UDP/TCP
Source                  Any
Destination             Any
Destination Port Range  other: Commonly_Attacked_Ports (your created alias)
Log                     Enable Log Packets
Description             Common Attacks from World

Click Save

4. Activate remote logging for Firewall Events to our remote syslog host

Go to Status -> System Logs -> Settings and configure as specified above.

Click Save. You are done!

Watch out: Since our syslog server uses a dynamic IP address, we will provide a hostname for the “Remote Log Servers” field and not an IP address. When the underlying IP address changes, you will need to press “Save” again for the logs to be sent to the new IP address. This happens every few months. We are looking into a solution to do this automatically by a cron job, or by getting a static IP.

Warning: The data sent by pfSense is unencrypted and might be intercepted. Make sure not to send us sensitive information that cannot be shared.
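
Remote logging of Firewall Events forwards every logged firewall entry, not only hits on the rule from step 3, so it is worth checking a copy of the local firewall log before step 4. The script below is an added example, not part of the original tutorial: it separates entries the WAN block rule should produce from everything else. It assumes BSD-style syslog lines, the comma-separated field order of pfSense's raw filter log, and `em0` as the WAN device name; the function names and sample lines are constructed for illustration.

```python
import csv

# Ports from the table in step 2 (port 135 is listed twice there).
COMMON_PORTS = {22, 23, 25, 80, 81, 110, 135, 137, 139, 443, 445, 1080, 1194,
                1433, 2323, 2967, 3306, 3389, 4899, 5060, 5900, 5901, 7547, 8080}

def parse_filterlog(line):
    """Parse one BSD-style syslog line from filterlog; None if not parseable."""
    start = line.find("filterlog")
    parts = line[start:].split(": ", 1) if start >= 0 else []
    if len(parts) != 2:
        return None
    f = next(csv.reader([parts[1].strip()]))
    if len(f) < 9 or f[8] not in ("4", "6"):
        return None
    # Assumed offsets: protocol name / source address at 16 / 18 (IPv4), 12 / 15 (IPv6).
    proto_i, src_i = (16, 18) if f[8] == "4" else (12, 15)
    if len(f) < src_i + 2:
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[proto_i].lower(),
           "src": f[src_i], "dst": f[src_i + 1], "dport": None}
    if rec["proto"] in ("tcp", "udp") and len(f) > src_i + 3 and f[src_i + 3].isdigit():
        rec["dport"] = int(f[src_i + 3])
    return rec

def audit(lines, wan_if):
    """Split entries into those the WAN block rule should produce and the rest."""
    expected, unexpected = [], []
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        ok = (rec["iface"] == wan_if and rec["action"] == "block"
              and rec["dir"] == "in" and rec["dport"] in COMMON_PORTS)
        (expected if ok else unexpected).append(rec)
    return expected, unexpected

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    "Jan  1 00:00:01 fw filterlog[411]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,1,0,none,6,tcp,60,203.0.113.7,198.51.100.20,51234,23,0,S,1,,64240,,mss",
    "Jan  1 00:00:02 fw filterlog[411]: 80,,,1700000001,em1,match,pass,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.1.50,192.0.2.10,40000,443,0,S,1,,64240,,mss",
    "Jan  1 00:00:03 fw filterlog[411]: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,56,UDP,17,28,2001:db8::5,2001:db8::1,40001,5060,28",
    "Jan  1 00:00:04 fw filterlog[411]: 4,,,1000000103,em0,match,block,in,4,0x0,,64,4,0,none,6,tcp,60,203.0.113.9,198.51.100.20,51300,6379,0,S,1,,64240,,mss",
    "Jan  1 00:00:05 fw sshd[900]: Accepted publickey for admin from 192.168.1.50",
]

if __name__ == "__main__":
    good, other = audit(SAMPLE, wan_if="em0")  # "em0" is an assumed WAN device name
    print(len(good), "expected;", len(other), "to review before sharing:", other)
```

Entries in the second list come from other rules that have logging enabled (for example LAN pass rules) and would be sent over the unencrypted channel as well.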