The more data, the better! Sharing the traffic that was blocked on your firewall, to display it on the map, is completely free! A small tutorial explains how to set it up on a (free) pfSense firewall. Steps:
- Send us your source address information
- Setup an IP Port Alias: Commonly_Attacked_Ports Alias
- Add a WAN firewall rule to block Commonly_Attacked_Ports and enable log
- Activate remote logging for Firewall Events to our remote syslog host
1. Send us your source address information
In order to allow your incoming logs, we will need to know the IP address or hostname (dynamic DNS) that will send us the logs. This is your public WAN IP provided by your ISP. When you have a dynamic IP address (most residential connections), please provide us the host record of your dynamic DNS provider, such as dynu.net.
Contact us: firstname.lastname@example.org
2. Setup an IP Port Alias: Commonly_Attack_Ports
Our maps only shows 25 of the most commonly attacked and scanned ports. For maximum efficiency, only attacks on these ports should be send to our logs.
Go to Firewall -> Aliases -> Ports and click Add.
Name and description can be Commonly_Attacked_Ports.
This is our current list of ports:
|7547||TR069 remote management|
After adding the ports, click Save.
3. Add a WAN firewall rule to block Commonly_Attacked_Ports and enable log
By defFault, the WAN will block every port but not log this. Therefor, after all allowed rules, a rule should be added to block the Commonly_Attacked_Ports with logging enabled.
Go to Firewall -> Rules -> WAN and click Add (arrow down). Insert these settings:
|Destination Port Range||other: Commonly_Attacked_Ports (your created alias)|
|Log||Enable Log Packets|
|Description||Common Attacks from World|
4. Activate remote logging for Firewall Events to our remote syslog host
Go to Status -> System Logs -> Settings and configure as specified above.
Click Save. You are done!
Watchout: Since our syslog server uses a dynamic IP address, we will provide a hostname for the “Remote Log Servers” field and not an IP address. When the unterlying IP address changes, you will need to press “Save” again for the logs to be send to the new IP address. This happens every few months. We are looking into solution to do this automatically by a cron job, or by getting a static IP.
Warning: The data sent by pfsense is unencrypted and might be intercepted. Make sure to not send us sensitive information that cannot be shared.