A lightweight system for monitoring authentication events on pfSense firewalls with email and Gotify notifications, including SSH connections and SSHGuard blocking events.
This project provides two shell scripts that work together to:
- Monitor the pfSense authentication log file (/var/log/auth.log) for successful and failed login attempts
- Track SSH connections and SSHGuard blocking activities
- Send notifications via:
  - Email (using pfSense's built-in notification system)
  - Gotify push notifications
- Track successful and failed login attempts
- Monitor SSH connections to your pfSense system
- Receive alerts when SSHGuard blocks suspicious IP addresses
- Send email notifications using your pfSense SMTP settings
- Send push notifications via Gotify
- Keep track of processed log entries to avoid duplicate notifications
- Configurable for your environment
- A pfSense firewall with shell access
- Gotify server (optional but recommended)
- SMTP configuration set up in pfSense System > Advanced > Notifications
- Create a directory for the scripts:
  mkdir -p /root/Scripts
- Create the check_pfsense_login.sh script:
  vi /root/Scripts/check_pfsense_login.sh
  Copy the contents from the file in this repository.
- Create the gotify_auth_alert.sh script:
  vi /root/Scripts/gotify_auth_alert.sh
  Copy the contents from the file in this repository.
- Make both scripts executable:
  chmod +x /root/Scripts/check_pfsense_login.sh
  chmod +x /root/Scripts/gotify_auth_alert.sh
- Edit the gotify_auth_alert.sh script to update:
  - Your Gotify server address
  - Your Gotify application token
- Set up a cron job to run the monitoring script periodically. Add the following to System > Cron:
  - Command: /root/Scripts/check_pfsense_login.sh
  - Schedule: */5 * * * * (runs every 5 minutes)
In gotify_auth_alert.sh, update these variables:
# Gotify Configuration
GOTIFY_SERVER="http://your-gotify-server:8070" # Your Gotify server address
GOTIFY_TOKEN="YourGotifyApplicationToken" # Your application token
The script uses pfSense's built-in notification system, so make sure your SMTP settings are correctly configured in pfSense at:
System > Advanced > Notifications > E-Mail
- check_pfsense_login.sh scans the auth.log file for new entries since the last check
- The script detects different types of events:
  - Standard authentication successes and failures
  - SSH connection attempts
  - SSHGuard blocking actions
- When it finds an event, it extracts the relevant information (username, IP address)
- It calls gotify_auth_alert.sh with these details
- gotify_auth_alert.sh sends notifications to both Gotify and email
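The scan-and-classify flow described above, as an added example that is not the repository's check_pfsense_login.sh. The log line formats, the `EVENT|user|ip` record layout and every function name are assumptions; the sketch also restarts from the top after log rotation and replaces unexpected characters in the username, since that field is written by whoever attempted the login.

```shell
#!/bin/sh
# Added example, not the repository's script; log line formats are constructed samples.
grab() { printf '%s\n' "$line" | sed -n "$1"; }   # run one sed extraction on $line
# Print "EVENT|user|ip" for a line of interest; print nothing for other lines.
classify_auth_line() {
    line=$1 user=- ip=
    case $line in
        *"Successful login for user"*)     ev=AUTH_SUCCESS kind=gui ;;
        *"authentication error for user"*) ev=AUTH_FAILURE kind=gui ;;
        *"sshd["*"Accepted "*)             ev=SSH_CONNECTION kind=ssh ;;
        *"sshguard["*"Blocking "*)         ev=SSHGUARD_BLOCK kind=guard ;;
        *) return 0 ;;
    esac
    case $kind in
        gui) user=$(grab "s/.*for user '\([^']*\)'.*/\1/p")
             ip=$(grab 's/.*from: \([0-9a-fA-F.:]*\).*/\1/p') ;;
        ssh) user=$(grab 's/.*Accepted [^ ]* for \([^ ]*\) from .*/\1/p')
             ip=$(grab 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p') ;;
        guard) ip=$(grab 's/.*Blocking "\([0-9a-fA-F.:]*\).*/\1/p') ;;
    esac
    # Log fields are attacker-influenced: replace anything outside a safe set.
    user=$(printf '%s' "$user" | tr -c 'A-Za-z0-9._@-' '?')
    printf '%s|%s|%s\n' "$ev" "${user:--}" "$ip"
}

# Print lines added to LOG since the count saved in STATE, then save the new count.
# A log shorter than the saved count was rotated, so start again from line 1.
new_lines_since() {
    log=$1 state=$2 last=0
    if [ -f "$state" ]; then last=$(cat "$state"); fi
    case $last in ''|*[!0-9]*) last=0 ;; esac
    total=$(wc -l < "$log" | tr -d ' ')
    if [ "$total" -lt "$last" ]; then last=0; fi
    if [ "$total" -gt "$last" ]; then sed -n "$((last + 1)),${total}p" "$log"; fi
    printf '%s\n' "$total" > "$state"
}

scan_log() {   # one record per new event; hand records on as quoted arguments
    new_lines_since "$1" "$2" | while IFS= read -r l; do classify_auth_line "$l"; done
}

sample_log() { cat <<'EOF'
Jan 10 10:00:01 fw php-fpm[412]: /index.php: Successful login for user 'admin' from: 192.0.2.10 (Local Database)
Jan 10 10:02:13 fw php-fpm[412]: /index.php: webConfigurator authentication error for user 'ro|ot' from: 203.0.113.9
Jan 10 10:03:40 fw sshd[7731]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Jan 10 10:04:02 fw sshguard[6021]: Blocking "203.0.113.9/32" for 120 secs (3 attacks in 2 secs, after 1 abuses over 2 secs.)
EOF
}
d=$(mktemp -d); sample_log > "$d/auth.log"; scan_log "$d/auth.log" "$d/state"; rm -rf "$d"
```

Saving the line count taken before printing, rather than counting again afterwards, keeps a line appended mid-run from being skipped on the next pass.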
The system now monitors and alerts on:
- Authentication Success: Successful logins to the pfSense web interface
- Authentication Failure: Failed login attempts to the pfSense web interface
- SSH Connection: When someone connects to your pfSense system via SSH
- SSHGuard Block: When SSHGuard detects and blocks suspicious IP addresses
You can customize the scripts to:
- Change notification priorities
- Add geo-location information for IP addresses
- Filter out specific users or IP addresses
- Adjust the notification format
Check the system logs for error messages:
tail -f /var/log/system.log | grep pfsense_auth_alert
MIT License - See LICENSE file for details.
Contributions are welcome! Please feel free to submit a Pull Request.
Give the project a ⭐ on GitHub and spread the word!