Hi, just wondering if any of you have configured some clever flow to watch for "unexpected visitors" to your network. I just saw a Swedish TV program "You Are Hacked" where a team of hackers got the task to hack into an unaware family home network & take control of their home automation system (and basically the rest). Needless to say, they succeeded!!
I thought of regularly check the arp table and compare with a white list but there might be better ways?
I do a periodic network scan and I save that to a file, a file-based Node-RED global variable as well as publish to MQTT.
The data can be enriched with some additional information which I do via a uibuilder page that shows it as a table with some editable fields. So I can add real names and descriptions to the raw MAC and IP addresses, last seen, etc.
It would be easy enough to use something like this to monitor and alert on unknown devices coming onto the network.
I used to use the ARP scan/ping but switched to NMAP because it seems to be a lot more reliable. You have to run it as sudo though, I add it to the sudo crontab and it runs every 15 minutes.
Here is the script:
#! /usr/bin/env bash
# Fast scan the local network for live devices and record
# to /tmp/nmap.xml which can be used in Node-RED
#
# To run manually:
# sudo /home/home/nrmain/system/nmap_scan.sh
#
# To run via cron:
# sudo crontab -e
# 01,16,31,46 * * * * /home/home/nrmain/system/nmap_scan.sh
# Run the scan
nmap -sn --oX /tmp/nmap.xml --privileged -R --system-dns --webxml 192.168.1.0/24
# Make sure ownership & ACLs on the output are secure
chown root:home /tmp/nmap.xml
chmod --silent 640 /tmp/nmap.xml
# Trigger the Node-RED update
#curl --silent --output /dev/null 'http://localhost:1880/localnetscan' > /dev/null
#curl --insecure -I 'https://localhost:1880/localnetscan'
curl -I 'http://localhost:1880/localnetscan'
Brilliant!! Thanks, time to implement!
EDIT: Is a lot of stuff in the network!! I did put together a simple flow based on ideas from your script and putting the result into a dashboard view. Green entries are recognized, red are unknown and will notify me if detected. Each is matched against local references of known ip & mac addresses. Works nice, runs on a RPi3!
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
Copyright OpenJS Foundation and Node-RED contributors. All rights reserved. The OpenJS Foundation has registered trademarks and uses trademarks. For a list of trademarks of the OpenJS Foundation, please see our Trademark Policy and Trademark List. Trademarks and logos not indicated on the list of OpenJS Foundation trademarks are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
The OpenJS Foundation | Terms of Use | Privacy Policy | OpenJS Foundation Bylaws | Trademark Policy | Trademark List | Cookie Policy
