Watching your network for unwanted visitors

Hi, just wondering if any of you have configured some clever flow to watch for "unexpected visitors" to your network. I just saw a Swedish TV program "You Are Hacked" where a team of hackers got the task to hack into an unaware family home network & take control of their home automation system (and basically the rest). Needless to say, they succeeded!!

I thought of regularly check the arp table and compare with a white list but there might be better ways?

I do a periodic network scan and I save that to a file, a file-based Node-RED global variable as well as publish to MQTT.

The data can be enriched with some additional information which I do via a uibuilder page that shows it as a table with some editable fields. So I can add real names and descriptions to the raw MAC and IP addresses, last seen, etc.

It would be easy enough to use something like this to monitor and alert on unknown devices coming onto the network.

I used to use the ARP scan/ping but switched to NMAP because it seems to be a lot more reliable. You have to run it as sudo though, I add it to the sudo crontab and it runs every 15 minutes.

Here is the script:

#! /usr/bin/env bash
# Fast scan the local network for live devices and record
# to /tmp/nmap.xml which can be used in Node-RED
# To run manually:
#   sudo /home/home/nrmain/system/
# To run via cron:
#   sudo crontab -e
#       01,16,31,46 * * * * /home/home/nrmain/system/

# Run the scan
nmap -sn --oX /tmp/nmap.xml --privileged -R --system-dns --webxml
# Make sure ownership & ACLs on the output are secure
chown root:home /tmp/nmap.xml
chmod --silent 640 /tmp/nmap.xml
# Trigger the Node-RED update
#curl  --silent --output /dev/null 'http://localhost:1880/localnetscan' > /dev/null
#curl --insecure -I 'https://localhost:1880/localnetscan'
curl -I 'http://localhost:1880/localnetscan'

Brilliant!! Thanks, time to implement!

EDIT: Is a lot of stuff in the network!! I did put together a simple flow based on ideas from your script and putting the result into a dashboard view. Green entries are recognized, red are unknown and will notify me if detected. Each is matched against local references of known ip & mac addresses. Works nice, runs on a RPi3!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.