Page 1 of 2 (results 1 to 10 of 12)
  1. #1
    Master Untangler
    Join Date
    Aug 2008
    Posts
    109

    Receive Email whenever new computer added to network

    After a little episode at one of my clients from a wireless hack, and another issue on my own network with a rogue AP and computer plugged in for P2P downloading, I wrote this little application to email whenever an unknown computer (or network device) joins the network. It uses both a scan of the syslog file for any DHCPACK as well as a ping broadcast to your own network, followed by an arp -a to pick up any static devices too. Using a cron to run every 5 minutes, I'll know within a few minutes if anything new is there, and deal with it.

    This is also a good basis to add devices to a block list until manually handled (my next step likely) to provide some form of network access control, albeit something affordable to small business.

    It pulls the email from your administration settings on the Untangle server directly as well as your IP settings.

    Simply rename this file to something appropriate for your system, transfer to your Untangle server and set up a cron job for it at whatever interval you wish.

    If you have a large number of systems on your network, you may disable the email on the first run while it builds its database by finding the 3rd last line "SENDMAIL" and putting a pound symbol to comment it out like "#SENDMAIL". Restore it after the first run and you'll now have a list of the machines on your network by MAC address.

    THIS IS A BETA RELEASE. It doesn't make any changes to your system so should have no impact if it doesn't run on your system other than it failing itself.

    The email title lists a subject ("currently DSC New Computer" or whatever client site it's at) that also contains the IP and DNS name of the computer. The body also contains the MAC and a lookup to the IEEE database of MAC manufacturers such that I have an idea of what kind of computer or device I'm looking for.

    Any questions, email me at dcbour at desktopsolutioncenter dot ca.

    Thanks and hope you find it useful.
    Dave

  2. #2
    Untanglit
    Join Date
    Oct 2008
    Location
    Southern California
    Posts
    16


    I will definitely check this out...

  3. #3
    Master Untangler
    Join Date
    Oct 2008
    Posts
    142


    This is a great idea. I would love the ability to not allow another device until it is manually approved in the network!

  4. #4
    Master Untangler mozerd
    Join Date
    Nov 2008
    Location
    Nepean Ontario Canada
    Posts
    252


    For my clients [home networks and business networks] I strongly encourage the use of RADIUS access control and MAC access filtering at the AP .... As a best practice unapproved devices are simply not allowed - no compromise of whatsoever nature. I have yet to have any of my clients hacked by anyone capable of doing so.

    I do see the value of newusermonitor from a notification perspective -- but in my situation that's too late. :-)

  5. #5
    Untanglit
    Join Date
    Mar 2008
    Posts
    27


    If you auto-add users to the block list, unless this is sending it to your switches/APs, you are only preventing them from passing traffic through your UT or getting DHCP.
    With a static IP, they will still have the ability to communicate with other devices. To prevent anonymous users from attacking the system, you will need to control it as close to the connection points as possible; i.e. AP and switch MAC allow/deny lists.

    I do like the idea of being notified of new devices connecting though. Does this send duplicate emails if a user disconnects, and then hours/days later reconnects?

  6. #6
    Master Untangler
    Join Date
    Aug 2008
    Posts
    109


    Ideally, a VLAN redirect would be best, I would agree, to isolate the user, but that's a little bit of coin and most clients just are not going for that. What this script does is simply track the MAC addresses and, as soon as a new one is seen, send an email along with the IP assigned. I've created a couple of additional lines to actually put them on a "blocked rack" at this point too. The block rack is also my default should they try playing the IP switch game, provided they don't hit an active working one. Yes, they could still access internal resources, or statically assume a working address with the issues that creates. Bottom line is it keeps the honest honest and tells me if someone is there, which is way ahead of anything I had previously.

  7. #7
    Untangler Xhen
    Join Date
    Feb 2009
    Posts
    40


    WOW, it would be something interesting for my network.
    Thx

  8. #8
    Untangle Ninja juank
    Join Date
    Aug 2007
    Location
    Athens
    Posts
    1,474


    dcbour, GREAT IDEA !!!!
    In my case, our UT box doesn't do DHCP so there are no DHCPACKs in the syslog. Have you seen any other reference to MAC addresses in the Postgres DB? If so, I guess you can harvest that info from there and in that case, your script will serve other UT guys like me not using UT's DHCP capability. What do you think?
    --------------------------------
    Juan Machado
    --------------------------------

  9. #9
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    16,890


    Quote Originally Posted by mozerd
    For my clients [home networks and business networks] I strongly encourage the use of RADIUS access control and MAC access filtering at the AP .... As a best practice unapproved devices are simply not allowed - no compromise of whatsoever nature. I have yet to have any of my clients hacked by anyone capable of doing so.

    I do see the value of newusermonitor from a notification perspective -- but in my situation that's too late. :-)
    Very true, but most home users don't want or have the ability to understand, let alone work with... MAC address filters.

    Heck... I don't even do that... just use WPA or better access control with a good password and you're set.

    And for heaven's sake... ROTATE your key every so often.

    Back to the OP... good idea. I'm going to have to try this out on a customer's open network... it would be interesting if I could get some information about the people connecting to the network to deliver in some kind of report.
    Rob Sandling, BS:SWE, MCP
    Intouch Technology
    Phone: 480-272-9889
    rob@intouchtechllc.com

    UntangleAppliances.com
    Phone: 866-794-8879

  10. #10
    Master Untangler
    Join Date
    Aug 2008
    Posts
    109

    arp is your friend ;)

    I use ARP -A as well as the syslog entries. The syslog is a longer term view as arp refreshes too often. If you run every minute or so, it won't matter.

    I've now changed the scripts slightly to store the date first seen as well as the IP initially assigned and a name (uses the computer name if returned on the arp command). You can manually override the name. It inserts an entry in my policy manager table assigning the computer full block policy (my default) (yes, a lame attempt at security, but without VLAN integration... best I can do at this point) and then sends an email to the administrator account notifying of the new computer.

    The only reason I insert the computer into the policy table is that I can quickly change the privileges if the user needs to. Slightly faster than creating a rule for them from scratch.
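An added example, not dcbour's attached script, of the approach described in posts #1 and #10: pull MACs from DHCPACK syslog lines and from `arp -a` after a broadcast ping, compare them with a known-host file that records first-seen date, IP and name, and mail the administrator only about MACs never seen before. Assumptions (not from the thread): dnsmasq-style DHCPACK lines, Linux `arp -a` output, and the ADMIN_EMAIL and BROADCAST variables; the sample syslog and arp lines are constructed.

```shell
#!/bin/sh
# Added example, not the forum's attached script. Assumptions: dnsmasq-style
# DHCPACK syslog lines, Linux "arp -a" output, ADMIN_EMAIL/BROADCAST set by
# the operator. Known-host DB rows: MAC<TAB>first_seen<TAB>ip<TAB>name.
KNOWN_DB="${KNOWN_DB:-/var/lib/newusermonitor/known_hosts.tsv}"
# Constructed sample input (stands in for /var/log/syslog and "arp -a").
SAMPLE_SYSLOG='Mar  5 10:12:01 untangle dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.1.50 00:1a:2b:3c:4d:5e laptop1
Mar  5 10:13:07 untangle dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.1.51 00:1A:2B:3C:4D:5F'
SAMPLE_ARP='laptop1 (192.168.1.50) at 00:1a:2b:3c:4d:5e [ether] on eth1
printer (192.168.1.10) at 00:50:56:AA:BB:CC [ether] on eth1
? (192.168.1.77) at <incomplete> on eth1'

# stdin: syslog text -> stdout: "mac ip name" per DHCPACK (name "?" if absent).
dhcpack_leases() {
    awk '/DHCPACK/ { for (i = 2; i <= NF; i++)
        if ($i ~ /^[0-9a-fA-F:]+$/ && length($i) == 17) {
            n = (i < NF) ? $(i+1) : "?"; print tolower($i), $(i-1), n } }'
}

# stdin: "arp -a" text -> stdout: "mac ip name"; incomplete entries are skipped.
arp_neighbours() {
    awk '$4 ~ /^[0-9a-fA-F:]+$/ && length($4) == 17 {
        ip = $2; gsub(/[()]/, "", ip); print tolower($4), ip, $1 }'
}

# $1: DB file; stdin: "mac ip name" lines. Appends unseen MACs with today's
# date and echoes only those, so the caller can alert on them.
record_new_hosts() {
    db="$1"; mkdir -p "$(dirname "$db")"; [ -f "$db" ] || : > "$db"
    today="${SEEN_DATE:-$(date +%Y-%m-%d)}"
    sort -u | while read -r mac ip name; do
        if ! cut -f1 "$db" | grep -qxF "$mac"; then
            printf '%s\t%s\t%s\t%s\n' "$mac" "$today" "$ip" "$name" >> "$db"
            printf '%s %s %s\n' "$mac" "$ip" "$name"
        fi
    done
}

# Live run from cron: syslog leases plus a broadcast ping to fill the ARP table.
run_monitor() {
    { dhcpack_leases < /var/log/syslog
      ping -b -c 2 "${BROADCAST:?set BROADCAST}" > /dev/null 2>&1
      arp -a | arp_neighbours; } | record_new_hosts "$KNOWN_DB" |
    while read -r mac ip name; do
        printf 'New device %s at %s, MAC %s\n' "$name" "$ip" "$mac" |
            mail -s "New Computer: $ip $name" "${ADMIN_EMAIL:?set ADMIN_EMAIL}"
    done
}
if [ "${1:-}" = run ]; then run_monitor; fi
```

Run it as `sh newusermonitor.sh run` from cron; the first run seeds the database with everything currently present, so only later additions produce mail.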
