
DHCP Alerter Script Andrew Mallett | Updated April 2013

So we have a working ISC DHCP Server under FreeBSD or Linux and the service has been set up to log to its own file (FreeBSD | Linux). The server gives specific, reserved IP Addresses to known systems. Now I want my DHCP Server to notify me if it allocates an IP to an unknown node on the network, that is, a system with a MAC Address which is not listed in the dhcpd.conf file.

The DHCP server has a range (scope) of IPs which can be allocated to systems which are not listed in the reserved IP section. This is the default way of going about things, where it doesn't matter which box is given which IP. However for extra security you may want to lock down specific IPs to specific workstations.

This was the case when I was teaching Information Technology at TAFE, where I configured the DHCP server to give a specific IP to each of around 90 workstations on the LAN. This meant I knew (and could remotely access) each workstation by its IP Address. And yes, it was a pretty humongous config file. For security and bandwidth reasons, students were not allowed to put their own systems on the teaching network. When somebody did attempt to do this, I was notified that their unknown MAC Address had been given a general lease IP and so I was able to hunt them down and kill them.

Here's an example dhcpd.conf file..

# Andy's dhcpd.conf

default-lease-time 600;
max-lease-time 7200;
ddns-update-style ad-hoc;

# option definitions common to all supported networks..
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.50 192.168.0.70;
option routers 192.168.0.101;
option domain-name-servers 192.168.0.101;
option domain-name "domain.net";
}

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

#Example reserved IPs..
host andy.domain.net {
hardware ethernet 00:04:23:21:51:50;
fixed-address 192.168.0.100;
}
host cindy.domain.net {
hardware ethernet 00:fe:23:7e:14:22;
fixed-address 192.168.0.101;
}


The above config file will give out 'general range' IPs from 192.168.0.50 to 192.168.0.70. Note the example reserved IP Addresses for hosts 'andy' and 'cindy', which would receive specific IPs based on their known MAC Addresses (aka hardware ethernet).

Fiddling with the logs

Whenever a known workstation requests an IP Address, the ISC DHCP server notes the IP allocation in a specific log file; in the previous example I use /var/log/dhcpd.log. However if a system with an unknown MAC Address requests an IP, the server offers an IP from the general lease range and notes this in a different log file (typically /var/lib/dhcp3/dhcpd.leases under Linux and /var/db/dhclient.leases under FreeBSD).

I like to archive my logs at midnight, so my dhcpd.leases (or dhclient.leases) is usually empty except for the standard two lines..

Example default dhcpd.leases file..

# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-V3.1.2



This standard, empty log file is normally 126 bytes in size.

Example dhcpd.leases file showing a general lease..

# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-V3.1.2

lease 192.168.0.50 {
  starts 1 2012/02/13 06:31:20;
  ends 2 2012/02/14 01:01:20;
  tstp 2 2012/02/14 01:01:20;
  cltt 1 2012/02/13 06:31:20;
  binding state free;
  hardware ethernet 00:42:e2:55:ef:7c;
}

A new IP allocation to an unlisted host would show up as an increase in the size of the log file after it has been written to. Thus the essence of the DHCP alerter script is to periodically check that file for a change in its size.

Creating and developing the script

Here is version 1.0 of the Email alerter script..

#!/bin/sh
#Andys File Size - Email Alerter Script

cd /var/lib/dhcp3/
# Pull the dhcpd.leases line out of the long listing (the trailing $ keeps the
# backup file dhcpd.leases~ that dhcpd writes from matching too), then cut out
# the size column.
if [ $(ls -la | grep ' dhcpd.leases$' | cut -c 28-31) -gt "126" ]; then
mailx -s "New IP Address allocated" andym < /var/lib/dhcp3/dhcpd.leases
fi

After changing to the relevant directory, the second line of code uses grep to pull the line containing the dhcpd.leases filename from an ls -la listing, and then uses cut to strip every character from that line except the file size. (When playing around with the cut command to get the correct file size reading, allow for the file to grow to 4 digits, which covers file sizes from 127 to 9999 bytes.) If the file has grown bigger than 126 bytes, the email gets sent.

The third line uses the mailx command to email me and also copies the contents of the log file into the email body. With IMAP running on the server, you can grab emails using a standard email client like Thunderbird or Outlook from another workstation.
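The same "has the leases file grown past its 126-byte header?" test can be done without parsing ls column positions, which is what makes the 4-digit caveat necessary in the first place. The script below is an added example, not the original post's code: it measures the file with wc -c and keeps the last size in a small state file (the /var/lib/dhcp3/.dhcpalert.size path and the andym recipient are assumptions), so a cron run fires once when the file grows rather than every 15 minutes for as long as it stays above 126 bytes.

```shell
#!/bin/sh
# Added example, not from the original post: the same "did the leases file
# grow?" check, measured with wc -c instead of fixed ls columns, and with the
# last size remembered so each growth event alerts once.
# LEASES, STATE and the mail recipient are assumptions for illustration.

LEASES="${LEASES:-/var/lib/dhcp3/dhcpd.leases}"
STATE="${STATE:-/var/lib/dhcp3/.dhcpalert.size}"   # hypothetical state file

# Size of a file in bytes. wc -c copes with any number of digits, so there is
# no 9999-byte ceiling to allow for.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# True (exit 0) when the leases file is larger than the size recorded at the
# previous run. The first run compares against the 126-byte empty header.
# The new size is recorded either way, so a file that merely stays above
# 126 bytes does not re-alert on every cron run.
leases_grew() {
    leases=$1
    state=$2
    [ -f "$leases" ] || return 1
    now=$(file_size "$leases")
    if [ -f "$state" ]; then
        last=$(cat "$state")
    else
        last=126
    fi
    printf '%s\n' "$now" > "$state"
    [ "$now" -gt "$last" ]
}

# Cron entry point: mail the leases file only when it actually grew.
if leases_grew "$LEASES" "$STATE"; then
    mailx -s "New IP Address allocated" andym < "$LEASES"
fi
```

Because the state file records the size after each run, archiving the leases file at midnight (which shrinks it back to the header) simply resets the baseline on the next check; deleting the state file restores the original "anything over 126 bytes" behaviour.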

A further development involves checking the file size and then calling a second script, based on my SMS script, to send an alert straight to my smartphone.

Email alerter script, dhcpalert.sh

#!/bin/sh
#Andy's DHCP File check script

cd /var/lib/dhcp3/
# Same size test as version 1.0; on growth, hand over to the SMS script.
if [ $(ls -la | grep ' dhcpd.leases$' | cut -c 28-31) -gt "126" ]; then
/sc/dhcp_unauth.sh
fi

If the file has changed, the second script is called..

SMS sending script dhcp_unauth.sh

#!/bin/sh
#Andy's SMS IP Alerter script

cd /var/lib/dhcp3

# Drop the two header lines (both contain 'file'), then pull the IP from the
# 'lease' lines and the MAC from the 'hardware' lines by column position.
grep -v file dhcpd.leases | grep lease | cut -c 7-19  >> ip.txt

grep -v file dhcpd.leases | grep hardware | cut -c 21-37  >> mac.txt

# Build the SMS body.
echo "Unauthorised System!" > details.txt

echo "IP Address: $(cat ip.txt)" >> details.txt

echo "MAC: $(cat mac.txt)" >> details.txt

# Copy of the lease file with a .txt extension for the email attachment.
cp dhcpd.leases dhcpd.leases.txt

# SMS via the email-to-SMS gateway; the body comes from details.txt.
/usr/bin/sendemail -f andy@mydomain.com.au \
                   -t 0408123456@messagenet.com.au \
                   -s mail.mydomain.com.au \
                   -xu andy@mydomain.com.au \
                   -xp password \
                   -u "Gateway DHCP Server Alert" \
                   -o message-file=/var/lib/dhcp3/details.txt

# Email with the whole lease file attached.
/usr/bin/sendemail -f gateway@mydomain.com.au \
                   -t andy@mydomain.com.au \
                   -s mail.mydomain.com.au \
                   -xu gateway@mydomain.com.au \
                   -xp password \
                   -u "Gateway DHCP MAC Warning" \
                   -m "Unauthorised IP Allocated..!" \
                   -a /var/lib/dhcp3/dhcpd.leases.txt

# Clean up all the working text files, ready for the next run.
rm /var/lib/dhcp3/*.txt


The above code first greps out the two top lines of dhcpd.leases, which both contain the word 'file' (they have to go because they also contain the word 'lease', and we want to grab that string from the other lines). It then cuts the IP and MAC Address out of the log into text files and sends them in the body of the SMS message. Secondly, a copy of the dhcpd.leases file is lobbed into a text file and attached to the email alert.

Note the "-o" switch is used to include the details contained in details.txt, whereas the "-a" switch is used like a normal attachment for the email, carrying the whole of the dhcpd.leases.txt file. After some experimenting that's just the way it wanted to work. (See the sendEmail documentation for the full list of parameters.)

Yes I know I could have echoed the grepped details straight into the details.txt file, but the ip.txt and mac.txt are useful for debugging the script during development and anyway, I don't have enough width on this page! I also copy dhcpd.leases to a text file as it's easier to read as an email attachment with a .txt extension. Note all text files get blown away in the last line, ready for the next time.
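The cut -c 7-19 and cut -c 21-37 extraction depends on the exact column layout of dhcpd.leases, and it collects every lease in the file, known or not. The script below is an added example, not the original post's code, and it goes a step further than the post: it parses the lease blocks by field name with awk, then checks each leased MAC against the "hardware ethernet" entries in dhcpd.conf so the alert lists only the hosts the config does not know about. The file paths are assumptions, and the sample leases and config are constructed from the values quoted above (they are not real inventory).

```shell
#!/bin/sh
# Added example, not from the original post: parse dhcpd.leases by field name
# (awk) rather than by column position, and cross-check each leased MAC
# against the "hardware ethernet" entries in dhcpd.conf so the alert lists
# only hosts the config does not know. File paths are assumptions.

# Print "IP MAC" for each lease block. Blocks without a hardware line
# (e.g. abandoned leases) are skipped. MACs are lower-cased for comparison.
lease_pairs() {
    awk '
        $1 == "lease"                         { ip = $2; mac = "" }
        $1 == "hardware" && $2 == "ethernet"  { sub(/;$/, "", $3); mac = tolower($3) }
        $1 == "}" && ip != ""                 { if (mac != "") print ip, mac; ip = "" }
    ' "$1"
}

# MACs declared in host { hardware ethernet ...; } stanzas of dhcpd.conf,
# one per line.
known_macs() {
    awk '$1 == "hardware" && $2 == "ethernet" { sub(/;$/, "", $3); print tolower($3) }' "$1"
}

# Print only the leases whose MAC is absent from dhcpd.conf.
unknown_leases() {
    known=$(known_macs "$2")
    lease_pairs "$1" | while read -r ip mac; do
        # grep -xF: whole-line, literal match against the known list.
        printf '%s\n' "$known" | grep -qxF -- "$mac" || printf '%s %s\n' "$ip" "$mac"
    done
}

# Body for the SMS/email, built straight from the pairs instead of via the
# ip.txt and mac.txt intermediates.
details_text() {
    unknown_leases "$1" "$2" | awk '
        BEGIN { print "Unauthorised System!" }
        { print "IP Address: " $1; print "MAC: " $2 }'
}

# Constructed sample files for trying the functions offline. The first lease
# uses an unlisted MAC; the second reuses the MAC reserved for host andy.
write_samples() {
    cat > "$1/dhcpd.leases" <<'EOF'
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-V3.1.2

lease 192.168.0.50 {
  starts 1 2012/02/13 06:31:20;
  ends 2 2012/02/14 01:01:20;
  binding state free;
  hardware ethernet 00:42:e2:55:ef:7c;
}
lease 192.168.0.51 {
  starts 1 2012/02/13 06:40:00;
  binding state active;
  hardware ethernet 00:04:23:21:51:50;
}
EOF
    cat > "$1/dhcpd.conf" <<'EOF'
host andy.domain.net {
hardware ethernet 00:04:23:21:51:50;
fixed-address 192.168.0.100;
}
EOF
}

# Demo run on the constructed files: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    details_text "$dir/dhcpd.leases" "$dir/dhcpd.conf"
    rm -r "$dir"
fi
```

On the sample data the demo prints "Unauthorised System!", "IP Address: 192.168.0.50" and "MAC: 00:42:e2:55:ef:7c", and nothing for 192.168.0.51 because its MAC is reserved in the config. Feeding details_text's output to the sendemail -o message-file step replaces the ip.txt/mac.txt/details.txt shuffle, and the awk field matching keeps working if a 13-character IP or a differently indented lease block turns up.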

To finish off, the script needs to be automated. Note that when scheduling scripts through Cron, make sure full paths are used to all files in the script and don't forget to make the script executable..

chmod 755 /sc/dhcpalert.sh

Here's an entry using the crontab -e command:

00,15,30,45 * * * * /sc/dhcpalert.sh

In the above example the file gets checked every 15 minutes, every day/week/month/etc.. And that's about it. A simple 'file size' monitoring script can be used to send alerts about all sorts of system events and that's why we love Unix..!.


Comments (1)

Alerter
Awesome way to alert about foreign system on your network.
#1 - SputNix1 - 11/10/2014 - 05:01