Nmap running every 30 seconds

Absolutely love this, but it's a bit much. :smiling_face:


Oh, interesting! I don't want to go down the whole pi as a firewall thing .. my pi ethernet isn't as stable as I'd like (though I usually point at my router), and a reboot taking out the whole house don't sound good to me.
But using assorted monitoring tricks to alert me when something ain't right sounds like a good approach .. onto the Kanban it goes as a Big TShirt!


Eh, it's a remnant from my work networking days. I actually just ordered a Fingbox yesterday to replace that cron. :slight_smile:

Nope. I would NEVER do this. The ethernet port on the Pi just isn't that great for larger (>30 devices) networks. But, for pi-hole, it's the best use I have EVER had for a RPi.

I actually have that nmap cron running on a Dell PowerEdge R340 server sitting in my rack.

nmap scanning, nice idea - have to look into that one or fingbox.. whatever.. :grin:

Periodic Diffs | Nmap Network Scanning is where I got the concept from. I adapted it to run on a 30 second cron by saving the diff file to a RAM drive.
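The approach described in the post above, sketched as an added example (not the poster's actual cron job): a ping sweep whose list of live hosts is compared with the previous run, with state kept on a RAM-backed filesystem. `STATE_DIR`, `TARGET` and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report hosts that appeared or vanished between two nmap ping sweeps.
export LC_ALL=C                               # keep sort and comm collation identical
STATE_DIR="${STATE_DIR:-/dev/shm/nmap-diff}"  # assumption: /dev/shm is a tmpfs (RAM drive)
TARGET="${TARGET:-192.168.1.0/24}"            # assumption: your own home subnet

# Read nmap grepable (-oG) output on stdin, print sorted IPs of hosts marked Up.
hosts_up() {
    awk '/^Host: / && /Status: Up/ { print $2 }' | sort -u
}

# Compare two sorted host lists: "+ip" for newly seen hosts, "-ip" for vanished ones.
diff_hosts() {
    comm -13 "$1" "$2" | sed 's/^/+/'
    comm -23 "$1" "$2" | sed 's/^/-/'
}

# One cycle: sweep, diff against the previous result, rotate state.
scan_once() {
    mkdir -p "$STATE_DIR" || return 1
    # Write to a file first so a failed scan is not mistaken for "every host vanished".
    nmap -sn -n -oG "$STATE_DIR/raw" "$TARGET" >/dev/null || return 1
    hosts_up < "$STATE_DIR/raw" > "$STATE_DIR/current"
    if [ -f "$STATE_DIR/previous" ]; then
        diff_hosts "$STATE_DIR/previous" "$STATE_DIR/current"
    fi
    mv "$STATE_DIR/current" "$STATE_DIR/previous"
}

# Scan only when called with "run", so sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then
    scan_once
fi
```

cron's finest granularity is one minute, so a 30-second cadence needs a second crontab entry for the same script prefixed with `sleep 30;`.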

An OLD boss of mine SWORE by nmap for anything network discovery related. That was probably 15 years ago and it's just stuck with me ever since.

I should read up more on my firewall - I am running OpnSense, a fork of pfSense. There is probably a way to do it there..

So if I really wanted to be slick, do the periodic scanning have it trip a virtual switch via Maker API and then do something in HE!!!


What you are looking for is arpwatch. :slight_smile: (@ACKmySYN you have pfSense, any experience with arpwatch?)


Back in the old days we used something called ARPWatch. I think it's still around. I don't know if that could be configured to do this . . . ?


You beat me to it.


GMTA sir. :slight_smile:

Sorry to the OP for completely derailing their thread.

I played with it in pfSense a long time ago when it was new, there were a lot of issues with notifications. arpwatch is a very old, but tried and true, tool for a lot of things.

I don't worry about using things like arpwatch, nmap, or the likes on my "production" sides of my home "data center" because most of them won't work or be too intensive (time and computing). When I do, I have to lax things up a bit to get anything worthwhile.

I tend to take a different approach than most people I think. I explicitly deny everything and anything except what I want and need. It's a lot of work up front, but only requires maintenance to do changes, and pretty much takes away any worry.

I don't play whack-a-mole because I don't want to, nor is it very effective.

My DHCP reservations are very tight to the point that I have to manually add anything new, this includes VMs. ((Example my printer vlan only has two usable addresses)). Lots of vlans. Next are my L2-L4 ACL explicit allows at the switch level (both inter-vlan and external). ((Again with the printer vlan - only certain devices can hit the IPs and one port needed to print and printers are kept internal only)). Then explicit allows at the in-line interior firewall and the border firewall/router for things to get to the Interwebs for things they must have. I top it off with multiple HIPS/NIPS and Geo-IP filters. I have a few blacklists (IP based), but they are really just a tin foil hat failsafe for when I have to open things up to troubleshoot.

I don't get a lot of (monitored) hits on the firewalls or IPSes because the traffic is so minimalized, but I also don't log much until I have to make a change or troubleshoot something.

This is all way overkill, but once the initial planning and configuration is done there isn't much to even bother monitoring regularly.


We always do this. LOL (and yeah, @soumya92, sorry for the hijacking)

As for the rest of your post, +1,000,000 upvotes.


And I thought your nmap cron job was a bit much right? :joy:


Corn job?! LMAO Is that some advanced *nix utility I've never heard of? :wink:

Haha, stupid phone got me. But yeah it is new, like the new Spaghetti Monster init system. :joy:


systemd all the way baby... LOL Because who doesn't love symlinks in 15 different locations? :wink:


Some kind of agricultural reference, I guess.


Would you mind posting your thoughts about the Fingbox after you have used it for a while? It sounds like something I would like to try...
