Nmap running every 30 seconds


#1

Absolutely love this, but it’s a bit much. :slight_smile:


Why I'm leaving for home assistant
#2

Oh, interesting! I don't want to go down the whole Pi as a firewall thing .. my Pi ethernet isn't as stable as I'd like (though I usually point at my router), and a reboot taking out the whole house doesn't sound good to me.
But using assorted monitoring tricks to alert me when something ain't right sounds like a good approach .. onto the Kanban it goes as a Big T-shirt!


#3

Eh, it's a remnant from my work networking days. I actually just ordered a Fingbox yesterday to replace that cron. :slight_smile:


#4

Nope. I would NEVER do this. The ethernet port on the Pi just isn't that great for larger (>30 devices) networks. But, for pi-hole, it's the best use I have EVER had for a RPi.

I actually have that nmap cron running on a Dell PowerEdge R340 server sitting in my rack.


#5

nmap scanning, nice idea - have to look into that one or fingbox.. whatever.. :grin:


#6

Periodic Diffs | Nmap Network Scanning is where I got the concept from. I adapted it to run on a 30 second cron by saving the diff file to a RAM drive.

An OLD boss of mine SWORE by nmap for anything network discovery related. That was probably 15 years ago and it's just stuck with me ever since.


#7

I should read up more on my firewall - I am running OpnSense a fork of pfSense. There is probably a way to do it there..


#8

So if I really wanted to be slick, do the periodic scanning, have it trip a virtual switch via Maker API and then do something in HE!!!

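The periodic-diff cron from #6 and the Maker API hook floated in #8, as an added example (my code, not the poster's cron job and not the recipe from the Nmap book): scan with nmap, parse the XML output, compare it against the previous run kept on a RAM drive, and list hosts that appeared or vanished, MACs that changed, and ports that opened or closed. The subnet, the tmpfs path, the Hubitat hub address, app id, device id and token are all placeholders, and the Maker API URL shape is the one Hubitat documents for Maker API, assumed here rather than taken from the thread. The two scans at the bottom are constructed, not real nmap output, so `demo()` can be run without a network.

```python
#!/usr/bin/env python3
"""Periodic nmap diff (added example, not the thread's cron job).

Run from cron, e.g. every minute:  * * * * * /usr/local/bin/nmap_diff.py
State lives in /dev/shm (tmpfs on most Linux distros) so the constant
rewrites never touch disk. Every value below is a placeholder.
"""
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import quote
from urllib.request import urlopen

TARGET = "192.168.1.0/24"                 # assumed LAN
SCAN_ARGS = ["-sn"]                       # ping sweep; use ["-F"] to diff open ports as well
STATE_DIR = Path("/dev/shm/nmap-diff")    # assumed RAM-drive location


def parse_nmap_xml(xml_text):
    """Return {ip: {"mac": mac_or_None, "ports": {(proto, port)}}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip is None:
            continue
        ports = set()
        for port in host.iter("port"):          # absent entirely for a -sn sweep
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        hosts[ip] = {"mac": mac, "ports": ports}
    return hosts


def diff_scans(old, new):
    """Human-readable change lines between two parsed scans; empty list means no change."""
    changes = []
    for ip in sorted(set(new) - set(old)):
        changes.append(f"+ host {ip} ({new[ip]['mac'] or 'mac?'}) appeared")
    for ip in sorted(set(old) - set(new)):
        changes.append(f"- host {ip} ({old[ip]['mac'] or 'mac?'}) vanished")
    for ip in sorted(set(old) & set(new)):
        if old[ip]["mac"] != new[ip]["mac"]:
            changes.append(f"! host {ip} MAC changed {old[ip]['mac']} -> {new[ip]['mac']}")
        for proto, port in sorted(new[ip]["ports"] - old[ip]["ports"]):
            changes.append(f"+ {ip} {port}/{proto} opened")
        for proto, port in sorted(old[ip]["ports"] - new[ip]["ports"]):
            changes.append(f"- {ip} {port}/{proto} closed")
    return changes


def maker_api_url(hub, app_id, device_id, command, token):
    """Hubitat Maker API command URL; hub, app id, device id and token are placeholders."""
    return f"http://{hub}/apps/api/{app_id}/devices/{device_id}/{command}?access_token={quote(token)}"


def run_cycle(scan_xml, state_file):
    """Diff one fresh scan against the stored previous one, then store the fresh one."""
    new = parse_nmap_xml(scan_xml)
    old = parse_nmap_xml(state_file.read_text()) if state_file.exists() else new
    changes = diff_scans(old, new)
    state_file.write_text(scan_xml)
    return changes


def main():
    STATE_DIR.mkdir(parents=True, exist_ok=True)
    scan_xml = subprocess.run(["nmap", *SCAN_ARGS, "-oX", "-", TARGET],
                              check=True, capture_output=True, text=True).stdout
    changes = run_cycle(scan_xml, STATE_DIR / "last.xml")
    if changes:
        print("\n".join(changes))
        # Trip a Hubitat virtual switch so a rule can react (all placeholders):
        urlopen(maker_api_url("hubitat.lan", "12", "345", "on", "REPLACE-ME"), timeout=5)


# Constructed sample scans (not real nmap output) so the diff can be exercised offline.
SAMPLE_OLD = """<nmaprun>
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:01" addrtype="mac"/><ports>
<port protocol="tcp" portid="53"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:20" addrtype="mac"/><ports>
<port protocol="tcp" portid="631"><state state="open"/></port></ports></host>
<host><status state="down"/><address addr="192.168.1.77" addrtype="ipv4"/></host>
</nmaprun>"""
SAMPLE_NEW = """<nmaprun>
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="AA:BB:CC:00:00:01" addrtype="mac"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="53"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.77" addrtype="ipv4"/>
<address addr="DE:AD:BE:EF:00:77" addrtype="mac"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
</nmaprun>"""


def demo():
    """Diff the two constructed scans; returns the change lines."""
    return diff_scans(parse_nmap_xml(SAMPLE_OLD), parse_nmap_xml(SAMPLE_NEW))


if __name__ == "__main__":
    main()
```

Running nmap from cron as root and writing into /dev/shm is what keeps the 30-second cadence cheap; the diff is done on parsed state rather than on raw text so a reordered host list or a changed timestamp does not count as a change.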

#9

What you are looking for is arpwatch. :slight_smile: (@ACKmySYN you have pfSense, any experience with arpwatch?)


#10

Back in the old days we used something called ARPWatch. I think it's still around. I don't know if that could be configured to do this . . . ?

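What arpwatch does, reduced to a script, as an added example (my code, not arpwatch and not anything from this thread): read the kernel neighbour table with `ip -4 neigh show`, compare every IP-to-MAC pairing with a small JSON database, and log the three events arpwatch is known for: "new station", "changed ethernet address", and "flip flop" (an IP going back to a MAC it used before, which is what ARP spoofing or a duplicated address looks like). The database path and the sample neighbour-table rows are placeholders I constructed, not captured output.

```python
#!/usr/bin/env python3
"""arpwatch-style IP/MAC pairing tracker (added example, not arpwatch itself).

Run from cron, e.g.:  * * * * * /usr/local/bin/arp_tracker.py
Every path and address below is a placeholder.
"""
import json
import re
import subprocess
from pathlib import Path

DB_FILE = Path("/var/lib/arpwatch-lite/pairs.json")   # assumed location

# "192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE"; FAILED/INCOMPLETE rows carry no lladdr
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9A-Fa-f:]{17})\b")


def parse_neigh(text):
    """{ip: mac} from `ip -4 neigh show` output; rows without a MAC are skipped."""
    pairs = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs[m.group(1)] = m.group(3).lower()
    return pairs


def check(db, pairs):
    """Compare fresh pairings with the db, update it in place, return event strings.

    db shape: {ip: {"current": mac, "seen": [every mac ever seen for this ip]}}
    """
    events = []
    for ip, mac in sorted(pairs.items()):
        entry = db.get(ip)
        if entry is None:
            events.append(f"new station {ip} {mac}")
            db[ip] = {"current": mac, "seen": [mac]}
        elif mac != entry["current"]:
            old = entry["current"]
            # "flip flop": the IP went back to a MAC seen before, the usual tell of
            # ARP spoofing or a duplicated address; anything else is a plain change
            kind = "flip flop" if mac in entry["seen"] else "changed ethernet address"
            events.append(f"{kind} {ip} {old} -> {mac}")
            entry["current"] = mac
            if mac not in entry["seen"]:
                entry["seen"].append(mac)
    return events


def main():
    db = json.loads(DB_FILE.read_text()) if DB_FILE.exists() else {}
    out = subprocess.run(["ip", "-4", "neigh", "show"],
                         check=True, capture_output=True, text=True).stdout
    events = check(db, parse_neigh(out))
    DB_FILE.parent.mkdir(parents=True, exist_ok=True)
    DB_FILE.write_text(json.dumps(db, indent=1))
    for event in events:
        print(event)          # arpwatch would syslog and mail these


# Constructed sample (not captured output) so check() can be exercised offline.
SAMPLE_DB = {
    "192.168.1.1":  {"current": "aa:bb:cc:00:00:01", "seen": ["aa:bb:cc:00:00:01"]},
    "192.168.1.20": {"current": "aa:bb:cc:00:00:20", "seen": ["aa:bb:cc:00:00:19", "aa:bb:cc:00:00:20"]},
    "192.168.1.40": {"current": "aa:bb:cc:00:00:40", "seen": ["aa:bb:cc:00:00:40"]},
}
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr AA:BB:CC:00:00:19 STALE
192.168.1.30 dev eth0 lladdr de:ad:be:ef:00:30 REACHABLE
192.168.1.40 dev eth0 lladdr aa:bb:cc:00:00:41 DELAY
192.168.1.50 dev eth0  FAILED
"""


def demo():
    """Run one check over the constructed sample; returns the event list."""
    db = json.loads(json.dumps(SAMPLE_DB))   # deep copy so the sample stays pristine
    return check(db, parse_neigh(SAMPLE_NEIGH))


if __name__ == "__main__":
    main()
```

The neighbour table only holds addresses this host has talked to recently, so on a segmented network the script has to run on something that sees the whole broadcast domain (the firewall, or a box with a port in each VLAN), which is the same constraint the pfSense arpwatch package lives under.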

#11

You beat me to it.


#12

GMTA sir. :slight_smile:


#13

Sorry to the OP for completely derailing their thread.

I played with it in pfSense a long time ago when it was new, there were a lot of issues with notifications. arpwatch is a very old, but tried and true, tool for a lot of things.

I don’t worry about using things like arpwatch, nmap, or the likes on my “production” sides of my home “data center” because most of them won’t work or be too intensive (time and computing). When I do, I have to lax things up a bit to get anything worthwhile.

I tend to take a different approach than most people I think. I explicitly deny everything and anything except what I want and need. It’s a lot of work up front, but only requires maintenance to do changes, and pretty much takes away any worry.

I don’t play whack-a-mole because I don’t want to, nor is it very effective.

My DHCP reservations are very tight to the point that I have to manually add anything new, this includes VMs. ((Example my printer vlan only has two usable addresses)). Lots of vlans. Next are my L2-L4 ACL explicit allows at the switch level (both inter-vlan and external). ((Again with the printer vlan - only certain devices can hit the IPs and one port needed to print and printers are kept internal only)). Then explicit allows at the in-line interior firewall and the border firewall/router for things to get to the Interwebs for things they must have. I top it off with multiple HIPS/NIPS and Geo-IP filters. I have a few blacklists (IP based), but they are really just a tin foil hat failsafe for when I have to open things up to troubleshoot.

I don’t get a lot of (monitored) hits on the firewalls or IPSes because the traffic is so minimalized, but I also don’t log much until I have to make a change or troubleshoot something.

This is all way overkill, but once the initial planning and configuration is done there isn’t much to even bother monitoring regularly.


#14

We always do this. LOL (and yeah, @soumya92, sorry for the hijacking)

As for the rest of your post, +1,000,000 upvotes.


#15

And I thought your nmap cron job was a bit much right? :joy:


#16

Corn job?! LMAO Is that some advanced *nix utility I've never heard of? :wink:


#17

Haha, stupid phone got me. But yeah it is new, like the new Spaghetti Monster init system. :joy:


#18

systemd all the way baby... LOL Because who doesn't love symlinks in 15 different locations? :wink:


#19

Some kind of agricultural reference, I guess.


#20

Would you mind posting your thoughts about the Fingbox after you have used it for a while? It sounds like something I would like to try...