Be sure to scroll down and view the whole post as there is both audio and video coverage of today’s episode!
Intro
We’re going to create an nmap script to help us get visibility into what’s on (and changing in) our network. Then we’ll use Papertrailapp to capture syslogs from various systems, and finish by laying some OpenCanary traps to attract attackers.
Nmap alerting script
This script follows Jerry Gamblin’s great blog entry, and we’ll set it to run as a cron job. Once in place, this script will proactively alert us on changes about changes in the environment, such as ports opening/closing or new hosts joining the network.
Here are the relevant bits to change in the /etc/ssmtp/ssmtp.conf file (marked with CHANGE ME):
# Config file for sSMTP sendmail## The person who gets all mail for userids < 1000# Make this empty to disable rewriting.root=brian@brianjohnson.tv (CHANGE ME):# The place where the mail goes. The actual machine name is required no # MX records are consulted. Commonly mailhosts are named mail.domain.commailhub=smtp.gmail.com:587 (CHANGE ME if necessary...this is for a GSuite account)# Where will the mail seem to come from?rewriteDomain=# The full hostnamehostname=localhost# Are users allowed to set their own From: address?# YES - Allow the user to specify their own From: address# NO - Use the system generated From: address#FromLineOverride=YESUseSTARTTLS=yesAuthUser=someone@gmail.com (CHANGE ME)AuthPass=mypass (CHANGE ME)FromLineOverride=YESHere are the changes for /root/nmap/scan.sh and pretty much all I did was make the email address after user/sbin/ssmtp be my email address where I want to receive alerts, and yourGmailAccount@gmail.com should be the address you’re sending alerts from:
#!/bin/shTARGETS="192.168.3.0/24" (CHANGE ME to your subnet(s))OPTIONS="-v -sV -T4 -F --open"date=$(date +%F%T)cd ~/nmap/diffsnmap $OPTIONS $TARGETS -oA scan-$date > /dev/nullemail(){/usr/sbin/ssmtp you@yourdomain.com <<EOFFrom: yourGmailAccount@gmail.comSubject: nmap ndiff$(date +"%Y-%m-%d")*** NDIFF RESULTS ***$(cat diff-$date)EOF}if [ -e scan-prev.xml ]; thenndiff scan-prev.xml scan-$date.xml > diff-$date[ "$?" -eq "1" ] && emailfiln -sf scan-$date.xml scan-prev.xmlPapertrailapp
Getting Papertrailapp going is pretty straight forward. Head to their Web site to get a free account setup, and then go to the systems setup screen for instructions on setting up your various devices.
From there, I setup a few alerts. One search criteria is authentication failure on my router, so that anytime someone SSH’s in with the wrong password, I get an email. In the same way, I setup an alert for DHCPREQUEST for 192.168.66. so that I can an alert anytime someone connects to my guest network.
OpenCanary
The project is here and detailed instructions are here. I had some issues getting the configuration and email alerts tuned so that everything was working right, so I wrote up these instructions as part of my BPATTY project, which will hopefully set you straight if you run into the same issues.
Canarytokens
These are a snap to implement. Just head to Canarytokens.org, feed the form your email address and a short token description, and bam, you’re good to go.
Video:
Here’s the complementary video content for today’s audio podcast:
Written by: Brian Johnson
Share on socials: