Be sure to scroll down and view the whole post as there is both audio and video coverage of today's episode!

Intro

We're going to create an nmap script to help us get visibility into what's on (and changing in) our network. Then we'll use Papertrailapp to capture syslogs from various systems, and finish by laying some OpenCanary traps to attract attackers.

Nmap alerting script

This script follows Jerry Gamblin's great blog entry, and we'll set it to run as a cron job. Once in place, this script will proactively alert us about changes in the environment, such as ports opening/closing or new hosts joining the network.

Here are the relevant bits to change in the /etc/ssmtp/ssmtp.conf file (marked with CHANGE ME):

# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
# CHANGE ME: the address that receives mail for root/system accounts
root=brian@brianjohnson.tv
# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
# CHANGE ME if necessary...this is for a GSuite account
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
rewriteDomain=

# The full hostname
hostname=localhost

# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
#FromLineOverride=YES
UseSTARTTLS=yes
# CHANGE ME: the Gmail/GSuite account used to send the alerts
AuthUser=someone@gmail.com
# CHANGE ME: that account's password (or app password)
AuthPass=mypass
FromLineOverride=YES

Here are the changes for /root/nmap/scan.sh. Pretty much all I did was make the email address after /usr/sbin/ssmtp the address where I want to receive alerts; yourGmailAccount@gmail.com should be the address you're sending alerts from:

#!/bin/sh
# CHANGE ME to your subnet(s)
TARGETS="192.168.3.0/24"
# Fast scan (-F) of the most common ports with version detection, reporting only open ports
OPTIONS="-v -sV -T4 -F --open"
date=$(date +%F%T)
cd ~/nmap/diffs || exit 1
# -oA writes scan-$date.nmap, .gnmap and .xml; ndiff below uses the .xml
nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null
email()
{
/usr/sbin/ssmtp you@yourdomain.com <<EOF
From: yourGmailAccount@gmail.com
Subject: nmap ndiff $(date +"%Y-%m-%d") *** NDIFF RESULTS ***

$(cat diff-$date)
EOF
}
if [ -e scan-prev.xml ]; then
ndiff scan-prev.xml scan-$date.xml > diff-$date
# ndiff exits 1 when the two scans differ, 0 when they are identical
[ "$?" -eq "1" ] && email
fi
# point scan-prev.xml at the latest scan so the next run diffs against it
ln -sf scan-$date.xml scan-prev.xml
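As an added example (not code from the original post or from Jerry Gamblin's script), here is a small Python re-implementation of the comparison ndiff performs for scan.sh: it reads two nmap XML outputs and returns new/missing hosts and the ports that opened or closed, which is handy if you want structured output instead of a text diff. The two XML documents are constructed samples, not scans of the author's network.

```python
# Added example: minimal re-implementation of the ndiff comparison scan.sh relies on.
# Reads two nmap -oA/-oX XML files and reports host and open-port changes between them.
import xml.etree.ElementTree as ET

def open_ports(xml_text):
    """Map each 'up' host address to the set of (port, proto) reported open."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        ports = set()
        for p in host.iter("port"):
            if p.find("state").get("state") == "open":
                ports.add((int(p.get("portid")), p.get("protocol")))
        hosts[addr] = ports
    return hosts

def diff_scans(prev_xml, curr_xml):
    """Compare a previous and a current scan; empty lists/dicts mean nothing changed."""
    prev, curr = open_ports(prev_xml), open_ports(curr_xml)
    result = {
        "new_hosts": sorted(set(curr) - set(prev)),
        "missing_hosts": sorted(set(prev) - set(curr)),
        "opened": {}, "closed": {},
    }
    for addr in set(prev) & set(curr):
        if curr[addr] - prev[addr]:
            result["opened"][addr] = sorted(curr[addr] - prev[addr])
        if prev[addr] - curr[addr]:
            result["closed"][addr] = sorted(prev[addr] - curr[addr])
    return result

# Constructed sample scans (trimmed nmap XML, not real output from the author's network)
PREV = """<nmaprun><host><status state="up"/><address addr="192.168.3.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="80"><state state="open"/></port></ports></host></nmaprun>"""
CURR = """<nmaprun><host><status state="up"/><address addr="192.168.3.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="3389"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="192.168.3.77" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/></port></ports></host></nmaprun>"""

if __name__ == "__main__":
    # In the sample: host .77 is new, .10 opened 3389/tcp and closed 80/tcp
    print(diff_scans(PREV, CURR))
```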

Papertrailapp

Getting Papertrailapp going is pretty straightforward. Head to their Web site to get a free account set up, and then go to the systems setup screen for instructions on setting up your various devices.

From there, I set up a few alerts. One search criterion is authentication failure on my router, so that any time someone SSHes in with the wrong password, I get an email. In the same way, I set up an alert for DHCPREQUEST for 192.168.66. so that I get an alert any time someone connects to my guest network.

OpenCanary

The project is here and detailed instructions are here. I had some issues getting the configuration and email alerts tuned so that everything was working right, so I wrote up these instructions as part of my BPATTY project, which will hopefully set you straight if you run into the same issues.

Canarytokens

These are a snap to implement. Just head to Canarytokens.org, feed the form your email address and a short token description, and bam, you're good to go.

Video:

Here's the complementary video content for today's audio podcast: