Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
Err, that is not at all Nagios or automatic or anything. I am not personally going to __manually__ check for rogue DHCP servers; I don't have the time for that. I check my DHCP servers anyway, and if I get an extra offer, an alarm is raised. This is automatic and has no extra overhead, as I check my DHCP servers anyway as part of my monitoring. I have never seen a DHCPOFFER being missed, but at the very least I run the check every 3 minutes, so you're not going to get away with it here for more than that. I think the wrapper to check_dhcp is quick and effective with no overhead.

The best solution would be to extend the check_dhcp plugin: get into the C and add the functionality. Maybe if it's not done in the future I will come back and do it. Until then, the wrapper does exactly what I need.

-h
Hari Sekhon

Brian A. Seklecki wrote:
> > What about writing a custom plugin that uses this GPL prog to return the warning/critical/ok/pending values?
>
> That sounds very reasonable; there's always the possibility that you won't see, within your run time threshold, offers from a rogue server due to race conditions or other crud (slow networks, etc.). Of course, then you have a lot of proactive bogus DHCP Client activity coming from your Nagios system.
>
> The best solution of course, but not always the most feasible, is a SPAN port in your core. Simply:
>
>     $ sudo tcpdump -n -e -vvv 'src port bootps and not ether src 0:50:da:28:37:62'
>
> Replace the MAC with your known DHCP server. Matches are rogue. If you see them, get out the jumper cables.
>
> ~BAS

-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
This is an interesting program and a very good idea. In relation to Nagios though, the right thing to do is to extend the functionality of check_dhcp to do this, so that you do not incur extra overhead, network traffic or checks. It could do the whole thing; get your C skills out if you have the time. I personally wouldn't want to slap a second check on just for this when it can be done in one check if you are already checking your DHCP server(s).

-h
Hari Sekhon

Rogelio Bastardo wrote:
> > requires a whole new plugin written from scratch, I haven't seen a tcpdump like plugin. Therefore much more difficult and more time required, as well as more computationally intensive to watch all traffic for another dhcpoffer, when actually you'll get the same result.
>
> What about writing a custom plugin that uses this GPL prog to return the warning/critical/ok/pending values?
>
> https://roguedetect.bountysource.com/
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
Hari Sekhon wrote:
> err, that is not at all nagios or automatic or anything. I am not personally going to __manually__ check for rogue dhcp servers, don't have the time for that. I check my dhcp servers anyway, if I get an extra offer, an alarm is raised. This is automatic, has no extra overhead as I check my dhcp servers anyway as part of my monitoring. I have never seen a dhcpoffer being missed, but at the very least I run the check every 3 minutes so you're not going to get away with it here for more than that. I think the wrapper to check_dhcp is quick and effective with no overhead.

What wrapper would that be, if one might ask?

/Lars
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
A few lines of my own bash to call check_dhcp. I call my script instead of check_dhcp; it gives me the check_dhcp result but changes it if extra DHCP offers were received. It was a quick fix that has served me well. It could be better if written into check_dhcp, and it doesn't take MAC addresses into account, just the number of offers, but it works well enough for me. If check_dhcp isn't improved within the next few months I may have a bash at writing the functionality into it (especially the MAC functionality, which would be nice) if I get time (big IF there).

-h
Hari Sekhon

Lars Stavholm wrote:
> Hari Sekhon wrote:
> > I check my dhcp servers anyway, if I get an extra offer, an alarm is raised. [...] I think the wrapper to check_dhcp is quick and effective with no overhead.
>
> What wrapper would that be, if one might ask?
>
> /Lars
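A wrapper of the kind Hari describes, written here as an added example (it is not Hari's script, which is not on the page, and not part of the Nagios plugins). It runs check_dhcp with whatever arguments it was given, pulls the count out of the plugin's "Received N DHCPOFFER(s)" line, and turns the result into CRITICAL when more offers arrived than the number of authorised servers given in EXPECTED_SERVERS; in every other case, including "No DHCPOFFERs were received", check_dhcp's own verdict is passed through untouched. The plugin path, the variable names and the output lines used for testing are assumptions.

```shell
#!/bin/sh
# Added example wrapper around check_dhcp (not Hari Sekhon's script, which is
# not on the page). Run it with the same arguments you would give check_dhcp,
# e.g. "-i eth0 -s 10.0.0.1"; EXPECTED_SERVERS is the number of authorised
# DHCP servers that should answer. Plugin path and variable names are assumed.

CHECK_DHCP=${CHECK_DHCP:-/usr/lib/nagios/plugins/check_dhcp}
EXPECTED_SERVERS=${EXPECTED_SERVERS:-1}

# evaluate_offers OUTPUT EXITCODE EXPECTED
# Prints the (possibly rewritten) plugin line and returns the Nagios exit code.
# check_dhcp's own verdict is kept unless more DHCPOFFERs arrived than EXPECTED,
# which is the signature of a rogue server answering alongside the real one.
evaluate_offers() {
    local output rc expected offers
    output=$1; rc=$2; expected=$3
    # check_dhcp reports "Received N DHCPOFFER(s)"; pull out N.
    offers=$(printf '%s\n' "$output" |
        sed -n 's/.*Received \([0-9][0-9]*\) DHCPOFFER(s).*/\1/p')
    if [ -z "$offers" ]; then
        # Nothing to count (e.g. "No DHCPOFFERs were received."):
        # keep check_dhcp's status, which is already CRITICAL in that case.
        printf '%s\n' "$output"
        return "$rc"
    fi
    if [ "$offers" -gt "$expected" ]; then
        printf 'CRITICAL: %s DHCPOFFER(s) received but only %s DHCP server(s) authorised - possible rogue DHCP server | offers=%s;;%s\n' \
            "$offers" "$expected" "$offers" "$expected"
        return 2
    fi
    printf '%s\n' "$output"
    return "$rc"
}

# Run the real plugin only if it is installed, so the function above can
# also be sourced and exercised on a box without a DHCP server in reach.
if [ -x "$CHECK_DHCP" ]; then
    plugin_output=$("$CHECK_DHCP" "$@")
    plugin_rc=$?
    evaluate_offers "$plugin_output" "$plugin_rc" "$EXPECTED_SERVERS"
    exit $?
fi
```

Point the Nagios command definition at this script instead of check_dhcp and keep passing -s with the address of the real server: that way the check still goes CRITICAL when the legitimate server falls silent, which is the hole Hari points out in his reply to Marc DeTrano, while the offer count catches a second server answering next to it. Like Hari's script it counts offers only and does not look at which MAC they came from.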
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
That's a very good idea; I hadn't thought of using the interface of the DHCP server to remove the real offer from the check. The only downside is that it makes an extra check, but this may be in fact what you want. The only limitation of this method is that it won't work if you have 2 DHCP servers on the network with non-overlapping pools for redundancy. I use a variable to specify the number of DHCP servers and warn if more than that number of offers are received. If the right DHCP server doesn't respond then it goes critical anyway when using the -s switch, so there is no opportunity for your DHCP server to fall off and another to silently take its place by maintaining the correct number of offers.

-h
Hari Sekhon

Marc DeTrano wrote:
> The way I have done this is to run NRPE on the machine that should be the DHCP server, with this command defined:
>
>     command[check_ndhcp]=/usr/lib/nagios/plugins/negate /usr/lib/nagios/plugins/check_dhcp -i eth0
>
> Something similar may work for you if your DHCP server is on a Linux box. This just negates the normal check_dhcp command, so that if no offer is received (on the interface serving DHCP, it should not be), it returns with an OK status. If it does get an offer, a Critical is returned and I know it is time to seek-and-destroy.
>
> Marc
[Nagios-users] using Nagios to detect rogue DHCP servers?
Has anyone used Nagios to detect rogue DHCP servers? I've got a complicated campus environment where people do things such as plug in Linksys routers (the wrong way) and hand out DHCP addresses.
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
Yes, I've done this, by writing a bash script to wrap the check_dhcp plugin and change the status code and output if more than the right number of DHCP servers responded (also, you make sure the DHCP server that responded is the right one using the check_dhcp plugin option).

-h
Hari Sekhon

Rogelio Bastardo wrote:
> Has anyone used Nagios to detect rogue DHCP servers? I've got a complicated campus environment where people do things such as plug in Linksys routers (the wrong way) and hand out DHCP addresses.
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
Going out and DHCPREQUEST'ing and validating may be intermittent in accuracy; you'd be best off with a SPAN port, tcpdump watching all DHCP Client and DHCP Server traffic. DHCP Offers should match a source MAC address(es) you certify. Otherwise, ask your switching fabric to shut down the port matching the CAM table entry with the rogue MAC address.

~BAS

On Tue, 2007-07-10 at 10:45 +0100, Hari Sekhon wrote:
> yes I've done this, by writing a bash script to wrap the check_dhcp plugin and change the status code and output if more than the right number of dhcp servers responded (also, you make sure the dhcp server that responded is the right one using the check_dhcp plugin option.)
>
> -h
> Hari Sekhon
>
> Rogelio Bastardo wrote:
> > Has anyone used Nagios to detect rogue DHCP severs? I've got a complicated campus environment where people do things such as plug in Linksys routers (the wrong way) and hand out DHCP addresses.
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
> Going out and DHCPREQUEST'ing and validating may be intermittent in accuracy;

Can you explain why this would be intermittent in accuracy? If there is another DHCP server present on the subnet, you will get an offer from it as well. I have used this quite a lot and caught a colleague of mine who installed VMware.

> you'd be best off with a SPAN port, tcpdump watching all DHCP Client and DHCP Server traffic.

Requires a whole new plugin written from scratch; I haven't seen a tcpdump-like plugin. Therefore much more difficult and more time required, as well as more computationally intensive, to watch all traffic for another DHCPOFFER, when actually you'll get the same result.

-h
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
> requires a whole new plugin written from scratch, I haven't seen a tcpdump like plugin. Therefore much more difficult and more time required, as well as more computationally intensive to watch all traffic for another dhcpoffer, when actually you'll get the same result.

What about writing a custom plugin that uses this GPL prog to return the warning/critical/ok/pending values?

https://roguedetect.bountysource.com/

From the website:

    Rogue Detect sends DHCPDISCOVER packets to the network and listens for DHCP servers to respond and checks responses against authorized DHCP servers. It's written in Perl. By default it supports sending reports to syslog, email, standard out or a custom script of your choosing. Each reporting method has its own independent reporting level.

Their wiki is here: https://roguedetect.bountysource.com/wiki

Notes at the bottom of the wiki:

    Sending a DHCPDISCOVER packet causes any DHCP servers listening to allocate an IP address for a few seconds, while they wait for the detector to ACK their offer. Since we never do send an ACK, the IP is not allocated to us. Hence, it should be ok to run this on the network.. but do so at your OWN RISK!!

    This package is nice in that you do not have to have a clear view of the network to run it (ie, it works behind a switch). You DO have to be within broadcast range, which usually means on the same subnet as the DHCP server. In some cases scanning port 68 (67?) on every machine may be the better answer to finding DHCP servers, but with this program, as opposed to a passive one like snort, you do not have to be able to see traffic not destined for you.
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
> What about writing a custom plugin that uses this GPL prog to return the warning/critical/ok/pending values?

That sounds very reasonable; there's always the possibility that you won't see, within your run time threshold, offers from a rogue server due to race conditions or other crud (slow networks, etc.). Of course, then you have a lot of proactive bogus DHCP Client activity coming from your Nagios system.

The best solution of course, but not always the most feasible, is a SPAN port in your core. Simply:

    $ sudo tcpdump -n -e -vvv 'src port bootps and not ether src 0:50:da:28:37:62'

Replace the MAC with your known DHCP server. Matches are rogue. If you see them, get out the jumper cables.

~BAS
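The SPAN-port approach in a form Nagios can consume, as an added example that is not from the thread and not a published plugin. Instead of hard-coding one MAC into the capture filter it reads the lines `tcpdump -n -e` prints (with -n the server port shows as 67 rather than bootps, and with -e the source MAC is the second field of each summary line), keeps only server-to-client DHCP frames, and reports every source MAC that is not on an allowlist; a second function turns that into an OK/CRITICAL verdict. The allowlist value, the function names and the capture lines used in the test are assumptions and were constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): post-process `tcpdump -n -e` output
# from a SPAN port and report DHCP server source MACs that are not authorised.

# Space-separated MACs of the authorised DHCP servers (assumed value; the
# address is the one used in the thread's tcpdump filter).
AUTHORISED_MACS=${AUTHORISED_MACS:-"00:50:da:28:37:62"}

# find_rogue_macs: reads tcpdump summary lines on stdin and prints each
# unauthorised source MAC once. Expects the `tcpdump -n -e` line layout:
#   <time> <src-mac> > <dst-mac>, ethertype IPv4 (0x0800), length N: <src-ip>.67 > <dst-ip>.68: ...
# Only frames whose IP source port is 67 (server -> client) are considered,
# so client DHCPDISCOVER/REQUEST broadcasts are ignored even if the capture
# filter let them through. With -vvv the option decode spans extra lines;
# those carry no ".67 > " and are skipped.
find_rogue_macs() {
    awk -v allow="$AUTHORISED_MACS" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1
        }
        $0 ~ /\.67 > / {
            mac = tolower($2)
            if (!(mac in ok) && !(mac in seen)) { seen[mac] = 1; print mac }
        }'
}

# check_rogue_dhcp: Nagios-style verdict over the capture on stdin.
# Exit 2 (CRITICAL) if any unauthorised server MAC was seen, else 0 (OK).
check_rogue_dhcp() {
    local rogues
    rogues=$(find_rogue_macs | tr '\n' ' ')
    if [ -n "$rogues" ]; then
        printf 'CRITICAL: DHCP server traffic from unauthorised MAC(s): %s\n' "$rogues"
        return 2
    fi
    printf 'OK: all DHCP server traffic came from authorised MACs\n'
    return 0
}
```

Feed it a time-boxed capture on the interface attached to the SPAN session, for example `sudo timeout 180 tcpdump -l -n -e -i eth1 'src port bootps' | check_rogue_dhcp` (timeout from GNU coreutils and eth1 are assumptions; -l makes tcpdump line-buffer its output so the pipe is fed as frames arrive). Because it only watches, the check sends no DHCPDISCOVERs of its own, which is the trade-off Brian describes: no bogus client traffic from the Nagios host, at the cost of needing a mirror port that sees the whole broadcast domain.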
Re: [Nagios-users] using Nagios to detect rogue DHCP servers?
Indeed. Looking at the source of dhcpdetector.pl (https://svn.bountysource.com/roguedetect/trunk/dhcpdetector.pl) it shouldn't be too hard to modify it into a Nagios plugin (trivial even). The relevant code block:

    sub send_log {
        my $severity = shift @_;
        my $message  = shift @_;
        if (!$message) {
            $message = 'ERROR: No Message Received, logging failure';
        }
        # If the above conditions are met and
        # the send_msg is set then go ahead and
        # log it using the specified log mojo
        # (the comparison operators below were lost in extraction;
        # ">=" is assumed, matching the per-method reporting levels)
        if ($syslog_level >= $severity) {
            syslog('LOG_INFO', $message);
        }
        if ($email_level >= $severity) {
            send_mail($alert_email, '[RogueDetect] Log Report', $message);
        }
        if ($page_level >= $severity) {
            send_mail($page_email, 'RogueDetect Failure!', $message);
        }
        if ($print_level >= $severity) {
            print $message . "\n";
        }
    }

It should be fairly easy to hook into this, print the correct message and set an exit code from here.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rogelio Bastardo
Sent: Wednesday, 11 July 2007 4:12 AM
To: Hari Sekhon
Cc: Nagios Users mailinglist
Subject: Re: [Nagios-users] using Nagios to detect rogue DHCP servers?

> > requires a whole new plugin written from scratch, I haven't seen a tcpdump like plugin. Therefore much more difficult and more time required, as well as more computationally intensive to watch all traffic for another dhcpoffer, when actually you'll get the same result.
>
> What about writing a custom plugin that uses this GPL prog to return the warning/critical/ok/pending values?
>
> https://roguedetect.bountysource.com/