Up until recently, I had vehemently decided: “OMG TEH NEIGHBORHOOD HAXXORS! I must put my wireless access points outside a firewall to protect my internal network!”
So I had an IPCop box with a blue zone that had my wireless access points. They were on a separate subnet and firewalled.
But after a while, this got really old. Having multiple laptops, I had to scp stuff back and forth to my desktop machines. Whenever a friend came over, I had to grab their MAC address from my IPCop box’s logs and explicitly give them internet access from the “blue” network. This setup also made tech support for my Luddite wife, er, Better Half more complicated.
The real deciding factor, though, was all the cool Apple toys that use Bonjour and, for the most part, just work together without any hassle or setup: the Apple TV, iTunes sharing, the iPhone remote control application, AirTunes via the Airport Express, AirTunes via the Apple TV. All that stuff gets kinda borked if you spread it across different subnets.
So I thought, OK, I’ll put the wireless access points directly on the internal network, but I wanna be emailed when an unknown MAC address connects.
So this is what I did:
First, I told the access points (Airport Extremes in this case) to send syslog messages over the network to my linux box. That was rather trivial:
Then, I made sure the syslogd process on my linux box was getting the “-r” option (Fedora Core 6, so /etc/sysconfig/syslog) to accept remote syslog messages.
Then I used the super-handy info here and channeled everything from local0.* into a named pipe and into a script:
local0.* |/etc/zoppy/pipe
When a client connects the Airport Extreme spits out a message like this:
Aug 1 14:30:13 zoppy zoppy 80211: Associated with station 00:1d:f4:f8:7c:3d
So my script ended up looking like this:
#!/bin/sh
# Read syslog lines from the named pipe. TMOUT makes bash's read builtin
# (which /bin/sh is on Fedora) give up after a second of silence, so the
# copy cron launched each minute exits instead of piling up.
TMOUT=1
while read line
do
    # Only the Airport Extreme's association messages are interesting
    if echo "${line}" | grep -q "Associated with station"
    then
        # known-macs holds one MAC per line. -F matches the entries literally,
        # -i ignores case. Keep the file free of blank lines: an empty pattern
        # matches everything and every client would look "known". A missing
        # known-macs file now also results in mail instead of silently passing.
        if ! echo "${line}" | grep -q -i -F -f /etc/zoppy/known-macs
        then
            echo "${line}" | mail -s "Zoppy: unknown mac address connected" geechorama@spam.email
        fi
    fi
done
Set it to run every minute:
0-59 * * * * /etc/zoppy/mailer < /etc/zoppy/pipe > /dev/null 2>&1
If the MAC address of the machine connected isn’t in my known-macs file, I get email.
Paranoid victory!
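For anyone who wants to do the same check without the grep-and-pipe dance, here is an added example (mine, not the original script from this post) of the same detection in Python: it pulls the MAC out of the Airport Extreme’s “Associated with station” line, normalizes it so “00-1D-F4-…” and “00:1d:f4:…” compare equal, ignores comments and blank lines in the known-macs file (a blank line is the classic way to make everything look “known”), and reports only the association events whose MAC is not on the list. The log lines and the known-macs text are constructed for the example; the page’s own sample line is reused as one of them. One caveat worth keeping in mind: a MAC address is not a credential and is trivially set by the client, so this is a tripwire that tells you an unexpected device joined, not a substitute for WPA2 on the access point.

```python
from __future__ import annotations

import re
from typing import Iterable

# The association line the Airport Extreme logs, as quoted in the post;
# capture the six colon-separated hex pairs after "Associated with station".
ASSOC_RE = re.compile(
    r"Associated with station ([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
)

# Constructed sample input: the post's own line plus two made-up ones.
SAMPLE_LOG = """\
Aug 1 14:30:13 zoppy zoppy 80211: Associated with station 00:1d:f4:f8:7c:3d
Aug 1 14:31:02 zoppy zoppy 80211: Disassociated with station 00:1d:f4:f8:7c:3d
Aug 1 14:35:47 zoppy zoppy 80211: Associated with station 02:00:5E:00:53:01
"""

# Constructed known-macs file: one MAC per line, '#' comments allowed.
KNOWN_MACS_TEXT = """\
# laptop (written in the other common notation on purpose)
00-1D-F4-F8-7C-3D

"""


def normalize_mac(mac: str) -> str:
    """Return the MAC as lower-case, colon-separated hex pairs."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_known_macs(text: str) -> set[str]:
    """Parse the known-macs file, skipping comments and blank lines."""
    known: set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:  # a blank entry must never become a match-everything pattern
            known.add(normalize_mac(entry))
    return known


def unknown_associations(
    lines: Iterable[str], known: set[str]
) -> list[tuple[str, str]]:
    """Return (mac, log line) for each association whose MAC is not known."""
    hits: list[tuple[str, str]] = []
    for line in lines:
        match = ASSOC_RE.search(line)
        if match is None:
            continue  # not an association message (e.g. "Disassociated")
        mac = normalize_mac(match.group(1))
        if mac not in known:
            hits.append((mac, line.rstrip()))
    return hits


def format_alert(hits: list[tuple[str, str]]) -> str:
    """Build the mail body: one line per unknown client."""
    return "\n".join(f"unknown mac {mac}: {line}" for mac, line in hits)


if __name__ == "__main__":
    known = load_known_macs(KNOWN_MACS_TEXT)
    found = unknown_associations(SAMPLE_LOG.splitlines(), known)
    # In the real setup this body would be piped to mail(1) as in the post.
    print(format_alert(found))
```

Feeding it the pipe instead of the constructed sample is just a matter of passing `sys.stdin` to `unknown_associations`; the regex already copes with the “Disassociated” variant by not matching it, so leaving the station’s departure out of the alert is deliberate.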
