The Pinnacle of Modern Civilization
September 16th, 2008

Yes, I Am Paranoid

August 1st, 2008

Up until recently, I had vehemently decided: “OMG TEH NEIGHBORHOOD HAXXORS! I must put my wireless access points outside a firewall to protect my internal network!”
So I had an IPCop box with a blue zone that had my wireless access points. They were on a separate subnet and firewalled.
But after a while, this got really old. Having multiple laptops, I had to scp stuff back and forth to my desktop machines. Whenever a friend came over, I had to grab their MAC address from my IPCop box’s logs and explicitly give them internet access from the “blue” network. This setup also made tech-support for my Luddite wife Better Half more complicated.
The real deciding factor, though, was all the cool Apple toys that use Bonjour and, for the most part, just work together without any hassle or setup. The Apple TV, iTunes sharing, the iPhone remote control application, AirTunes via the Airport Express, AirTunes via the Apple TV. All that stuff gets kinda borked if you spread it across different subnets.
So I thought, OK, I’ll put the wireless access points directly on the internal network, but I wanna be emailed when an unknown MAC address connects.
So this is what I did:
First, I told the access points (Airport Extremes in this case) to send syslog messages over the network to my linux box. That was rather trivial:
Then, I made sure the syslogd process on my linux box was getting the “-r” option (Fedora Core 6, so /etc/sysconfig/syslog) to accept remote syslog messages.
Then I used the super-handy info here and channeled everything from local0.* into a named pipe and into a script:
local0.* |/etc/zoppy/pipe
When a client connects, the Airport Extreme spits out a message like this:
Aug 1 14:30:13 zoppy zoppy 80211: Associated with station 00:1d:f4:f8:7c:3d
So my script ended up looking like this:
#!/bin/bash
# TMOUT is a bash read timeout: once the pipe has been quiet for a second,
# read fails and the loop ends, so the next cron run can start a fresh copy.
TMOUT=1
while read -r line
do
    if echo "${line}" | grep -q "Associated with station"
    then
        # known-macs holds one MAC address per line
        if ! echo "${line}" | grep -q -f /etc/zoppy/known-macs
        then
            echo "${line}" | mail -s "Zoppy: unknown mac address connected" geechorama@spam.email
        fi
    fi
done
Set it to run every minute:
0-59 * * * * /etc/zoppy/mailer < /etc/zoppy/pipe > /dev/null 2>&1
If the MAC address of the machine connected isn’t in my known-macs file, I get email.
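As an added example, not code from the original post: a stricter version of the same check. A plain grep -f treats every line of known-macs as a regular expression and matches it anywhere in the message, so a stray partial entry would quietly allow-list every station sharing that prefix; this version pulls the MAC out of the syslog line, lowercases it, and requires a whole-line literal match. It assumes known-macs holds one lowercase MAC per line and that mail exists, as in the post; the file and log lines used below are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the known-macs file
# holds one lowercase MAC per line and that mail(1) is available.

# Print the station MAC from an Airport Extreme syslog line, lowercased;
# print nothing if the line is not an "Associated with station" message.
extract_mac() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Associated with station \([0-9A-Fa-f:]\{17\}\).*/\1/p' \
      | tr 'A-F' 'a-f'
}

# classify_line LINE KNOWN_FILE
# exit status: 0 = known station, 1 = unknown station, 2 = not an association line
classify_line() {
    mac=$(extract_mac "$1")
    [ -n "$mac" ] || return 2
    # -F: entries are literal strings, so '.' is not a regex wildcard
    # -x: the whole line must match, so a truncated entry such as "00:1d:f4"
    #     cannot silently allow-list every station from that vendor prefix
    if grep -Fxq -- "$mac" "$2"; then
        return 0
    else
        return 1
    fi
}

# watch_pipe PIPE KNOWN_FILE RECIPIENT
# Drain the named pipe like the original script and mail on unknown stations.
# Reads until the writer closes the pipe (no TMOUT here).
watch_pipe() {
    while read -r line; do
        rc=0
        classify_line "$line" "$2" || rc=$?
        if [ "$rc" -eq 1 ]; then
            printf '%s\n' "$line" | mail -s "Zoppy: unknown mac address connected" "$3"
        fi
    done < "$1"
}
```

This is still only a tripwire: it tells you a MAC you have not listed showed up, it does not authenticate the station.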
Paranoid victory!
One Word Book Review™
July 30th, 2008

Darn It

July 30th, 2008

The hard drive in my webserver died. I’m in the process of getting everything moved over to dreamhost. Still need to import my old posts and whatnot. Joy.
The drive was a 41GB IBM Deskstar manufactured in Hungary in October of 2001. Add that to your drive failure stats.