Wireless client notifications?

[Darg]

I'm trying to set up my router running 380.70 to notify me on wireless client connects that don't match a list of mac's I've created. I was going to run a simple bash script to do so, but cannot find anything on the router that I can reference. Is there a wireless client log somewhere? Or maybe a plug-in or addon I'm unaware of that already does this? Thank you!

 

[ColinTaylor]

This might give you some ideas. BTW the router doesn't have bash it has ash.

 

[Darg]

Ok thank you! I will check that out. What is "logger"?

 

[roadwrenchtech]

Are you thinking someone is going to hack your network, or are you wanting notified when a specific authorized client is on your network?

 

[Darg]

Are you thinking someone is going to hack your network, or are you wanting notified when a specific authorized client is on your network?

Mainly I would like it to notify me if there is an attacker connected to the network.

 

[ColinTaylor]

Ok thank you! I will check that out. What is "logger"?

It writes a message to syslog.

 

[ColinTaylor]

to notify me on wireless client connects that don't match a list of mac's I've created.

The Wireless MAC Filter is designed to block or accept connections from a set list. Although as I'm sure many people here will be keen to point out, a skilled hacker can easily spoof MAC addresses.

 

[roadwrenchtech]

I would spend more effort on hardening the network, than an alert for an attack though check out fingbox and fing app for that. Mac filtering is a reasonable defense, yes you can change the mac address of an attacking device to anything but the only mac address you can see from outside the network is the wifi radio and not the list of allowed macs which would require logging into the router admin. The dhcp pool could also be sized just enough to fit your allowed clients with reserved routing for all. Wifi can be set to turn off during certain hours, and internet access could also be restricted during certain hours. Wifi power output can be turned down if your easily covering everywhere you use it. Strong passwords for wifi and wpa2 encryption should be used, and passwords could be changed periodically. A dummy router could be set up with the lease period stretched out where you could log in and check the log or lease record, leave it open or put weak encryption on it and obviously no connection to your network. If someone defeats common sense security practices, you have bigger problems as someone with mad skills cracking your network is not random or luck of the draw they have a goal and motivation and you need to think about what that might be.

 

[Darg]

I would spend more effort on hardening the network, than an alert for an attack though check out fingbox and fing app for that. Mac filtering is a reasonable defense, yes you can change the mac address of an attacking device to anything but the only mac address you can see from outside the network is the wifi radio and not the list of allowed macs which would require logging into the router admin. The dhcp pool could also be sized just enough to fit your allowed clients with reserved routing for all. Wifi can be set to turn off during certain hours, and internet access could also be restricted during certain hours. Wifi power output can be turned down if your easily covering everywhere you use it. Strong passwords for wifi and wpa2 encryption should be used, and passwords could be changed periodically. A dummy router could be set up with the lease period stretched out where you could log in and check the log or lease record, leave it open or put weak encryption on it and obviously no connection to your network. If someone defeats common sense security practices, you have bigger problems as someone with mad skills cracking your network is not random or luck of the draw they have a goal and motivation and you need to think about what that might be.

I agree, and I have spent as much as I can think of on hardening the network. I'd just like this to nerd out on. I've never heard of fingbox, I'll check that out. Mac filtering is a pain and because it is so trivial to spoof, I wouldn't recommend that solution. You can grab mac's out of the air before you ever connect to the network with something like Kismet (management frames) so I wonder if I need to check for duplicates in mac addresses as well, or maybe go deeper in the detail of individual clients.

Colin, should I just execute the script or add it to a cronjob? I'm still working on getting the script working, currently its showing line 13: syntax error: unexpected word (expecting "do")

 

[ColinTaylor]

Colin, should I just execute the script or add it to a cronjob? I'm still working on getting the script working, currently its showing line 13: syntax error: unexpected word (expecting "do")

It's needs to be run in background (as it never ends). So once you've got it working properly I recommend you kick it off from services-start. For example:

#!/bin/sh

/jffs/scripts/wireless_monitor.sh &

But before you do that you need to fix the error. I don't know what is causing it. Maybe the script is not compatible with your router? Or maybe the script wasn't created properly - make sure there weren't any line wrapping problems and that you're using a Unix editor.

What model router do you have?

 

[Darg]

It's needs to be run in background (as it never ends). So once you've got it working properly I recommend you kick it off from services-start. For example:

#!/bin/sh

/jffs/scripts/wireless_monitor.sh &

But before you do that you need to fix the error. I don't know what is causing it. Maybe the script is not compatible with your router? Or maybe the script wasn't created properly - make sure there weren't any line wrapping problems and that you're using a Unix editor.

What model router do you have?

I pasted from the post into nano and named the file "macreport.sh", ran "chmod +x" on it and tried to run it via "./macreport.sh" from "/jffs/scripts"

This is on an Asus RT-N66u.

 

[ColinTaylor]

I pasted from the post into nano and named the file "macreport.sh", ran "chmod +x" on it and tried to run it via "./macreport.sh" from "/jffs/scripts"

OK I see the problem. nano has wrapped line 12 onto line 13. I suggest that you delete your file and recreate it using the "-w" parameter:

# rm /jffs/scripts/macreport.sh
# nano -w /jffs/scripts/macreport.sh
# chmod 755 /jffs/scripts/macreport.sh

 

[Darg]

I got the script to work, your suggestion worked perfectly. I can see client connects and disconnects. Awesome!!! However, the wiki is a little vague on scripts. I am unsure if I need to create a new folder called "services-start" or if it's something different. I can run the script in the background via "&" but that process is killed once ssh disconnects. I'm thinking they're arguments to be used with "nvram"? Please forgive my lack of knowledge and late response, and thank you!

 

[ColinTaylor]

Just create a file in /jffs/scripts called services-start. No file extension is used. Make services-start executable. It should look like this:

#!/bin/sh

/jffs/scripts/macreport.sh &

As per the wiki make sure user scripts are enabled under Administration -> System on the webui.

That's it. Now, every time the router starts up services-start will run.

 

[Darg]

I rebooted and it works, thanks again!