This is a script to check for new devices on the network (regardless of connectivity type. i.e. wired, wireless, vpn). New devices (either new MAC or old MAC with new hostname) joining the network will trigger an email alert to be sent. A simple intrusion detection system for Asus routers running custom firmware by Padavan (https://code.google.c…

lan_monitor.sh

#!/bin/bash
# Script to monitor devices on network (regardless of connectivity type.
# i.e. wired, wireless, vpn). New devices (either new MAC or old MAC with 
# new hostname) joining the network will trigger an email alert to be sent.
#
# REQUIRED ENTWARE PACKAGES :
#       * msmtp - SMTP client to send mail to external email addresses
#
# Author: SidneyC <sidneyc_at_outlook_dot_com>
#
# CHANGELOG
# ---------
# 29/01/2015 Initial release
# 01/02/2015 Made path to msmtp explicit to avoid issues when running via cron
#            Fixed typo in 'msmtp'
#            Fixed issue in script due to careless cut n paste!
# 30/03/2016 Distinguish between a NEW device vs a device with a CHANGED hostname
#
###################################################################################

# Recepient email address where the alert will be sent to 
ALERT_EMAIL="root"

# This script uses msmtp (from entware) to send email.
MAIL_BIN="/opt/bin/msmtp"

# List of MAC addresses and hostnames to check for is in the file specified below.
# Note that this script will append new/unseen devices to this file if
# they are connected to the network at the time this script is run
MACS_FILE="/opt/etc/lan_monitor_devices"

# INTERNAL VARIABLES
EMAIL_TMP="/tmp/`basename $0 | sed 's/\./_/'`.tmp"

# SANITY CHECK #1 - if MACS_FILE does not exist, creat it
if [[ ! -e $MACS_FILE ]]; then
  echo "[`date`] WARNING - file ($MACS_FILE) does not exist. Creating one."
  touch $MACS_FILE
fi

# initialise temp file
> $EMAIL_TMP

# Get the list of macs on the network
#DEV_CONNECTED=$(cut -d ',' -f2 /tmp/static_ip.inf)
DEV_CONNECTED=$(sed -n "s/^.*,\(.*,.*\),.,.,./\1/p" /tmp/static_ip.inf)
#DEV_CONNECTED=$(sed -n "s/^.*,\(.*,.*\),.,.,./\1/p" /tmp/test_static_ip.inf)
#echo "DEBUG- $DEV_CONNECTED"

for i in $DEV_CONNECTED; do
  # First we check for unique MAC address
  DEV_MAC=$(echo "$i" | cut -d ',' -f1)
  DEV_NAME=$(echo "$i" | cut -d ',' -f2)
  if [[ -z "$(grep "$DEV_MAC" $MACS_FILE)" ]]; then
    #new device on network! 
    #let's add it to the mac file so we won't get notified again
    echo "$i [first seen on `date`]" >> $MACS_FILE
    #let's log it and inform user!
    echo "[`date`] New device found on network! Name - $DEV_NAME, MAC - $DEV_MAC"
    echo "*NEW* MAC Address - $DEV_MAC    Hostname - $DEV_NAME" >> $EMAIL_TMP
  elif [[ -z "$(grep "$i" $MACS_FILE)" ]]; then
    #we have seen this MAC but hostname has changed, 
    #let's log it and inform user!
    OLD_DEV_NAME=$(grep "$DEV_MAC" $MACS_FILE | cut -d ',' -f2  | sed -e 's/^/          /')
    echo "[`date`] Device with new HOSTNAME found on network! New Name - $DEV_NAME, MAC - $DEV_MAC"
    echo "*CHANGED* MAC Address - $DEV_MAC  New Hostname - $DEV_NAME" >> $EMAIL_TMP 
    echo "          Old Hostname(s)seen - " >> $EMAIL_TMP
    echo "$OLD_DEV_NAME" >> $EMAIL_TMP
    #let's add it to the mac file so we won't get notified again
    echo "$i [first seen on `date`]" >> $MACS_FILE
  fi
done

# Now we send email to user if we found any new devices
if [[ -s $EMAIL_TMP ]]; then
  sed -i "1iSubject: [`hostname`] ALERT - `grep '*NEW*' $EMAIL_TMP |wc -l | cut -d ' ' -f1` NEW, `grep '*CHANGED*' $EMAIL_TMP |wc -l | cut -d ' ' -f1` CHANGED device(s) connected to network!" $EMAIL_TMP
  sed -i "2iFrom: lan_monitor@`hostname` <noreply@`hostname --fqdn`>" $EMAIL_TMP
  sed -i "3iTo: $ALERT_EMAIL" $EMAIL_TMP
  sed -i "4i" $EMAIL_TMP #you need a blank line to seperate the body from the header fields
  sed -i "5iNew/Changed device(s) detected on network at `date`. Details as follows:" $EMAIL_TMP
  $MAIL_BIN $ALERT_EMAIL < $EMAIL_TMP
fi

#clean up
rm $EMAIL_TMP

exit 0;