Friday, January 22, 2010

Rogue DHCP detector in Nagios

This Python script I created can be used with Nagios to warn if there are unauthorized DHCP servers on the network. No third party libraries are used.

At the moment the script only checks at IP level, and does not return the MAC address of the rogue server. My plan is to expand this at some stage, but at the moment we do not really need this in our setup.

view plainprint?
  1. #!/usr/bin/python  
  2. from socket import *  
  3. from binascii import *  
  4. from random import *  
  5. from struct import *  
  6.   
  7. # local machine mac address  
  8. chaddr = unhexlify('001122334455')  
  9.   
  10. # allowed dhcp servers  
  11. whitelist = set(['11.22.33.44'])  
  12.   
  13. # random session id (xid)  
  14. xid = pack('L', randrange(02**32 - 1 ))  
  15.   
  16. # setup socket  
  17. s = socket(AF_INET, SOCK_DGRAM)  
  18. s.bind(('0.0.0.0'68))  
  19. s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)  
  20.   
  21. request = \  
  22.     '\x01\x01\x06\x00' \  
  23.     + xid \  
  24.     + ''.ljust(20'\x00') \  
  25.     + chaddr.ljust(16'\x00') \  
  26.     + ''.ljust(192'\x00') \  
  27.     + '\x63\x82\x53\x63' \  
  28.     + '\x35\x01\x03' \  
  29.     + '\xff'  
  30. s.sendto(request, ('255.255.255.255'67))  
  31.   
  32. # listen for dhcp packets for max 2.5 seconds  
  33. status = "OK - No rogue dhcp servers detected"  
  34. r = 0  
  35. s.settimeout(2.5)  
  36. while 1:  
  37.     try:  
  38.         buf, (ip, port) = s.recvfrom(65565)  
  39.     except:  
  40.         break  
  41.     opcode, = unpack_from('B', buf)  
  42.     if not (ip in whitelist and opcode == 0x02):  
  43.         r = 2  
  44.         status = "CRITICAL - Rogue dhcp server detected on IP-addr: " + ip  
  45.         break  
  46.   
  47. s.close()  
  48. print status  
  49. exit(r)  
Posted by at 3 comments:
Subscribe to: Posts (Atom)