Continuous Network Monitoring

I am often asked "What is the easiest thing companies can do to secure their networks?" and my answer is always "Know what is on your network." While that is simple advice, it is a lot harder to implement. One company I was working with was looking at a system to do continuous network monitoring (read: scheduled nmap scans) for $40,000 a year.
After I cried for the state of my industry, I told them I could do this for them with a small shell script, a $5 a month Digital Ocean Droplet and a free Sendgrid account.
Here is how I did it:

  • Created a free Sendgrid account.
  • Spun up a $5 a month DigitalOcean Ubuntu Droplet.
  • Added a DNS record to be perfectly clear what the box was doing.
  • Updated and installed needed software:
    sudo apt-get update && sudo apt-get dist-upgrade
    sudo apt-get install ssmtp nmap xsltproc
  • Created necessary folders:
    mkdir /root/nmap/
    mkdir /root/nmap/diffs
  • Edit /etc/ssmtp/ssmtp.conf with this:
    [email protected]
    [email protected]
  • Copy this script to /root/nmap/ (the original post did not show the TARGETS value; set it to the network range you want watched):
    #!/bin/bash
    # Scan options: verbose, service/version detection, fast timing, top-100 ports, open ports only
    OPTIONS="-v -sV -T4 -F --open"
    # Placeholder: the network range(s) to scan, e.g. your office or DMZ block
    TARGETS="<your-network-range>"
    date=$(date +%F%T)
    cd ~/nmap/diffs || exit 1

    # Mail the ndiff output via ssmtp (addresses as configured in ssmtp.conf)
    email() {
    /usr/sbin/ssmtp [email protected] <<EOF
    From: [email protected]
    Subject: nmap ndiff $(date +"%Y-%m-%d")

    *** NDIFF RESULTS ***
    $(cat diff-$date)
    EOF
    }

    # Run the scan, writing scan-<date>.nmap/.gnmap/.xml
    nmap $OPTIONS $TARGETS -oA scan-$date > /dev/null

    # Compare against the previous scan; ndiff exits 1 when there are differences
    if [ -e scan-prev.xml ]; then
        ndiff scan-prev.xml scan-$date.xml > diff-$date
        [ "$?" -eq "1" ] && email
    fi
    # Point scan-prev.xml at this run so the next run compares against it
    ln -sf scan-$date.xml scan-prev.xml
  • Test it (add cat diff-$date to the bottom of the script to see the output).
  • Add a cron job to crontab to run it every 15 minutes (or every hour for bigger networks).
  • Talk your boss into buying you something awesome with the $39,970 in savings.
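To make it clearer what the ndiff step in the script above is actually reporting (and why the script keys off ndiff's exit status), here is an added example that is not part of the original post: a small Python script that parses two nmap -oX files, lists open ports that appeared, disappeared or changed service between the runs, and returns 0 or 1 in the same convention ndiff uses. The two XML documents are constructed sample data, not real scan output.

```python
"""Compare two nmap XML scans and report what changed between runs (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample scan in nmap's -oX format: two hosts, three open ports.
PREV_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed "next run": .10 lost 80 and gained 3389, .11 is gone, a new host .12 appeared.
CURR_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {(ip, protocol, port): service_name} for every open port on every host that is up."""
    root = ET.fromstring(xml_text)
    found = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports are inventory; closed/filtered are noise here
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            found[(ip, port.get("protocol"), int(port.get("portid")))] = name
    return found


def diff_scans(prev_xml, curr_xml):
    """Compute which open ports were added, removed, or changed service between two scans."""
    prev, curr = open_ports(prev_xml), open_ports(curr_xml)
    return {
        "added": sorted(k for k in curr if k not in prev),
        "removed": sorted(k for k in prev if k not in curr),
        "changed": sorted(k for k in curr if k in prev and curr[k] != prev[k]),
    }


def exit_status(diff):
    """Same convention as ndiff: 0 when the scans match, 1 when there are differences."""
    return 1 if any(diff.values()) else 0


def format_report(diff):
    """Render the diff as the kind of text a change alert should carry."""
    lines = []
    for key, sign in (("added", "+"), ("removed", "-"), ("changed", "~")):
        for ip, proto, port in diff[key]:
            lines.append(f"{sign} {ip} {port}/{proto}")
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    d = diff_scans(PREV_XML, CURR_XML)
    print(format_report(d))
    raise SystemExit(exit_status(d))
```

Run it as a script and it prints the added (+) and removed (-) ports and exits 1, which is exactly the signal the shell script uses to decide whether to send mail. A new listening port on a known host, or a host that was not there last time, is the event this whole setup exists to surface; a port that disappears is worth a look too, since it may mean a service or host went down.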

It was as simple as that, and I put this together in an afternoon. Up next is to build a Slackbot and an to deliver the differences to their Slack channel.