The Inventory of the Equipment Attached to My Network

New Gear

First off, I have to confess that it’s taking all my restraint not to tear open my new stuff and dive into this project. At work, life is all planning, but at home I have the luxury of getting something working quickly and then tweaking it gradually. This time, though, I feel it’s worth trying to do right. I also wanted to write down how I did it. The first step is a network inventory.

I was going to do this when I built my mining rig, but I literally put it together in my front hall once I had all the pieces.

It’s very hard to pace myself when I have this:

[Picture: new Ubiquiti UniFi access points. Caption: New Gear!]

Staring at me.

The Inventory – why I need one

So I realized a long time ago that I have completely lost control of my network. I had tried a few approaches to get my arms around what was on the network, but to little avail. The best I could do was a combination of arpwatch and logwatch. Arpwatch runs on my CentOS server and sends me an email whenever a new device joins the network; logwatch summarizes logs. I don’t recall how I installed either, except that they don’t play well with SELinux. Arpwatch is helpful; logwatch, for some reason most likely of my own doing, sends me basically a list of all dynamic BIND (DNS) updates each day, which isn’t very helpful. I can probably figure that one out later.

One useful thing logwatch did was remind me that I had ssh open on a random port, and had forgotten. The hackers had not. I started to notice that my morning emails were very large, then I saw this:
sshd:
Authentication Failures:
unknown (c-73-85-137-198.hsd1.fl.comcast.net): 106 Time(s)
unknown (ns537874.ip-142-4-208.net): 105 Time(s)
unknown (ns513497.ip-167-114-65.net): 101 Time(s)
unknown (static.169.13.201.138.clients.your-server.de): 101 Time(s)
unknown (respectable.institute): 10 Time(s)

I really liked that someone bothered to register the domain ‘respectable.institute’. It oozes confidence.
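The logwatch summary above is just a count of failed sshd logins grouped by source. As an added example (not code from this post, and not logwatch itself), here is a small Python script that produces the same kind of report from raw /var/log/secure lines, and additionally separates failures against accounts that really exist (sshd omits “invalid user” for those) from pure username guessing, which is the more worrying signal. The log lines, hostnames, users and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines from a CentOS box. The host,
# users and IPs (documentation ranges) are made up for this example and are
# not taken from the post's logwatch output.
SAMPLE_SECURE_LOG = """\
Aug 15 03:12:01 home sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 15 03:12:03 home sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 15 03:12:09 home sshd[2215]: Failed password for root from 198.51.100.23 port 40022 ssh2
Aug 15 03:12:10 home sshd[2215]: Failed password for root from 198.51.100.23 port 40022 ssh2
Aug 15 03:12:11 home sshd[2215]: Failed password for root from 198.51.100.23 port 40022 ssh2
Aug 15 03:15:44 home sshd[2230]: Accepted publickey for alice from 192.168.1.20 port 55000 ssh2
Aug 15 03:16:02 home sshd[2240]: Failed password for invalid user pi from 203.0.113.7 port 51300 ssh2
Aug 15 03:20:00 home sshd[2250]: Failed password for alice from 192.168.1.20 port 55010 ssh2
"""

# sshd logs "invalid user" when the account does not exist at all; a failure
# without that phrase means someone is guessing passwords for a real account.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def summarize(log_text):
    """Count failed logins per source and per target user, and list accepted logins.

    Returns (by_source, by_user, real_user_failures, accepted), where
    real_user_failures counts only failures against accounts that exist.
    """
    by_source, by_user, real_user_failures = Counter(), Counter(), Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            by_source[m.group("src")] += 1
            by_user[m.group("user")] += 1
            if not m.group("invalid"):
                real_user_failures[m.group("user")] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("user"), m.group("src"), m.group("method")))
    return by_source, by_user, real_user_failures, accepted


def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, most active first."""
    by_source, _, _, _ = summarize(log_text)
    return [(src, n) for src, n in by_source.most_common() if n >= threshold]


def format_report(log_text):
    """Render the same shape logwatch prints for sshd ("unknown" is logwatch's
    label for the per-source line), plus a section for existing accounts."""
    by_source, _, real, _ = summarize(log_text)
    lines = ["sshd:", "Authentication Failures:"]
    for src, n in by_source.most_common():
        lines.append(f"   unknown ({src}): {n} Time(s)")
    if real:
        lines.append("Failures against existing accounts:")
        for user, n in real.most_common():
            lines.append(f"   {user}: {n} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_SECURE_LOG))
```

Run it against a real /var/log/secure by replacing SAMPLE_SECURE_LOG with the file contents; the “existing accounts” section is the one worth a second look, since a burst there means a real username has leaked, not just a scanner cycling through defaults.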

Then I closed off that old port. This is why you practice defense in depth. My ssh daemon only has one allowed login, with a strong password, and it’s hardened:

sshd_config:
PermitRootLogin no
MaxAuthTries 3

This was basically all that was holding back the tide. Now that port is closed, and that ssh server is wrapped in an SSL tunnel courtesy of stunnel, which uses a certificate whitelist so only clients presenting a known certificate can reach sshd at all. Remember, the only true security lies in math.

Anyhow…

The Inventory (for real)

So I read through my DHCP leases and my DNS setup, and made a list of approximately what is on my network:

Part | Type | Notes
---- | ---- | -----
Camera | Panasonic BL VP 104W |
Camera | Panasonic BL VP 104W |
Camera | Panasonic BL VP 104W |
Camera | BL-C121 |
Dash Button | various (6) |
HDMI over IP | Mirabox HDMI extender | on separate VLAN
Samsung TV 1 | Living Room |
Samsung TV 2 | Attic |
Apple TV | Office |
Apple TV | Living Room |
Apple TV | Sonos |
Apple TV | Basement |
Apple TV | Bedroom |
iPad | (3?) |
iPhone | several |
Laptop | several |
Computer | several |
Stereo | |
Sonos | 4 devices |
DVD player | |
Printer 1 | |
Printer 2 | |
Echo Dot | (2) |
Amazon Echo | |
Wii | | We kick it old-school.
Chromecast | |
Fire TV | |
Raspberry Pi | several |
EcoBee 4 | 2 thermostats | These are great. I am pretty sure I’d have saved a lot of money on cooling this year if I had not had a mining rig running.
Roku | |
ISY Bridge for Insteon | | I use Insteon light switches. They are awesome.
AcuRite weather device | | This has 3 sensors so I can check if my attempts to insulate an 80 year old house work.
Philips Hue Hub | | So we can have dance parties with our bedside lamps.
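Reading the DHCP leases by hand, as described above, is the part that doesn’t scale once the list is this long. As an added example (not code from this post), here is a Python script that parses an ISC dhcpd.leases file, keeps the most recent lease per IP, lists the active ones, and flags any MAC address that isn’t in a hand-maintained inventory; that last check is the same “new station” idea arpwatch emails about, but driven from the DHCP server’s own records. The leases text, MAC addresses and the KNOWN_DEVICES table are constructed for the example.

```python
import re

# Constructed sample of an ISC dhcpd.leases file. dhcpd appends a new block
# every time a lease changes, so the same IP can appear several times and the
# last block for an IP is the current one. MACs and hostnames are made up.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 3 2018/08/15 12:00:00;
  ends 3 2018/08/15 13:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "sonos-living";
}
lease 192.168.1.51 {
  starts 3 2018/08/15 12:05:00;
  ends 3 2018/08/15 13:05:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "old-laptop";
}
lease 192.168.1.52 {
  starts 3 2018/08/15 12:10:00;
  ends 3 2018/08/15 13:10:00;
  binding state active;
  next binding state free;
  hardware ethernet AA:BB:CC:DD:EE:02;
}
lease 192.168.1.50 {
  starts 3 2018/08/15 13:00:00;
  ends 3 2018/08/15 14:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "sonos-living";
}
"""

# Hand-maintained inventory: MAC -> label. Constructed for the example; in
# practice this is the table from the post with a MAC column added.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "Sonos (living room)",
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return {ip: fields}, keeping the last block seen for each IP."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        # Anchor at line start so "next binding state" is not mistaken for
        # the current state.
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)
        leases[ip] = {
            "ip": ip,
            "mac": mac.group(1).lower() if mac else None,  # normalise case
            "hostname": host.group(1) if host else "",
            "state": state.group(1) if state else "unknown",
        }
    return leases


def active_inventory(text, known=KNOWN_DEVICES):
    """Rows (ip, mac, hostname, label) for active leases, label UNKNOWN if new."""
    rows = []
    for lease in parse_leases(text).values():
        if lease["state"] != "active" or not lease["mac"]:
            continue
        label = known.get(lease["mac"], "UNKNOWN")
        rows.append((lease["ip"], lease["mac"], lease["hostname"], label))
    return sorted(rows)


def unknown_devices(text, known=KNOWN_DEVICES):
    """Active leases whose MAC is not in the inventory: candidates for an email."""
    return [row for row in active_inventory(text, known) if row[3] == "UNKNOWN"]


if __name__ == "__main__":
    for row in active_inventory(SAMPLE_LEASES):
        print("%-15s %-17s %-15s %s" % row)
    print("unknown:", unknown_devices(SAMPLE_LEASES))
```

Point it at /var/lib/dhcpd/dhcpd.leases (the usual path on CentOS) and keep KNOWN_DEVICES in a file next to the inventory table; anything that comes back UNKNOWN is either a new gadget that needs a row in the table or something that shouldn’t be there.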

As you can see, I’ve never met a device that I didn’t want to plug in somewhere, and when I see an unknown plug, I have to find a use for it. That’s why I lament the death of SCSI. There was always some version of it you didn’t have, tempting you to get it. More pins? Sure! Some new weird termination scheme? Sure! I am pretty sure I bought (and may still have) a SCSI Iomega Zip drive, which, now that I think about it, I may not have the appropriate cables or adapter card for. I’ll hold on to that one, though. You never know…

So, what do I want to do with this?

Most of this stuff does not need to be visible and should not be able to see any trusted parts of my network. It ought to be segmented off and able to only connect to the internet. The vast majority of it needs to be on an IoT WiFi Network on its own VLAN. I have two kids (see prior posts), and I want to isolate them, too. It’s not so much that I don’t trust a 3-year-old and a 6-year-old, but I definitely don’t trust their friends or cousins. And I need a good network for my guests.

Now that my network inventory is done, I’ll play with NetSpotApp to see where my WiFi is, and is not.

What I’m listening to as I do this:

Gangstagrass. Were you looking for a blend of gangsta rap and bluegrass? Well, look no further. Saw them live at Hill Country last year, and it was excellent. If you were feeling a void in your life, it’s probably for this.