LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Grab the MAC addresses and if 3 exist from list...do not do (https://www.linuxquestions.org/questions/linux-security-4/grab-the-mac-addresses-and-if-3-exist-from-list-do-not-do-4175544683/)

HardenedCriminal 06-06-2015 02:56 PM

Grab the MAC addresses and if 3 exist from list...do not do
 
We keep having a problem with IT people turning on us after years of service in various locations.


I want to tie the Alarm System & the Server together that if the alarm system is dead the server self-destructs. (Not a problem).

But I run into the problem of when NO one tells us the alarm system is deactivated due to some maintenance issue so at these times, we don't want the server in self-destruct mode.

arp |awk '{print $3}'
Gets a nice pretty list of MAC Addresses all around the building(s) even the DVR & copier(s).

If the first program comes back as "self-destruct" I need a program to run that looks to see if 3 of the MAC addresses in the building are still active from that "arp |awk '{print $3}'" list. (Just in case the idiot in charge didn't log or tell us what is going on remotely.)

Thanks to all in advance.

joec@home 06-06-2015 03:03 PM

If I understand this correctly then you would want to use the arping command. But this would only be true if the known IP addresses remain the same. Either that or arping the whole subnet and search for the known MAC address. Interesting concept but I can see a whole slew of problems with this concept for triggering a self destruct. More common is to have an obfuscated code in the server contact a remote server for a license key on a regular basis. Rather than using cron which can be easily traced down, have a script run the at command where the script reschedules itself with the at command. Food for thought anyways.

HardenedCriminal 06-06-2015 03:20 PM

Joseph, I understand your concerns. 99 of the places we service only purchase new equipment from us, so once a year or so we will need a cron job to build a new list. Most of these people leave all the computers & copiers & printers on all the time; the alarm system, of course. If there is a total power outage, they are mostly all back on before the server would run this program. Our thief always does it after hours on Fridays; by Monday he has done his damage. Many of our clients are on Comcast or Uverse... so we can't count on 95%+ uptime.

LIST1=`arp |awk '{print $3}'`
LIST2=`/var/log/imaginaryProgram` (in plain view to anyone but a Linux expert)

HardenedCriminal 06-06-2015 03:24 PM

"Rather than using cron which can be easily traced down, have a script run the at command where the script reschedules itself with the at command."

Okay, I am interested in this.

I attach "secret programs" in common executed programs and some in plain view in Cron.

I would love to know how to put one of my secret programs in Squid that on the 1000th spawning it would execute.

But I like any new way to hide stuff!

joec@home 06-06-2015 03:31 PM

Ah, a better understanding of arp to help explain. For some stupid reason I cannot get the arp function to work on my test server, gah! In any case, arp by itself is cached information, not real time. You said you needed to know specifically if the connection was live online or not. This is where you would need to use the arping tools. Now personally, my experience with this was for locating two devices on the same network with the same IP. Wrong IP allocation, IP theft kind of thing. So with arping, you get a MAC address response from any IP address not local to the system running arping rather than an ICMP reply. At least as far as I know, you have to ping an IP address to get a MAC address response in real time. Other than that, I think the only method of getting active MAC addresses would be to poll the network switch if it has that particular function in its management, i.e. high-end managed switches. However, even on managed switches, some models just give cached information with a delay time of around 10 ~ 30 minutes between updates.

HardenedCriminal 06-06-2015 03:53 PM

I didn't know ARP was on a delay, but even then this would be fine; the IT person is driving the server to his house and returning it Sunday.

HardenedCriminal 06-06-2015 05:31 PM

This is what ARP output looks like

HWaddress
00:22:2D:32:06:EE
94:DE:80:2B:F9:80
00:22:2D:32:06:EE
etc.

without the smiley face, I guess (colon D) is a smiley.

joec@home 06-06-2015 06:15 PM

So then it sounds like you need a conditional if statement to build your script with.

say x = some mac address
or x1 x2 x3 being multiple addresses
then have y be from what ever you are using to check if the mac address is present
!= meaning does not equal

self_destruct(){
    # some command to self destruct
}
if [ "$x" != "$y" ]; then self_destruct; fi

or say you need all three in a row you need the and statement of &&

if [ "$x1" != "$y" ] && [ "$x2" != "$y" ] && [ "$x3" != "$y" ]; then self_destruct; fi

or any one of three you need the or statement of ||

if [ "$x1" != "$y" ] || [ "$x2" != "$y" ] || [ "$x3" != "$y" ]; then self_destruct; fi

I am not certain, is this what you are looking for?

HardenedCriminal 06-06-2015 07:19 PM

I think I need a little more crunching.
Maybe I need to state this differently.


LIST1= this would be from ARP like below (but a few months old):

HWaddress
00:22:2D:32:06:EE
94:3E:80:2B:F9:80
00:22:2D:32:06:EE
& 5-20 more MACs.

LIST2 would be the current output of ARP.

I need to compare LIST1 to LIST2 if they contain at least 3 matches... then NO self destruct.

joec@home 06-06-2015 08:23 PM

Well you do not want it triggered because someone rebooted something or just one device got replaced, or a new device got added, so you need at least more than one trigger. Looks like this needs to have data files as well rather than raw variables. This will give you a raw idea but will need some tweaking I am sure.

So first you want to sort the data so that they are easier to parse.

sort FILE1 > FILE3
sort FILE2 > FILE4
rm FILE1 FILE2
mv FILE3 FILE1
mv FILE4 FILE2

That kind of thing, you get the idea.


FILE1 old data
FILE2 new data

Then compare the difference between the two. I think, though, this is a bit more than what I would want to try to use with the diff command and regex. Parsing it with loops and grep is my personal choice in this matter.

Code:


TEST1=$(cat FILE1 | wc -l)                                                  # number of entries in the old list
TEST2=$(for i in $(cat FILE1) ; do grep -Fx "$i" FILE2 ; done | wc -l)     # old entries still present in the new list
TEST3=$(for i in $(cat FILE2) ; do grep -Fx "$i" FILE1 ; done | wc -l)     # new entries that were already in the old list
THRESHOLD1=3
THRESHOLD2=-3
DIFF1=$(( TEST1 - TEST2 ))                                                  # how many old entries have gone missing
DIFF2=$(( TEST1 - TEST3 ))
if [ "$DIFF1" -ge "$THRESHOLD1" ] || [ "$DIFF1" -le "$THRESHOLD2" ] || [ "$DIFF2" -ge "$THRESHOLD1" ] || [ "$DIFF2" -le "$THRESHOLD2" ]; then SELF_DESTRUCT; fi

Let's see if that gets you further along on this project.
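As an added example, not code from this thread or from either poster: one complete script that does the LIST1/LIST2 comparison sketched in joec@home's two posts above (the conditional with x1/x2/x3 and the FILE1/FILE2 loop). The arp output is constructed sample data embedded inline; in real use the baseline would come from a file saved by cron and the current capture from arp itself. It assumes arp's default text layout (MAC in the third column); the function names mac_list, count_matches and decide are the example's own, and the destructive branch is only a message.

```shell
#!/bin/sh
# Added example, not code from the thread. Compare a saved baseline of MAC
# addresses with the current ARP table and only take the "self-destruct"
# branch when fewer than THRESHOLD known devices are still visible.

# Constructed sample data standing in for "arp" output: the baseline captured
# months ago and the table captured now. The baseline repeats one MAC on two
# IPs, as in the thread's sample, to show that duplicates count once.
BASELINE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:22:2D:32:06:EE   C                     eth0
192.168.1.11             ether   94:3E:80:2B:F9:80   C                     eth0
192.168.1.12             ether   00:1A:2B:3C:4D:5E   C                     eth0
192.168.1.13             ether   AA:BB:CC:DD:EE:01   C                     eth0
192.168.1.14             ether   00:22:2D:32:06:EE   C                     eth0'

CURRENT_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:22:2D:32:06:EE   C                     eth0
192.168.1.11             ether   94:3e:80:2b:f9:80   C                     eth0
192.168.1.20             ether   (incomplete)                              eth0
192.168.1.50             ether   DE:AD:BE:EF:00:01   C                     eth0'

# Read arp-style output on stdin and print one MAC per line: lower-cased,
# de-duplicated, with the header line and "(incomplete)" entries dropped.
mac_list() {
    awk 'length($3) == 17 && $3 ~ /^[0-9A-Fa-f:]+$/ { print tolower($3) }' \
        | sort -u
}

# Count how many baseline MACs are present in the current table.
# Usage: count_matches "$baseline_arp_output" "$current_arp_output"
count_matches() {
    local old new n mac
    old=$(printf '%s\n' "$1" | mac_list)
    new=$(printf '%s\n' "$2" | mac_list)
    n=0
    for mac in $old; do
        # -F: fixed string, -x: whole line, so 00:22 cannot match 00:22:2d...
        if printf '%s\n' "$new" | grep -qFx "$mac"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Print "keep" when at least $3 known devices are still visible, otherwise
# "self-destruct". Always exits 0 so the caller decides what to do.
decide() {
    local threshold matches
    threshold=$3
    matches=$(count_matches "$1" "$2")
    if [ "$matches" -ge "$threshold" ]; then
        echo "keep"
    else
        echo "self-destruct"
    fi
}

main() {
    threshold=3
    case $(decide "$BASELINE_ARP" "$CURRENT_ARP" "$threshold") in
        keep) echo "at least $threshold known devices present; nothing to do" ;;
        *)    echo "fewer than $threshold known devices present; destructive branch would run here" >&2 ;;
    esac
}
main
```

With the sample data only two baseline MACs are still present (the third current entry is new and one is incomplete), so a threshold of 3 takes the destructive branch while a threshold of 2 does not. Two caveats that follow from joec@home's earlier reply: the arp table is a cache, so a real deployment should refresh it (arping the known addresses, or a ping sweep) before capturing CURRENT_ARP, and a single outage or weekend shutdown can empty the table, so the MAC count is best used alongside the alarm-system check rather than as the sole trigger.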

HardenedCriminal 06-06-2015 08:42 PM

Thank you; this looks beyond my abilities at present, but I will go grab some data Monday and give it a whirl. I think I am going to call my week DONE. I would not need this if I had 2 constants in each building. The alarm system is one for sure.

Any way to read a NON-managed switch for any kind of useful info? I have lots of these in the buildings. I am going to Google now. Thanks again.

joec@home 06-06-2015 09:32 PM

Quote:

Originally Posted by HardenedCriminal (Post 5373313)
Any way to read a NON managed switch for any kind of useful info

Unfortunately nope. They store about as much data as your lunch, none.

