I have too many devices connected to my network and while most are in an isolated VLAN I was still interested in detecting unexpected behavior. Now, there are many tools that analyze packets of data and can provide what I wanted. However, most are pretty complex to configure, require some other box for analysis, DB or whatever. Mostly they are not really designed for a home user.
I wanted something really simple. Just one package to install on my OpenWrt box that will track and notify me straight to my phone.
The closest service I could find that does something in that direction is nlbwmon by @jow. However it only monitors bandwidth and I wanted more data. So I slowly added the functionality I was missing on top of the nlbwmon code base. I'm not an OpenWrt dev and can't really spend much time on this but it works well enough for me and may interest others to try or further expand and improve on it.
So what does it do?
- It uses the ipinfo.io API to get information about external IP addresses - country, ASN. While this may be a privacy issue for some, I have found the ipinfo.io data to be pretty accurate and useful
- It listens on ubus for DNS resolve responses from dnsmasq and ties domain information to IP addresses
- It also listens on ubus for DHCP ack messages from dnsmasq to keep a list of devices
- It serves a Telegram bot that communicates with a Telegram client on a phone to send notifications and receive some commands
- It can report IP addresses to abuseipdb.com if you choose to
Currently there are four types of notifications:
- A device sends significant data amounts outbound.
- A device connects to an unexpected country (the list of countries to notify about should be stated in the configuration).
- An inbound connection has passed through the firewall. This can be to a service that runs on the router itself or to any client on your LAN if your firewall redirected it there.
- A new device connected to the network.
Each notification is shown once as long as it concerns the same client, the same country and the same ASN.
An example of an outbound notification:
Clicking on Mute allows you to define a rule to avoid getting notifications, for example mute notifications about any connection from my Doorbell to Google (using the ASN).
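To make the notification rules above concrete, here is a small added example of the de-duplication and mute logic (once per client, country and ASN; a Mute rule suppresses a client/ASN pair). It is illustrative code written for this post, not the modified nlbwmon code; the event field names, the byte threshold for "significant" and all IPs, MACs, ASNs and country codes are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One observed connection, already enriched with country/ASN data
    (the post gets these from ipinfo.io; values here are constructed)."""
    client_mac: str
    direction: str      # "out" = LAN client to internet, "in" = forwarded inbound connection
    remote_ip: str
    country: str
    asn: str
    bytes_out: int      # bytes sent by the client on this connection


@dataclass
class Notifier:
    watch_countries: frozenset          # countries listed in the config as "notify me"
    outbound_threshold: int             # bytes; the "significant" cut-off is assumed to be configurable
    devices: dict = field(default_factory=dict)   # mac -> hostname, learned from DHCP acks
    seen: set = field(default_factory=set)        # (kind, mac, country, asn) already notified
    mutes: set = field(default_factory=set)       # (mac, asn) pairs created via the Mute button

    def mute(self, mac: str, asn: str) -> None:
        """A Mute rule: never notify again about this client talking to this ASN."""
        self.mutes.add((mac, asn))

    def on_dhcp_ack(self, event: dict) -> list:
        """Handle a DHCP ack event; 'mac' and 'name' keys are assumed field names."""
        mac = event["mac"]
        if mac in self.devices:
            return []                    # already known, no "new device" notification
        self.devices[mac] = event.get("name", "?")
        return [f"new device: {mac} ({self.devices[mac]})"]

    def on_flow(self, flow: Flow) -> list:
        """Return the notifications a flow triggers, after mute and dedup rules."""
        if (flow.client_mac, flow.asn) in self.mutes:
            return []
        kinds = []
        if flow.direction == "in":
            kinds.append("inbound")
        else:
            if flow.bytes_out >= self.outbound_threshold:
                kinds.append("outbound")
            if flow.country in self.watch_countries:
                kinds.append("country")
        out = []
        for kind in kinds:
            # Shown once per notification type, client, country and ASN.
            key = (kind, flow.client_mac, flow.country, flow.asn)
            if key in self.seen:
                continue
            self.seen.add(key)
            name = self.devices.get(flow.client_mac, flow.client_mac)
            out.append(f"{kind}: {name} <-> {flow.remote_ip} {flow.country} {flow.asn}")
        return out


def run_demo() -> list:
    """Constructed sequence of events; returns every notification that would be sent."""
    n = Notifier(watch_countries=frozenset({"XX"}), outbound_threshold=10 * 1024 * 1024)
    doorbell, laptop = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
    sent = []
    sent += n.on_dhcp_ack({"mac": doorbell, "name": "Doorbell"})   # new device
    sent += n.on_dhcp_ack({"mac": doorbell, "name": "Doorbell"})   # repeat ack: nothing
    big = 50 * 1024 * 1024
    sent += n.on_flow(Flow(doorbell, "out", "203.0.113.10", "US", "AS64496", big))  # outbound
    sent += n.on_flow(Flow(doorbell, "out", "203.0.113.11", "US", "AS64496", big))  # same client/country/ASN: deduped
    n.mute(laptop, "AS64496")
    sent += n.on_flow(Flow(laptop, "out", "203.0.113.12", "US", "AS64496", big))    # muted
    sent += n.on_flow(Flow(laptop, "out", "198.51.100.5", "XX", "AS64497", 1024))   # watched country
    sent += n.on_flow(Flow("router", "in", "198.51.100.9", "US", "AS64498", 0))     # inbound through firewall
    return sent


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The dedup key includes the notification type, so a client that first triggers an "outbound" alert and later a "country" alert for the same ASN still gets both; whether the real service keys on the type as well is not stated in the post.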
The service does not require much CPU but does require around 5MB of RAM and some more depending on your network size. So it should be able to run on most modern boxes.
I have only compiled and run it on my x86_64 OpenWrt.
If you want to try it you need to add the following to the config file:
- Create an ipinfo.io token
- Create a Telegram bot and add its token
- If you want to report IPs, create an abuseipdb.com account and ask to be approved for reporting. Only then add the token to the config file.
Once you start the service, send a message to your bot and it should immediately respond that it's ready. It will set a chat_id number in the config file which identifies your Telegram client. Keep it there.
PRIVACY - please note that the service will send all external addresses to ipinfo.io to get information about them, so only use it if you are comfortable with that. Also, once a notification is sent, a preview from abuseipdb.com is shown which means that the IP address is sent to them as well (only IP addresses that you were notified about unexpected behavior). And finally it uses Telegram so all the notification information is sent through their network.
This is not just a bandwidth monitor and it takes a very different philosophy from @jow's nlbwmon so it should have a different name. But for now I just relied on nlbwmon's code, config file and package makefile, so it carries the same name. Sorry about that.
Note that you can't run both nlbwmon and this service together. This service will use separate DB files so it should not overwrite anything. You can run the regular luci-nlbwmon with this service but none of the additional information will be shown there.
The package can be installed from here:
The actual code is here: