Syed Jahanzaib – Personal Blog to Share Knowledge !

February 6, 2014

Detect Rogue DHCP & Alert via Email

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 1:53 PM

Dedicated to Local Desi Cable.Network Operators 😉

To detect a ROGUE (duplicate / conflicting) DHCP server with Mikrotik and receive an email alert with the conflicting DHCP server's IP / MAC / date + time, there are several ways to do it: either use a remote syslog server, or use the LOG action. BUT I found the following method more customizable and suitable. Just make sure to tune it properly before deployment 😀

CONFIGURE DHCP-ALERT

Go to IP / DHCP SERVER / ALERTS

Click on the + sign to add a new alert, and in the On Alert box paste the following code.


# On-alert script: it reads $interface, $address and $"mac-address" for the detected server.
:local CurrentTime [/system clock get time];
:local hostname [/system identity get name]
:global date [/system clock get date]
:local int "$interface"
:local addr "$address"
:local mac $"mac-address"
:local dh

# The SMTP password is stored in clear text inside this script.
/tool e-mail send server=173.194.69.109 port=587 start-tls=yes user=YOUR_GMAIL_ID@gmail.com password=YOURPASSWORD to=aacable@hotmail.com subject=DHCP-Detected body=("ROGUE DHCP Server have been detected on $hostname at $date - time $CurrentTime - Interface= $int - IP Address=$addr - MAC-Address= $mac !! GO HUNT & KILL :D")

Now click on Apply.

Make sure to tune the INTERVAL setting according to your requirement. It's also a good idea to enter the legitimate MAC address in the VALID SERVER box to avoid false detection of your valid DHCP servers.
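To show why the VALID SERVER entry matters, here is an added Python example (not part of the original post, and not MikroTik's own implementation) of the allowlist check behind a rogue DHCP alert: it parses a DHCP server reply, reads option 54 (server identifier) and alerts only when the sender's MAC is not in the valid list. The function names, MAC addresses and sample packets are constructed for illustration.

```python
import struct
from typing import Optional

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
OFFER, ACK, NAK = 2, 5, 6     # option 53 values that only a server sends

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value} for a DHCP payload, {} if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return {}
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                   # truncated option header
            break
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_reply(src_mac: str, payload: bytes, valid_servers: set) -> Optional[str]:
    """Return an alert line when a server reply comes from a MAC not in the allowlist."""
    opts = parse_options(payload)
    msg_type = (opts.get(53) or b"\x00")[0]
    if msg_type not in (OFFER, ACK, NAK):
        return None                                 # client traffic or not DHCP
    mac = src_mac.lower()
    if mac in valid_servers:
        return None                                 # legitimate server, stay quiet
    sid = opts.get(54, b"")                         # option 54 = server identifier
    ip = ".".join(map(str, sid)) if len(sid) == 4 else "unknown"
    return f"ROGUE DHCP Server detected - IP Address={ip} - MAC-Address={mac}"

def build_reply(msg_type: int, server_ip: bytes) -> bytes:
    """Constructed sample packet: minimal BOOTREPLY carrying options 53 and 54."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)
    return header + MAGIC + bytes([53, 1, msg_type, 54, 4]) + server_ip + b"\xff"

# Constructed sample data: one allowlisted server and one unknown responder.
VALID_SERVERS = {"02:00:00:00:00:01"}
SAMPLES = [("02:00:00:00:00:01", build_reply(OFFER, bytes([192, 168, 88, 1]))),
           ("02:00:00:00:00:99", build_reply(OFFER, bytes([192, 168, 1, 1])))]

if __name__ == "__main__":
    for mac, pkt in SAMPLES:
        print(mac, "->", check_reply(mac, pkt, VALID_SERVERS) or "ok")
```

With an empty allowlist the first sample would raise an alert too, which is the false detection the VALID SERVER box prevents.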

Configure EMAIL/SMTP Settings

Now configure your EMAIL SMTP settings so that the email can be sent, OR you can set other alert options too, like SMS, or only print to the LOG in the main window, or whatever :p

I am using GMAIL in this example. Gmail only accepts the login on port 587 after STARTTLS, so TLS is enabled here, as in the alert script above.


/tool e-mail set address=74.125.45.109 from=gmailid@gmail.com password=mypassword port=587 start-tls=yes user=gmailid

Also enable EMAIL logging so that in case of any error you can view it in the LOG window for troubleshooting purposes.


/system logging add topics=e-mail action=memory

Now as soon as any rogue/conflicting DHCP server is detected by Mikrotik, it will log it in the main LOG window and will also send you an email alert using your GMAIL ID.

Regards,
Syed Jahanzaib