Dec 18th, 2019: [EN][Elastic Stack] Monitoring your home network with the Elastic Stack

Why add a home router?

There are lots of good reasons to take control and start using your own home router:

  • You can add best-of-breed network and security features that are not always available in consumer modem routers. Tired of ads - install Pi-hole :scissors:. Need to know which IP your internet-connected fridge is talking to at 3AM? No problem - you can check the flows with Packetbeat :mag_right:.
  • Most households become pretty unhappy places when the wifi is down. The good news is that if anything goes wrong in your router you shouldn't need to make any config changes to your existing Cable/DSL modem - just unplug your router from the existing modem and everything is back to normal, crisis resolved. :smiley:
  • There are now many cheap low-power PCs with sufficient IO/CPU for the task. My home router is a few years old, so I've been using a low-power fanless PC (Gigabyte Brix GB-BXBT-1900) - you might find something like a Raspberry Pi 4 a better option today.

Networking

For simplicity I've used a double-NAT configuration as below:

  • enp3s0 is the built-in ethernet adapter, connected to the modem (the WAN side)
  • enx000ec6fa0c99 is an external 1000BaseT USB adapter that connects to my private network (the LAN side)

I'm running vanilla Ubuntu Linux on my router. I enabled a static IP for the private network by adding the following to /etc/network/interfaces:

auto enx000ec6fa0c99
iface enx000ec6fa0c99 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255

iptables was configured with a basic NAT setup:

sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A FORWARD -i enp3s0 -o enx000ec6fa0c99 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i enx000ec6fa0c99 -o enp3s0 -j ACCEPT

I enabled IP routing in /etc/sysctl.conf with:

net.ipv4.ip_forward=1

I installed a DHCP server and added the following to /etc/dhcp/dhcpd.conf:

# Assumes isc-dhcp-server: the listening interface (enx000ec6fa0c99) is set in
# /etc/default/isc-dhcp-server via INTERFACESv4, not inside the subnet block.
subnet 192.168.2.0 netmask 255.255.255.0 {
   range 192.168.2.10 192.168.2.250;
   option broadcast-address 192.168.2.255;
   option routers 192.168.2.1;
   default-lease-time 600;
   max-lease-time 7200;
   option domain-name "local";
   option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Installing the Elastic Stack

Elastic Cloud allows you to try the Elasticsearch Service with a free 14-day trial. I've been using a 4GB Elasticsearch single node cluster for this demonstration.

I installed the following Beats for Linux from the Elastic Stack (currently on version 7.5.0):

I followed the Beats instructions as described online. It is worth noting that using the Elasticsearch Service simplifies the configuration - you don't need to specify a host or username/password when you use the cloud.id and cloud.auth settings:

cloud.id: "<your_cloud_id>"
cloud.auth: "elastic:<password>"

After installation, I made two small tweaks to the default options:

  1. I enabled geoip enrichment using https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-geoip.html
  2. In /etc/packetbeat/packetbeat.yml I bumped the flows reporting period from 30s to 300s to reduce traffic to the Elasticsearch cluster:

     packetbeat.flows:
       period: 300s

I then restarted packetbeat (sudo service packetbeat restart) to pick up the new configuration.

Now you can grab a coffee whilst Elasticsearch starts to ingest your data.

Kicking the tires

A great place to start is to look at the Packetbeat Dashboards:

If I click on the Network flows I can see the traffic associated with each IP address. For example 192.168.2.39 seems to be doing a lot of downloading, and indeed this is the IP of my NVIDIA Shield TV box:
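As an added example (my own code, not the author's), here is an offline walk through Packetbeat flow documents that answers the two questions raised in this post: which host is downloading the most, and which internal host is talking to the outside at 3AM. The documents are constructed samples using the ECS field names Packetbeat writes; the example assumes the flow.final report carries the flow's cumulative byte counts.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.168.2.0/24")   # private side of the router, as in the post
# Constructed sample of the ECS fields Packetbeat writes for flow events.
# source.bytes = bytes the source sent; destination.bytes = bytes the destination sent back.
FLOWS = [
    {"@timestamp": "2019-12-17T21:05:00Z", "flow": {"final": True},
     "source": {"ip": "192.168.2.39", "bytes": 20_000},
     "destination": {"ip": "203.0.113.5", "port": 443, "bytes": 950_000_000}},
    {"@timestamp": "2019-12-17T21:06:00Z", "flow": {"final": True},
     "source": {"ip": "192.168.2.39", "bytes": 10_000},
     "destination": {"ip": "203.0.113.5", "port": 443, "bytes": 400_000_000}},
    {"@timestamp": "2019-12-18T03:02:00Z", "flow": {"final": True},
     "source": {"ip": "192.168.2.77", "bytes": 4_000},
     "destination": {"ip": "198.51.100.10", "port": 8883, "bytes": 1_200}},
    {"@timestamp": "2019-12-18T03:07:00Z", "flow": {"final": False},   # interim report
     "source": {"ip": "192.168.2.77", "bytes": 4_100},
     "destination": {"ip": "198.51.100.10", "port": 8883, "bytes": 1_300}},
    {"@timestamp": "2019-12-18T09:00:00Z", "flow": {"final": True},
     "source": {"ip": "192.168.2.12", "bytes": 900},
     "destination": {"ip": "192.168.2.1", "port": 53, "bytes": 300}},
]

def is_internal(ip):
    return ip_address(ip) in HOME_NET

def external_flows(flows, final_only=True):
    """Yield flows from an internal host to an address outside HOME_NET. With final_only,
    interim reports (flow.final false) are skipped so each flow is counted once (assumed cumulative)."""
    for f in flows:
        if final_only and not f["flow"]["final"]:
            continue
        if is_internal(f["source"]["ip"]) and not is_internal(f["destination"]["ip"]):
            yield f

def bytes_downloaded(flows):
    """Bytes received per internal host from outside: the 'who is downloading' view."""
    totals = defaultdict(int)
    for f in external_flows(flows):
        totals[f["source"]["ip"]] += f["destination"]["bytes"]
    return dict(totals)

def off_hours_talkers(flows, start_hour=0, end_hour=5):
    """Internal hosts with outbound flows between start_hour and end_hour (UTC): the 'fridge at 3AM'
    view. Interim reports count too, because a flow still open at 3AM is exactly what we want."""
    seen = defaultdict(set)
    for f in external_flows(flows, final_only=False):
        hour = datetime.strptime(f["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").hour
        if start_hour <= hour < end_hour:
            seen[f["source"]["ip"]].add((f["destination"]["ip"], f["destination"]["port"]))
    return {ip: sorted(peers) for ip, peers in seen.items()}
```

The same two views are a terms aggregation on source.ip with a sum of destination.bytes, and a range filter on @timestamp, against the packetbeat-* index in Kibana.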

Next try the SIEM section in Kibana to investigate any suspicious activity. For example I can look at the uncommon processes running on my router:


All good! :sweat_smile:

Hope this has provided some inspiration - have fun exploring your home network!
