Last active August 20, 2025 13:24
Gist: githubfoam/ab8ac5ee92c2acbcf0a01dbcb67fb332
rogue dhcp detection cheat sheet
#====================================================================
#!/bin/bash
# rogue_dhcp_monitor.sh
# Purpose: Detect multiple DHCP servers and log warnings or info
#
# One log file per day: the script rotates daily by filename
# (rogue_dhcp_discover_warning_YYYY-MM-DD.log).
# Hourly cron job → appends to today's log file.
# Next day → new file automatically created.
# Old logs (>30 days) are auto-deleted.
LOG_DIR="/var/log/rogue_dhcp"
mkdir -p "$LOG_DIR"
# Current date-based log file
LOG_FILE="$LOG_DIR/rogue_dhcp_discover_warning_$(date +%F).log"
# Add timestamp
echo "=== $(date) ===" >> "$LOG_FILE"
# Run DHCP discovery scan; tee appends the output to the log, the variable keeps it for parsing
scan_output=$(/usr/bin/nmap --script broadcast-dhcp-discover 2>&1 | tee -a "$LOG_FILE")
# Extract unique DHCP server IPs from this scan only (parse the captured output,
# not the tail of the log file, which still contains earlier scans of the day)
server_list=$(printf '%s\n' "$scan_output" | grep "Server Identifier" | sed 's/^[|[:space:]]*Server Identifier: //' | sort -u | paste -sd, -)
# Count number of unique servers
servers=$(printf '%s\n' "$server_list" | tr ',' '\n' | grep -c '.')
# Log based on result
if [ "$servers" -gt 1 ]; then
    echo "=== $(date) === WARNING: Multiple distinct DHCP servers detected: $server_list" >> "$LOG_FILE"
elif [ "$servers" -eq 1 ]; then
    echo "=== $(date) === INFO: Single DHCP server detected: $server_list" >> "$LOG_FILE"
else
    echo "=== $(date) === INFO: No DHCP servers detected" >> "$LOG_FILE"
fi
# Delete logs older than 30 days
find "$LOG_DIR" -type f -name "rogue_dhcp_discover_warning_*.log" -mtime +30 -exec rm -f {} \;
#====================================================================
# Optional logrotate
# config if you want system rotation & compression instead of script-based deletion
/etc/logrotate.d/rogue_dhcp
/var/log/rogue_dhcp/rogue_dhcp_discover_warning_*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    dateext
    dateformat -%Y-%m-%d
}
Explanation
daily → rotate logs daily
rotate 30 → keep 30 rotations (roughly 1 month)
compress → compress old logs with gzip (.gz)
delaycompress → keeps the most recent rotated log uncompressed for one cycle (useful if something still writes to it right after rotation)
missingok → no error if log file is missing
notifempty → don't rotate empty log files
create 0640 root root → create a new log file with these permissions after rotation
dateext + dateformat → ensures rotated logs have a date in their filename (rogue_dhcp_discover_warning_2025-08-20.log.gz)
Test the configuration
(-d = debug mode, doesn't actually rotate, just simulates)
sudo logrotate -d /etc/logrotate.d/rogue_dhcp
Then force a rotation to check that it works
sudo logrotate -f /etc/logrotate.d/rogue_dhcp
The script just appends to the day's log file, and logrotate rotates & compresses the files automatically.
#!/bin/bash
# rogue_dhcp_monitor.sh (single log file; rotation is left to logrotate)
# Directory for logs
LOG_DIR="/var/log/rogue_dhcp"
LOG_FILE="$LOG_DIR/rogue_dhcp_discover.log"
# Ensure log directory exists
mkdir -p "$LOG_DIR"
# Run nmap DHCP discover scan
scan_output=$(nmap --script broadcast-dhcp-discover 2>&1)
# Extract DHCP server identifiers from output; the address is the last field of
# a line like "|     Server Identifier: 192.0.2.1" ($3 would only print "Identifier:")
identifiers=$(echo "$scan_output" | grep 'Server Identifier' | awk '{print $NF}' | sort -u)
server_count=$(echo "$identifiers" | grep -c .)
if [ "$server_count" -eq 0 ]; then
    echo "=== $(date) === WARNING: No DHCP servers responded" >> "$LOG_FILE"
elif [ "$server_count" -eq 1 ]; then
    echo "=== $(date) === INFO: Single DHCP server detected: Identifier: $identifiers" >> "$LOG_FILE"
else
    server_list=$(echo "$identifiers" | tr '\n' ',' | sed 's/,$//')
    echo "=== $(date) === WARNING: Multiple distinct DHCP servers detected: $server_list" >> "$LOG_FILE"
fi
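Both monitor scripts above hinge on the same parsing step: pull the "Server Identifier" lines out of nmap's broadcast-dhcp-discover output and count the distinct addresses. The following is an added example, not code from the gist, that wraps that logic in functions taking the scan text as an argument so it can be exercised on constructed sample output (the sample lines mimic nmap's layout; the addresses are made up). It also goes one step beyond the gist with an allowlist check, since a rogue server that answers alone would be logged as INFO by a count-only check.

```shell
#!/bin/bash
# Added example, not code from the gist: the monitor's parsing logic as
# functions that take the scan text as an argument, so it can be run on
# constructed nmap output, plus an allowlist check the gist does not have.
# Constructed sample in the layout nmap's broadcast-dhcp-discover prints:
# two offers from two different servers (the rogue-DHCP case).
SAMPLE_TWO_SERVERS='| broadcast-dhcp-discover:
|   Response 1 of 2:
|     IP Offered: 192.168.1.120
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.1.1
|   Response 2 of 2:
|     IP Offered: 192.168.1.200
|     DHCP Message Type: DHCPOFFER
|_    Server Identifier: 192.168.1.254'
# Two offers from the same server (a retransmission): must count as one.
SAMPLE_ONE_SERVER='| broadcast-dhcp-discover:
|     Server Identifier: 192.168.1.1
|_    Server Identifier: 192.168.1.1'
# No offer at all (no DHCP on the segment, or nmap run unprivileged).
SAMPLE_NONE='Nmap done: 0 IP addresses (0 hosts up) scanned in 10.20 seconds'

# dhcp_servers SCAN_TEXT -> de-duplicated Server Identifier addresses, one per line
dhcp_servers() {
    printf '%s\n' "$1" \
        | sed -n 's/^[|_[:space:]]*Server Identifier: *\([0-9.]*\).*/\1/p' \
        | sort -u
}

# dhcp_verdict SCAN_TEXT -> the WARNING/INFO line the monitor script would log
dhcp_verdict() {
    local list count
    list=$(dhcp_servers "$1" | paste -sd, -)
    count=$(dhcp_servers "$1" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        0) printf 'WARNING: No DHCP servers responded\n' ;;
        1) printf 'INFO: Single DHCP server detected: %s\n' "$list" ;;
        *) printf 'WARNING: Multiple distinct DHCP servers detected: %s\n' "$list" ;;
    esac
}

# dhcp_unexpected EXPECTED_CSV SCAN_TEXT -> identifiers absent from the allowlist;
# catches a rogue server that answered alone, which the count check reports as INFO
dhcp_unexpected() {
    dhcp_servers "$2" | while IFS= read -r ip; do
        case ",$1," in
            *",$ip,"*) ;;
            *) printf '%s\n' "$ip" ;;
        esac
    done
}
```

In the real script the scan text would come from `nmap --script broadcast-dhcp-discover 2>&1` and the allowlist from the addresses of the DHCP servers you actually operate.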
Crontab (unchanged)
0 * * * * /usr/local/bin/rogue_dhcp_monitor.sh
Script always writes to /var/log/rogue_dhcp/rogue_dhcp_discover.log.
Logrotate runs (by default daily at 00:00 on CentOS) → rotates yesterday's log into rogue_dhcp_discover-2025-08-20.gz, etc.
Keeps 30 days of logs, compresses older ones, and prevents huge log files.
Check config (-d = dry-run, safe test):
sudo logrotate -d /etc/logrotate.d/rogue_dhcp
Perform the rotation with verbose output (not just debug):
sudo logrotate -v /etc/logrotate.d/rogue_dhcp
Force run:
sudo logrotate -f /etc/logrotate.d/rogue_dhcp
#====================================================================