
Cable theft monitoring

I work at an Internet provider, and in one district of the city a 25-pair copper cable keeps getting cut.
The thieves' method is simple: they enter the building, climb to the top floor, cut the cable and pull it out of the riser pipes, after which it can be coiled up and sold. The theft is noticed only when installers arrive in response to calls from dissatisfied subscribers. Management set the task of figuring out how to deal with this and, naturally, at no additional cost.
After browsing the forums, the general principle turned out to be this: make a loop on the last pair and connect it to the first port of the switch; if thieves cut the cable, the link disappears. In theory everything is simple, but a long search for a ready-made, step-by-step solution yielded nothing.


During real tests it turned out that with 2 wires the 10 Mbps link on the port does not come up, even at 10Mb_Half (D-Link switches); it only really worked with 4 wires, i.e. the last 2 pairs in the cable have to be used.
So, we take 4 wires from the cable (the last 2 pairs). At one end of the cable we twist them together: wire 1 with wire 4, and wire 2 with wire 3. At the other end we crimp a connector: wires 1, 2 and 3 go to pins 1-3 in order, and wire 4 goes to pin 6.



On the switches, dedicate a separate VLAN to the monitoring port (I used port 1) and hard-set the port speed to 10Mb_Half:

create vlan vlan1234 tag 1234
config vlan vlan1234 add untagged 1
config ports 1 speed 10_half

We connect the cable to port 1 and the link comes up. Great; now it remains to monitor the port up/down event and report it to the responsible services. Initially I wanted to catch SNMP traps, but even for a single vendor they work differently on different models and firmware, using different OIDs. Also, link-change traps arrive all the time, even when the port status does not change. Therefore I decided it was more logical to poll the switches over SNMP myself at a fixed interval (60 seconds). The OIDs for requesting port link status are standardized in the RFC (for the first port, 1.3.6.1.2.1.2.2.1.8.1).
For the switch to return the link status value, SNMP must be configured on it:

create snmp group cable v2c read_view CommunityView notify_view CommunityView
create snmp community cable view CommunityView read_only
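
Added example (not part of the original article): the 60-second polling described above, reduced to state changes so that a repeated reading raises nothing, and with a poll that gets no reply kept apart from a reading of 2 (down). It assumes numeric net-snmp `snmpget` output; the `UNREACHABLE` and `CHECK_PORT` states, the limit of three missed polls and the sample replies are assumptions constructed for illustration.

```python
import re

# ifOperStatus values defined in IF-MIB (RFC 2863)
IF_OPER_STATUS = {1: "up", 2: "down", 3: "testing", 4: "unknown",
                  5: "dormant", 6: "notPresent", 7: "lowerLayerDown"}

# Numeric net-snmp output, e.g. from:
#   snmpget -v2c -c cable -On -Oe 10.20.123.123 1.3.6.1.2.1.2.2.1.8.1
REPLY = re.compile(r"^\.?1\.3\.6\.1\.2\.1\.2\.2\.1\.8\.1 = INTEGER: (\d+)\s*$")

def parse_poll(line):
    """Return ifOperStatus of port 1 as an int, or None if the poll failed."""
    m = REPLY.match(line.strip())
    if not m:
        return None            # timeout, error text, or an unexpected OID
    value = int(m.group(1))
    return value if value in IF_OPER_STATUS else None

def evaluate(polls, missed_limit=3):
    """Reduce (timestamp, raw_reply) polls to state-change events only."""
    events, state, missed = [], "OK", 0    # assumption: the loop was up at start
    for ts, line in polls:
        status = parse_poll(line)
        if status is None:
            missed += 1
            # a few lost UDP replies are tolerated before raising anything
            new = "UNREACHABLE" if missed >= missed_limit else state
        else:
            missed = 0
            new = {1: "OK", 2: "CABLE_CUT"}.get(status, "CHECK_PORT")
        if new != state:
            events.append((ts, new))
            state = new
    return events

# Constructed sample: one poll every 60 seconds
UP = ".1.3.6.1.2.1.2.2.1.8.1 = INTEGER: 1"
DOWN = ".1.3.6.1.2.1.2.2.1.8.1 = INTEGER: 2"
TIMEOUT = "Timeout: No Response from 10.20.123.123"
SAMPLE = [(0, UP), (60, UP), (120, DOWN), (180, DOWN), (240, TIMEOUT),
          (300, TIMEOUT), (360, TIMEOUT), (420, UP)]

if __name__ == "__main__":
    for ts, event in evaluate(SAMPLE):
        print(f"t={ts:>3}s  {event}")
```
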

Next I had to decide what to monitor with. The article on Habr about Zabbix helped a lot, especially since we already use Zabbix. First, create a template in Zabbix.
Create the file CableState_zabbix_template.xml with the following contents (the generator from the same article was used, keeping only the trigger for the link change):
<?xml version="1.0" encoding="UTF-8"?>
<zabbix_export version="1.0" date="29.07.13" time="12.06">
  <hosts>
    <host name="CableState">
      <proxy_hostid>0</proxy_hostid>
      <useip>1</useip>
      <dns></dns>
      <ip>127.0.0.1</ip>
      <port>10050</port>
      <status>3</status>
      <useipmi>0</useipmi>
      <ipmi_ip>127.0.0.1</ipmi_ip>
      <ipmi_port>623</ipmi_port>
      <ipmi_authtype>0</ipmi_authtype>
      <ipmi_privilege>2</ipmi_privilege>
      <ipmi_username></ipmi_username>
      <ipmi_password></ipmi_password>
      <groups>
        <group>Templates</group>
      </groups>
      <items>
        <item type="4" key="ifOperStatus.1" value_type="3">
          <description>Status port 1</description>
          <ipmi_sensor></ipmi_sensor>
          <delay>60</delay>
          <history>7</history>
          <trends>365</trends>
          <status>0</status>
          <data_type>0</data_type>
          <units></units>
          <multiplier>0</multiplier>
          <delta>0</delta>
          <formula></formula>
          <lastlogsize>0</lastlogsize>
          <logtimefmt></logtimefmt>
          <delay_flex></delay_flex>
          <authtype>0</authtype>
          <username></username>
          <password></password>
          <publickey></publickey>
          <privatekey></privatekey>
          <params></params>
          <trapper_hosts></trapper_hosts>
          <snmp_community>cable</snmp_community>
          <snmp_oid>1.3.6.1.2.1.2.2.1.8.1</snmp_oid>
          <snmp_port>161</snmp_port>
          <snmpv3_securityname></snmpv3_securityname>
          <snmpv3_securitylevel>0</snmpv3_securitylevel>
          <snmpv3_authpassphrase></snmpv3_authpassphrase>
          <snmpv3_privpassphrase></snmpv3_privpassphrase>
          <valuemapid>0</valuemapid>
          <applications/>
        </item>
      </items>
      <templates/>
      <triggers>
        <trigger>
          <description>Port 1 status down (CABLE CUT!!!) on {HOSTNAME}</description>
          <type>0</type>
          <expression>{CableState:ifOperStatus.1.last(0)}=2</expression>
          <url></url>
          <status>0</status>
          <priority>3</priority>
          <comments></comments>
        </trigger>
      </triggers>
      <macros/>
    </host>
  </hosts>
  <dependencies/>
</zabbix_export>


After that, in Zabbix go to Settings -> Templates -> Template Import.
Select the created file CableState_zabbix_template.xml.
Next, under Network nodes, find or add the node where the cable is to be monitored, and in its settings choose Attached Templates - Add - CableState, then Save.

That's it: shutdown events for port 1 will now be shown in Zabbix under Monitoring,
with messages like:
Port 1 status down (CABLE CUT !!!) on 10.20.123.123

If this is not enough, set up an email action for the trigger.
Go to Settings -> Actions -> Create Actions.
We configure something like this:

In the action itself, you can choose whether to send to a single user or to a group of users.
As a result, you will receive emails of the form:
2013.07.29 - 15:55:39
Port 1 status down (CABLE CUT !!!) on 10.20.123.123: 10.20.123.123
Now it only remains to decide whom to send the alerts to and what to do next: call 02, a private security firm (ChOP), or the on-duty installers...

Source: https://habr.com/ru/post/188730/