
Unknown Host Remediation

Hello,

My UTM's Management->Licensing->Active IP Addresses page lists two unknown hosts:

192.168.0.102

192.168.0.105

Interestingly, these hosts are in my (tight) DHCP range but are NOT receiving their IP address from my DHCP server.

runZero asset discovery does not find either of these hosts.

Are the MAC addresses of the Active IP Addresses captured somewhere?

Any ideas on how to track down these hosts?

Thanks!



  • Could be static IP devices using the UTM's gateway?

    Try the arp -a command on the UTM. That will identify the IP and MAC. Resolving the MAC may give some indication of the device.

    ---

    utm:/root # arp -a | grep 115
    printer.local.domain (10.10.4.115) at 28:c2:dd:f1:b1:4d [ether] on eth0.4

    ---

    The printer has no internet connectivity - it has a static IP assigned internally, no DNS servers, but does have a gateway IP. The printer is on the WiFi VLAN, but LAN clients send data to it, so a gateway IP is needed to route properly. To ensure it doesn't slip past, there's a block firewall rule, and the printer IP is exempted in the web filtering.

  • Try the arp -a command on the UTM.

    I had previously tried arp from another host with no luck but arp from the UTM worked!

    <M> Hillary:/home/login # arp -a | grep 102
    ? (192.168.0.102) at 8a:f5:3d:08:18:db [ether] on eth2
    <M> Hillary:/home/login # arp -a | grep 105
    ? (192.168.0.105) at 2a:4e:6c:47:38:fc [ether] on eth2

    These two hosts appear to be assigning themselves IP addresses in my (old) DHCP range.

    I've blocked their IP addresses at the firewall and applied a Block All Web Filter Action. Not sure what else I can do...

  • Those MACs come back to nothing. Do you have some phones/tablets on the network with randomized MACs enabled that may be set to a static IP?

  • They are probably that, as Android has this enabled by default for its WiFi adapters. You can see the actual hardware ones in Settings.

    If you use something like PRTG, it may also be able to identify these devices if you scan your network with it.

    XG 19.5 GA 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | GB Ethernet x5
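The two suggestions above (run arp -a on the UTM, then suspect randomized MACs when the OUI lookup comes back empty) can be checked mechanically: a randomized Wi-Fi MAC, as Android and iOS generate them, has the locally administered (U/L) bit set, which is bit 1 of the first octet, so its second hex digit is always 2, 6, A or E and it will never resolve to a vendor OUI. The script below is an added example written for this page, not code from the thread or from Sophos. Its sample input is constructed from the arp -a lines quoted in the replies above, plus one made-up "<incomplete>" entry (192.168.0.200) of the kind Linux arp prints when a neighbour does not answer; whether the UTM itself has a Python interpreter is not something the thread establishes, so the expected use is to copy the arp -a output to another machine.

```python
import re
import sys

# Sample arp -a output, constructed for this example: the two unknown hosts
# and the printer quoted in the thread, plus one invented "<incomplete>" line.
ARP_SAMPLE = """\
? (192.168.0.102) at 8a:f5:3d:08:18:db [ether] on eth2
? (192.168.0.105) at 2a:4e:6c:47:38:fc [ether] on eth2
printer.local.domain (10.10.4.115) at 28:c2:dd:f1:b1:4d [ether] on eth0.4
? (192.168.0.200) at <incomplete> on eth2
"""

# One resolved line of Linux `arp -a`: "host (ip) at mac [ether] on iface".
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) \[ether\] on (?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return one dict per resolved entry; "<incomplete>" lines carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Such addresses are not allocated from an IEEE vendor OUI, so an OUI lookup
    finds nothing. Randomized Wi-Fi MACs on Android and iOS always set this bit.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac):
    """True if the I/G bit (bit 0 of the first octet) is set; never a real host address."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def randomized_hosts(text):
    """Entries whose MAC is locally administered, i.e. candidates for a randomized MAC."""
    return [
        e for e in parse_arp(text)
        if is_locally_administered(e["mac"]) and not is_multicast(e["mac"])
    ]


if __name__ == "__main__":
    # Feed real output on stdin (arp -a > arp.txt; python3 flag_random_macs.py < arp.txt),
    # or run with no input to use the constructed sample.
    text = ARP_SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for e in randomized_hosts(text):
        print(f"{e['ip']:<16} {e['mac']}  on {e['iface']}  locally administered MAC")
```

Both unknown hosts in the thread (8a:... and 2a:...) have the U/L bit set, while the printer's 28:... does not, which matches the observation that the first two "come back to nothing" while a printer MAC normally resolves to its vendor. A hit here does not prove a phone, only that the MAC is not a burned-in address, so the next step is still the one suggested in the thread: check each phone's or tablet's Wi-Fi settings for its per-network randomized address.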

  • Do you have some phones/tablets on the network with randomized MACs enabled that may be set to a static IP?

    In theory, no. All devices on this particular network have static or DHCP mapped addresses that should not be in the .100-.109 range.

  • What about anything like ESPHome devices that are being used for any home control, or IoT? Smart devices, bulbs, switches, etc.?

    Bluetooth devices also have a MAC if I am not mistaken, as they transmit data.


  • Interestingly, after changing my DHCP IP address lease range, blocking the old range at the Firewall and Web Filter, the hosts aren't listed in Management->Licensing->Active IP Addresses any longer.

    So the question remains, is there something malicious on my network, something misconfigured, or another explanation?

    I'm confident that if I disable the Firewall and Web Filter rules, the devices will reappear in the UTM's list - but remain undiscoverable on the network.

  • These days, when even Italian coffee machines have WiFi, you can only test one device after the other and see whether something reappears in your list.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
