Revoke network access for having ports open

Hey,

First post here. I was wondering if there are ways to revoke network access for clients having certain ports open (without permission). Not that I necessarily have a use case for this.

For example if my laptop opens port 22 for SSH access somehow without me knowing, with this method it would force me to investigate it. I could work with firewall rules banning ports, but this would not lead to me knowing about it.

Reason why I am wondering about it is because of docker:angry: (podman FTW) which I didn’t know doesn’t play nice with firewalls and opened ports even though I had those ports blocked by the firewall.

The solution would depend on your networking hardware, but in theory, you could use a script to look at syslog events, and based on those events, it could shut down the switchport interface for the switch in question.

There are commercially available security solutions that are very good at identifying these types of threats, but I’m not sure about their capabilities to configure the network based on that information. They won’t be cheap, either.

What I described above could be implemented with a simple python script, but I’d be very wary about the implementation. Doing it wrong can make your network insecure or worse.

You can put notifications or additional logging criteria on firewall rules. You can then run a script to scan those for offenders. The advantages of this are that the port would never really be open, your client would not lose network access, and you have a way to gracefully educate them (or yourself, if it’s a legit attempt).

Nmap on a cron job would work for logging open ports. But there is no way nmap can revoke access. Since it is my homelab I don’t mind if it is not graceful.

If there is no standard solution I’ll see if I can write a script that uses nmap results to revoke dhcp leases or something.

You could script access to ssh into the switch and do a switchport shut to turn off the port. It’s been over a year since I’ve done this (maybe longer), and I don’t know what issues this may cause with respect to synchronization to the controller. This is common practice with many other network switches, but unifi is so different that I was slightly shocked when it worked. There are also many undocumented features within the controllers, but it’s something you’ll need to experiment with.

Once you ssh into a switch, all the commands are simple text, and they are easy to automate.