Luke Rodeheffer

Network Defense on a Budget

The following post explains how I developed a cybersecurity system for my LLC on a shoestring budget, with a few Raspberry Pis (v3 and above) and a healthy dose of open-source solutions. I hope you find it educational or at least entertaining. 


Pi Alert

Pi Alert is a dashboard for tracking devices, maintaining an archive of every device that has ever joined a network, and maintaining situational awareness of connected devices. The system thus allows users to practice device inventory management, a cornerstone of IT security. Pi Alert tracks devices by their media access control (MAC) address, which can be used, together with a MAC address database such as maclookup.app, to identify the manufacturer (and often the device itself) when the control panel is first being configured. This is also valuable if IP addresses are assigned dynamically across the LAN.

The tool relies on multiple scanning systems and protocols, including address resolution protocol (ARP), to maintain situational awareness of all devices. 

PiHole makes maintaining a list of connected devices a piece of cake.

PiHole for DNS and Advertisement Blocking 

PiHole has become a popular tool for blocking online advertisements and online tracking systems at the DNS level, turning a Raspberry Pi into a local DNS server for a LAN. All DNS resolutions are checked against a continuously updated list of blacklisted sites. PiHole also enables users to add their own custom blacklists and monitor DNS resolution for all devices that use the PiHole. When combined with other anti-tracking and privacy tools, such as the Brave browser, PiHole can keep the more obtrusive and obnoxious aspects of the internet out of your local network.


PiHole features a dashboard which can be used to track the actions of devices on the network, as shown below.

PiHole’s Dashboard in Action 


PiHole is also an excellent way of tracking what our IoT devices are actually doing on our networks, such as our smart TVs. The Samsung Smart TV on my LAN fortunately allows the DNS settings to be easily changed, so changing the DNS to my PiHole quickly led to the Smart TV taking the lead as the most blocked device on the network.


Conviva is a tracking tool used for analytics by some smart TVs. 


Tenable for Vulnerability Management

Nessus, from Tenable, is a long-standing vulnerability management system used by security teams to identify vulnerabilities in devices across a network which can be exploited by attackers. Nessus features a control panel that allows various types of custom scans to be run against devices, breaking down the vulnerabilities identified by severity. 


Users can customize different scans and set them up to be run regularly.



Results are broken down by IP address and listed by severity. 


It should be noted that the free Nessus version only allows 15 devices to be scanned. Nessus, like Suricata, requires a fair amount of memory to run, so setting aside a Raspberry Pi specifically for this purpose is a good idea. Nessus does not officially support the ARM architecture that newer Raspberry Pis use, so I first installed Ubuntu Linux on the Raspberry Pi's SD card and then deployed Nessus.

OpenVAS is another scanner with a free version which can be used on a Raspberry Pi, but testing it was beyond the scope of this blog.

Suricata for Network Defense

Suricata is an open source Intrusion Detection System (IDS), currently in its 7th iteration. Suricata operates with monitoring and filtering capabilities, and can also be used as an Intrusion Prevention System (IPS).

The IDS works by monitoring traffic and generating alerts when network traffic matches rules that describe suspicious or malicious activity. Basic rules can be downloaded for free, or used on a subscription basis where paying users receive advanced rules written to detect new suspicious and malicious activity. Suricata has improved considerably since I first began working with it 7 years ago, when I had to use the software’s mailing list to troubleshoot outstanding issues with system setup.

Suricata can monitor network activity either inline, with the sensor inserted between the router and the modem, or out of band, with the router copying traffic to the sensor through a mirror port or packet mirroring. I chose packet mirroring because it would be the easiest setup for our small space, as the local network is also used for home use. OpenWRT, a Linux firmware for routers, was installed on a Netgear Nighthawk router (which resembles a UFO when deployed).

OpenWRT allows rules to be installed which mirror all traffic from devices on the network to another device running Suricata, in my case a Raspberry Pi 4. OpenWRT also enables other valuable network security measures, such as network segmentation and the creation of separate VLANs, which is a further step toward securing IoT devices.

Suricata generates alerts based on the rulesets which are included by default with the system, and allows users to create their own rules which will generate alerts based on observed network activity. 

Suricata’s default settings generate a large volume of raw alerts and log events. These log files quickly eat up space on a Raspberry Pi, and even a small LAN will generate gigabytes of logs within 48 hours, so additional configuration was needed on my end. I did not want to add an external hard drive just to store old logs, so I created the following command to truncate the log at 5:00 AM every Sunday and stored it as a cron job (a command scheduled to run on a regular basis within a Linux environment):

0 5 * * 0 :> /var/log/suricata/eve.json


An easy way to quickly test Suricata is to generate traffic with a User-Agent string associated with a known botnet, since the default rulesets contain alerts for it. I generated such traffic from the command line on several devices on the network, and the Suricata instance immediately displayed Level 1 security alerts for every device I had tested.


I also tested the Suricata instance by running the Tor Browser on various devices, which should also generate alerts, since a typical network would treat Tor traffic as suspicious activity:

08/01/2025-00:55:56.004313  [**] [1:2522298:5619] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 299 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 


In order to review the logs, I wrote a Python script that emails the security alert logs to a secondary email account every morning, which then forwards them to my main account. A separate cron job uses the Linux tail command to copy the last 500 lines of the Suricata alert file (fast.log) into a separate file called daylogs.txt at 6:10 AM, and that file is pasted into the email that is sent every morning:

10 6 * * * /usr/bin/tail -n 500 /var/log/suricata/fast.log | tee /var/log/suricata/daylogs.txt


There are other Linux solutions for mailing logs, such as Logwatch, but I decided that having a Python script execute as a cronjob would be the quickest solution for situational security awareness. 
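As an added example (my own code, not the author's script), here is how the daily fast.log digest could be parsed and summarised before it is emailed: each line is split into its fields, alerts are counted by priority and by signature, and a plain-text body is rendered. The sample lines are constructed (two are those quoted in this post, the rest use private addresses), and the SMTP send step is left to the existing cron job.

```python
import re
from collections import Counter

# One Suricata fast.log record; the trailing "src -> dst" is optional so the
# truncated lines quoted in the post still parse.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}"
    r"(?:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+))?\s*$")

# Constructed sample: the two lines quoted in the post, one made-up line with
# RFC 1918 addresses, and one junk line that a robust parser must skip.
SAMPLE_FAST_LOG = """\
08/01/2025-00:55:56.004313  [**] [1:2522298:5619] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 299 [**] [Classification: Misc Attack] [Priority: 2] {TCP}
08/14/2025-05:42:02.824964  [**] [1:2024364:4] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP}
08/14/2025-05:42:03.100000  [**] [1:2024364:4] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.50:44122 -> 192.168.1.20:80
this line is not a fast.log record and must be skipped
"""

def parse_line(line):
    # Returns a dict for one alert line, or None when the line is not an alert.
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"], rec["prio"] = int(rec["sid"]), int(rec["prio"])
    return rec

def summarize(text, max_priority=1):
    # Count alerts by priority and by signature; keep the high-priority records.
    by_prio, by_sig, high, skipped = Counter(), Counter(), [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_prio[rec["prio"]] += 1
        by_sig[(rec["sid"], rec["msg"])] += 1
        if rec["prio"] <= max_priority:
            high.append(rec)
    return {"by_priority": by_prio, "by_signature": by_sig, "high": high, "skipped": skipped}

def render_report(summary):
    # Plain-text body for the morning email; sending it is left to the cron job.
    out = ["Alerts by priority: " + ", ".join(
        f"P{p}={n}" for p, n in sorted(summary["by_priority"].items()))]
    for (sid, msg), n in summary["by_signature"].most_common(5):
        out.append(f"{n:4d}  sid {sid}  {msg}")
    for r in summary["high"]:
        out.append(f"[P{r['prio']}] {r['ts']} {r['src'] or '?'} -> {r['dst'] or '?'}: {r['msg']}")
    out.append(f"({summary['skipped']} non-alert line(s) skipped)")
    return "\n".join(out)
```

Feeding daylogs.txt through summarize() and render_report() gives a digest grouped by signature instead of 500 raw lines, which is what you actually want to read every morning.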

Another way of confirming that Suricata is running properly (and of gaining additional situational awareness about the state of network security) is to have Nmap run daily. A Raspberry Pi on my network uses a cron job to execute a full Nmap scan that fingerprints the operating system, open ports and services running on each network device:

30 2 * * * /usr/bin/nmap -sS -A -O 192.168.1.0/24


A separate Python script then emails the log file from the Nmap scan to me to be read every morning. The aggressive scanning performed by Nmap will generate Level 1 security alerts in Suricata, which will also be visible in the logs:

08/14/2025-05:42:02.824964  [**] [1:2024364:4] ET SCAN Possible Nmap User-Agent Observed [**] [Classification: Web Application Attack] [Priority: 1] {TCP}   

There are also a plethora of dashboards and platforms, ranging from simple to very elaborate, which can ingest all of the data Suricata generates and present it in a meaningful way. While these are beyond the scope of this blog, they are definitely worth exploring depending on network size and security needs.


CONCLUSION

The market is awash in cybersecurity tools of varying price and complexity, but getting your hands dirty with free solutions is a great introduction to cybersecurity practices. Raspberry Pis and open-source solutions can streamline the process of establishing vulnerability management, device inventory management, DNS security and network security monitoring across a local network, while teaching you how the network itself functions.