Changes

From SME Server
2,365 bytes added ,  18:22, 20 May 2009
Created page with '{{Languages}} ===Maintainer=== Daniel B.<br/> [http://www.firewall-services.com Firewall Services]<br> mailto:daniel@firewall-services.com === Version === {{...'
{{Languages}}


===Maintainer===
[[User:VIP-ire|Daniel B.]]<br/>
[http://www.firewall-services.com Firewall Services]<br>
mailto:daniel@firewall-services.com

=== Version ===

{{ #smeversion: smeserver-arpwatch }}
{{ #smeversion: arpwatch }}

=== Description ===

[http://www-nrg.ee.lbl.gov/ Arpwatch] is a tool to monitor the ARP activity of your local network. Its main goal is to detect [http://en.wikipedia.org/wiki/ARP_poisoning ARP poisoning attacks].
It first builds a database of IP-to-MAC address associations (stored in /var/lib/arpwatch/arp.dat). Once this baseline exists, it can detect changes and send an email to the admin.
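
The following Python example is added here for illustration and is not part of the contrib or of arpwatch itself. It audits the IP-to-MAC database described above for IP addresses that have been seen with more than one MAC address, which is the condition arpwatch alerts on. It assumes arp.dat holds tab-separated MAC, IP, epoch timestamp and optional hostname fields, with leading zeros dropped from the MAC octets; the sample data and the function names are constructed for the example.

```python
"""Audit an arpwatch database for IPs seen with more than one MAC."""
from collections import defaultdict

# Constructed sample in the assumed arp.dat layout:
# MAC <TAB> IP <TAB> epoch timestamp [<TAB> hostname]
SAMPLE_ARP_DAT = (
    "0:1a:2b:3c:4d:5e\t192.168.1.1\t1242840000\tgateway\n"
    "0:1a:2b:aa:bb:cc\t192.168.1.10\t1242840100\tdesktop\n"
    "0:50:56:0:0:99\t192.168.1.1\t1242926500\n"
    "0:1a:2b:aa:bb:dd\t192.168.1.11\t1242840200\tlaptop\n"
    "not a valid line\n"
)


def normalize_mac(mac):
    """Zero-pad each octet so 0:1a:... and 00:1a:... compare equal."""
    octets = mac.strip().lower().split(":")
    if len(octets) != 6:
        raise ValueError("expected 6 octets: %r" % mac)
    return ":".join("%02x" % int(o, 16) for o in octets)


def parse_arp_dat(text):
    """Yield (mac, ip, timestamp) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        try:
            yield normalize_mac(fields[0]), fields[1], int(fields[2])
        except ValueError:
            continue


def conflicting_ips(text):
    """Map each IP claimed by 2+ MACs to its MACs, oldest sighting first."""
    seen = defaultdict(dict)
    for mac, ip, ts in parse_arp_dat(text):
        seen[ip][mac] = max(ts, seen[ip].get(mac, 0))
    return {
        ip: sorted(macs, key=macs.get)
        for ip, macs in seen.items()
        if len(macs) > 1
    }


if __name__ == "__main__":
    for ip, macs in conflicting_ips(SAMPLE_ARP_DAT).items():
        print("%s: %s" % (ip, " -> ".join(macs)))
```

To check a live database, pass the contents of /var/lib/arpwatch/arp.dat to conflicting_ips() instead of the sample string.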

=== Requirements ===
*SME Server 7.X

=== Installation ===

*Install the rpms

 yum --enablerepo=smecontribs install smeserver-arpwatch

*Start the daemon

Log into your server using SSH, and start the daemon:

 expand-template /etc/sysconfig/arpwatch
 /etc/init.d/arpwatch start

Or:

 signal-event post-upgrade && signal-event reboot

=== Known issues ===

You may receive some emails during the first days you run it, because it will see new computers on the network. Just let it run for a few days. After that, you should only receive alerts when a new machine connects or when something wrong happens (ARP spoofing attack).

You may also have problems if you run arpwatch with the [[OpenVPN_Bridge|OpenVPN Bridge]] contrib. The first problem is that your clients will have dynamic IPs. This can be solved by fixing an IP for each client using the configuration rules manager. The second problem is that the OpenVPN client generates a random MAC address for each connection, so once again you may get a lot of false positives. You can also solve this issue by fixing a MAC address in the client configuration:
 lladdr 00:aa:bb:cc:dd:ee
Of course, choose a unique MAC address for each client.

=== Uninstall ===
If you want to remove the contrib, just run:
 /etc/init.d/arpwatch stop
 yum remove arpwatch

=== Source ===
The source for this contrib can be found in the smeserver [http://smeserver.cvs.sourceforge.net/smeserver/smeserver-arpwatch/ CVS] on SourceForge.

=== Bugs ===
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla]
and select the smeserver-arpwatch component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-arpwatch|title=this link}}

----
[[Category:Contrib]]
