Difference between revisions of "Arpwatch"
Unnilennium (talk | contribs) |
|||
(5 intermediate revisions by 4 users not shown) | |||
Line 3: | Line 3: | ||
===Maintainer=== | ===Maintainer=== | ||
− | [[User:VIP-ire|Daniel B.]]<br/> | + | [[User:VIP-ire|Daniel B.]]<br /> |
[http://www.firewall-services.com Firewall Services]<br> | [http://www.firewall-services.com Firewall Services]<br> | ||
mailto:daniel@firewall-services.com | mailto:daniel@firewall-services.com | ||
Line 9: | Line 9: | ||
=== Version === | === Version === | ||
− | {{ #smeversion: smeserver- | + | {{#smeversion: smeserver-arpwatch }} |
− | |||
=== Description === | === Description === | ||
Line 18: | Line 17: | ||
=== Requirements === | === Requirements === | ||
− | *SME Server 7.X | + | *SME Server 7.X,8.X,9.X 10.x |
− | |||
− | |||
=== Installation === | === Installation === | ||
Line 30: | Line 27: | ||
*Start the daemon | *Start the daemon | ||
− | Log into your server using SSH, and start the daemon | + | Log into your server using SSH, and start the daemon (this should not be necessary for SME10) |
expand-template /etc/sysconfig/arpwatch | expand-template /etc/sysconfig/arpwatch | ||
Line 38: | Line 35: | ||
signal-event post-upgrade && signal-event reboot | signal-event post-upgrade && signal-event reboot | ||
− | === Change recipient from admin to | + | === Change recipient from admin to your user === |
If you'll like to send notifications to other user / group | If you'll like to send notifications to other user / group | ||
Line 73: | Line 70: | ||
Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] | Please raise bugs under the SME-Contribs section in [http://bugs.contribs.org/enter_bug.cgi bugzilla] | ||
and select the smeserver-arpwatch component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-arpwatch|title=this link}} | and select the smeserver-arpwatch component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-arpwatch|title=this link}} | ||
− | + | {{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |disablecache=1 |component=smeserver-arpwatch |noresultsmessage="No open bugs found."}} | |
---- | ---- | ||
[[Category:Contrib]] | [[Category:Contrib]] | ||
[[Category:Administration:Monitoring]] | [[Category:Administration:Monitoring]] |
Latest revision as of 05:41, 18 April 2021
Maintainer
Daniel B.
Firewall Services
mailto:daniel@firewall-services.com
Version
Description
Arpwatch is a tool to monitor the ARP activity of your local network. Its main goal is to detect poisoning attacks. It'll first create a database of IP<->mac associations (the database is /var/lib/arpwatch/arp.dat). Then, it'll be able to detect changes, and send an email to the admin.
Requirements
- SME Server 7.X,8.X,9.X 10.x
Installation
- install the rpms
yum --enablerepo=smecontribs install smeserver-arpwatch
- Start the daemon
Log into your server using SSH, and start the daemon (this should not be necessary for SME10)
expand-template /etc/sysconfig/arpwatch /etc/init.d/arpwatch start
Or
signal-event post-upgrade && signal-event reboot
Change recipient from admin to your user
If you'll like to send notifications to other user / group copy the ALL file located in /etc/e-smith/templates/etc/sysconfig/arpwatch to newly created folder /etc/e-smith/templates-custom/etc/sysconfig/arpwatch
mkdir -p /etc/e-smith/templates-custom/etc/sysconfig/arpwatch cp /etc/e-smith/templates/etc/sysconfig/arpwatch/ALL /etc/e-smith/templates-custom/etc/sysconfig/arpwatch/
edit the file ALL and change the user domain...
vi /etc/e-smith/templates-custom/etc/sysconfig/arpwatch/ALL
then issue
expand-template /etc/sysconfig/arpwatch /etc/init.d/arpwatch restart
Known issues
You may have some emails the first days you run it, because it'll see new computers on the network. Just let it running a few days. Then, you should only receive alerts when a new machines connects or when something wrong appens (arp spoofing attack)
You may also have problems if you runs arpwatch with OpenVPN Bridge contrib. The reason is that your client will have a dynamic IP. This problem can be solved if you fixe an IP for each client using the configuration rules manager. The second problem is that OpenVPN client will generate a random mac adress for each connection. So once again, you may have a lot of false positives. You can also solve this issue if you fixe a mac address in the client configuration:
lladdr 00:aa:bb:cc:dd:ee:ff
Of course, choose a unique mac address for each client.
Uninstall
If you want to remove the contrib, just run:
/etc/init.d/arpwatch stop yum remove arpwatch
Source
The source for this contrib can be found in the smeserver CVS on sourceforge.
Bugs
Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-arpwatch component or use this link
ID | Product | Version | Status | Summary (3 tasks) ⇒ |
---|---|---|---|---|
8127 | SME Contribs | 8.0 | UNCONFIRMED | not enough data about mac address database |
8126 | SME Contribs | 8.0 | UNCONFIRMED | If you have the contrib OpenVPN will not assign the correect interface |
7802 | SME Contribs | 8.0 | UNCONFIRMED | feature request - send info about unused mac / IP for certain period of time |