Arpwatch

From SME Server
Revision as of 20:01, 7 September 2015 by Stephdl (talk | contribs) (→‎Bugs)
Jump to navigation Jump to search



Maintainer

Daniel B.
Firewall Services
mailto:daniel@firewall-services.com

Version

Contrib 10:
Contrib 9:
smeserver-arpwatch
The latest version of smeserver-arpwatch is available in the SME repository, click on the version number(s) for more information.


arpwatch
The latest version of arpwatch is available in the SME repository, click on the version number(s) for more information.


Description

Arpwatch is a tool to monitor the ARP activity of your local network. Its main goal is to detect poisoning attacks. It'll first create a database of IP<->mac associations (the database is /var/lib/arpwatch/arp.dat). Then, it'll be able to detect changes, and send an email to the admin.

Requirements

  • SME Server 7.X


  Note:
For SME Server 9.x see bug 8429


bugzilla:8429

Installation

  • install the rpms
yum --enablerepo=smecontribs install smeserver-arpwatch
  • Start the daemon

Log into your server using SSH, and start the daemon

expand-template /etc/sysconfig/arpwatch
/etc/init.d/arpwatch start

Or

signal-event post-upgrade && signal-event reboot

Change recipient from admin to youruser

If you'll like to send notifications to other user / group copy the ALL file located in /etc/e-smith/templates/etc/sysconfig/arpwatch to newly created folder /etc/e-smith/templates-custom/etc/sysconfig/arpwatch

mkdir -p /etc/e-smith/templates-custom/etc/sysconfig/arpwatch
cp /etc/e-smith/templates/etc/sysconfig/arpwatch/ALL /etc/e-smith/templates-custom/etc/sysconfig/arpwatch/

edit the file ALL and change the user domain...

vi /etc/e-smith/templates-custom/etc/sysconfig/arpwatch/ALL

then issue

expand-template /etc/sysconfig/arpwatch
/etc/init.d/arpwatch restart

Known issues

You may have some emails the first days you run it, because it'll see new computers on the network. Just let it running a few days. Then, you should only receive alerts when a new machines connects or when something wrong appens (arp spoofing attack)

You may also have problems if you runs arpwatch with OpenVPN Bridge contrib. The reason is that your client will have a dynamic IP. This problem can be solved if you fixe an IP for each client using the configuration rules manager. The second problem is that OpenVPN client will generate a random mac adress for each connection. So once again, you may have a lot of false positives. You can also solve this issue if you fixe a mac address in the client configuration:

lladdr 00:aa:bb:cc:dd:ee:ff

Of course, choose a unique mac address for each client.

Uninstall

If you want to remove the contrib, just run:

/etc/init.d/arpwatch stop
yum remove arpwatch

Source

The source for this contrib can be found in the smeserver CVS on sourceforge.

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-arpwatch component or use this link

IDProductVersionStatusSummary (3 tasks)
8127SME Contribs8.0UNCONFIRMEDnot enough data about mac address database
8126SME Contribs8.0UNCONFIRMEDIf you have the contrib OpenVPN will not assign the correect interface
7802SME Contribs8.0UNCONFIRMEDfeature request - send info about unused mac / IP for certain period of time