Welcome to the Slackware Documentation Project

es:howtos:software:arpwatch [2019/02/28 01:39 (UTC)] (current), created by slackwarespanol
====== Network Monitoring with Arpwatch ======

Arpwatch lets a system keep track of [[https://en.wikipedia.org/wiki/IP_address|IP]] address to [[https://en.wikipedia.org/wiki/MAC_address|MAC address]] pairings. It listens passively to the [[https://en.wikipedia.org/wiki/Address_Resolution_Protocol|ARP]] traffic on a [[https://en.wikipedia.org/wiki/LAN|LAN]] interface, records every ethernet/IP pairing it sees in a database file, and reports when a pairing changes. Every network card is manufactured with a MAC address intended to be unique, which is what lets Arpwatch tell devices apart (keep in mind that a MAC address can be changed in software, so it identifies a device only until somebody bothers to forge it). Mapping a network this way lets the system administrator keep an inventory of the devices on it, notice new or unexpected hosts, and diagnose networking issues. Arpwatch is commonly used to detect an [[https://en.wikipedia.org/wiki/ARP_spoofing|ARP man-in-the-middle attack]]: it notifies the administrator when an IP address it already knows suddenly answers from a different MAC address (reported as a "changed ethernet address", or as a "flip flop" when the address keeps alternating between two cards). Arpwatch is most commonly run on routers, but it can also be useful on a managed network switch.

===== Install =====
Arpwatch is not a part of the standard Slackware Linux distribution. It can be obtained by downloading the [[https://slackbuilds.org/result/?search=arpwatch&sv=|SlackBuild from SlackBuilds.org]] for your Slackware release. SlackBuilds.org has a good [[https://slackbuilds.org/howto/|HOWTO]] on installing a SlackBuild, and the [[https://slackbuilds.org/faq/|SlackBuilds.org FAQ]] is also helpful for Slackware users who run into trouble installing one.

===== Configuration =====
The included start-up script lets the administrator run Arpwatch on one or more network cards, and it is also where the run-time settings for Arpwatch live. Open **/etc/rc.d/rc.arpwatch** on your system and edit the **OPTIONS** variable to your satisfaction. By default the **root** account receives all Arpwatch emails. Let's try changing the account Arpwatch sends its notifications to. Make sure you use a user account or an email address that exists, or Arpwatch's notifications will never reach you.

The line you are looking for is:
<code>
OPTIONS="-i $IFACE -f $ARPDIR/arp-$IFACE.dat -u root -e root -s root"
</code>

The Arpwatch man page indicates that the **-e** switch sets the email recipient, **-s** sets the sender address, and **-u** names the user Arpwatch drops its root privileges to (the man page recommends this for safety; with **-u root** as above it simply keeps running as root, so consider a dedicated unprivileged user that can write the database file under **$ARPDIR**). Let us change the recipient to the user **darkstar**.
<code>
OPTIONS="-i $IFACE -f $ARPDIR/arp-$IFACE.dat -u root -e darkstar -s root"
</code>

Or we can use a remote email address if **sendmail** is configured to deliver off the host:
<code>
OPTIONS="-i $IFACE -f $ARPDIR/arp-$IFACE.dat -u root -e user@randomdomain.com -s root"
</code>

===== Update MAC Address Database =====
The README.ethercodes installed with the Arpwatch SlackBuild points out that the MAC address vendor database (**ethercodes.dat**) shipped in the source tarball can be outdated. It is only refreshed when there is a new release of Arpwatch, which has not happened in quite a while, so newer hardware shows up with an unknown vendor in the notifications unless you regenerate the file from the IEEE OUI list.

//These steps are covered in greater detail in /usr/doc/arpwatch-$VERSION/README.ethercodes//
<code>
su -
cd /var/lib/arpwatch
wget http://standards-oui.ieee.org/oui.txt
# massagevendor converts the IEEE list into the ethercodes.dat format Arpwatch reads
./massagevendor oui.txt > ethercodes.dat
rm -f oui.txt
</code>
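
The commands above have a sharp edge: the redirect in **./massagevendor oui.txt > ethercodes.dat** empties the live database before anything has been checked, so a failed download (or a change in the layout of oui.txt) leaves Arpwatch with an empty vendor table. The script below is an added example, not Arpwatch's own massagevendor and not part of the original page: it performs the same conversion, but into a temporary file, refuses results that are suspiciously small, keeps a backup and swaps the new file in atomically. The ethercodes.dat layout it produces (lower-case hex octets without leading zeros, a tab, then the vendor name) and the OUI lines used to exercise it are assumptions drawn from the classic Arpwatch format; compare with the first lines of your existing /var/lib/arpwatch/ethercodes.dat before installing.

```sh
#!/bin/sh
# Added example, not arpwatch's own massagevendor script.  Rebuilds
# ethercodes.dat from the IEEE OUI list with the checks the one-liner
# "./massagevendor oui.txt > ethercodes.dat" lacks.
# Assumed output layout (classic arpwatch ethercodes.dat):
#     0:0:c<TAB>Cisco Systems, Inc
# i.e. lower-case hex octets with leading zeros dropped.

# oui_to_ethercodes IN OUT
# Convert the "(hex)" lines of an IEEE oui.txt (CRLF tolerated) into the
# assumed ethercodes.dat format.  Everything else in oui.txt is ignored.
oui_to_ethercodes() {
    awk '
        { sub(/\r$/, "") }
        $2 == "(hex)" && $1 ~ /^[0-9A-Fa-f][0-9A-Fa-f]-[0-9A-Fa-f][0-9A-Fa-f]-[0-9A-Fa-f][0-9A-Fa-f]$/ {
            split($1, p, "-")
            for (i = 1; i <= 3; i++) { o = tolower(p[i]); sub(/^0/, "", o); p[i] = o }
            vendor = $3
            for (i = 4; i <= NF; i++) vendor = vendor " " $i
            printf "%s:%s:%s\t%s\n", p[1], p[2], p[3], vendor
        }' "$1" > "$2"
}

# install_ethercodes OUI_TXT DIR [MIN_ENTRIES]
# Build into a temp file inside DIR (same filesystem, so the final rename is
# atomic), refuse suspiciously small results (a failed download or a changed
# oui.txt layout would otherwise wipe the database), keep the previous copy
# as ethercodes.dat.bak and swap the new file in.  Returns non-zero and
# leaves DIR untouched when the build is rejected.
install_ethercodes() {
    src=$1; dir=$2; min=${3:-10000}   # a real IEEE list has tens of thousands of entries
    tmp=$(mktemp "$dir/ethercodes.XXXXXX") || return 1
    oui_to_ethercodes "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    n=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$n" -lt "$min" ]; then
        echo "refusing to install: only $n entries (expected at least $min)" >&2
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$dir/ethercodes.dat" ]; then
        cp -p "$dir/ethercodes.dat" "$dir/ethercodes.dat.bak"
    fi
    chmod 644 "$tmp"
    mv -f "$tmp" "$dir/ethercodes.dat"
}

# Typical use as root (the URL is the one the page above uses):
#   wget -O /tmp/oui.txt http://standards-oui.ieee.org/oui.txt
#   install_ethercodes /tmp/oui.txt /var/lib/arpwatch && rm -f /tmp/oui.txt
```

Restart Arpwatch after a successful install so the running daemons pick up the new vendor table.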

===== Start and Stop at Boot =====
The file **/etc/rc.d/rc.arpwatch** controls start up and shut down of Arpwatch. In order to use this script you need to add a few lines to **/etc/rc.d/rc.local** and **/etc/rc.d/rc.local_shutdown**. Be sure to use the appropriate order if you have any other network services starting or stopping in these scripts. As an example, if you are running a [[howtos:network_services:configuring_a_wireless_access_point|Wireless Access Point]] you should start Arpwatch before you bring up hostapd, and stop Arpwatch only after hostapd has exited. That ordering ensures Arpwatch is already listening when the first ARP traffic appears on your network, and still listening when the last of it goes away.

Continuing with the above example, let's assume you are running a wireless access point. Add this to **/etc/rc.d/rc.local**:
<code>
if [ -x /etc/rc.d/rc.arpwatch ]; then
  /etc/rc.d/rc.arpwatch start wlan0
fi
</code>

If you wish to run Arpwatch on multiple network cards, adjust **/etc/rc.d/rc.local** like this:
<code>
# Change eth0 and wlan0 to match your configuration
if [ -x /etc/rc.d/rc.arpwatch ]; then
  /etc/rc.d/rc.arpwatch start eth0
  /etc/rc.d/rc.arpwatch start wlan0
fi
</code>

It's important that Arpwatch is stopped cleanly when your system is shut down or rebooted, so that it has a chance to write out its database. If you haven't already done so, create **/etc/rc.d/rc.local_shutdown** as root:
<code>
touch /etc/rc.d/rc.local_shutdown
</code>

Next, add the following to **rc.local_shutdown**:
<code>
if [ -x /etc/rc.d/rc.arpwatch ]; then
  /etc/rc.d/rc.arpwatch stop
fi
</code>

Finally, mark **rc.local** and **rc.local_shutdown** as //executable//. This is what tells Slackware to run them during boot and shutdown respectively.
<code>
chmod +x /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local_shutdown
</code>

===== Wrap Up =====
Assuming all steps were followed, you should have received one email for each device Arpwatch discovered on your network (a "new station" report per pairing). If you opted to use the **root** user for notifications, you can read them with the **mail** command as root:

<code>
mail -f /var/spool/mail/root
</code>

Here is an example of what you may find in your inbox (MAC addresses redacted):
<code>
            hostname: <unknown>
          ip address: 192.168.151.170
    ethernet address: XX:XX:XX:XX:XX:XX
    ethernet address: XX:XX:XX:XX:XX:XX
     ethernet vendor: <unknown>
           timestamp: Monday, April 9, 2018 12:01:39 -0600
</code>

====== Sources ======
* [[https://ee.lbl.gov/|Arpwatch Home]]

* Originally written by [[wiki:user:mralk3 | Brenton Earl]]
{{tag>howtos network monitoring arpwatch user_mralk3}}
