Day: September 26, 2012
How to setup Arpwatch across multiple vlans
How to setup Arpwatch across multiple vlans
- Arpwatch is primarily used to avoid ip conflicts on your network
- This will help avoid an accidental outages from occurring by the mac-address arping to another device in error due to a duplicate ip configuration on another device
- This will also help track down a gateway theft, if there is an accidental theft of your gateway within your network by a compromised machine.
- Arpwatch keeps track for ethernet/ip address pairings. It syslogs activity and reports certain changes via email. Arpwatch uses pcap(3) to listen for arp packets on a local ethernet interface.
Installing ArpWatch on Debian
Note-You will need to ensure that your vlans are trunked and might need to tag them depending on your setup, so that you arp requests packets from arpwatch are not dropped if they go to another switch.
- Now you can download the source and compile and do this, however debian sources already have it, so this is pretty easy to install. “apt-get install arpwatch”
- Create empty file for storing host information “touch /var/lib/arpwatch/arp.dat” if this file already exists move to the next setup
- You want to open up your /etc/arpwatch.conf and configure your interfaces for listening on which ever subnets you want it to check.
Note: Since eth0 on the arpwatch server is your primary interface. I used the second nic plugged into a tagged vlan so that my arpwatch server could send packets
Add these lines for email alerts
eth1 -a -m admin@nicktailor.com
eth1.1 -a -m admin@nicktailor.com
eth1.2 -a – -m admin@nicktailor.com
4. If you need to exclude a specific subnet for any reason. I had to do this because we had multiple physical servers that had unconfigured drac cards which had the same ip address configured, so when we implemented arpwatch on our public facing vlans, we got a lot of alerts because dracs. To get around it we used the added the following lines in /etc/arpwatch.conf
eth1 -a -z 192.168.0.0/255.255.0.0 -m admin@nicktailor.com
eth1.1 -a -z 192.168.0.0/255.255.0.0 -m admin@nicktailor.com
eth1.2 -a -z 192.168.0.0/255.255.0.0 -m admin@nicktailor.com
Note: Another way to do this is updating the startup script /etc/init.d/arpwatch, edit the line below as follows:
Additional Configuring
IFACE_OPTS=”-i ${IFACE} -f ${IFACE}.dat $2 -z 192.168.0.0/255.255.0.0″
- If you want to make config cleaner for the emails for instance you want to have multiple addresses emailed. Open up /etc/aliases
Add the lines
arp-alert: nick@nicktailor.com, admin@nicktailor.com
2. Next go back into /etc/arpwatch.conf and edit the lines from step 3 as indicated below, this way you don’t have to keep updated the conf, if you want to added more emails addresses in future, just update your aliases file.
eth1 -a -z 192.168.0.0/255.255.0.0 -m arp-alert
eth1.1 -a -z 192.168.0.0/255.255.0.0 –m arp-alert
eth1.2 -a -z 192.168.0.0/255.255.0.0 -m arp-alert
How to Check your logs
So everything is logged in /var/log/syslog, if you want to filter out arpwatch logs. This a possible way to go about it. Mind you will need to edit this grep based on whatever your are mining log file for. Hope this was helpful.
cat syslog | grep -i arpwatch | grep -i reuse | cut -d” ” -f11 | sort | uniq