{"id":99,"date":"2012-09-26T23:47:38","date_gmt":"2012-09-26T23:47:38","guid":{"rendered":"https:\/\/www.nicktailor.com\/?p=99"},"modified":"2022-10-21T11:59:54","modified_gmt":"2022-10-21T11:59:54","slug":"99","status":"publish","type":"post","link":"https:\/\/nicktailor.com\/tech-blog\/99\/","title":{"rendered":"How to setup Arpwatch across multiple vlans"},"content":{"rendered":"<p><strong><span style=\"text-decoration: underline;\">How to setup Arpwatch across multiple vlans<\/span><\/strong><\/p>\n<ul>\n<li>Arpwatch is primarily used to avoid IP conflicts on your network.<\/li>\n<li>This helps avoid accidental outages caused by a MAC address answering ARP for an IP that is also configured on another device, i.e. a duplicate IP configuration.<\/li>\n<li>It also helps track down gateway theft, where your gateway's IP address is claimed elsewhere within your network, whether accidentally or by a compromised machine.<\/li>\n<li>Arpwatch keeps track of ethernet\/ip address pairings. It syslogs activity and reports certain changes via email. Arpwatch uses pcap(3) to listen for arp packets on a local ethernet interface.<\/li>\n<\/ul>\n<p><strong><span style=\"text-decoration: underline;\">Installing ArpWatch on Debian<\/span><\/strong><\/p>\n<p><em>Note: You will need to ensure that your vlans are trunked, and you might need to tag them depending on your setup, so that ARP request packets from arpwatch are not dropped when they go to another switch.<\/em><\/p>\n<ol>\n<li>You can download the source and compile it, but the Debian repositories already carry it, so it is easy to install: 
\u201c<em>apt-get install arpwatch<\/em>\u201d<\/li>\n<li>Create an empty file for storing host information: \u201c<em>touch \/var\/lib\/arpwatch\/arp.dat<\/em>\u201d. If this file already exists, move on to the next step.<\/li>\n<li>Open up \/etc\/arpwatch.conf and configure the interfaces to listen on for whichever subnets you want it to check.<\/li>\n<\/ol>\n<p><em>Note: Since eth0 on the arpwatch server is your primary interface, I used the second NIC, plugged into a tagged vlan, so that my arpwatch server could send packets.<\/em><\/p>\n<p>Add these lines for email alerts:<\/p>\n<p>eth1 -a -m admin@nicktailor.com<br \/>\neth1.1 -a -m admin@nicktailor.com<br \/>\neth1.2 -a -m <a href=\"mailto:admin@nicktailor.com\">admin@nicktailor.com<\/a><\/p>\n<p>4. If you need to exclude a specific subnet for any reason: I had to do this because we had multiple physical servers with unconfigured DRAC cards that all had the same IP address configured, so when we implemented arpwatch on our public-facing vlans we got a lot of alerts because of the DRACs. To get around it we added the following lines in \/etc\/arpwatch.conf:<\/p>\n<p>eth1 -a -z 192.168.0.0\/255.255.0.0 -m <a href=\"mailto:admin@nicktailor.com\">admin@nicktailor.com<\/a><br \/>\neth1.1 -a -z 192.168.0.0\/255.255.0.0 -m <a href=\"mailto:admin@nicktailor.com\">admin@nicktailor.com<\/a><br \/>\neth1.2 -a -z 192.168.0.0\/255.255.0.0 -m <a href=\"mailto:admin@nicktailor.com\">admin@nicktailor.com<\/a><\/p>\n<p>Note: Another way to do this is to update the startup script \/etc\/init.d\/arpwatch, editing the line below as follows:<\/p>\n<p>IFACE_OPTS=\"-i ${IFACE} -f ${IFACE}.dat $2 -z 192.168.0.0\/255.255.0.0\"<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Additional Configuring<\/strong><\/span><\/p>\n<ol>\n<li>If you want to make the email config cleaner, for instance because you want multiple addresses emailed: 
Open up <em>\/etc\/aliases<\/em><\/li>\n<\/ol>\n<p>Add the line:<\/p>\n<p>arp-alert: <a href=\"mailto:nick@nicktailor.com\">nick@nicktailor.com<\/a>, <a href=\"mailto:admin@nicktailor.com\">admin@nicktailor.com<\/a><\/p>\n<p>2. Next go back into \/etc\/arpwatch.conf and edit the lines from step 3 as indicated below. This way you don\u2019t have to keep updating the conf: if you want to add more email addresses in future, just update your aliases file.<\/p>\n<p>eth1 -a -z 192.168.0.0\/255.255.0.0 -m arp-alert<br \/>\neth1.1 -a -z 192.168.0.0\/255.255.0.0 -m arp-alert<br \/>\neth1.2 -a -z 192.168.0.0\/255.255.0.0 -m arp-alert<\/p>\n<p><strong><span style=\"text-decoration: underline;\">How to Check your logs<\/span><\/strong><\/p>\n<p>Everything is logged in \/var\/log\/syslog. If you want to filter out the arpwatch entries, this is one possible way to go about it. Mind that you will need to edit this grep based on whatever you are mining the log file for. Hope this was helpful.<\/p>\n<p><em>grep -i arpwatch \/var\/log\/syslog | grep -i reuse | cut -d\" \" -f11 | sort | uniq<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to setup Arpwatch across multiple vlans Arpwatch is primarily used to avoid ip conflicts on your network This will help avoid accidental outages from occurring by the mac-address arping to another device in error due to a duplicate ip configuration on another device This will also help track down a gateway theft, if there is an accidental theft<a href=\"https:\/\/nicktailor.com\/tech-blog\/99\/\" class=\"read-more\">Read More 
&#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58,138],"tags":[],"class_list":["post-99","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux"],"_links":{"self":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/99","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/comments?post=99"}],"version-history":[{"count":11,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/99\/revisions"}],"predecessor-version":[{"id":1624,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/posts\/99\/revisions\/1624"}],"wp:attachment":[{"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/media?parent=99"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/categories?post=99"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nicktailor.com\/tech-blog\/wp-json\/wp\/v2\/tags?post=99"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}