Difference between revisions of "ARPwatch"

From Notes_Wiki
 
(13 intermediate revisions by the same user not shown)
Line 59: Line 59:
Install postfix to enable the mail alerts for ARPwatch
Install postfix to enable the mail alerts for ARPwatch


* Install the required packages
Configure postfix as per the below article:
 
[[CentOS 8.x postfix send email through relay or smarthost with smtp authentication]]
 
== Configure ARPwatch ==
 
* install ARPwatch
<pre>
<pre>
# dnf -y install epel-release
# dnf update
# dnf -y install cyrus-sasl cyrus-sasl-plain cyrus-sasl-lib postfix
# dnf install epel-release
# dnf -y install s-nail
# dnf install arpwatch
</pre>
</pre>


* Configure the following in main.cf file
* Start the service
<pre>
<pre>
# vim /etc/postfix/main.cf
# systemctl start arpwatch
# systemctl status arpwatch
</pre>
</pre>


* add the following entries in their respective locations:
* Add the sub-interfaces to ARPwatch
<pre>
<pre>
      myhostname = <hostname>
# arpwatch -i <sub-interface>
      mydomain = <hostname>
</pre>


      inet_interfaces = all
* Restart the service
      inet_protocols = ipv4
<pre>
      mynetworks = 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8
# systemctl restart arpwatch
</pre>
</pre>


* add the following at the bottom of the document:
* Check the Process to confirm that ARPwatch is running
<pre>
<pre>
smtp_sasl_auth_enable = yes
# ps aux | grep arpwatch
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_security_level = may
relayhost = <mail-server>:<port>
sender_canonical_maps = hash:/etc/postfix/sender_canonical
</pre>
</pre>


* Add the crendentials
* Example output
<pre>
<pre>
# vim /etc/postfix/sasl_passwd
[root@localhost ~]# ps aux | grep arpwatch
   <mail-server>:<port>      <username>:<password>
arpwatch  41710  0.0  0.3  40860  6656 ?        Ss  May13  0:21 /usr/sbin/arpwatch -u arpwatch -F -C
root      41760  0.0  0.3  40976  6024 ?        Ss  May13  0:00 arpwatch -i ens33.40
root      41763  0.0  0.4  40976  8200 ?        Ss  May13   0:01 arpwatch -i ens33.99
root      44122  0.0  0.1 221664  2176 pts/2    S+  16:45  0:00 grep --color=auto arpwatch
 
</pre>
</pre>


* rewrite all mails from root to sender
* Check logs in the following file
<pre>
<pre>
# vim /etc/postfix/sender_canonical
/var/log/messages
      root <email-id>
      root@<hostname> <email-id>
</pre>
</pre>
 
 
Add the sender’s address in aliases file
* Example mail alert output
<pre>
<pre>
# vim /etc/aliases
hostname: <unknown>
ip address: 172.30.30.25
ethernet address: bc:24:11:48:b3:56
ethernet vendor: Proxmox Server Solutions GmbH
timestamp: Wednesday, May 14, 2025 15:46:10 +0530
</pre>
 
== Arpwatch alerts persist across reboots ==


  root:          <mail-id>
* Create a systemd service file


# newaliases
<pre>
vim /etc/systemd/system/arpwatch@.service
</pre>
</pre>


* Give Permission and create the postmap hash
<pre>
<pre>
# cd /etc/postfix
[Unit]
# chmod 600 sasl_passwd
Description=Arpwatch on %i
# postmap hash:/etc/postfix/sasl_passwd
After=network-online.target
# postmap /etc/postfix/sender_canonical
Wants=network-online.target
 
[Service]
Type=forking
User=arpwatch
Group=arpwatch
AmbientCapabilities=CAP_NET_RAW
ExecStartPre=/bin/sleep 5
ExecStart=/usr/sbin/arpwatch -i %i -f /var/lib/arpwatch/arp.%i -w alerts_gbb@gbb.co.in
Restart=on-failure
StandardOutput=null
StandardError=null
 
[Install]
WantedBy=multi-user.target
</pre>
</pre>


* restart the service
* Before starting the service, manually create the database files:
 
<pre>
<pre>
# systemctl restart postfix.service
touch /var/lib/arpwatch/arp.ens192.99
# postfix reload
</pre>
</pre>


* test the outgoing mail
* Give permission to arpwatch user:
 
<pre>
<pre>
echo "Test email using postfix" | mail -s "Relay test with smtp authentication" <mail-id>
chown arpwatch:arpwatch /var/lib/arpwatch/arp.ens192.99
</pre>
</pre>


== Configure ARPwatch ==
* Start and enable the service:


* install ARPwatch
<pre>
<pre>
# dnf update
systemctl start arpwatch@ens192.99
# dnf install epel-release
systemctl enable arpwatch@ens192.99
# dnf install arpwatch
systemctl status arpwathc@ens192.99
</pre>
</pre>


* Start the service
* After few minutes, check the database file to view the alerts
 
<pre>
<pre>
# systemctl start arpwatch
vim /var/lib/arpwatch/ens192.99
# systemctl status arpwatch
</pre>
</pre>


* Add the sub-interfaces to ARPwatch
== Suppress flip flop and changed Ethernet address alerts ==
 
To suppress '''flip flop''' and '''changed Ethernet address''' alerts, we can use Postfix '''header_checks''' mechanism as a global filter.
 
* Create or edit a header checks file
 
<pre>
<pre>
# arpwatch -i <sub-interface>
vim /etc/postfix/header_checks
</pre>
</pre>


* Restart the service
* Add rule
<pre>
<pre>
# systemctl restart arpwatch
/^Subject:.*flip flop/ DISCARD
/^Subject:.*changed ethernet address/ DISCARD
</pre>
</pre>


* Check the Process to confirm that ARPwatch is running
* Enable in main.cf
<pre>
<pre>
# ps aux | grep arpwatch
vim /etc/postfix/main.cf
</pre>
</pre>


* Example output
<pre>
<pre>
[root@localhost ~]# ps aux | grep arpwatch
header_checks = regexp:/etc/postfix/header_checks
arpwatch  41710  0.0  0.3  40860  6656 ?        Ss  May13  0:21 /usr/sbin/arpwatch -u arpwatch -F -C
root      41760  0.0  0.3  40976  6024 ?        Ss  May13  0:00 arpwatch -i ens33.40
root      41763  0.0  0.4  40976  8200 ?        Ss  May13  0:01 arpwatch -i ens33.99
root      44122  0.0  0.1 221664  2176 pts/2    S+  16:45  0:00 grep --color=auto arpwatch
 
</pre>
</pre>


* Check logs in the following file
* Reload postfix
<pre>
<pre>
/var/log/messages
postmap /etc/postfix/header_checks
</pre>
</pre>


* Example mail alert output
<pre>
<pre>
hostname: <unknown>
postfix reload
ip address: 172.30.30.25
ethernet address: bc:24:11:48:b3:56
ethernet vendor: Proxmox Server Solutions GmbH
timestamp: Wednesday, May 14, 2025 15:46:10 +0530
</pre>
</pre>
This will drop the mail at the SMTP level, before delivery.


Reference
Reference

Latest revision as of 11:57, 7 October 2025

Home > Rocky Linux or CentOS > Rocky Linux 9.x > Rocky 9.x Network Monitoring Tools > ARPwatch

Create Virtual Machine

  • Create a Rocky 9.x VM in the Vcenter
  • Select All VLANs Trunk in Network Adapter while creating the Virtual Machine

Configure Network Scripts

Create Network Scripts for each Vlan as per the below article:

CentOS 8.x Configure ethernet port for 802.3 encapsulated trunk traffic communication

  • Example Network script ( file name: ifcfg-ens33.99)
VLAN=yes
TYPE=Vlan
PHYSDEV=ens33
VLAN_ID=99
REORDER_HDR=yes
GVRP=no
MVRP=no
HWADDR=
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
IPADDR=172.30.7.106
PREFIX=16
GATEWAY=172.30.0.1
DNS1=172.31.1.160
DNS2=8.8.8.8
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6_DISABLED=yes
IPV6INIT=no
NAME=ens33.99
DEVICE=ens33.99
ONBOOT=yes
  • Restart the Network
# systemctl restart NetworkManager
  • Remove the main interface
# nmcli connection del <interface name>
  • Ping to gateway should work for each sub-interface
  • Should be able to access the Internet

Configure Postfix

Install postfix to enable the mail alerts for ARPwatch

Configure postfix as per the below article:

CentOS 8.x postfix send email through relay or smarthost with smtp authentication

Configure ARPwatch

  • install ARPwatch
# dnf update
# dnf install epel-release
# dnf install arpwatch
  • Start the service
# systemctl start arpwatch
# systemctl status arpwatch
  • Add the sub-interfaces to ARPwatch
# arpwatch -i <sub-interface>
  • Restart the service
# systemctl restart arpwatch
  • Check the Process to confirm that ARPwatch is running
# ps aux | grep arpwatch
  • Example output
[root@localhost ~]# ps aux | grep arpwatch
arpwatch   41710  0.0  0.3  40860  6656 ?        Ss   May13   0:21 /usr/sbin/arpwatch -u arpwatch -F -C
root       41760  0.0  0.3  40976  6024 ?        Ss   May13   0:00 arpwatch -i ens33.40
root       41763  0.0  0.4  40976  8200 ?        Ss   May13   0:01 arpwatch -i ens33.99
root       44122  0.0  0.1 221664  2176 pts/2    S+   16:45   0:00 grep --color=auto arpwatch
  • Check logs in the following file
/var/log/messages
  • Example mail alert output
hostname: <unknown>
ip address: 172.30.30.25
ethernet address: bc:24:11:48:b3:56
ethernet vendor: Proxmox Server Solutions GmbH
timestamp: Wednesday, May 14, 2025 15:46:10 +0530

Arpwatch alerts persist across reboots

  • Create a systemd service file
vim /etc/systemd/system/arpwatch@.service

[Unit]
Description=Arpwatch on %i
After=network-online.target
Wants=network-online.target

[Service]
Type=forking
User=arpwatch
Group=arpwatch
AmbientCapabilities=CAP_NET_RAW
ExecStartPre=/bin/sleep 5
ExecStart=/usr/sbin/arpwatch -i %i -f /var/lib/arpwatch/arp.%i -w alerts_gbb@gbb.co.in
Restart=on-failure
StandardOutput=null
StandardError=null

[Install]
WantedBy=multi-user.target
  • Before starting the service, manually create the database files:
touch /var/lib/arpwatch/arp.ens192.99
  • Give permission to arpwatch user:
chown arpwatch:arpwatch /var/lib/arpwatch/arp.ens192.99
  • Start and enable the service:
systemctl start arpwatch@ens192.99
systemctl enable arpwatch@ens192.99
systemctl status arpwathc@ens192.99
  • After few minutes, check the database file to view the alerts
vim /var/lib/arpwatch/ens192.99

Suppress flip flop and changed Ethernet address alerts

To suppress flip flop and changed Ethernet address alerts, we can use Postfix header_checks mechanism as a global filter.

  • Create or edit a header checks file
vim /etc/postfix/header_checks
  • Add rule
/^Subject:.*flip flop/ DISCARD
/^Subject:.*changed ethernet address/ DISCARD
  • Enable in main.cf
vim /etc/postfix/main.cf

header_checks = regexp:/etc/postfix/header_checks
  • Reload postfix
postmap /etc/postfix/header_checks

postfix reload


This will drop the mail at the SMTP level, before delivery.


Reference

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=ARPwatch&oldid=9608"