Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort

ARPWatch is a daemon that listens to ARP traffic on a network segment and records the Ethernet (MAC) address paired with each IP address it sees. When a pairing appears that it has not recorded before, or an existing pairing changes, it reports it. A new entry could be indicative of a rogue computer somewhere within the network; a changed entry could indicate an address being reused or spoofed.

ARPWatch uses libpcap, the packet capture library, which may not (yet) be on your system. If it isn't, the configure script for ARPWatch will tell you. libpcap can be downloaded from http://www.tcpdump.org/ and is used by other network and security-related programs such as TCPDump. Because TCPDump was already covered, I'll forgo repeating the instructions for installing libpcap in this chapter and instead refer you to the section "TCPDump: A Simple Overview" for those instructions.

Installation of ARPWatch involves untarring the ARPWatch archive that you download, usually something like tar -zxvf arpwatch.tar.Z. From there, change directory into the ARPWatch directory and run the configure script:

./configure

You'll see a (hopefully somewhat) familiar series of output statements, something like this:

creating cache ./config.cache
checking host system type... i686-pc-linux-gnu
checking target system type... i686-pc-linux-gnu
checking build system type... i686-pc-linux-gnu
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
... (output truncated) ...

If you see an error to the effect of the following, you'll need to install libpcap:

checking for main in -lpcap... no
configure: error: see the INSTALL doc for more info

Refer to the section on TCPDump earlier in this chapter for information on installing the PCap library.

For the rest of you, and if you're joining us again after installing PCap, the next step to compile ARPWatch is to make it. From the command line within the ARPWatch source code directory, type this:

make

ARPWatch will now compile and you'll see messages indicating the progress, as well as possibly a warning or two. The linker warning about mktemp below is worth understanding rather than ignoring: mktemp only generates a predictable temporary filename, so a local attacker can pre-create that name (for example as a symlink) before the program opens it, whereas mkstemp creates and opens the file atomically. The warning comes from ARPWatch's own report code, so there is nothing for you to fix at build time, but it is a reminder to keep the directory ARPWatch writes to restricted to root.

report.o(.text+0x409): the use of `mktemp' is dangerous, better use `mkstemp'
gcc -O2 -DDEBUG -DHAVE_FCNTL_H=1 -DHAVE_MEMORY_H=1 -DTIME_WITH_SYS_TIME=1 \
  -DHAVE_BCOPY=1 -DHAVE_STRERROR=1 -DRETSIGTYPE=void -DRETSIGVAL= \
  -DHAVE_SIGSET=1 -DDECLWAITSTATUS=int -DSTDC_HEADERS=1 \
  -DARPDIR=\"/usr/local/arpwatch\" -DPATH_SENDMAIL=\"/usr/sbin/sendmail\" \
  -I. -Ilinux-include -c ./arpsnmp.c
gcc -O2 -DDEBUG -DHAVE_FCNTL_H=1 -DHAVE_MEMORY_H=1 -DTIME_WITH_SYS_TIME=1 \
  -DHAVE_BCOPY=1 -DHAVE_STRERROR=1 -DRETSIGTYPE=void -DRETSIGVAL= \
  -DHAVE_SIGSET=1 -DDECLWAITSTATUS=int -DSTDC_HEADERS=1 \
  -DARPDIR=\"/usr/local/arpwatch\" -DPATH_SENDMAIL=\"/usr/sbin/sendmail\" \
  -I. -Ilinux-include -o arpsnmp \
  arpsnmp.o db.o dns.o ec.o file.o intoa.o \
  machdep.o util.o report.o setsignal.o version.o
report.o: In function `report':
report.o(.text+0x409): the use of `mktemp' is dangerous, better use `mkstemp'

After it's compiled, install ARPWatch with the following command:

make install

ARPWatch will be installed (by default) into /usr/local/sbin. This directory is usually in root's path, but if you type arpwatch and receive a command not found error, you probably need to preface the command with its directory, like this:

/usr/local/sbin/arpwatch

ARPWatch has to be started as root, because it opens the network interface in promiscuous mode through libpcap. On a machine with more than one interface, use -i to name the one to listen on (for example, arpwatch -i eth0); otherwise it picks the first one it finds.

As ARPWatch runs, it reports to the syslog daemon whenever it sees a new IP-to-MAC pairing (a "new station") or a change to one it already knows. On most systems syslog writes these to /var/log/messages (check your syslog configuration if they land elsewhere), so you can run a grep command to find out about the new hosts as ARPWatch finds them:

grep arpwatch /var/log/messages

Additionally, ARPWatch will also send email to the root account on a system detailing the new hosts as well. The email contains details such as the date, the IP address, and the MAC address:

hostname: client.example.com
ip address: 192.168.1.10
ethernet address: 0:e1:18:34:2f:e8
ethernet vendor: <unknown>
timestamp: Saturday, May 22, 2004 11:25:59 -0500

In both of these ways, it's possible to know virtually instantly when a new host appears on the network. Such information would be helpful to the security administrator in monitoring for possible unauthorized use of a network.
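The grep above only tells you that ARPWatch said something. The following script, which is an added example and not code from the book or from ARPWatch, separates the reports by kind and pulls out the addresses, which is what you actually need when deciding whether a host is authorized. The log lines in SAMPLE_LOG are constructed for the example; the arpwatch lines follow the daemon's "new station", "changed ethernet address" and "flip flop" message shapes, and the gw hostname and sshd line are filler.

```shell
#!/bin/sh
# Added example, not code from the original text or from ARPWatch itself:
# summarize arpwatch reports from a syslog file instead of just grepping.
# SAMPLE_LOG is constructed; its arpwatch lines follow the daemon's
# "new station", "changed ethernet address" and "flip flop" message shapes.

SAMPLE_LOG='May 22 11:25:59 gw arpwatch: new station 192.168.1.10 0:e1:18:34:2f:e8 eth0
May 22 11:26:03 gw sshd[2231]: Accepted publickey for admin from 192.168.1.5 port 40122
May 22 11:31:12 gw arpwatch: changed ethernet address 192.168.1.10 0:16:3e:0:1:2 (0:e1:18:34:2f:e8) eth0
May 22 11:31:40 gw arpwatch: flip flop 192.168.1.10 0:e1:18:34:2f:e8 (0:16:3e:0:1:2) eth0
May 22 11:40:00 gw arpwatch: new station 192.168.1.11 0:e1:18:34:2f:f0 eth0'

# count_arpwatch KIND   (reads syslog lines on stdin)
# KIND is new, changed or flipflop; prints the number of matching reports.
count_arpwatch() {
    case "$1" in
        new)      pat='arpwatch: new station ' ;;
        changed)  pat='arpwatch: changed ethernet address ' ;;
        flipflop) pat='arpwatch: flip flop ' ;;
        *) echo "usage: count_arpwatch new|changed|flipflop" >&2; return 2 ;;
    esac
    # grep -c still prints the count (0) when nothing matches, but exits 1;
    # swallow that so the function is safe under set -e
    grep -c -- "$pat" || true
}

# changed_hosts   (reads syslog lines on stdin)
# Prints "IP new-MAC (old-MAC)" for every changed-address report. A host
# whose MAC changes for no reason you know of (new NIC, DHCP lease reuse)
# is the classic sign of ARP spoofing or of a rogue box reusing an address.
changed_hosts() {
    awk '/arpwatch: changed ethernet address/ { print $(NF-3), $(NF-2), $(NF-1) }'
}

# new_stations   (reads syslog lines on stdin)
# Prints "IP MAC" for every newly seen station so the list can be compared
# against an inventory of authorized hardware addresses.
new_stations() {
    awk '/arpwatch: new station/ { print $(NF-2), $(NF-1) }'
}

# Stand-alone demonstration on the constructed sample. On a real system
# point the same functions at the log, e.g.  changed_hosts < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | new_stations
printf '%s\n' "$SAMPLE_LOG" | changed_hosts
```

The field arithmetic in awk counts from the end of the line ($NF is the interface name), so the functions do not depend on the syslog timestamp or hostname format in front of the arpwatch: tag, which varies between syslog implementations.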

ARPWatch will run in the background as a daemon, silently (or hopefully silently) going about its business and reporting back to you as needed. It keeps its database of known IP/MAC pairings in a file called arp.dat: the file is read when ARPWatch starts and written back when it exits (for example when the machine shuts down), so the entries survive a reboot. The location of this file varies greatly; the build above compiled in /usr/local/arpwatch (the -DARPDIR value in the make output), but distribution packages put it elsewhere, so if you need to find it, run find / -name "arp.dat". If you need to reset ARPWatch's monitoring database so that it will "pick up" all the hosts on the network again, stop the daemon first (otherwise it will write its in-memory copy back over your empty file when it exits), then run these commands from within the directory in which you locate arp.dat, and restart ARPWatch:

rm arp.dat
touch arp.dat

The touch is required: ARPWatch refuses to start if arp.dat does not exist. Expect a burst of "new station" reports after the restart as every active host is learned again.

A tip about using ARPWatch: Make sure that the ARPWatch data file, arp.dat, is monitored for unauthorized changes. If an attacker can alter this file and add his own entry manually, ARPWatch will treat that IP/MAC pairing as already known and won't alert you to the presence of the new host. Make sure that the arp.dat file is monitored by AIDE (covered in Chapter 12, "Filesystem Integrity") or through other similar means, and that it is writable only by root, since ARPWatch runs as root and needs no one else to touch it. Bear in mind also that ARPWatch only sees what is on the wire: an attacker who sets a machine to an IP and MAC pair that is already in arp.dat produces no "new station" report, although the resulting address flapping usually shows up as "flip flop" reports instead.
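AIDE is the right tool for this on a production host, but the check itself is simple enough to show in a few lines. The script below is an added example, not code from the book or from ARPWatch: it records a trusted copy and SHA-256 checksum of arp.dat after you have reviewed it, and later reports any entries that were added behind ARPWatch's back. The paths are assumptions, and the arp.dat lines in the demonstration are constructed, following the file's tab-separated layout of Ethernet address, IP address, timestamp and hostname.

```shell
#!/bin/sh
# Added example: detect unauthorized additions to arpwatch's arp.dat by
# comparing it with a trusted baseline copy. Not part of the original text.
# Paths are assumptions; arp.dat lines are constructed (tab-separated
# ethernet address, IP, timestamp, hostname, as arpwatch writes them).

# arpdat_baseline ARPDAT BASEDIR
# Record a trusted copy and its checksum; run this right after you have
# reviewed arp.dat by hand and while arpwatch is stopped, so the file is
# not rewritten underneath you.
arpdat_baseline() {
    arpdat="$1"; basedir="$2"
    mkdir -p "$basedir"
    cp "$arpdat" "$basedir/arp.dat.base"
    sha256sum "$arpdat" | awk '{ print $1 }' > "$basedir/arp.dat.sha256"
}

# arpdat_check ARPDAT BASEDIR
# Returns 0 if arp.dat still matches the baseline. Otherwise prints, on
# stdout, the lines present now that were not in the baseline (an entry an
# attacker slipped in suppresses the "new station" alert for that host)
# and returns 1. Entries arpwatch added legitimately also show up here;
# review them and re-run arpdat_baseline to accept them.
arpdat_check() {
    arpdat="$1"; basedir="$2"
    have=$(sha256sum "$arpdat" | awk '{ print $1 }')
    want=$(cat "$basedir/arp.dat.sha256")
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "arp.dat changed; entries not in baseline:" >&2
    sort "$basedir/arp.dat.base" > "$basedir/.base.sorted"
    # comm -13: suppress lines unique to the baseline and lines common to both
    sort "$arpdat" | comm -13 "$basedir/.base.sorted" -
    rm -f "$basedir/.base.sorted"
    return 1
}

# Stand-alone demonstration on constructed files in a scratch directory.
# On a real host: arpdat_baseline /usr/local/arpwatch/arp.dat /var/lib/arpdat-base
demo_dir=$(mktemp -d)
printf '0:e1:18:34:2f:e8\t192.168.1.10\t1085243159\tclient.example.com\n' > "$demo_dir/arp.dat"
arpdat_baseline "$demo_dir/arp.dat" "$demo_dir/base"
# simulate an attacker pre-registering a host so arpwatch stays quiet about it
printf '0:de:ad:be:ef:1\t192.168.1.99\t1085243200\trogue\n' >> "$demo_dir/arp.dat"
arpdat_check "$demo_dir/arp.dat" "$demo_dir/base" || echo "(check failed as expected)"
rm -rf "$demo_dir"
```

Keep the baseline directory on a filesystem the attacker cannot write to (or off the host entirely); a checksum stored next to the file it protects is only as trustworthy as the file.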
