Arpwatch

Arpwatch is a classic, a tool that we can deploy in our organization in less than a minute. Its operation is very simple: it sends us an alert when it detects a new computer on the network, a new MAC, or a MAC change. Ideal for detecting intruders or unwanted visitors on different network segments.

Well, Arpwatch can run on any Linux machine as a daemon. Installation is very simple; on Debian-based distributions we install it with:

sudo apt-get install arpwatch -y

We add the following two lines to its configuration file /etc/default/arpwatch, the first indicating the email address where we will receive the alerts, and the second the name of the interface it will listen on:

...
IFACE_ARGS="-m di*****************@do*****.eso"
...
INTERFACES="ens160"
...

If we want the machine itself to send the emails, we need to install ssmtp and mailutils:

sudo apt-get install ssmtp mailutils -y

And we edit its configuration file, /etc/ssmtp/ssmtp.conf, leaving something like:
#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=Ar******@do*****.eso

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=mail.dominio.eso

# Where will the mail seem to come from?
#rewriteDomain=

# The full hostname
hostname=dominio.eso

# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES

AuthUser=us*****@do*****.eso
AuthPass=CONTRASEÑA

We can try sending a test email and check that it goes out:
echo "Que pasa por tu casa" | mail -s Prueba dirección_*********@do*****.eso

We can view the arpwatch logs in syslog:
sudo tail -f /var/log/syslog |grep arpwatch
...
Nov 14 17:14:45 os-honeypot-01 systemd[1]: Starting arpwatch service on interface ens160...
Nov 14 17:14:45 os-honeypot-01 systemd[1]: Started arpwatch service on interface ens160.
Nov 14 17:14:45 os-honeypot-01 arpwatch: Running as uid=113 gid=116
Nov 14 17:14:45 os-honeypot-01 arpwatch: listening on ens160
Nov 14 17:15:23 os-honeypot-01 arpwatch: New Station 192.168.1.85 00:50:56:8f:ff:7a ens160
Nov 14 17:15:25 os-honeypot-01 sSMTP[29753]: Sent mail for Ar******@do*****.eso (221 2.0.0 Bye) uid=113 username=arpwatch outbytes=699
Nov 14 17:16:09 os-honeypot-01 arpwatch: New Station 192.168.1.196 b0:4a:39:2d:F9:0a ens160
Nov 14 17:16:11 os-honeypot-01 sSMTP[29756]: Sent mail for Ar******@do*****.eso (221 2.0.0 Bye) uid=113 username=arpwatch outbytes=699
...
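
The detection side of what the log above shows, as an added example that is not part of the original post or of the arpwatch project: a Python parser that turns arpwatch syslog lines into structured alerts and lists any IP reported with more than one MAC. The sample lines are constructed, and the "changed ethernet address" and "flip flop" report types are an assumption about arpwatch's other messages, not taken from the capture above.

```python
import re

# Constructed sample lines modelled on the capture above; the "changed ethernet
# address" and "flip flop" report types are assumed here, not taken from the page.
SAMPLE_LOG = """\
Nov 14 17:14:45 os-honeypot-01 arpwatch: listening on ens160
Nov 14 17:15:23 os-honeypot-01 arpwatch: New Station 192.168.1.85 00:50:56:8f:ff:7a ens160
Nov 14 17:16:09 os-honeypot-01 arpwatch: New Station 192.168.1.196 b0:4a:39:2d:F9:0a ens160
Nov 14 17:20:02 os-honeypot-01 arpwatch: changed ethernet address 192.168.1.1 0:c:29:aa:bb:cc (0:c:29:aa:bb:1) ens160
Nov 14 17:21:40 os-honeypot-01 arpwatch: flip flop 192.168.1.1 0:c:29:aa:bb:1 (0:c:29:aa:bb:cc) ens160
Nov 14 17:21:42 os-honeypot-01 sSMTP[29753]: Sent mail for arpwatch@example.invalid (221 2.0.0 Bye)
"""

EVENT = re.compile(
    r"arpwatch: (?P<kind>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)(?: \((?P<old>[0-9a-f:]+)\))? (?P<iface>\S+)",
    re.IGNORECASE,
)

# A flip flop (one IP alternating between two MACs) is the classic ARP-spoofing sign.
SEVERITY = {"flip flop": "high", "changed ethernet address": "medium", "new station": "info"}

def norm_mac(mac):
    """Lowercase and zero-pad each octet so 0:c:29:.. and 00:0C:29:.. compare equal."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_events(log_text):
    """One dict per arpwatch event line; sSMTP and other syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        kind = m["kind"].lower()
        events.append({"ts": line[:15], "kind": kind, "ip": m["ip"],
                       "mac": norm_mac(m["mac"]),
                       "old_mac": norm_mac(m["old"]) if m["old"] else None,
                       "iface": m["iface"], "severity": SEVERITY[kind]})
    return events

def suspicious_hosts(events):
    """IPs arpwatch has reported with more than one MAC: candidates for ARP poisoning."""
    seen = {}
    for e in events:
        seen.setdefault(e["ip"], set()).update(filter(None, (e["mac"], e["old_mac"])))
    return sorted(ip for ip, macs in seen.items() if len(macs) > 1)

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(*events, "suspicious:", suspicious_hosts(events), sep="\n")
```

Pointing it at a real file instead of SAMPLE_LOG means reading /var/log/syslog (or the journal) and feeding its text to parse_events.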

And in our email we will be able to verify how it detects all the computers on the network, and it will notify us of any change they undergo, whether a MAC changes or a new one is added to the network. We will know instantly about any intruder, and we can guard against ARP poisoning or ARP spoofing…
I hope it can help someone; it is a utility that I believe fits any type of company. In addition, if we have a pfSense firewall, we can integrate it directly there.
A hug to all, may it go VERY well 🙂

Author

nheobug@bujarra.com
Author of the blog Bujarra.com. Whatever need you have, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;). Enjoy the documents!!!