{"id":2894,"date":"2018-07-28T17:06:43","date_gmt":"2018-07-28T17:06:43","guid":{"rendered":"https:\/\/tst-amo.net.ua\/blog\/?p=2894"},"modified":"2020-01-17T11:25:51","modified_gmt":"2020-01-17T11:25:51","slug":"arpwatch","status":"publish","type":"post","link":"https:\/\/tst-amo.net.ua\/blog\/?p=2894","title":{"rendered":"arpwatch"},"content":{"rendered":"

arpwatch<\/b>\u00a0\u2014 \u0434\u0435\u043c\u043e\u043d, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0435\u0442 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0438\u0435 \u043c\u0435\u0436\u0434\u0443 IP \u0438 MAC-\u0430\u0434\u0440\u0435\u0441\u0430\u043c\u0438, \u0438 \u043f\u0440\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u0438 \u0430\u043d\u043e\u043c\u0430\u043b\u0438\u0439, \u0441\u043e\u043e\u0431\u0449\u0430\u044e\u0449\u0438\u0439 \u043e\u0431 \u044d\u0442\u043e\u043c \u0432 Syslog. \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u043a\u0430\u043a \u043e\u0434\u0438\u043d \u0438\u0437 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u043e\u0432 \u0434\u043b\u044f \u0431\u043e\u0440\u044c\u0431\u044b \u0441\u00a0ARP-spoofing’\u043e\u043c.<\/p>\n

\u0414\u0435\u043c\u043e\u043d \u0430\u043d\u0430\u043b\u0438\u0437\u0438\u0440\u0443\u0435\u0442\u00a0ARP-\u043e\u0442\u0432\u0435\u0442\u044b\u00a0\u043d\u0430\u00a0\u0441\u0435\u0442\u0435\u0432\u043e\u043c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0435, \u043a \u043a\u043e\u0442\u043e\u0440\u043e\u043c\u0443 \u043e\u043d \u043f\u0440\u0438\u0432\u044f\u0437\u0430\u043d, \u0438 \u0437\u0430\u043f\u043e\u043c\u0438\u043d\u0430\u0435\u0442 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0438\u0435\u00a0IP-\u0430\u0434\u0440\u0435\u0441\u043e\u0432\u00a0\u0438\u00a0MAC-\u0430\u0434\u0440\u0435\u0441\u043e\u0432. \u041a\u0430\u043a \u0442\u043e\u043b\u044c\u043a\u043e \u043e\u043d \u0432\u0438\u0434\u0438\u0442, \u0447\u0442\u043e \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0438\u0435 \u043d\u0430\u0440\u0443\u0448\u0435\u043d\u043e, \u0438\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u0442 \u043f\u043e\u044f\u0432\u043b\u0435\u043d\u0438\u0435 \u043d\u043e\u0432\u044b\u0445 \u0430\u0434\u0440\u0435\u0441\u043e\u0432 \u0432 \u0441\u0435\u0442\u0438, \u043e\u043d \u0441\u043e\u043e\u0431\u0449\u0430\u0435\u0442 \u043e\u0431 \u044d\u0442\u043e\u043c \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u043d\u044b\u0439 \u0436\u0443\u0440\u043d\u0430\u043b (syslog).<\/p>\n

# yum install arpwatch<\/pre>\n
\u041a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u0443\u0435\u043c:<\/p>\n
$ cat \/etc\/sysconfig\/arpwatch\r\nOPTIONS=\"-i enp5s0<\/span> -f arp.dat -u arpwatch -e admin@example.com<\/span> -s 'root (Arpwatch)'\"<\/pre>\n
$ sudo systemctl start arpwatch\r\n$ sudo systemctl enable arpwatch<\/pre>\n
\/var\/lib\/arpwatch - default directory\r\n          arp.dat - ethernet\/ip address database\r\n   ethercodes.dat - vendor ethernet block list<\/pre>\n
\u041f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e, \u0434\u0435\u043c\u043e\u043d \u043f\u0438\u0448\u0435\u0442 \u043b\u043e\u0433\u0438 \u0432 \/var\/log\/messages, \u0447\u0442\u043e \u0431\u044b \u043d\u0435 \u043c\u0443\u0441\u043e\u0440\u0438\u0442\u044c \u0432 \u044d\u0442\u043e\u0442 \u0444\u0430\u0439\u043b \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u0438\u043c \u0432 \u043e\u0442\u0434\u0435\u043b\u044c\u043d\u044b\u0439 \u043b\u043e\u0433. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0441\u043e\u0437\u0434\u0430\u0435\u043c \u0444\u0430\u0439\u043b \u043b\u043e\u0433\u043e\u0432 \u0438 \u0444\u0430\u0439\u043b \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u0434\u043b\u044f rsyslog<\/p>\n
# touch \/var\/log\/arpwatch.log\r\n\r\n# vi \/etc\/rsyslog.d\/arpwatch.conf\r\nif ( $programname startswith \"arpwatch\" ) then {\r\naction(type=\"omfile\" file=\"\/var\/log\/arpwatch.log\")\r\nstop\r\n}<\/pre>\n
\u041f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c \u0438 \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u043c:<\/p>\n
# rsyslogd -N 1\r\n# systemctl restart rsyslog<\/pre>\n
\u0422\u0430\u043a \u043a\u0430\u043a \u0432 \u043f\u0435\u0440\u0432\u044b\u0445 \u0442\u0440\u0435\u0445 \u043e\u043a\u0442\u0435\u0442\u0430\u0445 \u041c\u0410\u0421-\u0430\u0434\u0440\u0435\u0441\u0430 \u043a\u043e\u0434\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044c \u043e\u0431\u043e\u0440\u0443\u0434\u043e\u0432\u0430\u043d\u0438\u044f, \u043d\u0430\u043c \u0436\u0435\u043b\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u0438\u043c\u0435\u0442\u044c \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u0443\u044e \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u0443\u044e \u0431\u0430\u0437\u0443 \u041c\u0410\u0421\/\u041f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044c. \u041e\u0431\u043d\u043e\u0432\u043b\u044f\u0435\u043c \u0431\u0430\u0437\u0443 MAC \u0430\u0434\u0440\u0435\u0441\u043e\u0432:<\/p>\n
# vi arpwatch_update_mac.sh\r\n\r\n#!\/bin\/bash\r\n# update_mac_addresses.sh\r\n# This script downloads the currect mac address data from the IEEE and parses it for nmap and arpwatch.\r\n# nmap-mac-prefixes is for nmap.\r\n# ethercodes.dat is arpwatch.\r\n\r\n# Download the current data\r\n\r\nwget http:\/\/standards-oui.ieee.org\/oui\/oui.txt<\/span>\r\n\r\n# Divide the data into Manufacturer and Address files\r\ncat oui.txt | grep '(base 16)' | cut -f3 > mac.manufacturer\r\ncat oui.txt | grep '(base 16)' | cut -f1 -d' ' > mac.address\r\n\r\n# Paste them back together for nmap data\r\npaste mac.address mac.manufacturer > nmap-mac-prefixes\r\n\r\n# Parse the address data for arpwatch\r\ncat mac.address | perl -pe 's\/^(([^0].)|0(.))(([^0].)|0(.))(([^0].)|0(.))\/\\2\\3:\\5\\6:\\8\\9\/' > tmp.address\r\ncat tmp.address | tr [A-Z] [a-z] > mac.address\r\n\r\n# Paste the parsed data into the arpwatch file\r\npaste mac.address mac.manufacturer > \/var\/lib\/arpwatch\/ethercodes.dat<\/span>\r\n\r\n# Clean up intermediary files\r\nrm tmp.address\r\nrm mac.address\r\nrm mac.manufacturer\r\nrm oui.txt<\/pre>\n
\u0414\u0435\u043b\u0430\u0435\u043c \u0444\u0430\u0439\u043b \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u044b\u043c \u0438 \u043f\u0440\u043e\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u043c \u0432 cron \u0434\u043b\u044f \u0435\u0436\u0435\u043c\u0435\u0441\u044f\u0447\u043d\u043e\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f:<\/p>\n
# chmod +x arpwatch_update_mac.sh<\/pre>\n
# crontab -e\r\n@monthly\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/home\/svm\/bin\/arpwatch_update_mac.sh<\/pre>\n
ARPWatch<\/strong>\u00a0\u0440\u0430\u0441\u0441\u044b\u043b\u0430\u0435\u0442 \u0447\u0435\u0442\u044b\u0440\u0435 \u0432\u0438\u0434\u0430 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0439.<\/p>\n