Arpwatch Tool to Monitor Ethernet Activity in Linux


Arpwatch is an open source computer software program that helps you monitor Ethernet traffic activity (such as changing IP and MAC addresses) on your network and maintains a database of ethernet/ip address pairings. It produces a log of the observed IP and MAC address pairings together with timestamps, so you can watch closely when a pairing activity appeared on the network. It also has the option to send reports to the network administrator by e-mail when a pairing is added or changed.

This tool is especially useful for network administrators who want to monitor ARP activity in order to detect ARP spoofing or unexpected IP/MAC address changes.

Installing Arpwatch in Linux

By default, the Arpwatch tool is not installed in any Linux distribution. We need to install it manually using the 'yum' command on RHEL, CentOS and Fedora, and 'apt-get' on Ubuntu, Linux Mint and Debian.

# yum install arpwatch
$ sudo apt-get install arpwatch

Let's look at the most important arpwatch files; their locations differ slightly depending on your operating system.

  1. /etc/rc.d/init.d/arpwatch: The arpwatch service script used to start or stop the daemon.
  2. /etc/sysconfig/arpwatch: This is the main configuration file…
  3. /usr/sbin/arpwatch: The binary command used to start and stop the tool from the terminal.
  4. /var/arpwatch/arp.dat: This is the main database file where the IP/MAC address pairings are recorded.
  5. /var/log/messages: The log file where arpwatch writes any IP/MAC changes or unusual activity.

Type the following command to start the Arpwatch service.

# chkconfig --level 35 arpwatch on
# /etc/init.d/arpwatch start
$ sudo chkconfig --level 35 arpwatch on
$ sudo /etc/init.d/arpwatch start

To watch a specific interface, type the following command with “-i” and the device name.

# arpwatch -i eth0

This way, whenever a new MAC is connected or a given IP changes its MAC address on the network, you will see syslog entries in the /var/log/syslog or /var/log/messages file.

# tail -f /var/log/messages
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45

The above output shows a new workstation. If a change is made, you will get the following output.

Apr 15 12:45:17 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
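As an added example (not part of the original article), the following Python script parses the "new station" / "changed station" lines shown above from a constructed sample of /var/log/messages, normalises the MACs to the zero-padded form that `arp -a` prints, and flags IPs whose MAC changed as well as any MAC that now answers for more than one IP, which is the pattern an administrator looks for when reviewing these logs.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages, modelled on the arpwatch output above;
# the sshd line shows that unrelated syslog entries are skipped.
SAMPLE_LOG = """\
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:46:02 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
Apr 15 12:46:30 tecmint sshd[1234]: Accepted publickey for admin from 172.16.16.64
Apr 15 12:47:11 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
"""

# syslog prefix, then "<kind> <ip> <mac>" with "(<old mac>)" appended on changes
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ arpwatch: "
    r"(?P<kind>new station|changed station) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>[0-9a-f:]+)(?: \((?P<old>[0-9a-f:]+)\))?$")

def normalize_mac(mac):
    """arpwatch drops leading zeros (d0:67:e5:c:9:67); pad octets to match `arp -a`."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_events(text):
    """Return the arpwatch station events found in syslog text, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an arpwatch station line
        events.append({"ts": m["ts"], "kind": m["kind"], "ip": m["ip"],
                       "mac": normalize_mac(m["mac"]),
                       "old": normalize_mac(m["old"]) if m["old"] else None})
    return events

def suspicious(events):
    """Replay events into an IP -> MAC map; report IPs whose MAC changed and
    MACs that now answer for more than one IP (both deserve a closer look)."""
    current, changed = {}, set()
    for e in events:
        current[e["ip"]] = e["mac"]
        if e["kind"] == "changed station":
            changed.add(e["ip"])
    ips_by_mac = defaultdict(set)
    for ip, mac in current.items():
        ips_by_mac[mac].add(ip)
    shared = {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return changed, shared
```

Pipe real log lines in with `parse_events(open("/var/log/messages").read())`; a single MAC showing up under several IPs shortly after "changed station" events is worth checking against the switch's port table.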

You can also check the current ARP table using the following command.

# arp -a
linux-console.net (172.16.16.94) at 00:14:5e:67:26:1d [ether] on eth0
? (172.16.25.125) at b8:ac:6f:2e:57:b3 [ether] on eth0

If you want alerts sent to a custom e-mail id, open the main configuration file '/etc/sysconfig/arpwatch' and add the e-mail address as shown below (admin@example.com is a placeholder; use your own address).

# -u <username> : defines with what user id arpwatch should run
# -e <email>    : the <email> where to send the reports
# -s <from>     : the <from>-address
OPTIONS="-u arpwatch -e admin@example.com -s 'root (Arpwatch)'"

Here is an example of the e-mail report sent when a new MAC is connected.

        hostname: centos
      ip address: 172.16.16.25
       interface: eth0
ethernet address: 00:24:1d:76:e4:1d
 ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
       timestamp: Monday, April 15, 2012 15:32:29

Here is an example of the e-mail report sent when an IP changes its MAC address.

            hostname: centos
          ip address: 172.16.16.25
           interface: eth0
    ethernet address: 00:56:1d:36:e6:fd
     ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
old ethernet address: 00:24:1d:76:e4:1d
           timestamp: Monday, April 15, 2012 15:43:45
  previous timestamp: Monday, April 15, 2012 15:32:29
               delta: 9 minutes

As you can see above, the hostname, IP address, MAC address, vendor name and timestamps are recorded. For more information, read the arpwatch man page by typing “man arpwatch” in the terminal.