Arpwatch Tool to Monitor Ethernet Activity in Linux


Arpwatch is an open source computer software program that helps you monitor Ethernet traffic activity (such as changing IP and MAC addresses) on your network and maintains a database of ethernet/ip address pairings. It produces a log of the IP and MAC address pairings it observes, together with timestamps, so you can see exactly when a pairing first appeared on the network. It also has an option to send a report by email to the network administrator whenever a pairing is added or changed.

This tool is especially useful for network administrators who want to keep watch on ARP activity in order to detect ARP spoofing or unexpected IP/MAC address changes.

Installing Arpwatch in Linux

By default, the Arpwatch tool is not installed on any Linux distribution. We have to install it manually using the 'yum' command on RHEL, CentOS and Fedora, and 'apt-get' on Ubuntu, Linux Mint and Debian.

# yum install arpwatch
$ sudo apt-get install arpwatch

Let us focus on some of the important arpwatch files; their locations differ slightly depending on your operating system.

  1. /etc/rc.d/init.d/arpwatch: Arpwatch service script to start or stop the daemon.
  2. /etc/sysconfig/arpwatch: This is the main configuration file…
  3. /usr/sbin/arpwatch: The binary used to start and stop the tool from the terminal.
  4. /var/arpwatch/arp.dat: This is the main database file where the IP/MAC address pairings are recorded.
  5. /var/log/messages: The log file, where arpwatch writes every change or other unusual IP/MAC activity.

Type the following commands to start the arpwatch service.

# chkconfig --level 35 arpwatch on
# /etc/init.d/arpwatch start
$ sudo chkconfig --level 35 arpwatch on
$ sudo /etc/init.d/arpwatch start

To watch a specific interface, type the following command with the '-i' option and the device name.

# arpwatch -i eth0

So, whenever a new MAC is plugged in or an existing IP changes its MAC address on the network, you will see syslog entries in the '/var/log/syslog' or '/var/log/messages' file.

# tail -f /var/log/messages
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45

The entries above show new station activity. If any changes are made to an existing pairing, you will get output like the following.

Apr 15 12:45:17 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
Apr 15 12:45:19 tecmint arpwatch: changed station 172.16.25.86 0:f0:b8:26:82:56 (0:d0:b7:23:72:45)
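As an added example (not part of the original article), here is a small Python parser for the 'new station' and 'changed station' lines shown above. It flags any IP whose MAC address flips more than a set number of times within a short window, which is the pattern an administrator would want to alert on rather than a single legitimate hardware change. The log lines it uses are constructed in the same format as the output above; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape arpwatch writes to /var/log/messages.
SAMPLE_LOG = """\
Apr 15 12:45:17 tecmint arpwatch: new station 172.16.16.64 d0:67:e5:c:9:67
Apr 15 12:45:19 tecmint arpwatch: new station 172.16.25.86 0:d0:b7:23:72:45
Apr 15 12:46:02 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
Apr 15 12:46:40 tecmint arpwatch: changed station 172.16.16.64 d0:67:e5:c:9:67 (0:f0:b8:26:82:56)
Apr 15 12:47:05 tecmint arpwatch: changed station 172.16.16.64 0:f0:b8:26:82:56 (d0:67:e5:c:9:67)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ arpwatch: "
    r"(?P<event>new station|changed station) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>[0-9a-fA-F:]+)(?: \((?P<old>[0-9a-fA-F:]+)\))?$"
)

def normalise_mac(mac):
    """arpwatch prints octets without zero padding (e.g. 0:d0:b7); pad each to 2 hex digits."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_line(line, year=2012):
    """Parse one syslog line; return a dict or None for lines that are not arpwatch events.
    Syslog timestamps carry no year, so the year is supplied by the caller (assumed 2012)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "event": m["event"], "ip": m["ip"],
            "mac": normalise_mac(m["mac"]),
            "old": normalise_mac(m["old"]) if m["old"] else None}

def find_flip_flops(log_text, max_changes=2, window_seconds=600):
    """Return {ip: count} for IPs whose MAC changed more than max_changes times
    inside any window of window_seconds (thresholds are assumed values)."""
    changes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "changed station":
            changes[rec["ip"]].append(rec["ts"])
    suspicious = {}
    for ip, stamps in changes.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i  # extend the window forward from change i as far as it fits
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 > max_changes:
                suspicious[ip] = max(suspicious.get(ip, 0), j - i + 1)
    return suspicious
```

Running `find_flip_flops(SAMPLE_LOG)` reports 172.16.16.64 with three changes in about a minute, while the single 'new station' entries are ignored.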

You can also check the current ARP table using the following command.

# arp -a
linux-console.net (172.16.16.94) at 00:14:5e:67:26:1d [ether] on eth0
? (172.16.25.125) at b8:ac:6f:2e:57:b3 [ether] on eth0

If you want to send alerts to a custom email address, open the main configuration file '/etc/sysconfig/arpwatch' and add the email as shown below.

# -u <username> : defines with what user id arpwatch should run
# -e <email>    : the <email> where to send the reports
# -s <from>     : the <from>-address
OPTIONS="-u arpwatch -e <email> -s 'root (Arpwatch)'"

Here is a sample email report sent when a new MAC is connected.

        hostname: centos
      ip address: 172.16.16.25
       interface: eth0
ethernet address: 00:24:1d:76:e4:1d
 ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
       timestamp: Monday, April 15, 2012 15:32:29

Here is a sample email report sent when an IP changes its MAC address.

            hostname: centos
          ip address: 172.16.16.25
           interface: eth0
    ethernet address: 00:56:1d:36:e6:fd
     ethernet vendor: GIGA-BYTE TECHNOLOGY CO.,LTD.
old ethernet address: 00:24:1d:76:e4:1d
           timestamp: Monday, April 15, 2012 15:43:45
  previous timestamp: Monday, April 15, 2012 15:32:29 
               delta: 9 minutes

As you can see above, it records the hostname, IP address, MAC address, vendor name and timestamps. For more information, see the arpwatch man page by typing 'man arpwatch' at the terminal.