Nethserver-arpwatch: Needs Tests

Don’t say sorry, we’re all here to learn from others. :fishing_pole_and_fish:

You are a padawan developer, the way is sometimes much longer than we would

1 Like

@dz00te these are you and @stephdl on your shoulders

2 Likes

This rpm comes from SME Server, which was supposed to have only one internal NIC, therefore the rpm was not intended to find which NIC has a green role, but NethServer leaves a lot of freedom in the choices of your network. IMHO the rpm needs to be adapted to this kind of configuration, and we must implement the multiple NIC case (one daemon and one arp-ethX.dat file for each NIC).

A fallback choice should be to propose the rpm like you did and let the sysadmin decide which unique NIC is monitored.

From my point of view, the gui is really not mandatory; this rpm is aimed at sysadmins who need to keep information about the IP/MAC pairs connected to their local network, but of course, now that it has been said, someone will come with this need :smile:

With smeserver-geoip we have the same issue: the geoip database needs to be updated from time to time, by a cron each month, and after the installation.

1 Like

Finally today I've had some hours to dedicate to code (well, to try to code :grin: )
I think I've solved how to find multiple eth on green and generate the correct config, and tested with the customized init.d script it works… what is not clear to me is this part:

Do you know where I can find some info or some examples in other contribs, or have any hints on how to overwrite the init.d script?

tnx

1 Like

simply make a new template of the initscript, I mean this

/etc/e-smith/templates/etc/rc.d/init.d/arpwatch/10base

then of course expand it with nethserver-arpwatch-{update,save}

you will probably need to set ownership and permissions: Templates — NethServer 7 documentation

create a file /etc/e-smith/templates.metadata/etc/rc.d/init.d/arpwatch with the relevant content, for example

```
UID="root"
GID="root"
PERMS=0755
```
1 Like

Another solution could be to create an upstart job, see /etc/e-smith/templates.metadata/etc/init/httpd-admin.conf for example.

If I recall the documentation correctly, the upstart init script has priority over a sysvinit script, so it is used first… but I have not played with upstart scripts, so I have no example in my modules I can point you to.

1 Like

I am interested in how this is going :point_up_2:

@dz00te would you like to add it on our NethForge? @giacomo @davidep how can we move forward?

I’ve been watching this thread for some time; this package does something very similar to a shell script/daemon I wrote. But my shell script/daemon takes it a step further: when it recognizes a new device on the network (not within an open DHCP range) it adds the IP/MAC address to the available Linux firewalls on the network. This is the default setup; if I change the sensitivity to strict, it would also add the IP/MAC address of a newly discovered device in the open DHCP range to the firewalls. The script must have sudo access of course, because the iptables command requires it, and it also must be able to log in to other Linux boxes without an SSH password.

Adding IP addresses on Linux firewalls is relatively simple, but finding a way to do this on NethServer was challenging. Instead I opted to use MAC addresses. In order to do that I needed to create a custom template for shorewall where the BLACKLIST option is changed to “NEW,INVALID,UNTRACKED” so that I can dynamically add and remove the MACs.

The shell script/daemon consists of three files: a configuration file, the daemon, and the shell script itself. If anyone is interested in looking at the concept I can certainly upload it to GitHub. It may take some time because I’d have to remove a number of personal settings.

2 Likes

@alefattorini
honestly… I don’t remember what I'm missing to finish the package; I’ll check it and will update the status soon. And yes, if it is ever finished/stable, the idea is to put it on NethForge, but I must admit that lately, in the short time I have available, ns7alpha has a high priority :smirk:

@islipfd19
Nice idea, if I ever finish the package I’ll ask you for the script, tnx :wink:

@islipfd19 as we have introduced fail2ban, we can make things work through it

Great idea! I’m thinking some type of trigger from arpwatch to fail2ban to blacklist the offending MAC/IP address and then a way to whitelist it after additional review.

I failed to mention that my shell script also sends notifications using any of the mail apps, such as postfix or sendmail, as long as it's configured properly of course. My shell script also has a mechanism to whitelist the MAC/IP address; it is CLI driven. Again, my script detects any unknown IP/MAC on the local network. At the heart of the script is nmap, which performs a ping sweep of the network and grabs all the MAC addresses, then compares them to a predefined list of MACs in its configuration file and the list of MACs obtained from the DHCP config file. When time permits I’ll upload it to GitHub.

When the author thinks the package is finished, we can move it to the forge.
We can also give access directly to the forge :wink:

@islipfd19 please attach log, I have created an issue on Fail2ban so they could help to develop arpwatch log monitoring.

I don’t have a log, there may have been some confusion. I currently don’t use Fail2ban or arpwatch, the script I’m referring to is something that I designed and wrote. I believe it would be a “Nice to have” feature for both.

I have submitted logs to Fail2ban already, so wait for new Jail
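The log monitoring discussed in the last few posts (a jail watching arpwatch's syslog messages, blacklisting an offending MAC, then whitelisting it after review) can be prototyped without fail2ban. The following is an added example, not code from nethserver-arpwatch, from fail2ban or from islipfd19's script. It assumes the three message forms arpwatch writes to syslog ("new station", "changed ethernet address", "flip flop"); the log lines and the known-station list are constructed for the example, not captured from a real host.

```python
"""Classify arpwatch syslog events against a list of known stations.

Added example (not part of nethserver-arpwatch or fail2ban). Assumed
arpwatch message forms, with the interface name last:
    new station <ip> <mac> <iface>
    changed ethernet address <ip> <mac> (<old mac>) <iface>
    flip flop <ip> <mac> (<old mac>) <iface>
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "kind ip mac old_mac iface")

# arpwatch prints octets without leading zeros ("0:11:22:33:44:55"), so
# accept one or two hex digits per octet.
MAC = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
PREFIX = r"arpwatch(?:\[\d+\])?: "
PATTERNS = [
    ("new station", re.compile(PREFIX + rf"new station (\S+) ({MAC}) (\S+)")),
    ("changed ethernet address",
     re.compile(PREFIX + rf"changed ethernet address (\S+) ({MAC}) \(({MAC})\) (\S+)")),
    ("flip flop", re.compile(PREFIX + rf"flip flop (\S+) ({MAC}) \(({MAC})\) (\S+)")),
]


def normalize_mac(mac):
    """Zero-pad and lowercase so '0:a:95:1:2:3' and '00:0A:95:01:02:03' compare equal."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))


def parse_event(line):
    """Return an Event for an arpwatch line, or None for anything else."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        g = m.groups()
        if kind == "new station":
            return Event(kind, g[0], normalize_mac(g[1]), None, g[2])
        return Event(kind, g[0], normalize_mac(g[1]), normalize_mac(g[2]), g[3])
    return None


def classify(event, known):
    """Severity for one event; `known` maps ip -> expected MAC (e.g. static leases).

    new station, ip/mac pair as expected      -> info
    new station, MAC never seen in the list   -> alert (foreign device)
    new station, known MAC on another address -> notice (moved device)
    changed ethernet address                  -> alert (spoofing or device swap, review it)
    flip flop                                 -> warning (two hosts answering for one IP)
    """
    if event.kind == "new station":
        if known.get(event.ip) == event.mac:
            return "info"
        if event.mac in known.values():
            return "notice"
        return "alert"
    if event.kind == "changed ethernet address":
        return "alert"
    return "warning"


def scan(log_text, known):
    """Run every line through parse_event/classify; returns (severity, Event) pairs."""
    results = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None:
            results.append((classify(ev, known), ev))
    return results


def macs_to_review(results):
    """MACs behind alert-level events: the candidates for a blacklist-then-review step."""
    return sorted({ev.mac for sev, ev in results if sev == "alert"})


# Constructed sample log (hostname "ns", interface eth0); not real traffic.
SAMPLE_LOG = """\
Mar  1 10:00:01 ns arpwatch: new station 192.168.1.10 0:11:22:33:44:55 eth0
Mar  1 10:00:07 ns arpwatch: new station 192.168.1.77 de:ad:be:ef:0:1 eth0
Mar  1 10:02:30 ns arpwatch: changed ethernet address 192.168.1.10 de:ad:be:ef:0:1 (0:11:22:33:44:55) eth0
Mar  1 10:03:00 ns arpwatch: flip flop 192.168.1.10 0:11:22:33:44:55 (de:ad:be:ef:0:1) eth0
Mar  1 10:04:00 ns sshd[123]: Accepted publickey for root from 192.168.1.10
"""

# Constructed allowlist: ip -> MAC, as one would take from DHCP static leases.
KNOWN_STATIONS = {"192.168.1.10": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for severity, ev in scan(SAMPLE_LOG, KNOWN_STATIONS):
        print(f"{severity:8} {ev.kind:24} {ev.ip:15} {ev.mac} on {ev.iface}")
    print("review:", macs_to_review(scan(SAMPLE_LOG, KNOWN_STATIONS)))
```

The allowlist is keyed by IP so that a "changed ethernet address" for a statically assigned host is flagged even when the new MAC is itself known; a fail2ban action would receive the MAC from `macs_to_review` rather than an IP, which matches the shorewall MAC-based blacklist approach described earlier in the thread.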

updated version on first post…

I left it too long; I remember that there was something I wanted to change/check but I don’t remember what… :pensive:

so for now:

  • after install, the service is enabled and configured on all eth on green
  • it should work also with multiple eth
  • mail is sent by default to root

still to do:

  1. implement a script to update ethercodes.dat using the Sanitized IEEE OUI Data (oui.txt) (or put the file in a separate rpm, or … honestly I’m not sure at the moment how to do it, but I would like to have it updated :))
  2. a gui (???) if i will ever complete points 2 and 3 :smile:

and a lot of testing :slight_smile:

2 Likes
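Point 1 of the to-do list above (refreshing ethercodes.dat from the IEEE oui.txt) is a plain text conversion. Below is an added example of that conversion, not code from nethserver-arpwatch or from arpwatch itself. It assumes oui.txt carries one "(hex)" line per prefix (for example "00-00-0C   (hex)   CISCO SYSTEMS, INC") and that ethercodes.dat uses the layout arpwatch's own massagevendor script produces: lowercase hex octets without leading zeros, a tab, then the vendor name. The oui.txt excerpt embedded below is constructed and abridged.

```python
"""Build arpwatch's ethercodes.dat from the IEEE OUI registry (oui.txt).

Added example, not part of nethserver-arpwatch. Assumed formats:
  oui.txt line:        00-00-0C   (hex)        CISCO SYSTEMS, INC
  ethercodes.dat line: 0:0:c<TAB>CISCO SYSTEMS, INC
"""
import os
import re

HEX_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.*\S)\s*$"
)


def _short_prefix(octets):
    """('00', '0A', '95') -> '0:a:95', the form arpwatch keys its table by."""
    return ":".join(format(int(o, 16), "x") for o in octets)


def _prefix_key(prefix):
    """Sort numerically by octet rather than as text."""
    return tuple(int(x, 16) for x in prefix.split(":"))


def oui_to_ethercodes(oui_text):
    """Return the lines of ethercodes.dat, one per OUI, sorted by prefix."""
    table = {}
    for line in oui_text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # "(base 16)" lines, postal addresses and headers are skipped
        prefix = _short_prefix(m.group(1, 2, 3))
        table.setdefault(prefix, m.group(4))  # first name wins if a prefix repeats
    return [f"{p}\t{table[p]}" for p in sorted(table, key=_prefix_key)]


def vendor_of(mac, ethercodes_lines):
    """Vendor for a full MAC ('00:0A:95:..' or '0:a:95:..'), or None if unlisted."""
    prefix = _short_prefix(mac.split(":")[:3])
    for line in ethercodes_lines:
        p, _, name = line.partition("\t")
        if p == prefix:
            return name
    return None


def write_ethercodes(oui_text, path):
    """Write the table to `path` via a temp file so a half-written file is never seen.

    Returns the number of entries written.
    """
    lines = oui_to_ethercodes(oui_text)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, path)
    return len(lines)


# Constructed, abridged excerpt in the layout of oui.txt (addresses omitted).
SAMPLE_OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-0A-95   (hex)\t\tApple, Inc.
000A95     (base 16)\t\tApple, Inc.
\t\t\t\t(postal address omitted in this constructed sample)

00-00-0C   (hex)\t\tCISCO SYSTEMS, INC
00000C     (base 16)\t\tCISCO SYSTEMS, INC
\t\t\t\t(postal address omitted in this constructed sample)
"""

if __name__ == "__main__":
    # On a real host the input would be the downloaded oui.txt and the
    # output /usr/share/arpwatch/ethercodes.dat (path is an assumption).
    for line in oui_to_ethercodes(SAMPLE_OUI_TXT):
        print(line)
    print(vendor_of("00:0A:95:11:22:33", oui_to_ethercodes(SAMPLE_OUI_TXT)))
```

Running this from a monthly cron, the same way the thread describes refreshing the geoip database, keeps the vendor names in arpwatch's reports current; the temp-file-then-rename in `write_ethercodes` matters because arpwatch reads the table at startup and should never see a partially written file.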

Though this isn’t part of NethServer, it's supposed to assist with the ideas, and I’m just replying to a post I placed a month ago.

So I finally got around to uploading my netsecure daemon to GitHub for public use. I’ve named it netsecure for the moment; I may decide to change it in the future. It contains a daemon, a configuration file and the script itself at the heart of the program. It uses nmap and sendmail (or a similar program). Its purpose is to catch new/foreign MAC addresses on your local network and add them to the local firewall and any other firewall (or shorewall) running on a different *nix box.

Any suggestions or questions are welcome, even bugs; I’ll help where I can.

1 Like

on ns7alpha2 (x86-64 and ARM)

yum install http://mirror.framassa.org/dz00test/nethserver-arpwatch-1.0.0-2.ns7.noarch.rpm

3 Likes