我设置了一个 orangePi(带有取自 armbian.com 的 Ubuntu Xenial)作为我的家庭服务器。
我安装了 arpalert(通过 apt)并对其进行了配置。到目前为止一切顺利,一切正常。除了运行警报脚本时,它永远不会在每次调用时堆积僵尸。
一旦生成的脚本达到一定数量(在 arpalert 配置文件中设置的生成脚本的最大数量),该脚本就不会再次运行,从而使 arpalert 变得毫无用处。
我也尝试编译源代码但没有任何改变。
我尝试将脚本的输出(stderr 和 stdout)重定向到 /dev/null,但如果我将其放入配置文件中,并附加到脚本路径,它根本找不到该脚本。重定向 arpalert 的输出没有任何区别(尽管我尝试过)。
还有什么可以尝试吗?
这是调用的脚本。它只是检查 MAC 地址是否在黑名单中,如果在,则检查是哪一个并记录下来,然后它可能会发送电子邮件:
#!/bin/bash
#mac adress of requestor, ip of requestor, supp. parm., type of alert .IP type of alert:
#0: IP change
#1: Mac address already detected but not in white list
#2: Mac address in black list
#3: New mac address
#4: Unauthorized arp request
#5: Abusive number of arp request detected
#6: Ethernet mac address different from arp mac address
#7: Flood detected
#8: New mac address whithout ip address
DATA=$(date)
MACA='01:02:03:04:05:06'
MACB='0a:0b:0c:0d:0e:0f'
echo "$DATA Alert arguments 1: $1 2: $2 3: $3 4: $4 5: $5 " >> /home/arpalert/arpalertscriptlog.log
#MAC addresses to be check are put in the black list
if [ "$5" != '2' ]
then
exit
fi
if [ "$1" == $MACB ]
then
echo "MAC address B recognised: $1 " >> /home/arpalert/arpalertscriptlog.log
elif [ "$1" == $MACA ]
then
echo "MAC address A recognised: $1 " >> /home/arpalert/arpalertscriptlog.log
echo -e "to: [email protected]\nsubject: Welcome home!\nWelcome back home! \nDate and hour: $(date)\n" | ssmtp -t
fi
exit
根据要求,我正在编辑带有调试日志的 arpalert 运行结果:
$ ps aux | grep arp
arpalert 4370 0.5 0.7 5432 3940 ? S 22:09 0:02 arpalert -D 7 -d -f /etc/arpalert/arpalert.conf
arpalert 4426 0.3 0.0 0 0 ? Z 22:17 0:00 [arpalert_script] <defunct>
我更改了实际的 MAC 地址,重要的是 01:02:03:04:05:06
我看不出打开调试日志记录有什么区别:
$ sudo cat /var/log/arpalert.log
Nov 25 22:09:34 arpalert: Selected device: eth0
Nov 25 22:11:04 arpalert: seq=6, mac=00:00:00:00:00:00, ip=192.168.1.132, type=new, dev=eth0, vendor="(null)"
Nov 25 22:17:03 arpalert: seq=137, mac=01:02:03:04:05:06, ip=192.168.1.129, type=new, dev=eth0, vendor="(null)"
Nov 25 22:17:03 arpalert: seq=137, mac=01:02:03:04:05:06, ip=192.168.1.129, type=black_listed, dev=eth0, vendor="(null)"
Nov 25 22:23:20 arpalert: seq=272, mac=AA:AA:AA:AA:AA:AA, ip=192.168.1.133, type=new, dev=eth0, vendor="(null)"
$ sudo cat /var/log/syslog | grep arp
Nov 25 22:09:34 localhost arpalert: Selected device: eth0
Nov 25 22:11:04 localhost arpalert: seq=6, mac=00:00:00:00:00:00, ip=192.168.1.132, type=new, dev=eth0, vendor="(null)"
Nov 25 22:17:03 localhost arpalert: seq=137, mac=01:02:03:04:05:06, ip=192.168.1.129, type=new, dev=eth0, vendor="(null)"
Nov 25 22:17:03 localhost arpalert: seq=137, mac=01:02:03:04:05:06, ip=192.168.1.129, type=black_listed, dev=eth0, vendor="(null)"
Nov 25 22:17:05 localhost sSMTP[4429]: Sent mail for arpalert@orangepi uid=1001 username=arpalert outbytes=470
Nov 25 22:23:20 localhost arpalert: seq=272, mac=AA:AA:AA:AA:AA:AA, ip=192.168.1.133, type=new, dev=eth0, vendor="(null)"
以下是整个arpalert.conf文件:
#
# Copyright (c) 2005-2010 Thierry FOURNIER
# $Id: arpalert.conf.in 690 2008-03-31 18:36:43Z $
#
# Default config file
#
# white list
maclist file = "/etc/arpalert/maclist.allow"
# black list
maclist alert file = "/etc/arpalert/maclist.deny"
# dump file
maclist leases file = "/var/lib/arpalert/arpalert.leases"
# list of authorized request
#auth request file = /etc/arpalert/authrq.conf
# log file
log file = "/var/log/arpalert.log"
# pid file
lock file = "/var/run/arpalert.pid"
# log level
use syslog = true
# log level
log level = 7
# user for privilege separation
user = arpalert
# rights for file creation
umask = 177
#chroot dir = /home/arpalert/
# only for debugging: this dump paquet received on standard output
dump packet = false
# run the program as daemon ?
daemon = true
# minimun time to wait between two leases dump
dump inter = 5
#Configure the network for catch only arp request.
#The detection type "new_mac" is desactived.
#This mode is used for CPU saving if Arpalert is running on a router
catch only arp = true
# comma separated interfaces to lesson
# if not precised, the soft select the first interface.
# by default select the first interface encontered
interface = eth0
# script launched on each detection
# parameters are:
# - "mac adress of requestor"
# - "ip of requestor"
# - "supp. parm."
# - "ethernet device listening on"
# - "type of alert"
# - optional : "ethernet vendor"
# type of alert:
# 0: ip change
# 1: mac address only detected but not in whithe list
# 2: mac address in black list
# 3: new mac address
# 4: unauthorized arp request
# 5: abusive number of arp request detected
# 6: ethernet mac address different from arp mac address
# 7: global flood detection
# 8: new mac adress without ip
# 9: mac change
# 10: mac expire
action on detect = "/usr/local/bin/arpalert_script.sh"
# module launched on each detection
mod on detect = ""
# this chain is transfered to the init function of module loaded
mod config = ""
# script execution timeout (seconds)
execution timeout = 5
# maximun simultaneous lanched script
max alert = 20
# what data are dumped in leases file
dump black list = false
dump white list = true
dump new address = true
# after this time a mac adress is removed from memory (seconds) (default 1 month)
mac timeout = 259200
# Allow arpalert to expire authorized mac addresses
expire authorized mac addresses = false
# after this limit the memory hash is cleaned (protect to arp flood)
max entry = 1000000
# this permit to send only one mismatch alert in this time (in seconds)
anti flood interval = 5
# if the number of arp request in seconds exceed this value, all alerts are ignored for
# "anti flood interval" time
anti flood global = 50
# vendor name
# add the mac vendor field in logs, alerts script and/or module execution
mac vendor file = "/etc/arpalert/oui.txt"
log mac vendor = true
alert mac vendor = true
mod mac vendor = true
# log if the adress is referenced in hash but is not in white list
log referenced address = false
alert on referenced address = false
mod on referenced address = false
# log if the mac adress is in black list
log deny address = true
alert on deny address = true
mod on deny address = true
# log if the adress isn't referenced
log new address = true
alert on new address = false
mod on new address = false
# log if the adress isn't referenced (for mac adress only)
log new mac address = true
alert on new mac address = true
mod on new mac address = true
# log if the ip adress id different from the last arp request with the same mac adress
log ip change = true
alert on ip change = true
mod on ip change = true
# log if the ip adress id different from the last arp request with the same mac adress
log mac change = true
alert on mac change = true
mod on mac change = true
# unauthorized arp request:
# log all the request not authorized in auth file
log unauth request = false
alert on unauth request = false
mod on unauth request = false
# dont analyse arp request for unknow hosts (not in white list)
ignore unknown sender = false
# ignore arp request with mac adresse of the lessoned interfaces for the authorizations checks
ignore me = true
# ignore windows self test
ignore self test = false
# suspend time method:
# 1: ignore all unauth alerts during "anti flood interval" time
# 2: ignore only tuple (mac address, ip address) during "anti flood interval" time
unauth ignore time method = 2
# log if the number of request per seconds are > "max request"
log request abus = true
alert on request abus = true
mod on request abus = true
# maximun request authorized by second
max request = 1000000
# log if the ethernet mac address are different than the arp amc address (only for requestor)
log mac error = true
alert on mac error = true
mod on mac error = true
# log if have too many arp request per seconds
log flood = true
alert on flood = true
mod on flood = true
# log if the adress is removed after mac timeout
log expire mac address = false
alert on expire mac address = false
mod on expire mac address = false
编辑:arpalert通过 运行action on detect = "bash -c 'echo test>>/home/arpalert/arpalertscriptlog.log'"并连接我的手机几次,结果如下:
$ ps faux | grep arp
arpalert 21420 0.7 0.7 5432 3992 ? S 18:59 0:30 arpalert -D 7 -d -f /etc/arpalert/arpalert.conf
arpalert 21493 0.0 0.0 0 0 ? Z 19:07 0:00 \_ [arpalert] <defunct>
arpalert 21794 0.0 0.0 0 0 ? Z 20:00 0:00 \_ [arpalert] <defunct>
arpalert 21795 0.0 0.0 0 0 ? Z 20:01 0:00 \_ [arpalert] <defunct>
也test没有写入/home/arpalert/arpalertscriptlog.log。