Arpwatch Home Network Monitor
Let’s face it, these days we all need to pay more attention to what is going on with our home networks. I have the mindset, and maybe this is a bit of overkill, that we should manage and administer our home networks just like we do the enterprise. We need to be proactive and monitor what is going on. All too often with our home networks, we are reactive instead of proactive. I have been meaning to do this for a while and just haven’t for lack of time; however, I recently implemented arpwatch as a home network monitor.
If you haven’t heard of the utility, it is called arpwatch. As the name implies, arpwatch watches the MAC-to-IP pairings of devices on the network. If a pairing changes, arpwatch logs it and sends an email alert. In addition to changes, it alerts on new MAC-to-IP pairings. The beauty of this at home is that it proactively alerts you when devices become active on your LAN/WLAN, which is super handy and, from a security posture, greatly diminishes your response time if an intruder or rogue device manages to connect to your network.
Security is always excessive until it’s not enough. — Robbie Sinclair, Head of Security, Country Energy, NSW Australia
Arpwatch Home Network Monitor
When we think of arpwatch, we can look at it as a home network monitor that patrols your layer 2 network for rogue devices, and not only rogue devices, but also devices that try to masquerade as your gateway or some other critical infrastructure on your network. If arpwatch alerts you, for instance, that the MAC address of your gateway has suddenly changed, then it is definitely something worth investigating immediately.
Installing arpwatch is super simple. If you have a lab environment with a hypervisor running at home, you can easily spin up a new low-resource Ubuntu Server VM and install arpwatch. Otherwise, you can take an old whitebox machine you have lying around, load up the free Ubuntu Server, and go from there.
To install on Ubuntu:
sudo apt-get install arpwatch
Once you have arpwatch up and running, there is minor configuration to be done, mainly specifying the email address to notify and the network subnets to listen on.
Edit the following file to add your subnet and email address:
Add the following to the bottom of the file. This tells arpwatch which subnets to listen on as well as which email address to send notifications to:
eth0 -a -n 192.168.1.0/24 -m [email protected]
eth1 -a -n 192.168.2.0/24 -m [email protected]
eth2 -a -n 192.168.3.0/24 -m [email protected]
Restart the arpwatch service:
service arpwatch restart
In addition, you can watch notifications in real time by following the syslog file on Ubuntu with the tail command:
tail -f /var/log/syslog
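Since the alerts land in syslog, a small triage script can pull out the arpwatch events and flag the one case the post singles out, a changed gateway MAC, ahead of routine "new station" notices. This is an added example, not part of the original post or of arpwatch itself; the syslog lines are constructed, the message formats are assumed to follow arpwatch's "new station" / "changed ethernet address" wording, and the critical-host list is an assumption you would replace with your own gateway address.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed syslog excerpt in the shape arpwatch writes (formats assumed, not from the post).
SAMPLE_SYSLOG = """\
Mar  3 20:15:01 monitor arpwatch: new station 192.168.1.57 0:1a:2b:3c:4d:5e eth0
Mar  3 20:15:09 monitor arpwatch: changed ethernet address 192.168.1.1 0:de:ad:be:ef:1 (0:11:22:33:44:55) eth0
Mar  3 20:16:00 monitor CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 20:17:42 monitor arpwatch: new activity 192.168.1.20 0:aa:bb:cc:dd:ee eth0
"""

# Hosts whose MAC should never change without you knowing (assumed: 192.168.1.1 is the gateway).
CRITICAL_HOSTS = {"192.168.1.1": "gateway"}

# Event, IP, new MAC, optional old MAC in parentheses, interface.
LINE_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address|new activity|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)(?: \((?P<old_mac>[0-9a-f:]+)\))? (?P<iface>\S+)"
)

@dataclass
class Alert:
    severity: str          # "high" or "info"
    event: str
    ip: str
    mac: str
    old_mac: Optional[str]
    iface: str

def parse_line(line: str) -> Optional[Alert]:
    """Turn one syslog line into an Alert, or None if it is not an arpwatch event."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ip, event = m["ip"], m["event"]
    # A MAC change on a critical host (the gateway) is the case worth investigating immediately.
    critical_change = ip in CRITICAL_HOSTS and event in ("changed ethernet address", "flip flop")
    return Alert("high" if critical_change else "info", event, ip, m["mac"], m["old_mac"], m["iface"])

def triage(syslog_text: str) -> List[Alert]:
    """Parse a chunk of syslog and return arpwatch alerts, high severity first (stable order otherwise)."""
    alerts = [a for a in map(parse_line, syslog_text.splitlines()) if a]
    return sorted(alerts, key=lambda a: a.severity != "high")

if __name__ == "__main__":
    for a in triage(SAMPLE_SYSLOG):
        role = f" ({CRITICAL_HOSTS[a.ip]})" if a.ip in CRITICAL_HOSTS else ""
        was = f" was {a.old_mac}" if a.old_mac else ""
        print(f"[{a.severity.upper()}] {a.event}: {a.ip}{role} {a.mac}{was} on {a.iface}")
```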
Arpwatch is a great little utility for monitoring your home network, or even an enterprise network if you don’t have paid utilities available to you. It is easy to configure and get up and running, and it just works. Stay tuned for more advanced arpwatch configuration posts covering VLANs, etc.