One of the more poorly documented parts of configuring arpwatch is its SMTP configuration. There are so many flavors of Linux and SMTP servers; how can you easily set up a vanilla SMTP mechanism to send out your arpwatch notifications?
In the second part of the arpwatch series (see part 1 here), I wanted to share with you guys what I used to get arpwatch notifications up and running, and to send the notification emails to my Gmail account over port 587.
Arpwatch SMTP Configuration
The easiest small-footprint SMTP engine I found for my Ubuntu installation was SSMTP. You can install SSMTP with the following command on Ubuntu:
sudo apt-get install ssmtp
Once you have installed SSMTP, we need to edit the config file located at:
Below is a sample configuration that you might see for Gmail:
#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=you@gmail.com
# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587
# Where will the mail seem to come from?
#rewriteDomain=gmail.com
# The full hostname
hostname=arpwatchmachine
# Use SSL/TLS before starting negotiation
UseTLS=Yes
UseSTARTTLS=Yes
# Username/Password
AuthUser=you@gmail.com
AuthPass=mypassword
# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES
Setting up accounts:
Then, to map local system accounts to the outgoing email addresses they send as, edit the aliases file:
A sample of how your file might look:
# sSMTP aliases
#
# Format:    local_account:outgoing_address:mailhub
#
# Example: root:your_login@your.domain:mailhub.your.domain[:port]
# where [:port] is an optional port number that defaults to 25.
root:you@gmail.com:smtp.gmail.com:587
To test mailflow using SSMTP, you can use the following command:
$ echo test | mail -v -s "testing ssmtp setup" you@gmail.com
Note: on Ubuntu, you may need to install the mailutils package (which provides the mail command) by running the following:
sudo apt-get install mailutils
Once you install mailutils and run the test command above, you should receive your test email. Keep in mind that your firewall rules must allow outbound connections on port 587.
Once you receive the test email, you are ready to configure arpwatch for sending to your Gmail account.
Edit the following file:
Add one line per interface, giving the subnet to watch and the email address to send to:
eth0 -a -n 192.168.1.0/24 -m you@gmail.com
eth1 -a -n 192.168.2.0/24 -m email@example.com
eth2 -a -n 192.168.3.0/24 -m you@gmail.com
After following the steps above (installing and configuring SSMTP, then configuring arpwatch), you should receive notifications for new hosts and changed MAC/IP mappings on your networks, in this form:
hostname: test1
ip address: 192.168.3.10
interface: eth0
ethernet address: 00:11:22:33:44:55
ethernet vendor: VMware
timestamp: Thursday, February 25, 2016 9:54:47 -0600
How does Arpwatch know to use ssmtp for sending email?
If you don't see anything in the config files above specifying the use of ssmtp, you are correct. Arpwatch simply runs whatever program the /usr/sbin/sendmail symlink points to (this is its location on Ubuntu). After installing ssmtp, inspect the /usr/sbin/sendmail symlink (for example with ls -l /usr/sbin/sendmail) and you will see that it points to ssmtp. Each time arpwatch attempts to send email, it executes that path, and therefore ssmtp.
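As an added sanity check for the whole chain described above (the ssmtp.conf settings, the -m recipients in the arpwatch config, and the /usr/sbin/sendmail symlink), here is a small POSIX shell script that is not part of the original post. It assumes Ubuntu paths and the mail command from mailutils; the MAIL_CMD variable is a hypothetical hook that lets you dry-run the test sends.

```shell
# Sanity checks for the arpwatch -> ssmtp mail path (added example, not from
# the original post). Assumes Ubuntu-style paths; every function takes a
# file argument so it can be pointed at a copy of the real config.

# Print every unique "-m" recipient from an arpwatch.conf-style file.
arpwatch_recipients() {
    awk '/^[^#]/ { for (i = 1; i < NF; i++) if ($i == "-m") print $(i+1) }' "$1" | sort -u
}

# Check that an ssmtp.conf names a mailhub, enables STARTTLS, and is not
# readable by "other" (the file holds AuthPass in clear text). Returns 1 on
# any failure and explains why on stderr.
check_ssmtp_conf() {
    f=$1; rc=0
    grep -q '^mailhub=.' "$f"        || { echo "$f: no mailhub= line" >&2; rc=1; }
    grep -qi '^UseSTARTTLS=yes' "$f" || { echo "$f: UseSTARTTLS is not Yes" >&2; rc=1; }
    others=$(ls -ld "$f" | cut -c8-10)     # the "other" rwx column of ls -l
    [ "$others" = "---" ] || { echo "$f: readable by others ($others); chmod 640 it" >&2; rc=1; }
    return $rc
}

# Confirm that the sendmail path arpwatch executes resolves to ssmtp.
sendmail_is_ssmtp() {
    case $(readlink -f "${1:-/usr/sbin/sendmail}" 2>/dev/null) in
        */ssmtp) return 0 ;;
        *)       return 1 ;;
    esac
}

# Send one test message per arpwatch recipient. MAIL_CMD (hypothetical hook)
# defaults to mailutils' mail; set it to a logging function for a dry run.
send_test_mails() {
    arpwatch_recipients "$1" | while read -r addr; do
        echo "arpwatch mail test from $(uname -n)" | ${MAIL_CMD:-mail} -s "arpwatch ssmtp test" "$addr"
    done
}
```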
Arpwatch is a great tool for monitoring network traffic. The trickiest part is the arpwatch SMTP configuration. Hopefully the steps above will help you get your configuration up and running and monitoring MAC/IP mappings quickly.