Arpwatch SMTP configuration


One of the harder things to find documentation on when setting up arpwatch is its SMTP configuration. With so many flavors of Linux and SMTP servers out there, how do you set up a plain, minimal SMTP relay to send out your arpwatch notifications?

In this second part of the arpwatch series (see part 1 here), I want to share what I used to get arpwatch notifications up and running and to deliver the notification emails to my Gmail account over the submission port, TCP 587.


Arpwatch SMTP Configuration

SSMTP

The smallest-footprint SMTP client I found for my Ubuntu installation was SSMTP, a send-only mailer that relays everything to one upstream mail hub instead of running a full MTA. You can install SSMTP on Ubuntu with the following command:

sudo apt-get install ssmtp

Once SSMTP is installed, edit its config file, located at:

/etc/ssmtp/ssmtp.conf

Below is a sample configuration for relaying through Gmail:

#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=[email protected]

# The place where the mail goes. The actual machine name is required; no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
#rewriteDomain=gmail.com

# The full hostname
hostname=arpwatchmachine

# Use SSL/TLS before starting negotiation
UseTLS=Yes
UseSTARTTLS=Yes

# Username/Password
AuthUser=[email protected]
AuthPass=mypassword


# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES

Two things to watch in that file. AuthPass is stored in clear text, so keep ssmtp.conf readable only by root and the mail group (the Ubuntu package installs it as mode 0640, owner root, group mail; do not loosen that) and keep it out of version control and world-readable backups. Also, Google no longer accepts an account's normal password for SMTP AUTH: enable 2-step verification on the account, generate an app password, and put that in AuthPass instead.

Setting up accounts:

Next, map each local system account to the From: address and mail hub it should send through in:

/etc/ssmtp/revaliases

A sample of how your file might look:

# sSMTP aliases
# 
# Format:	local_account:outgoing_address:mailhub
#
# Example: root:[email protected]:mailhub.your.domain[:port]
# where [:port] is an optional port number that defaults to 25.

root:[email protected]:smtp.gmail.com:587

Testing:

To test mailflow using SSMTP, you can use the following command:

$ echo test | mail -v -s "testing ssmtp setup" [email protected]

Note that on Ubuntu the mail command comes from the mailutils package, which you may need to install first:

sudo apt-get install mailutils

Once mailutils is installed and the test command above has run, you should receive the test email. If nothing arrives, running ssmtp with its -v flag prints the SMTP conversation with Gmail, which usually points straight at the problem (wrong password, STARTTLS refused, connection timed out). Keep in mind that your firewall rules need to allow outbound TCP port 587 from the arpwatch host.

Once you receive the test email, you are ready to configure arpwatch for sending to your Gmail account.
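Before pointing arpwatch at this setup it is worth checking the configuration mechanically rather than by eye. The script below is an added example, not part of the original post or of the sSMTP project: it lints an ssmtp.conf for the settings the Gmail/587 setup above depends on (submission port, STARTTLS, credentials present and not the sample placeholder, file not world-readable) and reports which program the sendmail symlink actually resolves to. The function names ssmtp_get, check, ssmtp_lint and sendmail_backend are my own, and the file paths are parameters so the checks can be run against copies of the real files.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an ssmtp.conf and
# the sendmail symlink before handing arpwatch mail to it. File paths are
# parameters so the checks can be run against copies of the real files.

# Value of KEY in an ssmtp.conf-style FILE: the last non-comment "KEY=value"
# line wins, the key is matched case-insensitively, output is empty if absent.
ssmtp_get() {
    grep -i "^[[:space:]]*$1=" "$2" 2>/dev/null | tail -n 1 | cut -d= -f2- | sed 's/[[:space:]]*$//'
}

# Record one check: check DESCRIPTION test-args...  (sets rc=1 on failure)
check() {
    desc=$1; shift
    if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; rc=1; fi
}

# Lint CONF for the settings the Gmail/587 setup above depends on.
# Prints one line per check and returns 1 if any of them failed.
ssmtp_lint() {
    conf=$1
    rc=0
    mailhub=$(ssmtp_get mailhub "$conf")
    port=${mailhub##*:}
    check "mailhub uses the submission port (got '$mailhub')" [ "$port" = 587 ]
    # port 587 needs STARTTLS; a plain-text session would send AuthPass in the clear
    starttls=$(ssmtp_get UseSTARTTLS "$conf" | tr '[:upper:]' '[:lower:]')
    check "UseSTARTTLS=Yes" [ "$starttls" = yes ]
    check "hostname set" [ -n "$(ssmtp_get hostname "$conf")" ]
    check "AuthUser set" [ -n "$(ssmtp_get AuthUser "$conf")" ]
    pass=$(ssmtp_get AuthPass "$conf")
    check "AuthPass set" [ -n "$pass" ]
    check "AuthPass is not the placeholder from the sample config" [ "$pass" != mypassword ]
    # AuthPass is clear text, so the file must not be world-readable
    others=$(ls -l "$conf" 2>/dev/null | cut -c8-10)
    check "$conf is not world-readable (mode 0640 root:mail on Ubuntu)" [ "$others" = "---" ]
    return $rc
}

# Which program arpwatch will actually execute: it just runs the sendmail
# binary, and on Ubuntu /usr/sbin/sendmail is a symlink that ssmtp takes over.
# Prints the resolved program name, or "missing" if the link does not lead
# to an executable file.
sendmail_backend() {
    target=$(readlink -f "$1" 2>/dev/null) && [ -f "$target" ] && [ -x "$target" ] && basename "$target" || echo missing
}

# When run on the arpwatch host, lint the live config and show the backend.
if [ -r /etc/ssmtp/ssmtp.conf ]; then
    ssmtp_lint /etc/ssmtp/ssmtp.conf || echo "fix the FAIL lines before relying on arpwatch mail"
    echo "sendmail backend: $(sendmail_backend /usr/sbin/sendmail)"
fi
```

Run it as a user that can read ssmtp.conf (root, or a member of the mail group). The permission check deliberately treats a world-readable config as a failure even when every other setting is right, since the app password in AuthPass is the only thing standing between the file's readers and your Gmail account.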

Arpwatch config

Edit the following file:

/etc/arpwatch.conf

Add one line per interface, giving the interface name, the subnet to watch (-n) and the email address notifications should go to (-m):

eth0 -a -n 192.168.1.0/24 -m [email protected]
eth1 -a -n 192.168.2.0/24 -m [email protected]
eth2 -a -n 192.168.3.0/24 -m [email protected]

After following the steps above (installing and configuring SSMTP, then configuring arpwatch), you should start receiving notifications for new hosts and for changed MAC/IP mappings on your networks, for example:

hostname: test1
ip address: 192.168.3.10
interface: eth0
ethernet address: 00:11:22:33:44:55
ethernet vendor: VMware
timestamp: Thursday, February 25, 2016 9:54:47 -0600
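A mailbox is a poor place to keep these events if you ever want to search them or correlate them with other logs. As an added example, not part of the original post or of arpwatch itself, the shell function below turns the multi-line report body shown above into one key=value log line suitable for grep or a log shipper. arpwatch puts the report type in the mail Subject ("new station", "changed ethernet address", and so on), so that is taken as an optional argument; the function name arpwatch_report_to_log and the log line layout are my own choices, and the sample report is constructed to match the notification above.

```shell
#!/bin/sh
# Added example (not from the original post): turn the multi-line arpwatch
# report body shown above into a single key=value log line, so the same event
# can be grepped or shipped to a SIEM instead of living only in a mailbox.
# Reads the report on stdin. The optional first argument is the report type
# arpwatch puts in the mail Subject (for example "new station").
arpwatch_report_to_log() {
    awk -v event="${1:-unknown}" '
        {
            # arpwatch emits one "label: value" line per field, right-aligned;
            # split on the first ": " so values containing ":" (timestamps) survive
            sub(/^[ \t]+/, "")
            i = index($0, ": ")
            if (i == 0) next
            label = substr($0, 1, i - 1)
            value = substr($0, i + 2)
        }
        label == "hostname"             { host = value }
        label == "ip address"           { ip = value }
        label == "interface"            { iface = value }
        label == "ethernet address"     { mac = tolower(value) }
        label == "old ethernet address" { oldmac = tolower(value) }   # only in "changed" reports
        label == "ethernet vendor"      { vendor = value }
        label == "timestamp"            { ts = value }
        END {
            printf "arpwatch event=\"%s\" iface=%s ip=%s mac=%s", event, iface, ip, mac
            if (oldmac != "") printf " old_mac=%s", oldmac
            printf " hostname=%s vendor=\"%s\" ts=\"%s\"\n", host, vendor, ts
        }'
}

# Constructed sample, identical to the notification shown above.
sample_report='hostname: test1
ip address: 192.168.3.10
interface: eth0
ethernet address: 00:11:22:33:44:55
ethernet vendor: VMware
timestamp: Thursday, February 25, 2016 9:54:47 -0600'

printf '%s\n' "$sample_report" | arpwatch_report_to_log "new station"
```

MAC addresses are lower-cased so the same station produces the same string whether it was logged by arpwatch or by a switch, and the old address from a "changed ethernet address" report is kept as old_mac, which is the field to alert on when a known IP suddenly answers from different hardware.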

How does Arpwatch know to use ssmtp for sending email?

If you noticed that nothing in the config file above mentions ssmtp, you are correct. Arpwatch does not speak SMTP itself; it hands each report to the sendmail program at /usr/sbin/sendmail (the location on Ubuntu). Installing ssmtp makes /usr/sbin/sendmail a symlink to ssmtp, which you can confirm by listing the symlink with ls -l. Every time arpwatch sends a report it runs that sendmail path, so ssmtp ends up doing the delivery to your mail hub.

Final Thoughts

Arpwatch is a great tool for keeping an eye on the MAC/IP pairings on your network. The trickiest part is the SMTP configuration for the notifications. Hopefully the steps above will help you get your configuration up and running and monitoring MAC/IP changes quickly.

Part 1 – Arpwatch Home Network Monitor