restricting unknown user

Hari Sekhon hpsekhon at googlemail.com
Tue Dec 11 10:29:23 CET 2007


Dave wrote:
> arpwatch does something like that, keeps an eye on what mac addresses
> are active using what IP on the local subnet, sends an alert when a
> new mac address appears or some change occurs in the pairs of active
> MAC/IP pairs.
>
> Currently there is no integration between arpwatch and nagios.
> arpwatch sends email alerts, maybe outputs to the log or console?
>
> I don't think it is a good fit, since nagios assumes that all the
> hosts it cares about are pre-defined in its config file.
>
>
> On Dec 9, 2007 2:56 AM, sachin kumar <sachink at 7i.net.sa> wrote:
>   
>> Hi list
>>
>> I want to configure nagios in such a way that if an unknown mac-address enters the network to access resources, that system will be displayed in nagios. I want to create a list of mac-addresses which are in our network, and link it with nagios, and if any other mac-address (out of this list) connects to the network, it will be displayed in nagios.
>>
>>
>>
>> - sachin kumar (sachin1361

Although not a complete fit, one thing I do is run a check of all dhcpd 
leases that were handed out by all of my ISC dhcpd servers using a 
plugin I wrote:

http://www.nagiosexchange.org/Check_Plugins.21.0.html?&tx_netnagext_pi1[p_view]=1164&tx_netnagext_pi1[page]=20%3A10

This can use whitelists, so you can whitelist your Mac addresses and it 
will raise a critical alert in Nagios if a lease is given out to any non 
recognized Mac. Since spoofing the Mac is obvious, it can also take a 
list of hostnames since this is less obvious to spoof. If you use both, 
chances are that anyone jumping on your network and being issued a dhcp 
lease from dhcpd will trip it and alert you.

It's not a complete solution but is nice from the defense in depth point 
of view of multiple layers. It's also just nice to see at a glance in 
Nagios who has leases on your dhcpd server and the output is fairly 
flexible.


Of course, someone who gets on your network may not use dhcp at all but 
this is just a small piece of the puzzle.

I also use arpwatch which can indeed alert on mac changes or additions, 
or you can use its logging to alert from a central place...

Arpwatch will not integrate directly into Nagios, but since arpwatch can 
log to syslog, you could use a nagios log check to alert on any
logged Mac additions.


-h

-- 
Hari Sekhon
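
An added example, not part of the original message and not the plugin linked above: a minimal check in the same spirit, which parses ISC dhcpd lease records and returns a Nagios CRITICAL status when an active lease has a MAC or hostname outside the whitelists. The lease data, whitelist contents and function names are constructed for illustration.

```python
import re

OK, CRITICAL = 0, 2  # Nagios plugin exit codes
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\n\}", re.S)
STATE_RE = re.compile(r"^\s*binding\s+state\s+(\w+)\s*;", re.M)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9A-Fa-f:]{17})\s*;")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')
# Constructed sample in dhcpd.leases format (documentation IPs, made-up MACs)
SAMPLE_LEASES = """
lease 192.0.2.10 {
  binding state active;
  hardware ethernet 00:16:3e:aa:bb:01;
  client-hostname "ws-finance-01";
}
lease 192.0.2.11 {
  binding state active;
  hardware ethernet 00:16:3e:aa:bb:02;
  client-hostname "laptop-x";
}
lease 192.0.2.12 {
  binding state active;
  hardware ethernet 02:00:00:00:00:12;
}
lease 192.0.2.12 {
  binding state free;
}
lease 192.0.2.13 {
  binding state active;
  hardware ethernet 02:00:00:00:00:13;
}
"""
MAC_WHITELIST = {"00:16:3e:aa:bb:01", "00:16:3e:aa:bb:02"}  # assumed site list
HOST_WHITELIST = {"ws-finance-01", "ws-finance-02"}         # assumed site list

def parse_active_leases(text):
    """Return {ip: (mac, hostname)}; dhcpd appends records, so the last per IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state, mac, host = STATE_RE.search(body), MAC_RE.search(body), HOST_RE.search(body)
        if state and state.group(1) == "active" and mac:
            leases[ip] = (mac.group(1).lower(), host.group(1).lower() if host else "")
        else:
            leases.pop(ip, None)  # a later released/expired record supersedes the lease
    return leases

def check(text, macs, hosts):  # MAC and hostname must both be whitelisted
    active = sorted(parse_active_leases(text).items())
    bad = [f"{ip} {m} {h or '-'}" for ip, (m, h) in active if m not in macs or h not in hosts]
    msg = "unrecognized leases: " + ", ".join(bad) if bad else "all active leases whitelisted"
    return (CRITICAL, "CRITICAL: " + msg) if bad else (OK, "OK: " + msg)
```

To use it as a Nagios check, read the server's leases file, print the returned message and exit with the returned status.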

