избежать запуска скриптов arpalert в конечном итоге
Я установил оранжевый Pi (с Ubuntu Xenial, взятый с armbian.com) в качестве моего домашнего сервера.
Я установил arpalert (через apt) и настроил его. Пока все хорошо, все работает нормально. За исключением случаев, когда запускается скрипт оповещения, он никогда не получает пожинающих накоплений зомби при каждом вызове.
Как только порожденные скрипты достигнут определенного числа (максимальное количество порожденных скриптов, установленных в файле конфигурации arpalert), скрипт не запускается снова, делая arpalert бесполезным.
Я также попытался скомпилировать источник, но ничего не изменилось.
Я попытался перенаправить вывод сценария (stderr и stdout) в / dev / null, но если я поместил его в config, добавленный к пути к скрипту, он просто не может найти скрипт.
Есть ли что-то еще, чтобы попробовать?
Вот сценарий, который вызывается. Он просто проверяет, находится ли MAC-адрес в черном списке, если он тогда проверяет, какой он есть, и регистрирует его, тогда он может отправить электронное письмо:
#!/bin/bash
#mac adress of requestor, ip of requestor, supp. parm., type of alert .IP type of alert:
#0: IP change
#1: Mac address already detected but not in white list
#2: Mac address in black list
#3: New mac address
#4: Unauthorized arp request
#5: Abusive number of arp request detected
#6: Ethernet mac address different from arp mac address
#7: Flood detected
#8: New mac address whithout ip address
DATA=$(date)
MACA='01:02:03:04:05:06'
MACB='0a:0b:0c:0d:0e:0f'
echo "$DATA Alert arguments 1: $1 2: $2 3: $3 4: $4 5: $5 " >> /home/arpalert/arpalertscriptlog.log
#MAC addresses to be check are put in the black list
if [ "$5" != '2' ]
then
exit
fi
if [ "$1" == $MACB ]
then
echo "MAC address B recognised: $1 " >> /home/arpalert/arpalertscriptlog.log
elif [ "$1" == $MACA ]
then
echo "MAC address A recognised: $1 " >> /home/arpalert/arpalertscriptlog.log
echo -e "to: me@mailprovider.com\nsubject: Welcome home!\nWelcome back home! \nDate and hour: $(date)\n" | ssmtp -t
fi
exit
Как меня спрашивают, я редактирую в результате запуска arpalert с протоколированием отладки:
$ ps aux | grep arp
arpalert 4370 0.5 0.7 5432 3940 ? S 22:09 0:02 arpalert -D 7 -d -f /etc/arpalert/arpalert.conf
arpalert 4426 0.3 0.0 0 0 ? Z 22:17 0:00 [arpalert_script] <defunct>
Я изменил фактические MAC-адреса, важный - 01: 02: 03: 04: 05: 06 Я не вижу разницы с регистрацией отладки on:
$ sudo cat /var/log/arpalert.log
Nov 25 22:09:34 arpalert: Selected device: eth0
Nov 25 22:11:04 arpalert: seq=6, mac=00:00:00:00:00:00, ip=192.168.1.132, type=new, dev=eth0, vendor="(null)"
Nov 25 22:17:03 arpalert: seq=137, mac=01:02:03:04:05:06, ip=192.168.1.129, type=new, dev=eth0, vendor="(null)"
Nov 25 22:17:03 arpalert: seq=137, mac=01:02:03:04:05:06, ip=192.168.1.129, type=black_listed, dev=eth0, vendor="(null)"
Nov 25 22:23:20 arpalert: seq=272, mac=AA:AA:AA:AA:AA:AA, ip=192.168.1.133, type=new, dev=eth0, vendor="(null)"
$ sudo cat /var/log/syslog | grep arp
Nov 25 22:09:34 localhost arpalert: Selected device: eth0
Nov 25 22:11:04 localhost arpalert: seq=6, mac=00:00:00:00:00:00, ip=192.168.1.132, type=new, dev=eth0, vendor="(null)"
Nov 25 22:17:03 localhost arpalert: seq=137, mac=01:02:03:04:05:06, ip=192.168.1.129, type=new, dev=eth0, vendor="(null)"
Nov 25 22:17:03 localhost arpalert: seq=137, mac=01:02:03:04:05:06, ip=192.168.1.129, type=black_listed, dev=eth0, vendor="(null)"
Nov 25 22:17:05 localhost sSMTP[4429]: Sent mail for arpalert@orangepi uid=1001 username=arpalert outbytes=470
Nov 25 22:23:20 localhost arpalert: seq=272, mac=AA:AA:AA:AA:AA:AA, ip=192.168.1.133, type=new, dev=eth0, vendor="(null)"
Вот весь файл arpalert.conf:
#
# Copyright (c) 2005-2010 Thierry FOURNIER
# $Id: arpalert.conf.in 690 2008-03-31 18:36:43Z $
#
# Default config file
#
# white list
maclist file = "/etc/arpalert/maclist.allow"
# black list
maclist alert file = "/etc/arpalert/maclist.deny"
# dump file
maclist leases file = "/var/lib/arpalert/arpalert.leases"
# list of authorized request
#auth request file = /etc/arpalert/authrq.conf
# log file
log file = "/var/log/arpalert.log"
# pid file
lock file = "/var/run/arpalert.pid"
# log level
use syslog = true
# log level
log level = 7
# user for privilege separation
user = arpalert
# rights for file creation
umask = 177
#chroot dir = /home/arpalert/
# only for debugging: this dump paquet received on standard output
dump packet = false
# run the program as daemon ?
daemon = true
# minimun time to wait between two leases dump
dump inter = 5
#Configure the network for catch only arp request.
#The detection type "new_mac" is desactived.
#This mode is used for CPU saving if Arpalert is running on a router
catch only arp = true
# comma separated interfaces to lesson
# if not precised, the soft select the first interface.
# by default select the first interface encontered
interface = eth0
# script launched on each detection
# parameters are:
# - "mac adress of requestor"
# - "ip of requestor"
# - "supp. parm."
# - "ethernet device listening on"
# - "type of alert"
# - optional : "ethernet vendor"
# type of alert:
# 0: ip change
# 1: mac address only detected but not in whithe list
# 2: mac address in black list
# 3: new mac address
# 4: unauthorized arp request
# 5: abusive number of arp request detected
# 6: ethernet mac address different from arp mac address
# 7: global flood detection
# 8: new mac adress without ip
# 9: mac change
# 10: mac expire
action on detect = "/usr/local/bin/arpalert_script.sh"
# module launched on each detection
mod on detect = ""
# this chain is transfered to the init function of module loaded
mod config = ""
# script execution timeout (seconds)
execution timeout = 5
# maximun simultaneous lanched script
max alert = 20
# what data are dumped in leases file
dump black list = false
dump white list = true
dump new address = true
# after this time a mac adress is removed from memory (seconds) (default 1 month)
mac timeout = 259200
# Allow arpalert to expire authorized mac addresses
expire authorized mac addresses = false
# after this limit the memory hash is cleaned (protect to arp flood)
max entry = 1000000
# this permit to send only one mismatch alert in this time (in seconds)
anti flood interval = 5
# if the number of arp request in seconds exceed this value, all alerts are ignored for
# "anti flood interval" time
anti flood global = 50
# vendor name
# add the mac vendor field in logs, alerts script and/or module execution
mac vendor file = "/etc/arpalert/oui.txt"
log mac vendor = true
alert mac vendor = true
mod mac vendor = true
# log if the adress is referenced in hash but is not in white list
log referenced address = false
alert on referenced address = false
mod on referenced address = false
# log if the mac adress is in black list
log deny address = true
alert on deny address = true
mod on deny address = true
# log if the adress isn't referenced
log new address = true
alert on new address = false
mod on new address = false
# log if the adress isn't referenced (for mac adress only)
log new mac address = true
alert on new mac address = true
mod on new mac address = true
# log if the ip adress id different from the last arp request with the same mac adress
log ip change = true
alert on ip change = true
mod on ip change = true
# log if the ip adress id different from the last arp request with the same mac adress
log mac change = true
alert on mac change = true
mod on mac change = true
# unauthorized arp request:
# log all the request not authorized in auth file
log unauth request = false
alert on unauth request = false
mod on unauth request = false
# dont analyse arp request for unknow hosts (not in white list)
ignore unknown sender = false
# ignore arp request with mac adresse of the lessoned interfaces for the authorizations checks
ignore me = true
# ignore windows self test
ignore self test = false
# suspend time method:
# 1: ignore all unauth alerts during "anti flood interval" time
# 2: ignore only tuple (mac address, ip address) during "anti flood interval" time
unauth ignore time method = 2
# log if the number of request per seconds are > "max request"
log request abus = true
alert on request abus = true
mod on request abus = true
# maximun request authorized by second
max request = 1000000
# log if the ethernet mac address are different than the arp amc address (only for requestor)
log mac error = true
alert on mac error = true
mod on mac error = true
# log if have too many arp request per seconds
log flood = true
alert on flood = true
mod on flood = true
# log if the adress is removed after mac timeout
log expire mac address = false
alert on expire mac address = false
mod on expire mac address = false
edit: Запустив arpalert с action on detect = "bash -c 'echo test>>/home/arpalert/arpalertscriptlog.log'" и это мой результат:
$ ps faux | grep arp
arpalert 21420 0.7 0.7 5432 3992 ? S 18:59 0:30 arpalert -D 7 -d -f /etc/arpalert/arpalert.conf
arpalert 21493 0.0 0.0 0 0 ? Z 19:07 0:00 \_ [arpalert] <defunct>
arpalert 21794 0.0 0.0 0 0 ? Z 20:00 0:00 \_ [arpalert] <defunct>
arpalert 21795 0.0 0.0 0 0 ? Z 20:01 0:00 \_ [arpalert] <defunct>
Также test не записано на /home/arpalert/arpalertscriptlog.log.
2
задан zakkos
27 November 2017 в 23:29
поделиться