Audit Logging

No matter how strong your security mechanisms are, if you are not logging and monitoring your logs, you are vulnerable to unforeseen attacks. Diligent logging and monitoring gives you the ability to react to attacks in real time, protecting yourself and your resources.

arpwatch

Due to the lack of physical security in a wireless network, low-level attacks are of a much greater concern than they would be on a wired network. ARP poisoning, as discussed in Chapter 2, allows a malicious host to act as a man in the middle for machines on the network. The static ARP settings discussed earlier in this chapter are one way to protect yourself from ARP-based problems.

However, being able to detect ARP issues on the network gives you a window into the overall security of the network. If someone on the network is attempting ARP spoofing attacks, it is safe to assume your packets are being sniffed and your data is at risk. A program called arpwatch will watch the network for you and report any unusual activity. In order to use arpwatch, the program must have access to raw frames being sent across the wire. This requires CONFIG_PACKET support in your kernel.

For a complete discussion of arpwatch and how to configure it, see Section 4.1.6.1.
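The detection logic arpwatch applies is simple enough to show in a few dozen lines. The following is an added example, not arpwatch's own code: it keeps a table of IP-to-MAC bindings learned from ARP replies and reports the three events arpwatch logs (a new station, a changed ethernet address, and a flip flop, where the address changes back to the one seen before it). It also adds one check arpwatch does not perform, flagging a single MAC that answers for more than one IP. The ARP replies are a constructed sample, not captured traffic; in practice they would come from a raw-socket capture, which is why arpwatch needs CONFIG_PACKET.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Alert = Tuple[str, str, str]  # (kind, ip, mac)


class ArpMonitor:
    """Track IP -> MAC bindings seen in ARP replies and report changes.

    Reports the events arpwatch logs ("new station", "changed ethernet
    address", "flip flop") plus one extra: a MAC claiming several IPs.
    """

    def __init__(self) -> None:
        # ip -> (current mac, previously seen mac or None)
        self.bindings: Dict[str, Tuple[str, Optional[str]]] = {}
        # mac -> IPs it has answered for (extra check, not part of arpwatch)
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, ip: str, mac: str) -> List[Alert]:
        mac = mac.lower()  # normalise so case differences are not "changes"
        alerts: List[Alert] = []
        if ip not in self.bindings:
            self.bindings[ip] = (mac, None)
            alerts.append(("new station", ip, mac))
        else:
            current, previous = self.bindings[ip]
            if mac != current:
                # Changing back to the address seen before the current one is
                # a flip flop: typical when a spoofer and the real host both
                # answer for the same IP.
                kind = "flip flop" if mac == previous else "changed ethernet address"
                self.bindings[ip] = (mac, current)
                alerts.append((kind, ip, mac))
        # One MAC answering for several IPs is the footprint of a host
        # impersonating others. Report only when the set of IPs grows.
        known = self.ips_by_mac[mac]
        if ip not in known:
            known.add(ip)
            if len(known) > 1:
                alerts.append(("mac claims multiple ips", ip, mac))
        return alerts


# Constructed sample of (sender IP, sender MAC) pairs from ARP replies.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),   # gateway first seen
    ("192.168.1.10", "aa:bb:cc:dd:ee:01"),  # client first seen
    ("192.168.1.1", "00:11:22:33:44:55"),   # steady state, nothing to report
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),   # gateway IP answered by another MAC
    ("192.168.1.10", "de:ad:be:ef:00:01"),  # same MAC also answers for the client
    ("192.168.1.1", "00:11:22:33:44:55"),   # real gateway answers again: flip flop
]


def run_sample(replies=SAMPLE_ARP_REPLIES) -> List[Alert]:
    """Feed the sample replies through a monitor and collect every alert."""
    monitor = ArpMonitor()
    alerts: List[Alert] = []
    for ip, mac in replies:
        alerts.extend(monitor.observe(ip, mac))
    return alerts


if __name__ == "__main__":
    for kind, ip, mac in run_sample():
        print(f"{kind}: {ip} {mac}")
```

Each alert kind maps to a different response: a new station is routine on a network with roaming clients, while a flip flop on the gateway's IP is exactly the pattern a man-in-the-middle produces and should page someone.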

syslog

syslog is a common audit facility that any application on a host can use. Many standard applications, as well as the kernel, send very useful information to syslog. Being able to direct syslog data to a desired location and monitor it gives you a view into what your system is doing as well as what others are trying to do to it.

Different Linux distributions have different syslog configurations. In general, they are configured to send syslog messages to many different logfiles based on syslog facility and severity. Rather than break apart the log data into different files, it is sometimes useful to send all log data to one file. This allows the data to be distilled using tools such as grep and perl. These unique views of audit data tend to be much more useful than splitting the data up a priori.

In order to log all data sent to syslog to /var/log/messages, add the following line to the top of your /etc/syslog.conf:

*.*                           /var/log/messages

Be sure to comment out any other line that references /var/log/messages in the syslog configuration file with a hash mark (#). To force these changes to take effect without rebooting, execute killall syslogd; syslogd as root.

swatch

Watching logfiles is boring. When there are no interesting events in a logfile, it is easy to lose interest and stop paying attention. It is also impossible to watch logfiles all the time. swatch is a program designed to watch logfiles for you. It will tail (continuously monitor what is being written to) any ASCII logfile and watch it for interesting strings. swatch can be configured to alert you via email, console messages, or even a system beep when it detects a problem. For a complete discussion of swatch, see Section 4.1.6.3.
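To make concrete both the "distilling" of a consolidated /var/log/messages mentioned under syslog and the watch-for-interesting-strings model swatch implements, here is an added example written for this page; it is not swatch's code and not part of the original text. It parses classic syslog lines, matches each message against a list of patterns, raises an alert per match, and escalates when the same rule fires repeatedly on one host (a cheap way to separate one typo from a password-guessing run). The log lines and the patterns are constructed for the example; the `follow()` generator is a minimal tail -f for running it against a live file.

```python
import os
import re
import time
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Optional, Pattern, Tuple

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# "Interesting strings" in the swatch sense. These patterns are constructed
# for the example; tune them to the programs actually logging on your hosts.
WATCH_RULES: List[Tuple[str, Pattern[str]]] = [
    ("ssh_auth_failure", re.compile(r"Failed password for (?:invalid user )?\S+ from \S+")),
    ("arp_change", re.compile(r"changed ethernet address|flip flop")),
    ("su_to_root", re.compile(r"\(to root\)")),
]

# Constructed sample of a consolidated /var/log/messages; not real log data.
SAMPLE_LOG_LINES = [
    "Mar  4 10:15:01 ap1 sshd[1234]: Failed password for root from 10.0.0.5 port 4022 ssh2",
    "Mar  4 10:15:03 ap1 sshd[1234]: Failed password for root from 10.0.0.5 port 4023 ssh2",
    "Mar  4 10:15:05 ap1 sshd[1237]: Failed password for invalid user admin from 10.0.0.5 port 4024 ssh2",
    "Mar  4 10:15:07 ap1 arpwatch: changed ethernet address 192.168.1.1 de:ad:be:ef:0:1 (0:11:22:33:44:55)",
    "Mar  4 10:15:09 ap1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  4 10:15:11 ap1 su[1300]: (to root) alice on /dev/pts/0",
    "this line is not syslog-formatted and is skipped",
]

Alert = Tuple[str, str, str, str]  # (rule, host, program, message)


def parse_syslog_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one syslog line into its fields, or return None if malformed."""
    m = SYSLOG_LINE.match(line)
    return m.groupdict() if m else None


def watch(lines: Iterable[str],
          rules: List[Tuple[str, Pattern[str]]] = WATCH_RULES,
          repeat_threshold: int = 3) -> List[Alert]:
    """Match each message against the rules; escalate repeated hits per host."""
    alerts: List[Alert] = []
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue  # not a syslog line; a real deployment would count these
        host, prog, msg = rec["host"], rec["prog"], rec["msg"]
        for rule, pattern in rules:
            if not pattern.search(msg):
                continue
            alerts.append((rule, host, prog, msg))
            key = (rule, host)
            counts[key] += 1
            if counts[key] == repeat_threshold:
                # Escalate once when a rule keeps firing on the same host.
                alerts.append(("repeated", host, rule, f"{repeat_threshold} matches"))
    return alerts


def follow(path: str, poll_seconds: float = 1.0) -> Iterator[str]:
    """Yield lines appended to a logfile after start, like tail -f."""
    with open(path, "r", errors="replace") as f:
        f.seek(0, os.SEEK_END)
        while True:
            line = f.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll_seconds)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in follow("/var/log/messages")
    # to watch a live consolidated logfile.
    for rule, host, prog, msg in watch(SAMPLE_LOG_LINES):
        print(f"[{rule}] {host} {prog}: {msg}")
```

The point of the `repeated` escalation is the same as swatch's threshold options: a single failed login is noise, three in a row from one source is a signal, and the alerting channel (mail, console, beep) should reflect that difference.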
