No matter how strong your security mechanisms are, if you are not logging and monitoring your logs, you are vulnerable to unforeseen attacks. Diligent logging and monitoring gives you the ability to react to attacks in real time, protecting yourself and your resources.
Due to the lack of physical security in a wireless network, low-level attacks are of a much greater concern than they would be on a wired network. ARP poisoning, as discussed in Chapter 2, allows a malicious host to act as a man in the middle for machines on the network. The static ARP settings discussed earlier in this chapter are one way to protect yourself from ARP-based problems.
However, being able to detect ARP issues on the network gives you a window into the overall security of the network. If someone on the network is attempting ARP spoofing attacks, it is safe to assume your packets are being sniffed and your data is at risk. A program called arpwatch will watch the network for you and report any unusual activity. In order to use arpwatch, the program must have access to raw frames being sent across the wire. This requires CONFIG_PACKET support in your kernel. For a complete discussion of arpwatch and how to configure it, see Section 4.1.6.1.
syslog is a common audit facility that any application on a host can use. Many standard applications, as well as the kernel log, send very useful information to syslog. Being able to direct syslog data to a desired location and monitor it gives you a view into what your system is doing as well as what others are trying to do to it.
Different Linux distributions have different syslog configurations. In general, they are configured to send syslog messages to many different logfiles based on syslog facility and severity.
Rather than break apart the log data into different files, it is sometimes useful to send all log data to one file. This allows the data to be distilled using tools such as grep and perl. These unique views of audit data tend to be much more useful than splitting the data up a priori.
In order to log all data sent to syslog to /var/log/messages, add the following line to the top of your /etc/syslog.conf:
*.* /var/log/messages
Be sure to comment out any other line that references /var/log/messages in the syslog configuration file with a hash mark (#). To force these changes to take effect without rebooting, execute killall syslogd; syslogd as root.
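The edit just described is easy to get wrong by hand on a distribution-supplied syslog.conf that already routes several facilities to /var/log/messages. The following script is an added example (not from the book and not part of syslogd) that applies the rule mechanically: it prepends the *.* catch-all line and hash-marks every other active rule whose action is /var/log/messages. The sample configuration is constructed for the example and does not come from any particular distribution.

```python
import re

# The catch-all rule the text tells you to put at the top of /etc/syslog.conf.
MESSAGES_RULE = "*.*\t/var/log/messages"
MESSAGES_PATH = "/var/log/messages"

# Constructed sample of a distribution-style syslog.conf (not a real file from
# any distribution); it splits messages across several logfiles by facility.
SAMPLE_CONF = """\
# /etc/syslog.conf -- constructed sample
auth,authpriv.*\t\t\t/var/log/auth.log
*.*;auth,authpriv.none\t\t-/var/log/syslog
mail.*\t\t\t\t-/var/log/mail.log
*.info;mail.none;authpriv.none\t/var/log/messages
"""


def parse_rule(line):
    """Split one syslog.conf line into (selector, action).

    Returns None for blank lines and comments.  A sysklogd rule is
    "<selector> <whitespace> <action>"; a leading '-' on a file action only
    disables fsync after each write, so it is dropped from the action here.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if len(parts) < 2:
        return None
    return " ".join(parts[:-1]), parts[-1].lstrip("-")


def selectors_for(text, path):
    """Return the selector of every active (uncommented) rule writing to `path`."""
    found = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None and rule[1] == path:
            found.append(rule[0])
    return found


def consolidate_syslog_conf(text):
    """Prepend the *.* catch-all rule and comment out every other rule that
    writes to /var/log/messages, as the text instructs.

    Idempotent: running it over its own output changes nothing.
    """
    out = [MESSAGES_RULE]
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None and rule[1] == MESSAGES_PATH:
            if rule[0] == "*.*":
                continue  # the catch-all is already emitted once at the top
            line = "#" + line  # hash-mark the competing rule rather than delete it
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", selectors_for(SAMPLE_CONF, MESSAGES_PATH))
    new_conf = consolidate_syslog_conf(SAMPLE_CONF)
    print("after: ", selectors_for(new_conf, MESSAGES_PATH))
    print(new_conf)
```

Run it over the real file by reading /etc/syslog.conf into `text`, writing the result back, and then restarting syslogd as the text describes; `selectors_for` before and after is a quick check that exactly one active rule, `*.*`, now feeds /var/log/messages.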
Watching logfiles is boring. When there are no interesting events in a logfile, it is easy to lose interest and stop paying attention. It is also impossible to watch logfiles all the time. swatch is a program designed to watch logfiles for you. It will tail (continuously monitor what is being written to) any ASCII logfile and watch it for interesting strings. swatch can be configured to alert you via email, console messages, or even a system beep when it detects a problem. For a complete discussion of swatch, see Section 4.1.6.3.
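The following added example ties the two halves of this section together: it tails a consolidated /var/log/messages the way swatch does and flags the arpwatch reports that signal an ARP-spoofing attempt. It is illustration written for this page, not swatch, arpwatch, or code from the book. The syslog line layout is sysklogd's; the arpwatch message wordings ("changed ethernet address", "flip flop") are assumed from arpwatch's usual reports rather than quoted from this page, and the sample log lines are constructed.

```python
import re
import sys
import time
from collections import namedtuple

Alert = namedtuple("Alert", "rule host message")

# sysklogd line layout: "<Mon dd HH:MM:SS> <host> <tag>: <message>".
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:]+): (?P<msg>.*)$"
)

# "Interesting strings" in the swatch sense: (rule name, tag pattern, message
# pattern).  The arpwatch wordings are assumed from its usual reports; adjust
# them to what your arpwatch build actually logs.
RULES = [
    ("arp-changed", re.compile(r"^arpwatch"), re.compile(r"^changed ethernet address ")),
    ("arp-flipflop", re.compile(r"^arpwatch"), re.compile(r"^flip flop ")),
]

# Constructed sample of a consolidated /var/log/messages.  The second and third
# lines are what arpwatch reports when the gateway's IP suddenly answers from a
# different MAC and then keeps switching back and forth.
SAMPLE_LOG = """\
Jan 14 10:02:11 gateway arpwatch: new station 192.168.1.23 0:30:65:1a:2b:3c
Jan 14 10:02:40 gateway arpwatch: changed ethernet address 192.168.1.1 0:30:65:1a:2b:3c (0:c:29:aa:bb:cc)
Jan 14 10:02:41 gateway arpwatch: flip flop 192.168.1.1 0:c:29:aa:bb:cc (0:30:65:1a:2b:3c)
Jan 14 10:03:05 gateway sshd[412]: Accepted publickey for alice from 192.168.1.23 port 40022 ssh2
"""


def scan(lines):
    """Return an Alert for every syslog line that matches one of RULES.

    Lines that do not parse as syslog, and lines that parse but match no rule,
    are ignored, which is exactly the noise filtering that makes one big
    logfile usable.
    """
    alerts = []
    for line in lines:
        m = SYSLOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        for name, tag_re, msg_re in RULES:
            if tag_re.search(m.group("tag")) and msg_re.search(m.group("msg")):
                alerts.append(Alert(name, m.group("host"), m.group("msg")))
                break
    return alerts


def follow(path, poll=1.0):
    """Yield lines appended to `path`, starting at its current end (tail -f)."""
    with open(path) as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    # Usage: python watch_arp.py [/var/log/messages]; with no file, run on the sample.
    if len(sys.argv) > 1:
        for alert in (a for line in follow(sys.argv[1]) for a in scan([line])):
            print("\a%s on %s: %s" % alert)  # \a rings the console bell, swatch-style
    else:
        for alert in scan(SAMPLE_LOG.splitlines()):
            print("%s on %s: %s" % alert)
```

Point it at the single logfile set up earlier and the console bell fires the moment arpwatch reports an address change; in practice you would add rules for whatever other strings matter on your network and hand the alert to mail instead of a bell, which is what swatch's configuration does for you.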