Title: Learning FreeBSD with ArthurXF, part 42: Solving the ARP spoofing problem
Source: Blog of ArthurXF (Xiao Fei), founder of the BIWEB open-source PHP WMS system
Time: Fri, 28 Mar 2008 14:57:24 +0000
Author: ArthurXF
URL: http://www.bizeway.net/read.php/321.htm

Content:

Recently one of the servers I manage was hit by ARP spoofing from another server in the same network segment, and a trojan was planted in its web pages. I asked the data center to fix it right away; amazingly, two days later it still was not fixed, and in the end they shifted the blame and claimed it was caused by a vulnerability in our own server. I strongly despise such irresponsible people! It seems we have to rely on ourselves. So, everyone, get ready.

1. The method without installing software

First, reboot and make sure the gateway address you get is the correct one. The steps are as follows. ifconfig shows something like this (the addresses inside the angle brackets and the IP addresses did not survive in the page):

bge0: flags=8843 mtu 1500
        options=1b
        inet netmask 0xffffffc0 broadcast
        00:17:08:2a:13:88
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet netmask 0xff000000

We save the gateway's information into a file. arp -f expects one "IP MAC" pair per line, so put the gateway's IP address in front of its MAC (the IP is a placeholder here; use your own gateway's):

echo "<gateway-IP> 00:17:08:2a:13:88" > /etc/ipmac

Next, use crontab -e to edit the system's scheduled tasks (cron jobs) so that the command is run repeatedly at the configured interval:

*/5 * * * * /usr/sbin/arp -f /etc/ipmac

This refreshes the gateway's MAC address every 5 minutes and keeps it correct.

Note: there is a hidden risk here. If the gateway device is replaced, that is, if the gateway's MAC address changes, the network will stop working, and you would have to go to the data center and edit the ipmac file to put in the new gateway MAC. So my advice is: back up ipmac first, but do not enable the scheduled refresh right away. Wait until you find an ARP virus, then enable the refresh, and once the virus has been cleaned up, stop the refresh so that the network connection stays normal.

2. Install ARP protection software

cd /usr/ports/security/ipguard/
make install

After installation an /etc/ethers file will be created to protect this host and to resist ARP spoofing and ARP attacks.

Start ipguard:

cd /usr/local/etc/rc.d
mv ipguard.sh.sample ipguard.sh
/usr/local/etc/rc.d/ipguard.sh start

ipguard usage in detail

ipguard - tool designed to protect LAN IP address space by ARP spoofing.

ipguard listens network for ARP packets. All permitted MAC/IP pairs listed in 'ethers' file. If it receives one with MAC/IP pair, which is not listed in 'ethers' file, it will send ARP reply with configured fake address. This will prevent not permitted host to work properly in this ethernet segment. Especially Windows(TM) hosts.

EXAMPLES

Normal method, duplex, autoupdate /etc/ethers every 5 min and send 2 fake replies:

ipguard -x -u 300 -n 2 fxp0

Read-only mode and remember last 100 not listed in `ethers' MACs. Useful for initial MAC/IP pairs collect:

ipguard -r -b 100 -f ./empty_file rl0

Do not go to background and be more verbose, with test ethers file:

ipguard -dv -f /tmp/ethers my1

TIPS

You must have read permission on /dev/bpf* if you want to start ipguard in read-only mode and read/write permission for full functional if you're not root.

First MAC/IP pair in list always taken from listening interface, so you can't occasionally block yourself.

BUGS

ipguard will not prevent changing MAC address along with IP by client.

Linux send weird ARP packet when enters net. ipguard didn't handle it.

Signals like HUP or TERM works only on new received arp packet.
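The cron job in method 1 re-pins the gateway entry blindly every five minutes, so it never tells you whether spoofing is actually happening. The script below is an added example (not from the original post) that compares the gateway MAC in the live ARP cache with the pair recorded in /etc/ipmac and only re-installs the static entry when they differ, so a mismatch is logged as a signal. The gateway IP 192.0.2.1 and the sample arp -an output are constructed; the check_gateway_mac and monitor_gateway function names are assumptions.

```shell
#!/bin/sh
# Added example: detect a gateway MAC that differs from the recorded one.
# /etc/ipmac uses the arp -f line format: "IP MAC" (gateway pair first).

# Constructed samples of FreeBSD "arp -an" output, one clean and one where
# the gateway IP is answered by a different (possibly spoofing) MAC.
SAMPLE_ARP_OK='? (192.0.2.1) at 00:17:08:2a:13:88 on bge0 expires in 1187 seconds [ethernet]
? (192.0.2.20) at 00:0c:29:aa:bb:cc on bge0 expires in 600 seconds [ethernet]'
SAMPLE_ARP_SPOOFED='? (192.0.2.1) at 00:0c:29:aa:bb:cc on bge0 expires in 1187 seconds [ethernet]'

# check_gateway_mac "<ip> <mac>" "<arp -an output>"
# Returns 0 when the cache holds the expected MAC, 1 on a mismatch,
# 2 when the gateway has no cache entry at all.
check_gateway_mac() {
    ip=${1%% *}
    want=$(printf '%s' "${1#* }" | tr 'A-F' 'a-f')
    # arp -an prints the IP in parentheses as field 2 and the MAC as field 4.
    have=$(printf '%s\n' "$2" | awk -v ip="($ip)" '$2 == ip { print tolower($4); exit }')
    if [ -z "$have" ]; then
        echo "no ARP entry for gateway $ip"
        return 2
    elif [ "$have" != "$want" ]; then
        echo "ALERT: gateway $ip answers from $have, expected $want (possible ARP spoofing)"
        return 1
    fi
    echo "gateway $ip MAC $have as expected"
    return 0
}

# Cron-friendly entry point for a real host (assumed name): reads the
# recorded pair and the live cache, re-pins only when a mismatch is seen.
monitor_gateway() {
    pair=$(head -n 1 /etc/ipmac)
    check_gateway_mac "$pair" "$(arp -an)"
    rc=$?
    [ "$rc" -eq 1 ] && arp -f /etc/ipmac
    return $rc
}
```

Run monitor_gateway from cron in place of the bare arp -f line and redirect its output to a log file; a non-zero exit status marks every interval in which the gateway MAC was not the recorded one.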