A summary of methods for preventing ARP attacks on Linux

Source: Internet
Author: User
Tags ssh

Method one: binding the gateway (the most commonly used)

A server's gateway generally does not change, so this method also applies to a VPS.
First, view the current gateway

[root@local@xiaohuai ~]# arp -a
? (218.65.22.122) at 80:fb:06:f2:4a:f4 [ether] on eth0

Run the above command over SSH to view the gateway's host name, IP address, MAC address, and the corresponding network interface.

Second, bind the gateway MAC
1) Bind

[root@local@xiaohuai ~]# echo "218.65.22.122 80:fb:06:f2:4a:f4" > /etc/safe

# Change the IP and MAC to match your own gateway. Format: gateway IP (space) MAC address
2) Activate the binding

[root@local@xiaohuai ~]# arp -f /etc/safe

Run the above command over SSH so that the binding takes effect.

Third, check whether it has taken effect

[root@local@xiaohuai ~]# arp -a
? (218.65.22.122) at 80:fb:06:f2:4a:f4 [ether] PERM on eth0

Run the arp -a command again. If the entry now carries the extra PERM flag, as in the output above, the manual binding has taken effect.
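To repeat the third step automatically, the following added example (not part of the original article) compares `arp -a` output with the bindings file and reports entries that are missing, changed, or not PERM. The function names and the 192.0.2.x sample lines are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not from the original article): audit the ARP table
# against an "IP MAC" bindings file such as the /etc/safe file created above.

# Constructed sample in `arp -a` format. The first line is the bound gateway
# entry shown above; the 192.0.2.x lines are made up for illustration.
SAMPLE_TABLE='? (218.65.22.122) at 80:fb:06:f2:4a:f4 [ether] PERM on eth0
? (192.0.2.1) at 00:00:5e:00:53:aa [ether] on eth0
? (192.0.2.2) at 00:00:5E:00:53:66 [ether] PERM on eth0
? (192.0.2.9) at <incomplete> on eth0'

# check_binding IP MAC TABLE -> prints OK, NOT_PERM, MISMATCH or MISSING.
check_binding() (
    ip=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Match "(IP) " literally so 192.0.2.1 cannot match 192.0.2.10.
    line=$(printf '%s\n' "$3" | grep -F "($ip) " | head -n 1)
    seen=$(printf '%s\n' "$line" | grep -ioE '([0-9a-f]{2}:){5}[0-9a-f]{2}' |
           head -n 1 | tr 'A-F' 'a-f')
    if [ -z "$seen" ]; then
        echo MISSING          # no entry, or still <incomplete>
    elif [ "$seen" != "$want" ]; then
        echo MISMATCH         # table holds a different MAC: possible spoofing
    elif printf '%s\n' "$line" | grep -q ' PERM '; then
        echo OK               # expected MAC and statically bound
    else
        echo NOT_PERM         # expected MAC, but a forged reply could replace it
    fi
)

# audit_bindings TABLE < bindings-file
# Prints "IP STATUS" per binding; exit status is non-zero unless all are OK.
audit_bindings() (
    rc=0
    while read -r ip mac rest || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac
        status=$(check_binding "$ip" "$mac" "$1")
        echo "$ip $status"
        [ "$status" = OK ] || rc=1
    done
    [ "$rc" -eq 0 ]
)

# Live use, as root: audit_bindings "$(arp -a)" < /etc/safe
```

Run from cron, a non-zero exit status can be used to raise an alert when the gateway entry is no longer the bound one.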


Method two: using the libnet and arpoison software

Required software

libnet: download it from the official website.
arpoison: download it from the official website.

Installation (successful on FC; other distributions can use this as a reference):

Install libnet first
tar -xvzf libnet.tar.gz
cd libnet
./configure
make
make install

Install arpoison
tar -xvzf arpoison-0.6.tar.gz
cd arpoison
gcc arpoison.c /usr/lib/libnet.a -o arpoison
mv arpoison /usr/sbin

Usage:

Usage: -i device -d dest_ip -s src_ip -t target_mac -r src_mac [-a] [-w time between packets] [-n number to send]

Example:
arpoison -i eth0 -d 172.16.18.254 -s 172.16.18.19 -t ff:ff:ff:ff:ff:ff -r 00:11:09:e8:78:dd

Explanation:

-i eth0 sends the ARP packets from the eth0 network interface
-d 172.16.18.254 sets the destination IP to 172.16.18.254
-s 172.16.18.19 sets the source IP to 172.16.18.19
-t ff:ff:ff:ff:ff:ff sets the destination MAC address to ff:ff:ff:ff:ff:ff (the ARP broadcast address)
-r 00:11:09:e8:c8:ed sets the source MAC address to 00:11:09:e8:c8:ed

I wrote a small script; by following its comments, I believe a smart reader can use it to deal with ARP attacks on Linux:

#!/bin/bash
# arpDefend.sh
#######
#yk103 #
#######

# Gateway MAC address
GATEWAY_MAC=00:d0:f8:ff:4a:23
# Destination MAC address
DEST_MAC=ff:ff:ff:ff:ff:ff
# Destination IP address
DEST_IP=172.16.18.254
# Local network interface
INTERFACE=eth0
# $INTERFACE MAC address
MY_MAC=00:11:09:e8:78:dd
# $INTERFACE IP address
MY_IP=172.16.18.19

# Create a static IP/MAC entry on this machine: $DEST_IP -> $GATEWAY_MAC
arp -s $DEST_IP $GATEWAY_MAC

# Send ARP replies so that $DEST_IP updates its entry for $MY_IP to $MY_MAC
arpoison -i $INTERFACE -d $DEST_IP -s $MY_IP -t $DEST_MAC -r $MY_MAC 1>/dev/null &

Method three: using arptables against ARP attacks


CentOS 5 installation:


wget http://superb-sea2.dl.sourceforge.net/project/ebtables/arptables/arptables-v0.0.3/arptables-v0.0.3-4.tar.gz
tar zxvf arptables-v0.0.3-4.tar.gz
cd arptables-v0.0.3-4
make
make install

arptables rule settings:

arptables -F
arptables -P INPUT ACCEPT
# Default policy
arptables -A INPUT --src-ip 192.168.1.1 --src-mac 7a:31:14:42:10:01 -j ACCEPT
# Allow a specific MAC on this network segment in, provided the IP matches the MAC
arptables -A INPUT --src-mac ! 74:8e:f8:53:dc:c0 -j DROP
# Reject any MAC that is not the gateway's
arptables -A INPUT --src-ip ! 192.168.1.1 -j DROP
# Reject any IP that is not the gateway's

Save the rules and load them at boot:

arptables-save > /etc/sysconfig/arptables
/etc/init.d/arptables save
chkconfig arptables on

Reloading the rules after they are saved produces an error; to fix it, remove the -o any field from the following file:


/etc/sysconfig/arptables

Method four: a shell script against ARP attacks



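#!/bin/bash
# Default-route line from the routing table
declare gw=$(route -n | grep -e '^0\.0\.0\.0')
# Interface name: the last field of that line
declare gwname=$(echo $gw | grep -oe '\w*$')
# Gateway IP
declare gwip=$(echo $gw | grep -oE '[0-9]{2,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}')
# Gateway MAC as currently held in the ARP table (matched case-insensitively)
declare gwmac=$(arp -n | grep -wF "$gwip" | grep -ioE '([0-9a-f]{2}:){5}[0-9a-f]{2}')
# This pins whatever MAC the table holds now, so run it while the entry is known to be correct
echo "switch $gwname arp: $gwip - $gwmac to static"
arp -s $gwip $gwmac
echo "done, turning off ARP requests ..."
ifconfig $gwname -arp
echo "all done."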
