LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 10-04-2009, 12:54 PM   #1
todd_dsm
LQ Newbie
 
Registered: Oct 2007
Location: Des Moines, IA
Distribution: Slacware 12
Posts: 23

Rep: Reputation: 16
Protect Static IP Addresses


Hey all, some user showed me something I hadn't yet considered. I have all of my servers on static ip addresses with dhcp enabled on one for xp clients.

Various servers between 192.168.0.1 - 20
DHCP enabled for users between 192.168.0.200 - 250

Anyway, some business partner, from another business and network, walked in off the street. I got him on the network and before I knew it everything stopped working.

Some d-bag configured him with a static ip address - the same one as my dhcp/dns server. I need to insure this never happens again.
===

My question is: how would you protect a range of IP Adds on linux?

I would prefer that, even if a windows xp/vista user attempt to connect to this network, they receive the message telling them that the ip add is already in use - not me when I try to restart the network service on the server.

Any help is appreciated.
 
Old 10-04-2009, 01:56 PM   #2
MS3FGX
Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 351Reputation: 351Reputation: 351Reputation: 351
You can't really, not in any completely satisfactory way. If a machine connects to your network with a static IP you are already using, there is nothing you can do to stop them. You can have the server hammer ARP to always maintain it's association with the IP, but that is going to flood the network with constant chatter.

A better option would be to set static ARP entries in all of your clients, but then this has it's own problems. Namely, if your client machines are mobile or dynamic, which is to say that you allow machines to simply be added or removed from the network at the user's will (which seems the case here, since this person brought in his own machine). It could also be a hassle later on when the server hardware is changed, your successor might have quite a time trying to figure out why none of the machines are talking to the new server. It should also be noted that this won't necessarily stop somebody from intentionally trying to confuse the client machines, as an attacker could simply spoof the MAC that is statically listed in the client's ARP tables.

Advanced switches can do static ARP tables, which would be a little easier to manage than having to set it in all the client machines. You would need to check what your network hardware is capable of.

Last edited by MS3FGX; 10-04-2009 at 01:58 PM.
 
Old 10-04-2009, 02:25 PM   #3
DrLove73
Senior Member
 
Registered: Sep 2009
Location: Srbobran, Serbia
Distribution: CentOS 5.5 i386 & x86_64
Posts: 1,118
Blog Entries: 1

Rep: Reputation: 129Reputation: 129
Best option would be to move from 192.168.0.0/24, 192.168.1.0/24, etc subnets, and use something like 192.168.199.0/24. I do not understand why EVERYBODY have to use 1192.168.0.0/24 and 192.168.1.0/24 subnets when 95% of worlds WAN, ADSL and wireless routers and AP's use them. That is like standing in the middle of the fastest lane on a crowded motorway hoping you will not be hit by speeding cars.

Also, it is good practice to set your DHCP server, gateway and such to IP's other the .1 Why not use .100 or .200 for such devices/routers? Once set, you will forget all about then unless you need to test your network.

Yet another advice is to establish a separate logical (another subnet) or physical network that will serve as easy access for business partners, with much higher level of security.

Last edited by DrLove73; 10-04-2009 at 07:39 PM.
 
Old 10-04-2009, 07:24 PM   #4
todd_dsm
LQ Newbie
 
Registered: Oct 2007
Location: Des Moines, IA
Distribution: Slacware 12
Posts: 23

Original Poster
Rep: Reputation: 16
Interesting, but how...

Quote:
Originally Posted by DrLove73 View Post
est option would be to move from 192.168.0.0/24, 192.168.1.0/24, etc subnets, and use something like 192.168.199.0/24.

Yet another advice is to establish a separate logical (another subnet) or physical network that will serve as easy access for business partners, with much higher level of security.
I like both answers but DrLove73 is making manageable sense.

I know that vpn's can link different logical networks but that seems like over kill. If you're talking about something different, then please throw some key words at me. I'll do the legwork, test, and post the results.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Changing Static IP Addresses Biggen Slackware 15 07-13-2009 09:51 PM
Howto Assign Multiple Static Public IP Addresses under SBC's PPPoE Static Ip system o trekgraham Linux - Networking 8 04-17-2007 11:51 AM
Static IP addresses BCarey Linux - Networking 5 05-06-2006 05:30 PM
Multiple static IP addresses fr0zen Linux From Scratch 5 11-23-2005 07:47 PM
2 static IP addresses on 2 eth cards Zingaro2002 Linux - Networking 8 01-21-2003 01:16 PM


All times are GMT -5. The time now is 07:39 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration