LinuxQuestions.org


Since1995 07-29-2010 10:41 AM

Blocking users who are not defined in DNS record
 
Aloha friends!!

In our organization we use a static IP addressing scheme (some departments have DHCP, which is not related to this thread). We use Squid as a proxy.

We assign each machine its IP address and make entry in our TinyDNS database, and provide those details to users, which they manually enter in their config and then access the network. We assign different range of IPs to different departments. This we consider as the "proper way" for our organization.

But we have found that a lot of users are simply guessing some IPs and using them without having any entry in our DNS record. Though this works for some, most of the time we end up having IP conflicts and disorganization in our organizational allocation policy.

So, my question is: how do I block the specific IPs whose entry is not explicitly defined in our DNS record? In other words, if the IP 192.168.20.15 (let's say he is jack.ourorganization.com) is defined in our DNS, we should allow access, whereas if IP 192.168.20.16 (this does not translate to any user as it is not defined in our DNS) is not defined in our DNS we should not allow it access to our network.

I hope my friends here will be able to guide me. Thanks in advance.

anomie 07-29-2010 11:46 AM

What you really need to be doing is monitoring this on your subnets. If not at the managed switch level, look into the arpwatch program. It is extremely handy for this purpose.

By default, OpenSSH enables a feature (the sshd_config directive is UseDNS) that will warn you when a forward and reverse DNS lookup does not match for a client. If you've not created a DNS rec for a particular IP, this should fire off a warning to your logs, and you can deal with it at that time.

Additionally, tcp wrappers (controlled using /etc/hosts.allow) provides a PARANOID wildcard that can allow you to act on sshd clients whose DNS/rDNS recs don't match up.

Still, if someone grabs an IP address that is registered with your DNS, this doesn't help you. Again, the answer is to start monitoring your subnets and more forcefully addressing the root cause of the problem.

business_kid 07-29-2010 11:54 AM

I don't know if you will, if they are on the one network. If anyone is half determined, he can surely get around what you can do. DNS resolves to dotted decimal; that's why blocking dotted decimal is a tricky approach. You could lose them for a while going to IPv6 in octal :-D. Can you split the thing up into departments, subnets, or levels and control access that way?

wertum 08-03-2010 03:40 AM

squid

unSpawn 08-05-2010 05:55 PM

Quote:

Originally Posted by wertum (Post 4053598)
squid

Please do not make single word or line posts without explaining yourself in this forum, especially since the OP already indicated using Squid.

Since1995 01-30-2011 09:50 AM

This is what I'm gonna do.

Block all local IPs in Squid and selectively allow only the registered IPs. Already compiled a database {Phew}.


** We have UPSes, biometric access devices, IP cams, instruments, fire alarms (?) etc. which may not be registered in our DNS. So I need to be careful before blocking them.

damade 02-03-2011 07:42 AM

I think you should try this acl type:

acl aclname srcdom_regex [-i] \.foo\.com ...
# regex matching client name [slow]


example:

acl good_ones srcdom_regex \.yourdomain\.com

later:
http_access deny !good_ones


hope it works for you
Regards
damade

PS: if users changing your IP is a problem for your company, why don't you look at the "arp inspection" feature on your switches.
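Added example (not code from any poster in this thread): it implements Since1995's plan of allowing only the IPs that have a record in the TinyDNS database and denying the rest, but with a Squid src ACL built from the TinyDNS data file rather than damade's srcdom_regex, so Squid does not need a working reverse lookup for every request. The sample data, the exceptions list for unregistered devices, and the /etc/squid path are assumptions.

```python
"""Build a Squid 'registered clients' allow-list from a TinyDNS data file."""
import ipaddress
from typing import Iterable

# Constructed sample TinyDNS data: '=fqdn:ip:ttl' creates A + PTR records,
# '+fqdn:ip' creates an A record only, '#' is a comment, '-' disables a line.
SAMPLE_TINYDNS_DATA = """\
# departmental static assignments
=jack.ourorganization.com:192.168.20.15:86400
=jill.ourorganization.com:192.168.20.17:86400
+printer1.ourorganization.com:192.168.30.5
-retired.ourorganization.com:192.168.20.99:86400
"""

# Devices with no DNS entry that must keep proxy access (UPS, IP cam, ...).
# Constructed values; in practice keep this list in a separate reviewed file.
UNREGISTERED_EXCEPTIONS = ["192.168.40.10", "192.168.40.11"]


def registered_ips(tinydns_data: str, local_nets: Iterable[str]) -> list[str]:
    """Return sorted, de-duplicated addresses from '=' and '+' records that
    fall inside local_nets. Other record types (NS, MX, TXT, PTR-only) and
    disabled '-' lines are ignored, so they never grant proxy access."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    found = set()
    for line in tinydns_data.splitlines():
        if not line or line[0] not in "=+":
            continue
        fields = line[1:].split(":")          # fqdn, ip, ttl, ...
        if len(fields) < 2 or not fields[1]:
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue                          # malformed address: skip it
        if any(ip in net for net in nets):    # False on IPv4/IPv6 mismatch
            found.add(ip)
    return [str(ip) for ip in sorted(found, key=lambda a: (a.version, int(a)))]


def squid_acl_lines(ips: list[str], exceptions: list[str]) -> list[str]:
    """One host entry per line for a file referenced from squid.conf as:
         acl registered src "/etc/squid/registered.txt"
         http_access deny !registered
    placed before the usual 'http_access allow localnet' rule."""
    return [f"{ip}/32" for ip in ips] + [f"{ip}/32" for ip in exceptions]


if __name__ == "__main__":
    ips = registered_ips(SAMPLE_TINYDNS_DATA, ["192.168.0.0/16"])
    print("\n".join(squid_acl_lines(ips, UNREGISTERED_EXCEPTIONS)))
```

Regenerate the file whenever the TinyDNS data changes and run `squid -k reconfigure`; the deny rule only limits proxy use, it does not stop a squatted address from causing IP conflicts on the wire.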

