LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-29-2004, 08:15 AM   #1
marlor
Member
 
Registered: May 2004
Distribution: Slackware C
Posts: 274

Rep: Reputation: 30
MAC address authentication possible?


hi people,

i was wondering if it is possible to write a script which only allows certain MAC addresses to connect to my server. so the server rejects connections if the MAC address doesn't match with the MAC addresses given to its database.
and if yes, what would be the level of security it would add?


thanks in advance

Last edited by marlor; 08-29-2004 at 08:17 AM.
 
Old 08-29-2004, 08:23 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Very little.....MAC address matching is only good for your LAN. Once packets are out on the Internet, the MAC addresses are changed and reflect the last machine to handle them, not their originating source. Also, MAC addresses are fairly easy to spoof so even from your LAN it may not add any security.
 
Old 08-29-2004, 04:17 PM   #3
bruj3w
Member
 
Registered: Mar 2004
Location: england
Distribution: slackware
Posts: 164

Rep: Reputation: 30
i disagree with the previous poster, although it is possible, mac addresses are a lot more difficult to fake than say ip addresses.

match ip addresses up to mac addresses using iptables.
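
The IP-to-MAC pairing mentioned in this post, as an added example that is not part of the original thread: a shell function that turns an allowlist of IP/MAC pairs into iptables rules using the `mac` match. The chain name `MACPAIR`, the allowlist format and the sample addresses are assumptions made for illustration.

```shell
# Added example (not from the thread): build iptables rules that accept a packet
# only when its source IP and source MAC match a listed pair.
# Constructed sample allowlist: documentation IPs, made-up MAC addresses.
ALLOWLIST='# ip        mac
192.0.2.10  00:16:3e:aa:bb:01
192.0.2.11  00:16:3E:AA:BB:02
192.0.2.12  not-a-mac'

# gen_mac_rules CHAIN: reads "IP MAC" lines on stdin, prints iptables commands.
# Malformed lines are reported on stderr and skipped, never turned into rules.
gen_mac_rules() {
    chain=${1:-MACPAIR}            # hypothetical chain name
    echo "iptables -N $chain"
    awk -v chain="$chain" '
        function is_mac(m,    p, n, i) {
            n = split(m, p, ":")
            if (n != 6) return 0
            for (i = 1; i <= 6; i++)
                if (p[i] !~ /^[0-9A-F][0-9A-F]$/) return 0
            return 1
        }
        function is_ipv4(a,    p, n, i) {
            n = split(a, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        {
            mac = toupper($2)
            if (NF != 2 || !is_ipv4($1) || !is_mac(mac)) {
                print "skipped line " NR ": " $0 > "/dev/stderr"
                next
            }
            printf "iptables -A %s -s %s -m mac --mac-source %s -j ACCEPT\n", chain, $1, mac
        }'
    # Traffic sent to this chain that matches no listed pair is dropped.
    echo "iptables -A $chain -j DROP"
}

# Print the rules for review. To use them, run the output as root and send LAN
# traffic to the chain, e.g. iptables -A INPUT -i eth0 -j MACPAIR
printf '%s\n' "$ALLOWLIST" | gen_mac_rules MACPAIR
```

The `mac` match sees only the Ethernet source address of the last hop, so these rules are meaningful only for hosts on the same LAN segment as the server.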
 
Old 08-29-2004, 08:44 PM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Code:
ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF
I am at a complete loss as to how it gets any easier.
 
Old 08-30-2004, 05:56 AM   #5
marlor
Member
 
Registered: May 2004
Distribution: Slackware C
Posts: 274

Original Poster
Rep: Reputation: 30
thanks for the replies,

Hangdog42, do you agree with bruj3w, and if yes, which parts of your first statement are still true?

thank you
 
Old 08-30-2004, 07:19 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Actually I respectfully and completely disagree with bruj3w and I stand by my first post. From my point of view, filtering on MAC addresses just doesn't give you that much in terms of added security. It certainly doesn't hurt, but it isn't going to be much of a deterrent either. It is just too easy to spoof as I showed with the ifconfig command. Anybody who can read a man page can spoof a MAC address. And as I said, even if you do filter for MAC addresses, it is only valid for computers on your LAN. Probably the biggest danger (in my opinion) is the false sense of security people may feel when filtering on MAC addresses because they somehow feel it is more secure than other forms of identification.

I guess it boils down to what you are trying to accomplish. Most servers you are likely to run have ways of restricting access and/or locking them down so if someone does gain unauthorized access, they may be limited in what they can do. Of course if you are allowing others to access your machine you should always be running an IDS like Snort and a file integrity checker like Tripwire or Aide.
 
Old 08-30-2004, 12:07 PM   #7
marlor
Member
 
Registered: May 2004
Distribution: Slackware C
Posts: 274

Original Poster
Rep: Reputation: 30
ok for example i just want to do it for an internal network. the goal being that no one comes and connects a laptop to the lan with tools on it to hack the server.

question is, ok MAC spoofing is easy, but wouldn't it take a loooong time for a person to spoof the right MAC address which matches with the MACs on the server's database?

thanks
 
Old 08-30-2004, 01:48 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
No, not at all. They can simply flood the switch with ARP entries, then they see all the LAN traffic on that switch and they can see all the MAC addresses. At that point they only have to clone one. If you're on a hub rather than a switch, or you have any broadcast traffic (almost always the case) it's even easier because the traffic will come right to them without the need to ARP flood.

If you're trying to protect against crackers, MAC filtering isn't going to help because they're skilled attackers. MAC address filtering only works against unskilled users who might casually try to get around things.
 
Old 08-30-2004, 02:13 PM   #9
bruj3w
Member
 
Registered: Mar 2004
Location: england
Distribution: slackware
Posts: 164

Rep: Reputation: 30
Quote:
Originally posted by Hangdog42
Code:
ifconfig eth0 hw ether AA:BB:CC:DD:EE:FF
I am at a complete loss as to how it gets any easier.
i stand corrected.
 
Old 08-30-2004, 06:37 PM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Oh by the way, as a practical example of just how easy this is, I was recently at a company meeting in a convention center and unfortunately the convention center's idea of "Internet access" was to put a couple of switches around the room and string miles of Cat5 over all the tables. To make matters worse, some of the switches didn't even work so half the people with cables couldn't even get access.

We bought a $60 access point at lunch and brought it in. At first it didn't work because the convention center's network required for you to pay for accounts, but the fatal flaw was that it used MAC address verification to figure out who had paid. Since it wouldn't let you get to the sign-up page if you were connecting through the WAP (strange), we just sniffed a MAC off the network of someone who was browsing the Internet and cloned it into the WAP. After that, the entire room could log on with wireless.
 
  

