Linux - Security
I was wondering if it is possible to write a script which only allows certain MAC addresses to connect to my server, so the server rejects connections if the MAC address doesn't match the MAC addresses given to its database.
And if yes, what level of security would it add?
Very little. MAC address matching is only good for your LAN. Once packets are out on the Internet, the MAC addresses are changed and reflect the last machine to handle them, not their originating source. Also, MAC addresses are fairly easy to spoof, so even from your LAN it may not add any security.
Actually I respectfully and completely disagree with bruj3w and I stand by my first post. From my point of view, filtering on MAC addresses just doesn't give you that much in terms of added security. It certainly doesn't hurt, but it isn't going to be much of a deterrent either. It is just too easy to spoof as I showed with the ifconfig command. Anybody who can read a man page can spoof a MAC address. And as I said, even if you do filter for MAC addresses, it is only valid for computers on your LAN. Probably the biggest danger (in my opinion) is the false sense of security people may feel when filtering on MAC addresses because they somehow feel it is more secure than other forms of identification.
I guess it boils down to what you are trying to accomplish. Most servers you are likely to run have ways of restricting access and/or locking them down so if someone does gain unauthorized access, they may be limited in what they can do. Of course if you are allowing others to access your machine you should always be running an IDS like Snort and a file integrity checker like Tripwire or Aide.
OK, for example, I just want to do it for an internal network, the goal being that no one comes and connects a laptop to the LAN with tools on it to hack the server.
The question is: OK, MAC spoofing is easy, but wouldn't it take a loooong time for a person to spoof the right MAC address which matches the MACs in the server's database?
No, not at all. They can simply flood the switch with ARP entries, then they see all the LAN traffic on that switch and they can see all the MAC addresses. At that point they only have to clone one. If you're on a hub rather than a switch, or you have any broadcast traffic (almost always the case) it's even easier because the traffic will come right to them without the need to ARP flood.
If you're trying to protect against crackers, MAC filtering isn't going to help because they're skilled attackers. MAC address filtering only works against unskilled users who might casually try to get around things.
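As an added example (not from anyone in this thread), the following Python shows both halves of the point made above: the MAC allow-list the original poster asked about is trivial to script, but a cloned MAC passes it unnoticed, so the only thing a defender on the LAN can realistically watch for is one allow-listed MAC answering from two IP addresses at once in the neighbour table. The allow-list and the `ip neigh`-style snapshot are constructed sample data, not taken from any real network.

```python
import re
from collections import defaultdict

# Hypothetical allow-list: the MACs the original post would keep in its "database".
ALLOWED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Constructed `ip neigh` style snapshot of a LAN segment, one neighbour entry per line.
# The allow-listed MAC 00:11:22:33:44:55 shows up at two different IPs.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.50 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
"""

# ip / dev / lladdr / state; entries without an lladdr (FAILED, INCOMPLETE) do not match.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\S+)")


def parse_neigh(text):
    """Return (ip, mac) tuples from `ip neigh` output, MACs normalised to lower case."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3).lower()))
    return entries


def is_allowed(mac):
    """The MAC filter the original post asks about. A cloned MAC passes it like the real one."""
    return mac.lower() in ALLOWED_MACS


def find_duplicate_macs(entries):
    """Map every MAC seen at more than one IP to the sorted list of those IPs.
    A host normally owns one IP per interface, so an allow-listed MAC at two IPs
    at the same moment is the one visible hint that it has been cloned."""
    ips_by_mac = defaultdict(set)
    for ip, mac in entries:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def audit(text):
    """Return (entries passing the MAC filter, allow-listed MACs seen at several IPs)."""
    entries = parse_neigh(text)
    allowed = [(ip, mac) for ip, mac in entries if is_allowed(mac)]
    suspicious = {m: ips for m, ips in find_duplicate_macs(entries).items() if is_allowed(m)}
    return allowed, suspicious
```

Running `audit(SAMPLE_NEIGH)` shows three entries passing the filter, including the clone, while only the duplicate-IP check singles out `00:11:22:33:44:55`.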
Oh by the way, as a practical example of just how easy this is, I was recently at a company meeting in a convention center and unfortunately the convention center's idea of "Internet access" was to put a couple of switches around the room and string miles of Cat5 over all the tables. To make matters worse, some of the switches didn't even work so half the people with cables couldn't even get access.
We bought a $60 access point at lunch and brought it in. At first it didn't work because the convention center's network required you to pay for accounts, but the fatal flaw was that it used MAC address verification to figure out who had paid. Since it wouldn't let you get to the sign-up page if you were connecting through the WAP (strange), we just sniffed a MAC off the network of someone who was browsing the Internet and cloned it into the WAP. After that, the entire room could log on with wireless.