Old 09-04-2009, 03:54 AM   #1
kulman
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Rep: Reputation: 0
Blocking dhcpd address lease for specific MAC address


I have CentOS 5.3 installed as a server. I have a network of approximately 100 desktops and laptops. For security purposes I want to block certain laptops from gaining network access using DHCP.

Can we block the IP address lease if a specific MAC address requests an IP lease?
 
Old 09-04-2009, 05:11 AM   #2
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 266

Rep: Reputation: 57
Yes: in the config file, put as many host statements as you want, like this:

host name {
    hardware ethernet 00:21:5a:06:49:f7;
    deny booting;
}

The name must be unique for each host.
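As an added example (not code from the thread or from ISC), the script below turns a deny list of MAC addresses into the host blocks described above. It normalises the notation the list may arrive in, derives a host name from each MAC so that names stay unique as the post requires, drops duplicate entries, and checks for collisions with host names already declared in an existing dhcpd.conf. The `syntax_check` helper only shells out to `dhcpd -t -cf <file>` when a dhcpd binary is present; the deny list and the config fragments are constructed samples.

```python
"""Generate ISC dhcpd 'host' declarations that refuse leases to listed MAC addresses.

Added example; not code from the thread. It assumes the dhcpd.conf syntax shown
in the thread (host ... { hardware ethernet ...; deny booting; }) and that the
generated text is appended to the server's dhcpd.conf.
"""
import re
import shutil
import subprocess


def normalize_mac(raw: str) -> str:
    """Accept 00:21:5a:06:49:f7, 00-21-5A-06-49-F7 or 0021.5a06.49f7 and
    return the lower-case colon form that dhcpd expects."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def host_name_for(mac: str, prefix: str = "blocked") -> str:
    """Derive a host name that is unique per MAC (dhcpd needs unique host names)."""
    return f"{prefix}-{mac.replace(':', '')}"


def deny_blocks(macs, prefix: str = "blocked") -> str:
    """Return dhcpd.conf text with one 'deny booting' host block per distinct MAC."""
    out = []
    seen = set()
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:  # the same MAC twice would produce a duplicate host name
            continue
        seen.add(mac)
        out.append(f"host {host_name_for(mac, prefix)} {{")
        out.append(f"    hardware ethernet {mac};")
        out.append("    deny booting;")
        out.append("}")
    return "\n".join(out) + ("\n" if out else "")


def existing_host_names(conf_text: str) -> set:
    """Host names already declared in a dhcpd.conf fragment."""
    return set(re.findall(r"^\s*host\s+([^\s{]+)\s*\{", conf_text, re.M))


def name_collisions(conf_text: str, generated: str) -> set:
    """Names that would be declared twice if 'generated' were appended to 'conf_text'."""
    return existing_host_names(conf_text) & existing_host_names(generated)


def syntax_check(conf_path: str) -> bool:
    """Run 'dhcpd -t -cf <file>' when dhcpd is installed; True if the config parses."""
    dhcpd = shutil.which("dhcpd")
    if dhcpd is None:
        raise RuntimeError("dhcpd not found on PATH")
    return subprocess.run([dhcpd, "-t", "-cf", conf_path], capture_output=True).returncode == 0


if __name__ == "__main__":
    # Constructed deny list: the MAC from the thread, the same MAC in another
    # notation (dropped as a duplicate) and one more address.
    DENY = ["00:21:5a:06:49:f7", "00-21-5A-06-49-F7", "0021.5a06.49f8"]
    print(deny_blocks(DENY), end="")
```

Paste the output into the server's dhcpd.conf and run `dhcpd -t -cf /etc/dhcpd.conf` (or `syntax_check`) before restarting the daemon, so that a typo in a MAC or a duplicate host name is caught before the running server is touched.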
 
Old 09-04-2009, 06:40 AM   #3
kulman
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Original Poster
Rep: Reputation: 0
It worked like a charm...
Thanks a million...

This was one part of my problem. The actual scenario is as follows...

1. DHCP server on Linux
2. All hosts (laptops and desktops) run Windows XP or Vista

I have only one NIC on the desktops, so there is no problem there. But the problem is with the laptops.

Every laptop has a NIC and WiFi. The laptops also have two operating systems installed in separate partitions.

In the first partition I have allowed WiFi with the SSID of our network and blocked the NIC with Group Policy.

In the second partition I have not given the SSID to the end users, so that they can't connect using WiFi. Using the solution given in this thread I have blocked the MAC address from taking an IP from DHCP. But in this case I think there is only one loophole left open, i.e. end users can set a static IP address, as I can't apply a Group Policy there.

Is there a way we can identify and block the network address if a user puts a static IP address on the NIC?

We are not keen on investing in any firewall or NAC solution as of now due to financial constraints.


Thanks
Mandar
 
Old 09-04-2009, 07:15 AM   #4
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 266

Rep: Reputation: 57
dhcpd just gives out an IP or not. If you want to block an IP, you can use a firewall or some other daemon but not dhcpd. An intruder can always just unplug a printer and use that IP, but then you are trying to control someone whose computer knowledge is in the top 0.1% of your users and it becomes a very difficult game.

If that isn't a problem because you have good physical control, then you might look to the wifi access point for control. It might contain a firewall you can configure. Visiting laptops at my site must login to get access and, until they do, they get a bogus IP that is blocked at the firewall for all traffic except to a login web page.

BTW, if a post does solve or help you, clicking on the thumbs up icon at the bottom right of the post, gives a little smile to the recipient as this forum does track the number of times a poster has been thanked. I guess it encourages folks to give helpful answers.
 
Old 09-04-2009, 07:38 AM   #5
kulman
LQ Newbie
 
Registered: Jul 2009
Posts: 3

Original Poster
Rep: Reputation: 0
See, my problem is not with WiFi. In my environment, no one gets an IP from WiFi connectivity unless he has the key. So that way it's secure.

My issue is with the LAN card. If the person sets a static IP then I have a problem....
 
Old 09-04-2009, 08:10 AM   #6
david1941
Member
 
Registered: May 2005
Location: St. Louis, MO
Distribution: CentOS6
Posts: 266

Rep: Reputation: 57
As do I. My reasoning is that I have no effective way to block an IP on my network except by my firewall at my router. If the intruder picks an address that is on my network, he's in. My current setup is to have a large network, 192.168.xxx.xxx, and use only a sub-network locally with limited scope. All of my machines are dynamically configured by dhcpd with fairly short lease times. I also run a local DNS for my network that is dynamically configured by my dhcpd (yes, even the printers). All leases are fairly short, and by changing the range of dhcp assignments to some other part of the available network space, I can reassign IPs to all machines fairly quickly. Then I block all outside that small range at the gateway firewall.

I can't protect against the expert intruder, though, that has access to my wired network and knows what is an accessible IP. I'll continue to watch this thread to see if you get an answer that works. Obfuscation, in the manner described above, is somewhat similar to saying that "dilution is the answer to pollution" and not really a good solution.
 
Old 09-04-2009, 12:43 PM   #7
tdeboeser
LQ Newbie
 
Registered: May 2006
Posts: 3

Rep: Reputation: 0
What type of switches/networking are you using? Depending on what devices you have, you may be able to have certain events emailed/logged. Off the top of my head, you could set up a syslog-ng/snmp server that sends messages on certain events/traps (port up and connected, IP used, MAC, etc.).

But this might be handled more simply with an office/department policy: no ports are turned up until an official request is issued. In other words, you or your staff will activate a network port once someone asks. This might seem like a pain, but it shouldn't be that difficult to handle. The only problem is turning off the port after a certain time period. For that you could use expect (best app EVAR) to look for activated ports that aren't connected and have the expect script turn them off. To simplify turning on ports (for helpdesk staff, or those who might not be switch savvy), a PHP webpage could be set up.

With scripts ( expect/perl/ksh/PHP etc. ) you can do a lot. With company supported policies you can do more.

Tom de ( my 1st post )
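The thread has established that dhcpd cannot see a host that never asks it for an address, while tdeboeser's post points at logging what actually appears on the wire. The added example below (not code from the thread) combines the two: it parses the ISC dhcpd.leases file (CentOS keeps it at /var/lib/dhcpd/dhcpd.leases) and the kernel neighbour table as printed by `ip neigh show`, then reports every address in the DHCP range that either has no active lease (a likely static IP) or is in use by a different MAC than the one dhcpd leased it to. Both inputs below are constructed samples; the pool and the exempted gateway address are assumptions for the example.

```python
"""Flag hosts on the wire that hold no active dhcpd lease (likely static IPs).

Added example, not code from the thread. It cross-checks two sources a dhcpd
server already has: the ISC dhcpd.leases file and the neighbour (ARP) table
from 'ip neigh show'. Both inputs below are constructed samples.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed dhcpd.leases excerpt. The file is append-only, so the last record
# for an address is the current one: 192.168.1.51 was handed back (state free).
LEASES = """\
lease 192.168.1.50 {
  starts 4 2009/09/04 08:00:00;
  ends 4 2009/09/04 10:00:00;
  binding state active;
  hardware ethernet 00:21:5a:06:49:f7;
  client-hostname "desktop01";
}
lease 192.168.1.51 {
  starts 4 2009/09/04 08:05:00;
  ends 4 2009/09/04 10:05:00;
  binding state active;
  hardware ethernet 00:21:5a:06:49:f8;
}
lease 192.168.1.52 {
  starts 4 2009/09/04 08:10:00;
  ends 4 2009/09/04 10:10:00;
  binding state active;
  hardware ethernet 00:21:5a:06:49:f9;
}
lease 192.168.1.51 {
  starts 4 2009/09/04 08:05:00;
  ends 4 2009/09/04 10:05:00;
  binding state free;
  hardware ethernet 00:21:5a:06:49:f8;
}
"""

# Constructed 'ip neigh show' output as seen on the DHCP server.
NEIGH = """\
192.168.1.50 dev eth0 lladdr 00:21:5a:06:49:f7 REACHABLE
192.168.1.51 dev eth0 lladdr 00:21:5a:06:49:f8 STALE
192.168.1.52 dev eth0 lladdr 00:16:d3:aa:bb:cc REACHABLE
192.168.1.77 dev eth0 lladdr 00:16:d3:dd:ee:ff REACHABLE
192.168.1.1 dev eth0 lladdr 00:0c:29:11:22:33 PERMANENT
192.168.1.99 dev eth0  FAILED
"""

# One lease record: 'lease <ip> {' up to the closing brace at the start of a line.
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.M | re.S)


def parse_active_leases(text):
    """Map IP -> MAC for addresses whose latest record is 'binding state active'."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state\s+(\w+);", body)
        hw = re.search(r"hardware ethernet\s+([0-9A-Fa-f:]+);", body)
        if state and hw and state.group(1) == "active":
            leases[ip] = hw.group(1).lower()
        else:
            leases.pop(ip, None)  # a later free/expired record supersedes an active one
    return leases


def parse_neighbours(text):
    """Map IP -> MAC for neighbour entries that resolved to a link-layer address."""
    neigh = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and "lladdr" in parts:
            neigh[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return neigh


def find_unleased(neigh, leases, pool, exempt=frozenset()):
    """Return (ip, mac, reason) for in-pool addresses dhcpd did not hand to that MAC."""
    findings = []
    for ip, mac in neigh.items():
        if ip in exempt or ip_address(ip) not in pool:
            continue
        leased_to = leases.get(ip)
        if leased_to is None:
            findings.append((ip, mac, "no active lease: probably a static IP"))
        elif leased_to != mac:
            findings.append((ip, mac, f"address leased to {leased_to}: MAC mismatch"))
    return findings


def report(leases_text=LEASES, neigh_text=NEIGH):
    """Run the check over the samples; pool and gateway exemption are assumptions."""
    pool = ip_network("192.168.1.0/24")
    return find_unleased(parse_neighbours(neigh_text), parse_active_leases(leases_text),
                         pool, exempt={"192.168.1.1"})


if __name__ == "__main__":
    for ip, mac, why in report():
        print(f"{ip:<15} {mac}  {why}")
```

The neighbour table only lists hosts that have exchanged ARP traffic with the machine running the script, so it is most complete on the default gateway; run it from cron there, feed the findings to syslog, and the "port up / MAC seen" events tdeboeser describes become a list of specific addresses to investigate or block at the gateway firewall, which is where david1941 notes enforcement has to happen.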
 
Old 09-04-2009, 01:10 PM   #8
tdeboeser
LQ Newbie
 
Registered: May 2006
Posts: 3

Rep: Reputation: 0
Oh yeah, you could also look into switch port authentication.
 
Old 03-30-2013, 01:51 PM   #9
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,223

Rep: Reputation: 86
I would like to add another question to this thread.

I have two DHCP servers on the same LAN, but offering different subnets.

How do I tell the primary server not to give an IP to a MAC address, and redirect to the other server?
 