Blocking dhcpd address lease for specific MAC address
This was one part of my problem. The actual scenario is as follows...
1. DHCP server on Linux
2. All hosts (laptops & desktops) have Windows XP & Vista OS
I have only one NIC on desktops so no problem there. But the problem is with laptops.
On every laptop we have a NIC and WiFi. The laptop also has two OSes installed in separate partitions.
In the first part I have allowed WiFi with the SSID of our network and blocked the NIC with Group Policy.
In the second partition I have not given the SSID to the end users so that they can't connect using WiFi. Using the solution given in this thread I have blocked the MAC address from taking an IP from DHCP. But in this case there is only one loophole I think is open, i.e. end users can set a static IP address, as I can't apply a Group Policy.
Is there a way we can identify and block the network address if a user puts a static IP address on the NIC?
We are not keen on investing in any firewall or NAC solutions as of now due to financial constraints.
dhcpd just gives out an IP or not. If you want to block an IP, you can use a firewall or some other daemon but not dhcpd. An intruder can always just unplug a printer and use that IP, but then you are trying to control someone whose computer knowledge is in the top 0.1% of your users and it becomes a very difficult game.
If that isn't a problem because you have good physical control, then you might look to the wifi access point for control. It might contain a firewall you can configure. Visiting laptops at my site must login to get access and, until they do, they get a bogus IP that is blocked at the firewall for all traffic except to a login web page.
BTW, if a post does solve or help you, clicking on the thumbs up icon at the bottom right of the post, gives a little smile to the recipient as this forum does track the number of times a poster has been thanked. I guess it encourages folks to give helpful answers.
As do I. My reasoning is that I have no effective way to block an IP on my network except by my firewall at my router. If the intruder picks an address that is on my network, he's in. My current setup is to have a large network, 192.168.xxx.xxx, and use only a sub-network locally with limited scope. All of my machines are dynamically configured by dhcpd with fairly short lease times. I also run a local DNS for my network that is dynamically configured by my dhcpd (yes, even the printers). All leases are fairly short, and by changing the range of dhcp assignments to some other part of the available network space, can reassign IPs to all machines fairly quickly. Then I block all outside that small range at the gateway firewall.
I can't protect against the expert intruder, though, that has access to my wired network and knows what is an accessible IP. I'll continue to watch this thread to see if you get an answer that works. Obfuscation, in the manner described above, is somewhat similar to saying that "dilution is the answer to pollution" and not really a good solution.
What type of switches/networking are you using? Depending on what devices you have, you may be able to have certain events emailed/logged. Off the top of my head, you could set up a syslog-ng/SNMP server that sends messages on certain events/traps (port up and connected, IP used, MAC, etc.).
But this might be handled more simply with an office/department policy - no ports are turned up until an official request is issued. In other words, you or your staff will activate a network port once someone asks. This might seem like a pain, but it shouldn't be that difficult to handle. The only problem being turning off the port after a certain time period. For that you could use expect (best app EVAR) to look for activated ports that aren't connected and have the expect script turn them off. To simplify turning on ports (for helpdesk staff, or those who might not be switch savvy), a PHP webpage could be set up.
With scripts (expect/perl/ksh/PHP etc.) you can do a lot. With company supported policies you can do more.
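Picking up the earlier question of how to identify a laptop that was given a static address, and the logging idea in the post above: the Python below is an added example (not code from this thread) that parses the active leases in an ISC `dhcpd.leases` file and compares them against the neighbour table as printed by `ip neigh` on the DHCP server, reporting any IP/MAC pair dhcpd never handed out. The leases text and neighbour output are constructed samples, and the `known` gateway address is an assumption.

```python
import re

# Constructed sample in ISC dhcpd.leases format (not a real capture).
SAMPLE_LEASES = """\
lease 192.168.10.50 {
  starts 3 2024/01/10 10:00:00;
  ends 3 2024/01/10 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "desk01";
}
lease 192.168.10.51 {
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
"""

# Constructed output in the style of `ip neigh show` run on the DHCP server.
SAMPLE_NEIGH = """\
192.168.10.50 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.10.77 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.10.1 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)", re.M)


def active_leases(text):
    """Return {ip: mac} for active leases; later entries supersede earlier ones."""
    out = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        if not (mac and state):
            continue
        if state.group(1) == "active":
            out[ip] = mac.group(1).lower()
        else:
            out.pop(ip, None)  # lease expired or released
    return out


def rogue_hosts(leases_text, neigh_text, known=("192.168.10.1",)):
    """IP/MAC pairs seen on the wire that dhcpd did not hand out ('known' = assumed static gateway)."""
    leases = active_leases(leases_text)
    return [(ip, mac.lower()) for ip, mac in NEIGH_RE.findall(neigh_text)
            if ip not in known and leases.get(ip) != mac.lower()]
```

On a real server feed it the contents of /var/lib/dhcp/dhcpd.leases and the output of `ip neigh show`, and list every statically configured device (gateway, printers) in `known`. The neighbour table only contains hosts that have exchanged ARP with the server, so a periodic ping sweep of the subnet before running the check makes the result more complete.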