DHCPD / Webmin: how to allow only MAC whitelist to get IP?
Hello people.
I'm using Webmin on CentOS, where I register machines with their MAC and assign an IP to each of them. On each of them I set a dynamic IP, but Webmin sends them their reserved address.
The problem is that some people with a little bit of knowledge are copying the connection info and plugging their devices into the network by searching for an available IP.
When I need to install a new machine, I set the fixed IP x.x.x.10 (reserved for logging into Webmin at people's desks), then I search for an available IP and bind that machine's MAC to an address. Then I return the machine to a dynamic address.
On Webmin I have all the machines with their MAC info. Is there a way to block MACs that aren't listed in my "whitelist"? How?
Quote:
Hello people.
I'm using Webmin on CentOS, where I register machines with their MAC and assign an IP to each of them. On each of them I set a dynamic IP, but Webmin sends them their reserved address.
The problem is that some people with a little bit of knowledge are copying the connection info and plugging their devices into the network by searching for an available IP.
When I need to install a new machine, I set the fixed IP x.x.x.10 (reserved for logging into Webmin at people's desks), then I search for an available IP and bind that machine's MAC to an address. Then I return the machine to a dynamic address. On Webmin I have all the machines with their MAC info. Is there a way to block MACs that aren't listed in my "whitelist"? How?
I bolded a part above, for emphasis only. If they are manually putting an address in, there is nothing you can do on the DHCP server to prevent that, mainly because they aren't USING the DHCP server to get an address. Since you're giving out/binding IP addresses to MAC addresses, the simplest way to do this is to turn off DHCP totally. You already have a list of IP addresses and their corresponding MAC addresses... just look at the list before you set up a new machine, and increment the address.
You *CAN* build a class within the DHCP config file, with a list of MAC addresses, and use the "deny unknown-clients" directive, but that won't prevent them from just pinging around and putting in an address manually, sidestepping your entire setup.
What you really need to do is get your higher-ups on board, and deal with these rogue users via talking-tos/write-ups/smacks-to-the-head, so they get the message.
Hello TB, thanks for the reply.
What I'm doing is: I have a machine to install, I set the machine to use x.x.x.6 so I can log in on Webmin, register that machine's MAC and then set an IP for it. After I set the IP, I change the machine settings to use a dynamic IP again, because I can't take a tablet/phone/laptop with me to access Webmin.
But thinking again, if I block unregistered MACs I wouldn't be able to use x.x.x.6 and do my thing, right?
I guess the easy way is to go to their desk, write down their MAC, set the DNS/gateway, set a reboot within 30 minutes, go back to my desk, allow that MAC, and when their machine restarts it's all working.
Quote:
Hello TB, thanks for the reply.
What I'm doing is: I have a machine to install, I set the machine to use x.x.x.6 so I can log in on Webmin, register that machine's MAC and then set an IP for it. After I set the IP, I change the machine settings to use a dynamic IP again, because I can't take a tablet/phone/laptop with me to access Webmin. But thinking again, if I block unregistered MACs I wouldn't be able to use x.x.x.6 and do my thing, right?
Correct.
Quote:
I guess the easy way is to go to their desk, write down their MAC, set the DNS/gateway, set a reboot within 30 minutes, go back to my desk, allow that MAC, and when their machine restarts it's all working.
You're making it harder than it needs to be, for what you're doing. If you're already (essentially) hard-coding addresses for each system, having DHCP is pointless. Assuming you have a small number of machines (since you're tracking MACs/IPs for every system; untenable for larger environments unless you have abundant resources/personnel), just make a list, or a simple database (even a spreadsheet would work) of addresses and MACs.
Setting up a new machine? Look at the list... find the highest address, add one, and go configure. Write down the MAC address while you're there, and plug it into the spreadsheet when you get back. No need for a tablet/phone/Webmin at ALL.
Think about what the folks are doing, and examine the issue. Assuming you just disable ICMP on your network (which may/may not be a good idea), so they can't ping around to get a free address... then what? They will just TAKE one, and conflict with another machine, maybe a server... and take it up and down along with theirs. Not good. Modify DHCP? Sure... to what end? They'll just find a free address and take it manually. You're trying to solve a personnel problem with tech, and you can't. You can either:
Go with your existing DHCP setup.
Use all static addresses, set up elaborate monitoring for unauthorized connections, and watch it like a hawk.
Or (best) get your bosses to take some action against these folks.
People will find a way around ANYTHING... it's a fool's errand to try to 'fix' a situation like this, because even *IF* you come up with something clever... so what? If nothing happens to these jokers, what's going to stop them from getting another address five minutes after they're caught, putting you back where you started? Having someone called into the boss's office and reprimanded/written up for doing something that breaks IT policy sends a message.
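The two technical points in the replies above, the "deny unknown-clients" whitelist in dhcpd.conf and the "monitoring for unauthorized connections" that a static-address setup needs, as one added example that is not code from the thread or from Webmin/dhcpd: the script reads the host reservations out of a dhcpd.conf, then compares them with the machine's neighbour table, so a MAC that was never registered, or a registered MAC that showed up on a hand-picked address instead of its reservation, is reported. The dhcpd.conf excerpt, the MAC addresses and the `ip neigh show` output are all constructed sample data.

```python
import re

# Constructed dhcpd.conf excerpt (sample, not from the thread): the host blocks
# are the MAC whitelist and "deny unknown-clients" makes dhcpd lease only to them.
DHCPD_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    deny unknown-clients;
    host pc-alice { hardware ethernet 00:11:22:33:44:01; fixed-address 192.168.10.21; }
    host pc-bob   { hardware ethernet 00:11:22:33:44:02; fixed-address 192.168.10.22; }
    host printer  { hardware ethernet 00:11:22:33:44:03; fixed-address 192.168.10.23; }
}
"""
# Constructed `ip neigh show` output from the dhcpd host: .37 is the printer's MAC
# on a manually set address, .50 is a MAC that was never registered.
IP_NEIGH = """\
192.168.10.21 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.10.22 dev eth0 lladdr 00:11:22:33:44:02 STALE
192.168.10.37 dev eth0 lladdr 00:11:22:33:44:03 REACHABLE
192.168.10.50 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.10.1 dev eth0 lladdr 00:11:22:33:44:fe REACHABLE
192.168.10.60 dev eth0  FAILED
"""
HOST_RE = re.compile(r"host\s+(\S+)\s*\{[^}]*?hardware ethernet\s+([0-9a-f:]{17});"
                     r"[^}]*?fixed-address\s+([\d.]+);", re.I)

def parse_reservations(conf):
    """Return {mac: (hostname, fixed_ip)} for every host block in dhcpd.conf."""
    return {mac.lower(): (name, ip) for name, mac, ip in HOST_RE.findall(conf)}

def parse_neigh(output):
    """Return [(ip, mac)] for neighbour entries that resolved to a MAC."""
    found = re.findall(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)", output, re.M)
    return [(ip, mac.lower()) for ip, mac in found]

def audit(conf, neigh_output, exempt=()):
    """Compare what is actually on the wire with the reservations: report MACs
    not in the whitelist and whitelisted MACs sitting on an IP they were not given."""
    reservations = parse_reservations(conf)
    findings = []
    for ip, mac in parse_neigh(neigh_output):
        if mac in exempt:                      # router and other known infrastructure
            continue
        if mac not in reservations:
            findings.append(("unknown-mac", ip, mac))
        elif reservations[mac][1] != ip:
            findings.append(("wrong-ip", ip, mac))
    return findings
```

On the real server, feed `audit()` the contents of /etc/dhcp/dhcpd.conf and the live output of `ip neigh show`; the neighbour table only lists hosts the server has recently talked to, so run it from a cron job after a broadcast ping or a scan of your own subnet to get full coverage.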