Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hey all, some user showed me something I hadn't yet considered. I have all of my servers on static IP addresses, with DHCP enabled on one of them for XP clients.
Various servers between 192.168.0.1 - 20
DHCP enabled for users between 192.168.0.200 - 250
Anyway, some business partner from another business and network walked in off the street. I got him on the network, and before I knew it everything stopped working.
Some d-bag configured him with a static IP address, the same one as my DHCP/DNS server. I need to ensure this never happens again.
===
My question is: how would you protect a range of IP addresses on Linux?
I would prefer that, even if a Windows XP/Vista user attempts to connect to this network, they receive the message telling them that the IP address is already in use, not me when I try to restart the network service on the server.
You can't really, not in any completely satisfactory way. If a machine connects to your network with a static IP you are already using, there is nothing you can do to stop them. You can have the server hammer ARP to always maintain its association with the IP, but that is going to flood the network with constant chatter.
A better option would be to set static ARP entries in all of your clients, but this has its own problems. Namely, if your client machines are mobile or dynamic, which is to say that you allow machines to simply be added to or removed from the network at the user's will (which seems to be the case here, since this person brought in his own machine). It could also be a hassle later on when the server hardware is changed; your successor might have quite a time trying to figure out why none of the machines are talking to the new server. It should also be noted that this won't necessarily stop somebody from intentionally trying to confuse the client machines, as an attacker could simply spoof the MAC that is statically listed in the clients' ARP tables.
Advanced switches can do static ARP tables, which would be a little easier to manage than having to set it in all the client machines. You would need to check what your network hardware is capable of.
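The reply above describes the ARP side of the problem: once two hosts answer for the same IP, the only evidence is two different MACs claiming it. As an added example (not code from the thread or from any poster), here is a small Python checker that runs over ARP traffic in the text format `tcpdump -n -e arp` prints, flags any IP claimed by more than one MAC, and flags a reserved server address claimed by a MAC other than its owner. It also prints the iproute2 commands that would pin the server MACs on a Linux client, the "static ARP entries" approach the reply mentions. The server/MAC table, the interface name `eth0` and the capture lines are all constructed for illustration.

```python
"""Duplicate-IP (ARP conflict) detection over tcpdump-style ARP lines.

Added example, not from the LinuxQuestions thread. Assumes ARP traffic
captured with something like `tcpdump -n -e arp` and a table of the
addresses the servers are supposed to own. All sample data is made up.
"""
import re
from collections import defaultdict

# Addresses the servers are supposed to own (assumed layout matching the
# post: servers live in 192.168.0.1-20). MAC values are invented.
EXPECTED = {
    "192.168.0.1": "00:11:22:33:44:55",   # the dhcp/dns server
    "192.168.0.2": "00:11:22:33:44:56",
}

IP = r"(\d+\.\d+\.\d+\.\d+)"
MAC = r"([0-9a-f:]{17})"
# tcpdump -n -e prints replies as "... Reply <ip> is-at <mac>, length N"
REPLY_RE = re.compile(rf"Reply {IP} is-at {MAC}", re.I)
# ... and requests as "<srcmac> > <dstmac>, ethertype ARP ... Request who-has <ip> tell <ip>"
# A gratuitous ARP (who-has X tell X) is the sender announcing it owns X.
GRAT_RE = re.compile(rf"{MAC} > [0-9a-f:]{{17}}, ethertype ARP.*Request who-has {IP} tell {IP}", re.I)


def claims_from_capture(lines):
    """Return {ip: set(macs)} for every ownership claim seen in the lines."""
    claims = defaultdict(set)
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            claims[m.group(1)].add(m.group(2).lower())
            continue
        m = GRAT_RE.search(line)
        if m and m.group(2) == m.group(3):
            claims[m.group(2)].add(m.group(1).lower())
    return claims


def find_conflicts(claims, expected):
    """Flag IPs claimed by several MACs, and reserved IPs claimed by a non-owner."""
    problems = []
    for ip, macs in sorted(claims.items()):
        if len(macs) > 1:
            problems.append((ip, "duplicate", sorted(macs)))
        owner = expected.get(ip)
        if owner:
            rogue = sorted(m for m in macs if m != owner.lower())
            if rogue:
                problems.append((ip, "rogue-claims-server-ip", rogue))
    return problems


def static_arp_commands(expected, iface="eth0"):
    """iproute2 commands that pin the server MACs on a Linux client.

    `nud permanent` makes the entry static so a later ARP reply from a
    squatter does not overwrite it. Interface name is an assumption.
    """
    return [f"ip neigh replace {ip} lladdr {mac} dev {iface} nud permanent"
            for ip, mac in sorted(expected.items())]


# Constructed capture: a visitor (00:de:ad:be:ef:01) announces 192.168.0.1,
# then both the real server and the visitor answer a client's ARP request.
SAMPLE = [
    "12:00:01.000000 00:de:ad:be:ef:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.1 tell 192.168.0.1, length 46",
    "12:00:02.000000 00:c0:ff:ee:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.1 tell 192.168.0.200, length 28",
    "12:00:02.000100 00:11:22:33:44:55 > 00:c0:ff:ee:00:01, ethertype ARP (0x0806), length 60: Reply 192.168.0.1 is-at 00:11:22:33:44:55, length 46",
    "12:00:02.000200 00:de:ad:be:ef:01 > 00:c0:ff:ee:00:01, ethertype ARP (0x0806), length 60: Reply 192.168.0.1 is-at 00:de:ad:be:ef:01, length 46",
    "12:00:03.000000 00:c0:ff:ee:00:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 60: Reply 192.168.0.200 is-at 00:c0:ff:ee:00:01, length 46",
]

if __name__ == "__main__":
    for ip, kind, macs in find_conflicts(claims_from_capture(SAMPLE), EXPECTED):
        print(f"{ip}: {kind}: {', '.join(macs)}")
    print("\n".join(static_arp_commands(EXPECTED)))
```

Feeding it a live capture is a matter of `tcpdump -l -n -e arp | python3 arpcheck.py`-style piping with `sys.stdin` in place of `SAMPLE`; the static entries it prints are exactly the kind the reply warns about, in that they must be redone on every client whenever a server NIC is replaced.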
The best option would be to move from the 192.168.0.0/24, 192.168.1.0/24, etc. subnets and use something like 192.168.199.0/24. I do not understand why EVERYBODY has to use the 192.168.0.0/24 and 192.168.1.0/24 subnets when 95% of the world's WAN, ADSL and wireless routers and APs use them. That is like standing in the middle of the fastest lane on a crowded motorway hoping you will not be hit by speeding cars.
Also, it is good practice to set your DHCP server, gateway and such to IPs other than .1. Why not use .100 or .200 for such devices/routers? Once set, you will forget all about them unless you need to test your network.
Yet another piece of advice is to establish a separate logical (another subnet) or physical network that serves as easy access for business partners, with a much higher level of security.
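DrLove73's three points (an uncommon subnet, servers and gateway away from .1, guests on their own subnet) are easy to state and easy to get subtly wrong when the DHCP pool and the static server block are laid out by hand. As an added example, not code from the thread, here is a Python checker built on the standard `ipaddress` module that validates such a plan and emits the matching ISC dhcpd `subnet` stanza. The list of "common default" subnets and the sample plans are assumptions for illustration; the DNS/router addresses in the generated stanza are whatever you pass in.

```python
"""Address-plan checker for the advice in the thread.

Added example, not from the LinuxQuestions thread. Checks that a LAN subnet
avoids the ranges consumer routers ship with, that the gateway and the
static server block are not parked at .1, that the DHCP pool does not
overlap the static block, and that a guest subnet is disjoint from the LAN.
"""
import ipaddress

# Subnets that home/SOHO routers and APs commonly default to (assumed list).
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.100.0/24", "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
)]


def check_plan(lan, servers, dhcp_pool, gateway, guest=None):
    """Return a list of problems with the plan; an empty list means it is OK.

    lan/guest: CIDR strings; servers and dhcp_pool: (first, last) tuples of
    addresses; gateway: the router address.
    """
    problems = []
    lan_net = ipaddress.ip_network(lan)
    first_host = lan_net.network_address + 1  # the ".1" address

    for net in COMMON_DEFAULTS:
        if lan_net.overlaps(net):
            problems.append(f"LAN {lan} overlaps common default {net}")

    if guest is not None and lan_net.overlaps(ipaddress.ip_network(guest)):
        problems.append(f"guest {guest} overlaps LAN {lan}")

    srv_first, srv_last = (ipaddress.ip_address(a) for a in servers)
    pool_first, pool_last = (ipaddress.ip_address(a) for a in dhcp_pool)
    for name, addr in (("server block start", srv_first), ("server block end", srv_last),
                       ("pool start", pool_first), ("pool end", pool_last)):
        if addr not in lan_net:
            problems.append(f"{name} {addr} is outside {lan}")

    # Two inclusive ranges overlap unless one ends before the other starts.
    if not (pool_last < srv_first or pool_first > srv_last):
        problems.append("DHCP pool overlaps the static server block")

    gw = ipaddress.ip_address(gateway)
    if gw == first_host:
        problems.append(f"gateway {gw} sits at the first host address")
    if srv_first == first_host:
        problems.append(f"server block starts at the first host address {srv_first}")
    return problems


def dhcpd_subnet(lan, dhcp_pool, gateway, dns):
    """Render an ISC dhcpd subnet declaration for the plan."""
    lan_net = ipaddress.ip_network(lan)
    return (
        f"subnet {lan_net.network_address} netmask {lan_net.netmask} {{\n"
        f"  range {dhcp_pool[0]} {dhcp_pool[1]};\n"
        f"  option routers {gateway};\n"
        f"  option domain-name-servers {dns};\n"
        f"}}\n"
    )


# The layout from the original post (servers .1-.20, pool .200-.250, router .1).
CURRENT_PLAN = dict(lan="192.168.0.0/24", servers=("192.168.0.1", "192.168.0.20"),
                    dhcp_pool=("192.168.0.200", "192.168.0.250"), gateway="192.168.0.1")

# A plan following the advice: odd /24, servers from .100, guests on their own /24.
PROPOSED_PLAN = dict(lan="192.168.199.0/24", servers=("192.168.199.100", "192.168.199.119"),
                     dhcp_pool=("192.168.199.200", "192.168.199.250"),
                     gateway="192.168.199.100", guest="192.168.201.0/24")

if __name__ == "__main__":
    for label, plan in (("current", CURRENT_PLAN), ("proposed", PROPOSED_PLAN)):
        print(label, check_plan(**plan) or "OK")
    print(dhcpd_subnet("192.168.199.0/24", PROPOSED_PLAN["dhcp_pool"],
                       "192.168.199.100", "192.168.199.100"))
```

The guest subnet still needs to be carried on its own VLAN or physical segment and filtered at the router to be a separate network in more than name; the checker only confirms the address plan itself is consistent.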
Quote (DrLove73): The best option would be to move from the 192.168.0.0/24, 192.168.1.0/24, etc. subnets and use something like 192.168.199.0/24.
Quote (DrLove73): Yet another piece of advice is to establish a separate logical (another subnet) or physical network that serves as easy access for business partners, with a much higher level of security.
I like both answers, but DrLove73 is making manageable sense.
I know that VPNs can link different logical networks, but that seems like overkill. If you're talking about something different, then please throw some keywords at me. I'll do the legwork, test, and post the results.