Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I need to deny unknown users who know our LAN IP address from logging in to our LAN.. anybody have a solution for this?
Quote:
Originally Posted by Winanjaya
Except for internet browsing, we are able to deny them based on MAC address.. but they are still able to get shared files, folders and printers.. any idea?
Can I also use dhcpd for doing this?
It sounds like they have physical access into your LAN (since you are referring to MAC addresses, which are directly above the physical layer), so a network firewall wouldn't help (and a DHCP server is beside the point). With that in mind, host-based security on the file/print server would be an option. What kind of file/print server is it? If you post that information, someone may show you how to set up authentication on it. Of course, this whole situation begs the question: How is it that they are gaining physical access in the first place?
The problem is they can manually configure an interface on their computer. Is there any access control list that can block access in this case, such as requiring the client to have a certificate to access the network or something like that?
Are you sharing a LAN in a suite? Where are these people who can connect? Why don't you have physical control?
How is the file service offered? Is it NFS or Samba or other?
If it is samba, then you should be using at least "Security = User" mode so only authenticated users have access.
You can also include other options in your smb.conf file for host access controls.
Using DHCP, you could control who is automatically assigned an IP address, but a person could easily assign it manually. DHCP is just a convenience that is used to provide the DNS, IP, gateway and netmask values.
---
p.s. I had this sitting a while before I posted it, so some of the questions were subsequently asked.
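The reply above recommends `security = user` plus host access controls in smb.conf. The following is an added example (not code from the thread or from the Samba project): a small Python audit that parses two constructed smb.conf samples, a permissive share-level config and a hardened user-level one, and reports the settings a defender would want flagged. The IP ranges, share names and group name are constructed assumptions.

```python
"""Audit smb.conf for share-level access, guest fallback and missing host
restrictions. Added example; the sample configs below are constructed."""
import configparser
import io

# Constructed: a permissive config that lets any host on the LAN read the
# share without a password (share-level security, guest fallback).
WEAK_SMB_CONF = """
[global]
   workgroup = OFFICE
   security = share
   map to guest = Bad User

[public]
   path = /srv/public
   guest ok = yes
   writable = yes
"""

# Constructed: the same server with user-level authentication and host
# restrictions, the direction the reply above recommends.
HARDENED_SMB_CONF = """
[global]
   workgroup = OFFICE
   security = user
   map to guest = Never
   hosts allow = 192.168.10.0/24 127.0.0.1
   hosts deny = ALL

[public]
   path = /srv/public
   guest ok = no
   valid users = @staff
   writable = yes
"""

GUEST_FALLBACK = {"bad user", "bad password", "bad uid"}


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased.

    Leading whitespace is stripped from every line first, because
    configparser would otherwise treat indented lines as continuations.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_file(io.StringIO(flat))
    return {s: {k.lower(): v.strip() for k, v in parser[s].items()}
            for s in parser.sections()}


def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []

    security = g.get("security", "user").lower()
    if security != "user":
        findings.append(f"[global] security = {security}: shares are not "
                        "tied to authenticated users; use security = user")

    if g.get("map to guest", "never").lower() in GUEST_FALLBACK:
        findings.append("[global] map to guest falls back to guest access "
                        "on failed logins; set map to guest = Never")

    if not g.get("hosts allow"):
        findings.append("[global] no hosts allow: any host that can reach "
                        "the server may connect")

    for share, opts in conf.items():
        if share in ("global", "printers", "print$"):
            continue
        if opts.get("guest ok", "no").lower() in ("yes", "true", "1"):
            findings.append(f"[{share}] guest ok = yes: share readable "
                            "without credentials")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {name} ==")
        for f in audit_smb_conf(cfg) or ["no findings"]:
            print(" -", f)
```

Run it against a real file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; `testparm -s` remains the authoritative way to see the values Samba will actually apply, including defaults not written in the file.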
Yes, it is Windows NFS and I have a LAN in a 2-floor building; people can connect from any UTP faceplate..
What do you mean by physical control? .. is that a manageable switch?
Physical control would involve, for instance, the ability to limit who can "connect from any UTP faceplate". Assuming you don't have any physical control, you should still be able to set authentication on the "Windows NFS" in order to deny access to non-authorized users. Another option would be to implement a centralized authentication system (RADIUS, Kerberos, etc) and use that to lock down access to all shared resources. Regardless of what you do, your lack of physical control creates huge security problems which go way beyond unauthorized file/print server access.
Windows NFS somehow sounds like an oxymoron. You will want to read the windows documentation on what kind of security it supports.
Quote:
For some background, from the nfs manpage (openSUSE linux):
sec=mode The RPCGSS security flavor to use for accessing files on this mount point. If the sec option is not specified, or if sec=sys is specified, the NFS client uses the AUTH_SYS security flavor for all NFS requests on this mount point. Valid security flavors are none, sys, krb5, krb5i, krb5p, lkey, lkeyi, lkeyp, spkm, spkmi, and spkmp. Refer to the SECURITY CONSIDERATIONS section for details.
You are in such a hostile environment that you should also make sure you are running firewalls on all of your hosts.
You might also consider using VPN tunnels between your hosts. Your situation is insanely insecure. NFS may be the least of your worries. You aren't in control of your network and are in an environment that resembles a hotel or open hotspot network.
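The manpage excerpt quoted above explains the `sec=` flavors: `sys` (the default) trusts the UID and GID the client asserts, while the `krb5*` flavors authenticate the user. As an added example, not from the thread, here is a Python check over a constructed Linux `/etc/exports` file that flags exports reachable from any host, exports that fall back to AUTH_SYS, and `no_root_squash`. It assumes a Linux NFS server (the poster's server is Windows, so this only illustrates the manpage's point); the paths and network are constructed.

```python
"""Audit /etc/exports entries for weak NFS security flavors and broad
client lists. Added example; the sample file below is constructed."""
import re

# Constructed /etc/exports sample; the paths and network are made up.
SAMPLE_EXPORTS = """
# constructed example file
/srv/public  *(rw,no_root_squash)
/srv/data    192.168.10.0/24(rw,sync,sec=sys)
/srv/secure  192.168.10.0/24(rw,sync,sec=krb5p,root_squash)
"""

# Flavors that authenticate the user via Kerberos rather than trusting
# the client's asserted UID (see the SECURITY CONSIDERATIONS manpage section).
STRONG_FLAVORS = {"krb5", "krb5i", "krb5p"}
CLIENT_RE = re.compile(r"([^(]+)(?:\((.*)\))?")


def parse_exports(text):
    """Return a list of (path, client, [options]) tuples.

    Each line is: <path> <client>(opt,opt) <client>(opt) ...; a client with
    no parentheses gets the server defaults (ro, sec=sys, root_squash).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients:
            m = CLIENT_RE.fullmatch(token)
            host = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            entries.append((path, host, opts))
    return entries


def security_flavors(opts):
    """Flavors the export will accept; exports allows sec=krb5p:krb5i:sys."""
    for o in opts:
        if o.startswith("sec="):
            return set(o.split("=", 1)[1].split(":"))
    return {"sys"}


def audit_exports(text):
    """Return a list of findings; empty means nothing was flagged."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host == "*":
            findings.append(f"{path}: exported to any host (*)")
        flavors = security_flavors(opts)
        if not flavors <= STRONG_FLAVORS:
            weak = ",".join(sorted(flavors - STRONG_FLAVORS))
            findings.append(f"{path} -> {host}: sec={weak} trusts the "
                            "client-asserted UID; use sec=krb5p")
        if "no_root_squash" in opts:
            findings.append(f"{path} -> {host}: no_root_squash lets a remote "
                            "root act as root on the export")
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS) or ["no findings"]:
        print(" -", f)
```

Only the `/srv/secure` line passes; `sec=krb5p` additionally encrypts the traffic in transit, which is the flavor to pair with the reply's advice about running a hostile, shared network. The matching client side is `mount -t nfs -o sec=krb5p server:/srv/secure /mnt`, which the quoted manpage documents.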