LinuxQuestions.org


anupamsaxena 12-18-2009 11:56 PM

Unique ID of machine, other than IP-Addr/MAC-Addr to prevent spoofing
 
Hi All,

I have some computers along with a server which binds the IP address to the machine's MAC address; the idea was to force each machine to use only the assigned IP address to access the LAN and Internet.
As it is also possible to change the MAC address of a machine, one can do spoofing.
Is there something else which is unique to every machine and can be used to bind with the IP address?

Regards,
Anupam

Web31337 12-19-2009 12:08 AM

A physical port on the router, maybe.

AutoBot 12-19-2009 03:16 AM

Nmap can do OS fingerprinting to give you an idea of each PC.

anupamsaxena 12-19-2009 04:56 AM

Nmap can be used to infer the remote machine's OS; it is based on a remote device's responses to specific packets.
I'm not sure whether this information is 'unique' for machines.
Can we use nmap to get something like the 'BIOS String ID' or the 'Hard Drive's unique serial number'?
And is it possible to change these values?

Web31337 12-19-2009 05:40 AM

You know, if you apply such methods, then you are probably expecting some kind of "hackish" users that may give you a headache, and you probably won't solve the problem the way you are trying to solve it now.
It would be better if you actually provided some more information about what you are really trying to do, so people here can advise you on something closer to an actual solution to the problem.

anupamsaxena 12-19-2009 06:34 AM

Setup is like this...
A machine can contact the DHCP server to get the IP address corresponding to its MAC address.
After getting the IP, it goes to the Internet via a gateway; the gateway is supposed to check whether this 'IP plus MAC combination' is right or not, and only then allow/deny the packets to go outside.

As this binding is based on the MAC address, if a user changes their MAC address then they will be allotted a different IP address (which has been given to another user) OR
they can statically assign a different 'IP plus MAC combination'.

Of course it seems "hackish" :) ..., but I just want to make sure that the machines are using only the allotted IP addresses. That is why I am searching for an alternative to the MAC address.

Web31337 12-19-2009 04:00 PM

I'm sorry, what is the problem with assigning clients one MAC address and only allowing these MAC addresses to contact DHCP? Or setting up DHCP so that it will only assign the corresponding IP to a MAC address that is in the list, and drop all others? If the guy has no real reason, he won't be so stupid as to try all possible MAC addresses to brute-force DHCP into assigning him the IP of another user. Also, all the other users could already be connected, so he will never succeed.

AutoBot 12-19-2009 04:39 PM

I can easily spoof your MAC address, deassociate you and connect as your MAC. Wireless or over LAN.

MAC address safety is a myth.

You need to figure out a better method, maybe a RADIUS server.

anupamsaxena 12-20-2009 10:49 PM

Thanks!
The RADIUS server can solve this problem; now I'm configuring the 'FreeRADIUS' software.

AutoBot 12-20-2009 10:58 PM

You're welcome.
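
An added example, not part of any post in this thread: a sketch of the gateway-side check discussed above, extended with the physical port suggested in the first reply, showing that a cloned 'IP plus MAC combination' passes the IP/MAC check but fails the port check. The binding table, addresses, port names and the "epoch port mac ip" observation format are constructed assumptions, and it presumes the switch can report which port a MAC was seen on.

```python
from collections import defaultdict

# Constructed binding table (assumption): MAC -> (assigned IP, switch port).
BINDINGS = {
    "00:16:3e:00:00:0a": ("192.168.1.10", "Gi0/1"),
    "00:16:3e:00:00:0b": ("192.168.1.11", "Gi0/2"),
}

# Constructed observations in a hypothetical "epoch port mac ip" format, e.g.
# a switch forwarding table joined with the gateway's ARP cache.
SAMPLE = """\
1000 Gi0/1 00:16:3e:00:00:0a 192.168.1.10
1005 Gi0/2 00:16:3e:00:00:0b 192.168.1.11
1010 Gi0/2 00:16:3e:00:00:0b 192.168.1.10
1020 Gi0/3 00:16:3e:00:00:0a 192.168.1.10
1030 Gi0/4 00:16:3e:00:00:0c 192.168.1.12
"""

def audit(text, bindings=BINDINGS, window=60):
    """Return (epoch, kind, detail) findings for observations that break a binding."""
    findings = []
    last_seen = defaultdict(dict)  # mac -> {port: last epoch seen there}
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, port, mac, ip = line.split()
        epoch, mac = int(epoch), mac.lower()
        if mac not in bindings:
            findings.append((epoch, "unknown-mac", f"{mac} on {port}"))
            continue
        want_ip, want_port = bindings[mac]
        if ip != want_ip:
            findings.append((epoch, "ip-mismatch", f"{mac} used {ip}, assigned {want_ip}"))
        if port != want_port:
            # The IP/MAC pair may be perfectly valid here; only the port gives it away.
            findings.append((epoch, "port-mismatch", f"{mac} on {port}, assigned {want_port}"))
        # Same MAC recently active on a different port: two devices share one address.
        for other, seen in last_seen[mac].items():
            if other != port and epoch - seen <= window:
                findings.append((epoch, "mac-on-two-ports", f"{mac} on {other} and {port}"))
        last_seen[mac][port] = epoch
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The observation at epoch 1020 carries a correct IP and MAC pair, so a gateway that checks only that combination would let it through; it is flagged here solely because of the port.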


All times are GMT -5.