LinuxQuestions.org > Linux - Server
Blocking dhcpd address lease for specific MAC address (https://www.linuxquestions.org/questions/linux-server-73/blocking-dhcpd-address-lease-for-specific-mac-address-752593/)

kulman 09-04-2009 03:54 AM

Blocking dhcpd address lease for specific MAC address
 
I have CentOS 5.3 installed as a server. I have a network of approximately 100 desktops and laptops. For security purposes I want to block certain laptops from gaining network access using DHCP.

Can we block IP address leasing if a specific MAC address requests an IP lease?

david1941 09-04-2009 05:11 AM

Yes: in the config file, put as many host statements as you want, like this:

host name {
    hardware ethernet 00:21:5a:06:49:f7;
    deny booting;
}

name must be unique for each host.
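
The host statement above in context, as an added example that is not part of the original post: a minimal ISC dhcpd configuration (the version shipped with CentOS 5 is dhcpd 3.0.x, and the file is /etc/dhcpd.conf there) with two blocked hosts, plus the equivalent written as a class so the blocked MAC list lives in one place. The subnet, addresses, MACs and host names are made up.

```conf
# Added example (not from the thread). Addresses and MACs are invented.
ddns-update-style none;     # required in dhcpd 3.x, otherwise startup fails
authoritative;              # single server on this LAN, so it may send NAKs
default-lease-time 600;
max-lease-time 7200;

# Blocked clients as a class: "match hardware" compares the hardware
# address, and the subclass literal starts with the type byte (1 = ethernet).
class "blocked" {
    match hardware;
}
subclass "blocked" 1:00:21:5a:06:49:f7;
subclass "blocked" 1:00:21:5a:06:4a:12;

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;
    pool {
        deny members of "blocked";      # class members get nothing from this pool
        range 192.168.10.100 192.168.10.200;
    }
}

# Per-host form from the post above: one host block per MAC, unique names.
# "deny booting" makes dhcpd drop DISCOVER/REQUEST from this client and log it.
host blocked-laptop-01 {
    hardware ethernet 00:21:5a:06:49:f7;
    deny booting;
}

host blocked-laptop-02 {
    hardware ethernet 00:21:5a:06:4a:12;
    deny booting;
}
```

Either mechanism alone is enough; both are shown so they can be compared. Check the file with `dhcpd -t -cf /etc/dhcpd.conf` before `service dhcpd restart`, and confirm a block is working by watching syslog (/var/log/messages on CentOS 5): a denied client produces a line such as `DHCPDISCOVER from 00:21:5a:06:49:f7 via eth0: booting disallowed` rather than a DHCPOFFER. Note the limit of this control: the MAC is whatever the client's driver says it is, so it keeps honest machines off the DHCP range but does not stop anyone who changes the address or configures a static IP, which is exactly the gap the rest of the thread turns to.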

kulman 09-04-2009 06:40 AM

It worked like a charm...
Thanks a million...

This was one part of my problem. The actual scenario is as follows:

1. DHCP server on Linux
2. All hosts (laptops and desktops) have Windows XP or Vista.

I have only one NIC on the desktops, so no problem there. But the problem is with the laptops.

Every laptop has a NIC and WiFi. The laptops also have two OSes installed in separate partitions.

In the first partition I have allowed WiFi with the SSID of our network and blocked the NIC with Group Policy.

In the second partition I have not given the SSID to the end users, so they can't connect using WiFi. Using the solution given in this thread I have blocked the MAC address from taking an IP from DHCP, but in this case I think there is only one loophole open: end users can set a static IP address, as I can't apply a Group Policy.

Is there a way we can identify and block the network address if a user puts a static IP address on the NIC?

We are not keen on investing in any firewall or NAC solutions as of now due to financial constraints.


Thanks
Mandar

david1941 09-04-2009 07:15 AM

dhcpd just gives out an IP or not. If you want to block an IP, you can use a firewall or some other daemon, but not dhcpd. An intruder can always just unplug a printer and use that IP, but then you are trying to control someone whose computer knowledge is in the top 0.1% of your users, and it becomes a very difficult game.

If that isn't a problem because you have good physical control, then you might look to the WiFi access point for control. It might contain a firewall you can configure. Visiting laptops at my site must log in to get access, and until they do, they get a bogus IP that is blocked at the firewall for all traffic except to a login web page.

BTW, if a post does solve or help you, clicking on the thumbs-up icon at the bottom right of the post gives a little smile to the recipient, as this forum does track the number of times a poster has been thanked. I guess it encourages folks to give helpful answers.

kulman 09-04-2009 07:38 AM

See, my problem is not with WiFi. In my environment no one gets an IP over WiFi unless he has the key. So that way it's secure.

My issue is with the LAN card. If the person sets a static IP, then I have a problem...

david1941 09-04-2009 08:10 AM

As do I. My reasoning is that I have no effective way to block an IP on my network except by my firewall at my router. If the intruder picks an address that is on my network, he's in. My current setup is to have a large network, 192.168.xxx.xxx, and use only a sub-network locally with limited scope. All of my machines are dynamically configured by dhcpd with fairly short lease times. I also run a local DNS for my network that is dynamically configured by my dhcpd (yes, even the printers). All leases are fairly short, and by changing the range of DHCP assignments to some other part of the available network space, I can reassign IPs to all machines fairly quickly. Then I block everything outside that small range at the gateway firewall.

I can't protect against the expert intruder, though, that has access to my wired network and knows what is an accessible IP. I'll continue to watch this thread to see if you get an answer that works. Obfuscation, in the manner described above, is somewhat similar to saying that "dilution is the answer to pollution" and not really a good solution.

tdeboeser 09-04-2009 12:43 PM

What type of switches/networking are you using? Depending on what devices you have, you may be able to have certain events emailed/logged. Off the top of my head, you could set up a syslog-ng/SNMP server that sends messages on certain events/traps (port up and connected, IP used, MAC, etc.).

But this might be handled more simply with an office/department policy: no ports are turned up until an official request is issued. In other words, you or your staff activate a network port once someone asks. This might seem like a pain, but it shouldn't be that difficult to handle. The only problem is turning off the port after a certain time period. For that you could use expect (best app EVAR) to look for activated ports that aren't connected and have the expect script turn them off. To simplify turning on ports (for helpdesk staff, or those who might not be switch-savvy), a PHP web page could be set up.

With scripts ( expect/perl/ksh/PHP etc. ) you can do a lot. With company supported policies you can do more.

Tom de ( my 1st post )

tdeboeser 09-04-2009 01:10 PM

Oh yeah, you could also look into switch port authentication.

Linux.tar.gz 03-30-2013 01:51 PM

I would like to add another question to this thread.

I have two DHCP servers on the same LAN, but offering different subnets.

How do I tell the primary server not to give an IP to a MAC address, and redirect to the other server?
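
The thread gives no answer to this last question, so here is an added example that is not part of the original page, written for the same ISC dhcpd used above and with made-up subnets and MACs. There is no "redirect" in DHCP: a client broadcasts DHCPDISCOVER, every server on the segment hears it, and the client takes the first DHCPOFFER it gets. So the way to steer one MAC to the other server is to make the primary stay silent for it, and to make the secondary answer only that MAC. In a host declaration `ignore booting` behaves like `deny booting` (no offer, no NAK) but also suppresses the "booting disallowed" log line, which keeps the primary's log quiet for a client that is meant to be served elsewhere.

```conf
# Added example (not from the thread). Two files for two servers on one LAN.

# ---- primary server: serves 192.168.10.0/24, stays silent for one MAC ----
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
# No "authoritative" on either server: an authoritative server NAKs a
# REQUEST for an address outside its own subnets ("wrong network"), and on a
# shared segment that would make each server fight the other's clients.

subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    range 192.168.10.100 192.168.10.200;
}

host handed-to-secondary {
    hardware ethernet 00:21:5a:06:49:f7;
    ignore booting;     # like "deny booting", without the syslog line
}

# ---- secondary server: serves 192.168.20.0/24 to known hosts only ----
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.20.0 netmask 255.255.255.0 {
    option routers 192.168.20.1;
    pool {
        deny unknown-clients;   # only clients with a host declaration
        range 192.168.20.100 192.168.20.200;
    }
}

# A host declaration is what makes a client "known" to dhcpd; no
# fixed-address is needed, the address still comes from the pool.
host handed-to-secondary {
    hardware ethernet 00:21:5a:06:49:f7;
}
```

Without the `deny unknown-clients` on the secondary, every client on the LAN would race both servers and some would land on the wrong subnet at random. A client that already holds a lease from the primary will keep trying to renew it and, once that lease expires, fall back to DHCPDISCOVER and pick up the secondary's offer; shorten the primary's lease times if that hand-over needs to happen quickly. Verify with `dhcpd -t` on each file and by watching which server logs the DHCPOFFER for that MAC.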

