Linux - Wireless Networking
This forum is for the discussion of wireless networking in Linux.
I had 5 workstations and a server running RHEL 4 AS connected to a switch. It runs Squid Proxy and Oracle 10g R2. The next time I went back to the site I noticed that their I.T. staff put an Access Point that was plugged into the switch, and I noticed that their laptop can even connect to my server: they can ping the server, they can query the databases. What can I do to disable that connection without removing the Access Point from the switch?
Unclear: Are you not able to disconnect the AP, or you simply don't want to?
If you don't have access to the Access Point, I know of no way to disable the connection for sure. Alternatively, you can configure iptables to block/drop incoming traffic from and to the MAC address of the laptop.
Using MAC addresses as a security measure isn't a good idea as they are insanely easy to spoof.
Can you move the AP to a different subnet? That might keep the casual intruder away. Otherwise, you need to lock down the Oracle server so that only authorized users can get to the database.
Quote:
Using MAC addresses as a security measure isn't a good idea as they are insanely easy to spoof.
Yes, but as the original poster mentioned - this is an IT Staff responsible for the rogue access point. If he doesn't have physical access to the Access Point, or if he's a "guest in their house" it may be one of the only measures he can take.
If they do forge MAC addresses after locking down, a utility like arpwatch will record this activity. If the IT House continues to access jporpilla's machines inappropriately, it may waive his organization of liability should a problem arise (of course, I don't understand the working relationship jporpilla has with the IT Staff).
jporpilla
- Do you have access or privileges to the switch in question? What machines do you have access to? Just the 5 Workstations and the Oracle machine?
- Have you spoken to the IT Staff in question about this issue?
- Why must the Access Point be there? Is your company contracted for this service?
So I have to use iptables just to allow only the five MACs of the workstations to be permitted? How do I do that, for example if the workstations have 00-30-18-BA-BA-C1, 00-30-18-BA-BA-C2, 00-30-18-BA-BA-C3, 00-30-18-BA-BA-C4 and 00-30-18-BA-BA-C5?
I don't have access to the switch; they provide the switches and all cables. I only have access to the Server and 5 Workstations. How can I configure iptables just to allow the workstations' MACs? Or how can I deny the MAC of the AP without knowing it or having access to the AP?
Alternatively, you can check your logs to see if it has captured the address of the rogue laptop.
Like Hangdog42 said, someone clever can get around it, so you may want to plan on seeing what you can get done in the long run to prevent further access.
Essentially "Allow these five, block everything else"
No, that simply isn't going to work unless jporpilla is connected directly to the local network. From the sounds of it, he is accessing from a remote location and MAC addresses aren't preserved across the Internet.
Quote:
If the IT House continues to access jporpilla's machines inappropriately, it may waive his organization of liability should a problem arise
I'm sorry, but I just don't buy this as a reason not to do some serious lock-down on the machine. And by my book, MAC address filtering doesn't even come close to being serious security. Of course one caveat here is that the IT department apparently has physical access to the box. If that is the case, then no security is going to be able to keep them out if they want to get in.
Quote:
iptables -A INPUT -m mac --mac-source 00:4F:62:00:1E:44 -j DROP
This rule is technically correct, but functionally wrong. Packets coming from computers attached to this AP are probably retaining their own MAC addresses since they are on the same LAN as your server. Even if this did work, all they would have to do is either put in a different AP or spoof the MAC address and they are past your security.
You've never stated what services need to be publicly accessible from this server, so what I'm about to suggest may need some modification.
You need to lock down the firewall completely. That means using DROP as all of the iptables defaults. Then add rules to open only the services that absolutely need to be publicly available (again, if you can give us a description of how you are trying to use the server it would really help). General access to the server should be by SSH only and it should use key-based authentication. That allows you to control what computers have general access. SSH port forwarding may be able to substitute for public access to some of the services. Again, it really depends upon what you are trying to do with this server. For example, if you are simply serving up web pages with data pulled from the database, you don't need to have the database ports exposed. If you need to access those ports from your remote location, you could forward the appropriate ports through an SSH tunnel.
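An added example, not part of the original thread: a shell function that prints (but does not load) the default-DROP ruleset described in the post above, with the five workstation MACs from earlier in the thread allowed to reach the proxy and database. The ports (SSH 22, Squid 3128, Oracle listener 1521), the function names, and leaving OUTPUT at ACCEPT so Squid can reach upstream sites are assumptions.

```shell
#!/bin/sh
# Added example: print a default-DROP ruleset in iptables-restore format.
# Assumed ports (not given in the thread): SSH 22, Squid 3128, Oracle 1521.

# Convert a MAC typed as 00-30-18-BA-BA-C1 into the colon form that
# "-m mac --mac-source" expects; fail on anything that is not a MAC.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'abcdef-' 'ABCDEF:')
    case $mac in *[!0-9A-F:]*) return 1 ;; esac   # rejects spaces/newlines too
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Print the ruleset for the MACs given as arguments. Nothing is loaded here;
# review the output, then feed it to iptables-restore as root.
build_ruleset() {
    macs=""
    for raw in "$@"; do
        m=$(normalize_mac "$raw") || { echo "bad MAC: $raw" >&2; return 1; }
        macs="$macs $m"
    done
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"   # assumption: Squid still needs outbound access
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # General access by SSH only; key-only login is set in sshd_config.
    echo "-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # The MAC match narrows who can reach the services on the local LAN. It
    # is spoofable, as the thread notes, so it does not replace database
    # authentication.
    for m in $macs; do
        for port in 3128 1521; do
            echo "-A INPUT -p tcp --dport $port -m mac --mac-source $m -m state --state NEW -j ACCEPT"
        done
    done
    echo "COMMIT"
}

# The five workstation MACs quoted in the thread.
build_ruleset 00-30-18-BA-BA-C1 00-30-18-BA-BA-C2 00-30-18-BA-BA-C3 \
              00-30-18-BA-BA-C4 00-30-18-BA-BA-C5
```

Keep a console session open while loading the output with `iptables-restore`, since a default-DROP INPUT chain cuts off any service not listed.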
I would suggest that you send them a polite letter asking them to disconnect the rogue AP since it compromises the security of the server that you have installed for them.
Opening a dialogue with them may save you a lot of work if you can make them understand the implications of what they are doing and the effects it can have.
thorn168: Yes, I already sent them a letter informing them of the security risks of the current situation, but as I have said, their IT are hard-headed, pretending they were too intelligent, and since the location and all the infrastructure belongs to them they can do experimentation.
Hangdog42: Basically I come to the site, visiting it every weekend; I never go in via SSH or through the internet. I use a MAC scanner to scan all MAC addresses connected to the network and, as I have said, I do the iptables rule iptables -A INPUT -m mac --mac-source 00:4F:62:00:1E:44 -j DROP and I'm very unsuccessful with this. As we will notice, there's no way those wireless laptops can connect to the LAN if I can block the MAC of the AP, isn't it?
Unfortunately, if they have physical access to install the AP itself, if you block that - they can physically connect a new device directly and spoof whatever IP address IS allowed.
Once you get iptables working, I suggest using arpwatch. It will log any duplicate MAC addresses in the case of spoofing, and perhaps you can script this to shut off the interface.