LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking > Linux - Wireless Networking
Old 05-17-2006, 02:37 AM   #1
jporpilla
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Rep: Reputation: 0
Securing LAN from a Wireless Intruder


I have 5 workstations and a server running RHEL 4 AS connected to a switch. It runs Squid Proxy and Oracle 10g R2. The next time I went back to the site I noticed that their I.T. staff had put in an Access Point that was plugged into the switch, and I noticed that their laptops can even connect to my server: they can ping the server, they can query the databases. What can I do to disable that connection without removing the Access Point from the switch?
 
Old 05-17-2006, 06:34 AM   #3
sonnik
Member
 
Registered: May 2001
Posts: 149

Rep: Reputation: 17
Unclear: are you not able to disconnect the AP, or do you simply not want to?

If you don't have access to the Access Point, I know of no way to disable the connection for sure. Alternatively, you can configure iptables to block/drop incoming traffic from and to the MAC address of the laptop.
 
Old 05-17-2006, 07:07 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Using MAC addresses as a security measure isn't a good idea as they are insanely easy to spoof.

Can you move the AP to a different subnet? That might keep the casual intruder away. Otherwise, you need to lock down the Oracle server so that only authorized users can get to the database.
 
Old 05-17-2006, 04:55 PM   #5
sonnik
Member
 
Registered: May 2001
Posts: 149

Rep: Reputation: 17
Quote:
Originally Posted by Hangdog42
Using MAC addresses as a security measure isn't a good idea as they are insanely easy to spoof.
Yes, but as the original poster mentioned, this is an IT staff responsible for the rogue access point. If he doesn't have physical access to the Access Point, or if he's a "guest in their house", it may be one of the only measures he can take.

If they do forge MAC addresses after locking down, a utility like arpwatch will record this activity. If the IT house continues to access jporpilla's machines inappropriately, it may waive his organization's liability should a problem arise (of course, I don't understand the working relationship jporpilla has with the IT staff).

jporpilla
- Do you have access or privileges to the switch in question? What machines do you have access to? Just the 5 workstations and the Oracle machine?
- Have you spoken to the IT Staff in question about this issue?
- Why must the Access Point be there? Is your company contracted for this service?
 
Old 05-17-2006, 08:56 PM   #6
soulestream
Member
 
Registered: Nov 2005
Posts: 183

Rep: Reputation: 30
Off the top of my head, use iptables to only allow MAC addresses for permitted machines. That can be spoofed, but should keep most people out.

BTW, whoever puts a non-locked-down access point in a business should be fired, IMO.


Soule
 
Old 05-17-2006, 08:57 PM   #7
soulestream
Member
 
Registered: Nov 2005
Posts: 183

Rep: Reputation: 30
Off the top of my head, use iptables to only allow MAC addresses for permitted machines. That can be spoofed, but should keep most people out.

BTW, whoever puts a non-locked-down access point in a business should be fired, IMO.

It might be better to go to the owner/boss and show him/her how fast it is to connect and delete the database.


Soule
 
Old 05-17-2006, 09:07 PM   #8
jporpilla
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
So I have to use iptables just to allow only the five MACs of the workstations to be permitted? How do I do that, for example if the workstations have 00-30-18-BA-BA-C1, 00-30-18-BA-BA-C2, 00-30-18-BA-BA-C3, 00-30-18-BA-BA-C4 and 00-30-18-BA-BA-C5?
 
Old 05-17-2006, 09:10 PM   #9
jporpilla
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
I don't have access to the switch; they provide the switches and all cables. I have access only to the server and the 5 workstations. How can I configure iptables just to allow the workstations' MACs? Or how can I deny the MAC of the AP without knowing it or having access to the AP?
 
Old 05-18-2006, 01:04 AM   #10
sonnik
Member
 
Registered: May 2001
Posts: 149

Rep: Reputation: 17
You should be able to set up a rule that allows only the known MAC addresses.

Essentially "Allow these five, block everything else"

Just Google for "iptables filter MAC address"

See something like...
http://www.cyberciti.biz/nixcraft/vi...-filtering.php

Alternatively, you can check your logs to see if it has captured the address of the rogue laptop.

Like Hangdog42 said, someone clever can get around it, so you may want to plan on seeing what you can get done in the long run to prevent further access.
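Sonnik's "allow these five, block everything else" worked out as a script, as an added example that is not part of the thread: it turns the five workstation MACs jporpilla posted into an iptables allowlist chain on the server's LAN interface. The interface name eth0 is an assumption. As later replies in the thread point out, the AP bridges the laptops onto the LAN, so frames arrive with each laptop's own MAC (not the AP's), and a spoofed MAC passes this filter unchallenged; treat it as one layer in front of the service rules, not as the security boundary.

```shell
#!/bin/sh
# Added example, not from the thread: "allow these five, block everything else"
# as an iptables MAC allowlist on the server's LAN interface.  Without
# arguments the script prints the iptables commands; "--apply" (as root)
# executes them.
# Caveats the thread already raises: this only sees Ethernet source addresses
# of hosts on the same segment (the AP bridges, so frames carry the laptop's
# MAC, not the AP's), and a spoofed MAC walks straight past it.
# Assumption, not from the thread: the LAN-facing interface is eth0.

LAN_IF=eth0
# The five workstation MACs exactly as posted in the thread.
ALLOWED_MACS="00-30-18-BA-BA-C1 00-30-18-BA-BA-C2 00-30-18-BA-BA-C3 00-30-18-BA-BA-C4 00-30-18-BA-BA-C5"

# 00-30-18-BA-BA-C1 -> 00:30:18:ba:ba:c1 (iptables expects colon separators;
# lowercase gives one canonical form for later comparison with arpwatch logs).
mac_canonical() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/-/:/g'
}

# Emit the rule set, one iptables command per line.
mac_allowlist_rules() {
    # A dedicated chain keeps the allowlist apart from the rest of the
    # firewall and can be flushed and reloaded on its own.
    echo "iptables -N MACFILTER 2>/dev/null || true"
    echo "iptables -F MACFILTER"
    for mac in $ALLOWED_MACS; do
        # Known workstation: return to INPUT so the normal service rules apply.
        echo "iptables -A MACFILTER -m mac --mac-source $(mac_canonical "$mac") -j RETURN"
    done
    # Anything still in the chain is not one of the five: log (rate-limited) and drop.
    echo "iptables -A MACFILTER -m limit --limit 5/min -j LOG --log-prefix \"MACFILTER drop: \""
    echo "iptables -A MACFILTER -j DROP"
    # Hook the chain in first on the LAN interface; lo carries no Ethernet
    # header and is deliberately left out.
    echo "iptables -I INPUT 1 -i $LAN_IF -j MACFILTER"
}

# Number of sources the allowlist admits (sanity check against ALLOWED_MACS).
mac_allowlist_count() {
    mac_allowlist_rules | grep -c 'mac-source'
}

if [ "${1:-}" = "--apply" ]; then
    mac_allowlist_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
else
    mac_allowlist_rules
fi
```

Run it without arguments to review the generated commands; `sh macfilter.sh --apply` as root loads them. The RETURN target means a permitted workstation is only allowed past the MAC check, so whatever service rules already exist in INPUT still decide what it may reach.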
 
Old 05-18-2006, 01:35 AM   #11
jporpilla
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
I followed the links but haven't been successful yet. The MAC address of the AP is 00:4F:62:00:1E:44, so I input

iptables -A INPUT -m mac --mac-source 00:4F:62:00:1E:44 -j DROP

what was wrong with it?
 
Old 05-18-2006, 07:18 AM   #12
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Essentially "Allow these five, block everything else"

No, that simply isn't going to work unless jporpilla is connected directly to the local network. From the sounds of it, he is accessing from a remote location and MAC addresses aren't preserved across the Internet.

Quote:
If the IT house continues to access jporpilla's machines inappropriately, it may waive his organization's liability should a problem arise
I'm sorry, but I just don't buy this as a reason not to do some serious lock-down on the machine. And in my book, MAC address filtering doesn't even come close to being serious security. Of course one caveat here is that the IT department apparently has physical access to the box. If that is the case, then no security is going to be able to keep them out if they want to get in.

Quote:
iptables -A INPUT -m mac --mac-source 00:4F:62:00:1E:44 -j DROP
This rule is technically correct, but functionally wrong. Packets coming from computers attached to this AP are probably retaining their own MAC addresses since they are on the same LAN as your server. Even if this did work, all they would have to do is either put in a different AP or spoof the MAC address and they are past your security.

You've never stated what services need to be publicly accessible from this server, so what I'm about to suggest may need some modification.

You need to lock down the firewall completely. That means using DROP as all of the iptables defaults. Then add rules to open only the services that absolutely need to be publicly available (again, if you can give us a description of how you are trying to use the server it would really help). General access to the server should be by SSH only and it should use key-based authentication. That allows you to control what computers have general access. SSH port forwarding may be able to substitute for public access to some of the services. Again, it really depends upon what you are trying to do with this server. For example, if you are simply serving up web pages with data pulled from the database, you don't need to have the database ports exposed. If you need to access those ports from your remote location, you could forward the appropriate ports through an SSH tunnel.
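Hangdog42's lock-down carried through, as an added example that is not part of the thread: a default-DROP iptables baseline that admits SSH and the Squid proxy from the five workstations only, the sshd_config directives that leave key-based authentication as the only way in, and the SSH port-forward a workstation would use to reach Oracle without the listener port ever being opened on the LAN. Assumed and not from the thread: interface eth0, workstations at 192.168.1.11 to 192.168.1.15, server at 192.168.1.10, a login account named dba, Squid on its default port 3128 and the Oracle listener on its default port 1521.

```shell
#!/bin/sh
# Added example, not from the thread: a default-DROP iptables baseline for a
# LAN-only server.  Only SSH (key-based) and the Squid proxy are reachable,
# and only from the five workstations; the Oracle listener is reached through
# an SSH tunnel and never opened on the LAN.  Without arguments the script
# prints the commands; "--apply" (as root) executes them.
# Assumptions, not from the thread: eth0, workstations 192.168.1.11-15,
# server 192.168.1.10, login account "dba", Squid on 3128, Oracle on 1521.

LAN_IF=eth0
SERVER_IP=192.168.1.10
WORKSTATIONS="192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.14 192.168.1.15"
SQUID_PORT=3128
ORACLE_PORT=1521     # deliberately never opened by lockdown_rules

# Emit the firewall, one iptables command per line.  ACCEPT rules go in
# first and the DROP policies last, so an admin session that is open while
# the script runs is not cut off halfway through.
lockdown_rules() {
    echo "iptables -F"
    echo "iptables -X"
    # Loopback: local services and the server-side end of the SSH tunnel.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies to connections already accepted or initiated by the server.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The server may open outbound connections (Squid fetching pages, updates).
    echo "iptables -A OUTPUT -m state --state NEW -j ACCEPT"
    # Per-workstation access to the only two services that must be reachable.
    for ws in $WORKSTATIONS; do
        echo "iptables -A INPUT -i $LAN_IF -s $ws -p tcp --dport 22 -m state --state NEW -j ACCEPT"
        echo "iptables -A INPUT -i $LAN_IF -s $ws -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) what the policy is about to drop, so rogue clients
    # show up in syslog instead of silently timing out.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"INPUT drop: \""
    # "DROP as all of the iptables defaults": nothing else gets through.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
}

# sshd_config directives that leave key-based authentication as the only way in.
sshd_keyonly_config() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# What a workstation user runs to reach Oracle: the listener port stays closed
# on the LAN, the key-authenticated SSH session carries the traffic, and the
# database client is pointed at localhost:1521 on the workstation.  Assumes
# the listener accepts connections on the server's loopback address.
oracle_tunnel_cmd() {
    echo "ssh -N -L $ORACLE_PORT:127.0.0.1:$ORACLE_PORT dba@$SERVER_IP"
}

# Self-check: true when no rule opens the Oracle port on the LAN.
oracle_not_exposed() {
    ! lockdown_rules | grep -q -- "--dport $ORACLE_PORT"
}

if [ "${1:-}" = "--apply" ]; then
    lockdown_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
else
    lockdown_rules
    echo "# sshd_config:"; sshd_keyonly_config
    echo "# from a workstation:"; oracle_tunnel_cmd
fi
```

The ordering inside lockdown_rules matters when it is applied from an SSH session: the ESTABLISHED rule is in place before the INPUT policy flips to DROP, so the session survives. The sshd_config lines only take effect after each workstation user's public key is in ~/.ssh/authorized_keys on the server and sshd has been restarted.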
 
Old 05-18-2006, 06:21 PM   #13
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

Rep: Reputation: 42
I would suggest that you send them a polite letter asking them to disconnect the rogue AP since it compromises the security of the server that you have installed for them.

Opening a dialogue with them may save you a lot of work if you can make them understand the implications of what they are doing and the effects it can have.
 
Old 05-21-2006, 09:30 PM   #14
jporpilla
LQ Newbie
 
Registered: Apr 2005
Posts: 9

Original Poster
Rep: Reputation: 0
thorn168: Yes, I already sent them a letter informing them of the security risks of the current situation, but as I have said their IT are hard-headed, pretending they were too intelligent, and since the location and all the infrastructure belong to them they can do experimentation..

Hangdog42: Basically I come to the site, visiting it every weekend; I never go in over SSH or through the internet. I use a MAC scanner to scan all MAC addresses connected to the network, and as I have said I do the iptables command iptables -A INPUT -m mac --mac-source 00:4F:62:00:1E:44 -j DROP and I'm very unsuccessful with this. As we will notice, there's no way those wireless laptops can connect to the LAN if I can block the MAC of the AP, isn't it?
 
Old 05-21-2006, 11:11 PM   #15
sonnik
Member
 
Registered: May 2001
Posts: 149

Rep: Reputation: 17
Unfortunately, if they have physical access to install the AP itself, then if you block that they can physically connect a new device directly and spoof whatever IP address IS allowed.

Once you get iptables working, I suggest using arpwatch. It will log any duplicate MAC addresses in the case of spoofing, and perhaps you can script this to shut off the interface.
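Sonnik's arpwatch suggestion carried through, as an added example that is not part of the thread: arpwatch logs a "changed ethernet address" or "flip flop" line whenever the MAC behind an IP changes, which on a LAN with five fixed workstations is the signature of a borrowed address. The script extracts those events from syslog-style input, counts them against a threshold, and with --enforce takes the interface down. The log lines embedded in it are constructed in arpwatch's message style (not real captures), eth0 is an assumption, and pointing LOG_FILE at the real syslog file runs it against live data.

```shell
#!/bin/sh
# Added example, not from the thread: turn arpwatch's syslog lines into a
# spoofing alert and, optionally, an automatic interface shutdown.  arpwatch
# logs "changed ethernet address" and "flip flop" when the MAC behind an IP
# changes; with five fixed workstations either one means a permitted address
# is being borrowed.
# Assumptions, not from the thread: interface eth0; the sample lines below
# are constructed in arpwatch's syslog style and are not real captures.
# Usage: sh arpcheck.sh [--enforce] [threshold]   (LOG_FILE=... for live data)

LAN_IF=eth0

SAMPLE_LOG='May 21 21:05:01 dbsrv arpwatch: new station 192.168.1.11 0:30:18:ba:ba:c1 eth0
May 21 21:06:14 dbsrv arpwatch: changed ethernet address 192.168.1.11 0:4f:62:0:1e:44 (0:30:18:ba:ba:c1) eth0
May 21 21:06:20 dbsrv arpwatch: flip flop 192.168.1.11 0:30:18:ba:ba:c1 (0:4f:62:0:1e:44) eth0
May 21 21:07:02 dbsrv arpwatch: new station 192.168.1.12 0:30:18:ba:ba:c2 eth0'

# Read arpwatch syslog lines on stdin; print "IP NEW_MAC OLD_MAC" for every
# address change.  "new station" lines are normal and ignored.
spoof_events() {
    awk '/arpwatch: (changed ethernet address|flip flop)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                new_mac = $(i + 1); old_mac = $(i + 2)
                gsub(/[()]/, "", old_mac)   # the previous address is in parentheses
                print $i, new_mac, old_mac
                break
            }
    }'
}

# Number of address changes in the input on stdin.
spoof_count() {
    spoof_events | wc -l | tr -d ' '
}

# True (exit 0) when the input on stdin holds more than $1 changes (default 0).
spoof_detected() {
    [ "$(spoof_count)" -gt "${1:-0}" ]
}

if [ "${1:-}" = "--enforce" ]; then ENFORCE=1; shift; else ENFORCE=0; fi
THRESHOLD=${1:-0}
if [ -n "${LOG_FILE:-}" ]; then input=$(cat "$LOG_FILE"); else input=$SAMPLE_LOG; fi

# Report every change, then decide whether to act.  Enforcement is opt-in:
# taking the LAN interface down makes the database unreachable (for everyone)
# until an admin has looked, which is the trade-off the thread describes.
printf '%s\n' "$input" | spoof_events
if printf '%s\n' "$input" | spoof_detected "$THRESHOLD"; then
    echo "arpcheck: address changes on $LAN_IF exceed threshold $THRESHOLD" >&2
    if [ "$ENFORCE" -eq 1 ]; then
        ip link set "$LAN_IF" down
    fi
fi
```

On the sample input the script reports two changes for 192.168.1.11 (the workstation's address taken over by 0:4f:62:0:1e:44, then flipping back) and exits without touching the interface unless --enforce was given. Run from cron against a syslog file rotated per day, the threshold keeps a single DHCP-driven change from taking the server off the LAN.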
 
  

