temporarily blocking an IP: dhcp users & arpwatch

Post by gaius.petroni » Tue, 25 Dec 2001 18:15:19


> > This might be simple, but somehow i doubt it:

> > i have some windoze users who are configured via dhcp by my linux
> > dhcp/bootp server.  There are some creative users who want to screw
> > around with their tcpip and configure a static address.  This static
> > address sometimes conflicts with machines which boot up later in the
> > day and this renders them useless until the problem is noticed.

> > is there a program (or a way to write one) that can prevent certain ip
> > address from broadcasting on the network unless they resolve to a
> > particular ethernet address?  i have a central switch at my disposal
> > as well.

> > what might be the best way to manage this assuming the users won't
> > listen to reason?

> Serve static IP numbers to users who want a static IP number.  

> There is a utility out there called arping that returns the mac addy
> when you ping the IP number which could be helpful.

> - cameron

ok guys the windoze crew is saying that this radius (??) software can
do the job and maintain a hash of ip and ethernet addresses, serving
only those dhcp client requests from the correct ethernet address.

i can't imagine we in the Unix world don't have a clean solution
outside of hacking the damn dhcpd daemon itself to maintain that hash
and only serve "authorized" ethernet addresses the "authorized" ip
address.

anyone have any comments/suggestions

and someone said Linux has radius True [] False []
so what
anyway i don't like the sound of this crap.


temporarily blocking an IP: dhcp users & arpwatch

Post by ynotsso » Tue, 25 Dec 2001 18:48:29

...
>>> i have some windoze users who are configured via dhcp by my linux
>>> dhcp/bootp server.  There are some creative users who want to screw
>>> around with their tcpip and configure a static address.  This static
>>> address sometimes conflicts with machines which boot up later in the
>>> day and this renders them useless until the problem is noticed.
...
>>> what might be the best way to manage this assuming the users won't
>>> listen to reason?
...
> ok guys the windoze crew is saying that this radius (??) software can
> do the job and maintain a hash of ip and ethernet addresses, serving
> only those dhcp client requests from the correct ethernet address.

> i can't imagine we in the Unix world don't have a clean solution
> outside of hacking the damn dhcpd daemon itself to maintain that hash
> and only serve "authorized" ethernet addresses the "authorized" ip
> address.

...

Why would any administrator want to play patty-cake with the users?

State the policy, DHCP only. If they won't follow the policy, simply disable
their account on the PDC until they straighten up and fly right.

Period. It's that simple. A network without discipline is anarchy.

    tony



temporarily blocking an IP: dhcp users & arpwatch

Post by avalo.. » Wed, 26 Dec 2001 00:06:37

> i can't imagine we in the Unix world don't have a clean solution outside
> of hacking the damn dhcpd daemon itself to maintain that hash and only
> serve "authorized" ethernet addresses the "authorized" ip address.

Why not just set up all static IPs in the dhcpd configuration, and leave
out the dynamic IP section.  I haven't tried that myself but don't see any
reason why it shouldn't work.  Of course, someone on here may know
better...

If you have to put a new NIC on the network, just pop it in a machine,
give it a static IP, and find out what the MAC address is.  That is,
unless the MAC address is printed on the card or the box it came in (as it
should be).

--
----------------------------------------------------------------------
Brian Smith  //  Sound it out:  avalon73 at arthurian dot nu
Software Developer  //  Gamer  //  Webmaster  //  System Administrator


temporarily blocking an IP: dhcp users & arpwatch

Post by cjackso » Wed, 26 Dec 2001 01:50:58
On 24 Dec 2001 01:15:19 -0800

[snipped]

> and someone said Linux has radius True [] False []
> so what
> anyway i don't like the sound of this crap.

Remote Authentication Dial In User Service
Linux can be a great RADIUS server.
http://serverwatch.internet.com/articles/radius/
Cistron Telecom makes GPL RADIUS server ver 1.6.4 http://www.radius.cistron.nl

But this is conventionally used for dial-in service, not LAN ethernet. In M$ networking the OS gets an IP long before the user authenticates. If it were at all possible, all clients would have to be reconfigured as RADIUS clients. I think it would work. The real issue is this......

A) You are running DHCP.
B) Some prankster steals the IP by setting Computer A's IP to static.  
C) Computer B that was assigned that IP by DHCP reports an IP conflict.
D) Why doesn't the Linux DHCP server then say to Computer B "Your IP has been reassigned, please take this other IP that is available." and then the client says "OK, I'll release/renew. Thanks"
E) Is the client OS capable of releasing/renewing? I bet not, even using winipcfg/ipconfig.

Answer:
M$ DHCP is crap. It doesn't work on the server and it's really screwed on the clients, esp 9x. Get new clients or go static.


temporarily blocking an IP: dhcp users & arpwatch

Post by gaius.petroni » Wed, 26 Dec 2001 10:17:26
> Why would any administrator want to play patty-cake with the users?

> State the policy, DHCP only. If they won't follow the policy, simply disable
> their account on the PDC

PDC?
HELLO
This is Unix dhcpd and win98/win2000 machines.

But you do have a point here when you suggest attacking the problem at
the intersection of user account and ip.  Unfortunately i have not
seen any link in Unix between a user's account and the ip.  The 'last'
command and the messages, samba log files can tell me that they have
logged in _after_ the fact.

What kind of a solution would it be to scan the logs for an ip and
then kill the session if it is not an authorized username-ip
combination?

If this is a good solution for a network in general, then i'd have to
change the way we map ips to machines and simply map ips to users.

i originally wanted an ip to map to an ethernet address and presumably
a machine, where multiple username logins were acceptable.

but i am interested in any comments on the above method of handling
this problem.  Of course then i'd need to locate their samba session
in the process table and kill it.


temporarily blocking an IP: dhcp users & arpwatch

Post by gaius.petroni » Wed, 26 Dec 2001 10:25:06

> > i can't imagine we in the Unix world don't have a clean solution outside
> > of hacking the damn dhcpd daemon itself to maintain that hash and only
> > serve "authorized" ethernet addresses the "authorized" ip address.

> Why not just set up all static IPs in the dhcpd configuration, and leave
> out the dynamic IP section.  

That is *exactly* what i have been doing all along.
if you read the original post, the problem is when a different machine
boots with a static ip before the authorized ethernet address can
obtain his reserved ip address.

> I haven't tried that myself but don't see any
> reason why it shouldn't work.  Of course, someone on here may know
> better...

It's very easy: see man dhcpd.conf

> If you have to put a new NIC on the network, just pop it in a machine,
> give it a static IP, and find out what the MAC address is.  That is,
> unless the MAC address is printed on the card or the box it came in (as it
> should be).

Thanks for the tip on determining ethernet addresses.
i used arp on the server side and winipcfg.exe on the user's windoze
os.
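The check the thread keeps circling around, written out as an added example (not code from anyone in the thread): read the per-host reservations from a dhcpd.conf with no dynamic range, as avalo and gaius describe, then compare them with what `arp -an` on the server actually sees and list every IP that is being used by a NIC other than the one it is reserved for. The config fragment and the ARP output below are constructed sample data; the regexes assume the ISC `host { hardware ethernet ...; fixed-address ...; }` syntax.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed dhcpd.conf fragment: only reservations, no "range" statement.
DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 { option routers 192.168.1.1; }
host alice-pc { hardware ethernet 00:50:56:AA:01:01; fixed-address 192.168.1.10; }
host bob-pc   { fixed-address 192.168.1.11; hardware ethernet 00:50:56:aa:01:02; }
"""

# Constructed `arp -an` output from the Linux dhcp server.
ARP_OUTPUT = """
? (192.168.1.1) at 00:50:56:ff:00:01 [ether] on eth0
? (192.168.1.10) at 00:50:56:aa:01:01 [ether] on eth0
? (192.168.1.11) at 00:50:56:aa:02:99 [ether] on eth0
? (192.168.1.12) at 00:50:56:aa:01:03 [ether] on eth0
"""

HOST_BLOCK_RE = re.compile(r"host\s+\S+\s*\{([^}]*)\}")
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
FIXED_RE = re.compile(r"fixed-address\s+(\d+\.\d+\.\d+\.\d+)\s*;")
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)\s+at\s+([0-9a-fA-F:]+)")


def load_reservations(conf: str) -> Dict[str, str]:
    """Map each reserved IP to the (lower-cased) MAC dhcpd will hand it to.
    Statement order inside a host block does not matter."""
    reservations: Dict[str, str] = {}
    for block in HOST_BLOCK_RE.findall(conf):
        mac, ip = MAC_RE.search(block), FIXED_RE.search(block)
        if mac and ip:
            reservations[ip.group(1)] = mac.group(1).lower()
    return reservations


def parse_arp(output: str) -> List[Tuple[str, str]]:
    """(ip, mac) pairs currently in the server's ARP cache."""
    return [(ip, mac.lower()) for ip, mac in ARP_RE.findall(output)]


def find_conflicts(reservations: Dict[str, str], observed: List[Tuple[str, str]],
                   exempt: Tuple[str, ...] = ("192.168.1.1",)
                   ) -> List[Tuple[str, str, Optional[str]]]:
    """(ip, seen_mac, expected_mac) for every IP held by the wrong NIC.
    expected_mac is None when the IP has no reservation at all, i.e. a
    self-assigned static address that dhcpd never gave out."""
    return [(ip, mac, reservations.get(ip)) for ip, mac in observed
            if ip not in exempt and reservations.get(ip) != mac]


if __name__ == "__main__":
    for ip, seen, expected in find_conflicts(load_reservations(DHCPD_CONF),
                                             parse_arp(ARP_OUTPUT)):
        print(f"{ip}: seen {seen}, reserved for {expected or 'nobody'}")
```

Run against real `arp -an` output (or fed from arpwatch's "changed ethernet address" reports) this gives the admin the IP/MAC pair to act on; it detects the squatter, it does not by itself stop the address being taken.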

temporarily blocking an IP: dhcp users & arpwatch

Post by gaius.petroni » Wed, 26 Dec 2001 14:13:11

> On 24 Dec 2001 01:15:19 -0800

> [snipped]

> > and someone said Linux has radius True [] False []
> > so what
> > anyway i don't like the sound of this crap.

> Remote Authentication Dial In User Service
> Linux can be a great RADIUS server.
> http://serverwatch.internet.com/articles/radius/
> Cistron Telecom makes GPL RADIUS server ver 1.6.4 http://www.radius.cistron.nl

> But this is conventionally used for dial-in service, not LAN ethernet. In M$
> networking the OS gets an IP long before the user authenticates. If it were
> at all possible, all clients would have to be reconfigured as RADIUS clients.
> I think it would work. The real issue is this......

NOT.
The real issue is still the *original* issue of blocking the damn ip
address from the subnet in the first place.

> A) You are running DHCP.
> B) Some prankster steals the IP by setting Computer A's IP to static.  
> C) Computer B that was assigned that IP by DHCP reports an IP conflict.
> D) Why doesn't the Linux DHCP server then say to Computer B "Your IP has been reassigned, please take this other IP that is available." and then the client says "OK, I'll release/renew. Thanks"

That doesn't stop the theft of the ip address.

> E) Is the client OS capable of releasing/renewing? I bet not, even using winipcfg/ipconfig.

> Answer:
> M$ DHCP is crap. It doesn't work on the server and it's really screwed on the clients, esp 9x. Get new clients or go static.

That may well be, but unless you've noticed,
I'M NOT RUNNING MICROSOFT ON MY SERVERS

i like Doug's suggestion
and i think i may need to go for a hack of dhcpd.
this will probably be painful.

if i really take that step i will start a new thread.


temporarily blocking an IP: dhcp users & arpwatch (original post)

This might be simple, but somehow i doubt it:

i have some windoze users who are configured via dhcp by my linux
dhcp/bootp server.  There are some creative users who want to screw
around with their tcpip and configure a static address.  This static
address sometimes conflicts with machines which boot up later in the
day and this renders them useless until the problem is noticed.

is there a program (or a way to write one) that can prevent certain ip
address from broadcasting on the network unless they resolve to a
particular ethernet address?  i have a central switch at my disposal
as well.

what might be the best way to manage this assuming the users won't
listen to reason?
