rhelv5-list-boun...@redhat.com wrote on 07/16/2010 02:52:05 PM:
>
> A .EDU with insecure offices, network outlets, and labs, is trying to
> track down a rogue DHCP client on their network that also happens to be
> infected with conficker.
>
> They have a completely open DHCP setup:
>
>     ddns-update-style ad-hoc;
>     authoritative;
>     subnet 192.168.9.0 netmask 255.255.255.0 {
>         range 192.168.9.125 192.168.9.200;
>         option subnet-mask 255.255.255.0;
>         option broadcast-address 192.168.9.255;
>         option routers 192.168.9.1;
>         option domain-name-servers 192.168.9.4;
>         option domain-name "xxx.xxx.xxx";
>     }
>
> Any connected machine can get an address from the range specified in the
> config file. Bouncing this one's lease merely results in it getting a
> new one.
>
> They know the rogue machine's MAC address, of course. Can they deny it
> a DHCP address based only on the MAC? How?
I'm a bit rusty, but I'm pretty sure you can do the following (I used this page as a reference: http://thelowedown.wordpress.com/2008/01/24/using-dhcp-client-classing/)

Which leads to this config:

    ddns-update-style ad-hoc;
    authoritative;
    subnet 192.168.9.0 netmask 255.255.255.0 {
        range 192.168.9.125 192.168.9.200;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.9.255;
        option routers 192.168.9.1;
        option domain-name-servers 192.168.9.4;
        option domain-name "xxx.xxx.xxx";
        # members of the class below get no lease from this subnet
        deny members of "rogue-clients";
    }

    # class names are strings in dhcpd.conf, so quote them
    class "rogue-clients" {
        match hardware;
    }

    # "match hardware" compares the whole hardware field: the hardware
    # type byte (1 = ethernet) followed by the MAC address, so the
    # subclass values must carry the leading "1:" or nothing matches.
    subclass "rogue-clients" 1:xx:xx:xx:xx:xx:xx;
    subclass "rogue-clients" 1:xx:xx:xx:xx:xx:xy;
    subclass "rogue-clients" 1:xx:xx:xx:xx:xx:xz;

-greg

_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
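Added example, not from the thread above: a small Python helper that renders the deny class/subclass block from a list of MACs (with the hardware-type prefix that "match hardware" expects) and then audits dhcpd log lines to confirm a denied MAC is no longer receiving DHCPOFFER/DHCPACK. The log lines, MACs and the class name are constructed for the example.

```python
import re

# dhcpd prepends the hardware type byte to the address when "match hardware" is used
HTYPE_ETHERNET = 1
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
# dhcpd logs grants as "DHCPOFFER on <ip> to <mac> ... via <if>" (same shape for DHCPACK)
GRANT_RE = re.compile(r"DHCP(OFFER|ACK) on (\S+) to ([0-9a-f:]{17})")


def normalize_mac(mac):
    """Validate a colon-separated MAC and return it lower-cased; raise on bad input."""
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return mac.lower()


def deny_class_config(class_name, macs):
    """Render the class/subclass block that denies the given MACs.

    The subclass value must carry the hardware type byte (1 = ethernet)
    in front of the MAC, otherwise "match hardware" never matches it.
    """
    lines = ['class "%s" {' % class_name, "    match hardware;", "}"]
    for mac in sorted({normalize_mac(m) for m in macs}):
        lines.append('subclass "%s" %d:%s;' % (class_name, HTYPE_ETHERNET, mac))
    return "\n".join(lines)


def leaked_offers(log_lines, denied_macs):
    """Return (mac, ip) pairs where a denied MAC still received an OFFER or ACK."""
    denied = {normalize_mac(m) for m in denied_macs}
    hits = []
    for line in log_lines:
        m = GRANT_RE.search(line)
        if m and m.group(3) in denied:
            hits.append((m.group(3), m.group(2)))
    return hits


# Constructed sample dhcpd syslog lines: the first MAC is the denied one
SAMPLE_LOG = [
    "Jul 16 15:01:10 dhcpsrv dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0: network 192.168.9.0/24: no free leases",
    "Jul 16 15:01:12 dhcpsrv dhcpd: DHCPDISCOVER from 00:aa:bb:cc:dd:ee via eth0",
    "Jul 16 15:01:12 dhcpsrv dhcpd: DHCPOFFER on 192.168.9.130 to 00:aa:bb:cc:dd:ee via eth0",
    "Jul 16 15:01:13 dhcpsrv dhcpd: DHCPACK on 192.168.9.130 to 00:aa:bb:cc:dd:ee via eth0",
]

if __name__ == "__main__":
    print(deny_class_config("rogue-clients", ["00:11:22:33:44:55"]))
    print(leaked_offers(SAMPLE_LOG, ["00:11:22:33:44:55"]))  # []
```

Run `dhcpd -t -cf /etc/dhcpd.conf` after pasting the rendered block in to catch syntax errors before restarting the server.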