greg_sw...@aotx.uscourts.gov wrote:
> rhelv5-list-boun...@redhat.com wrote on 07/16/2010 02:52:05 PM:
> 
>> A .EDU with insecure offices, network outlets, and labs, is trying to
>> track down a rogue DHCP client on their network that also happens to be
>> infected with conficker.
>>
>> They have a completely open DHCP setup:
>>
>> ddns-update-style ad-hoc;
>> authoritative;
>> subnet 192.168.9.0 netmask 255.255.255.0 {
>>   range 192.168.9.125 192.168.9.200;
>>    option subnet-mask 255.255.255.0;
>>    option broadcast-address 192.168.9.255;
>>    option routers 192.168.9.1;
>>    option domain-name-servers 192.168.9.4;
>>    option domain-name "xxx.xxx.xxx";
>> }
>>
>> Any connected machine can get an address from the range specified in the
>> config file. Bouncing this one's lease merely results in it getting a
>> new one.
>>
>> They know the rogue machine's MAC address, of course.  Can they deny it
>> a DHCP address based only on the MAC? How?
> 
> 
> I'm a bit rusty, but I'm pretty sure you can do the following (I used this
> page as a reference:
> http://thelowedown.wordpress.com/2008/01/24/using-dhcp-client-classing/)
> 
> Which leads to this config:
> 
> ddns-update-style ad-hoc;
> authoritative;
> subnet 192.168.9.0 netmask 255.255.255.0 {
>    range 192.168.9.125 192.168.9.200;
>     option subnet-mask 255.255.255.0;
>     option broadcast-address 192.168.9.255;
>     option routers 192.168.9.1;
>     option domain-name-servers 192.168.9.4;
>     option domain-name "xxx.xxx.xxx";
>     deny members of "rogue-clients";
> }
> 
> class "rogue-clients" {
>     match hardware;
> }
> 
> # "match hardware" yields the hardware type followed by the address, so
> # each subclass value carries a leading 1: (Ethernet) before the MAC.
> subclass "rogue-clients" 1:xx:xx:xx:xx:xx:xx;
> subclass "rogue-clients" 1:xx:xx:xx:xx:xx:xy;
> subclass "rogue-clients" 1:xx:xx:xx:xx:xx:xz;
> 
> 
> -greg
> 
> 

I used to have a script check all switches and bridge/CAM tables to identify
switch ports for every client MAC back in my EDU days.

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml
Something like this, run against all switches and logged, might be helpful.



-- 
Subhendu Ghosh
Red Hat
Email: sgh...@redhat.com


_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list
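As an added example that is not part of this thread: a small Python routine doing what the switch-table script above did, resolving the switch port that learned a given MAC from snmpwalk output of the BRIDGE-MIB forwarding table (dot1dTpFdbPort), the bridge-port to ifIndex map (dot1dBasePortIfIndex) and IF-MIB ifName. The sample walk lines, MACs and port names are constructed; on Cisco switches the forwarding-table walk is per VLAN (community@vlan), so it would be repeated for each VLAN.

```python
import re

# Numeric-OID walk of dot1dTpFdbPort: the six decimal octets after the
# column OID are the MAC, the value is the bridge port that learned it.
FDB_RE = re.compile(r"17\.4\.3\.1\.2\.((?:\d+\.){5}\d+) = INTEGER: (\d+)")
# dot1dBasePortIfIndex: bridge port -> ifIndex
BASEPORT_RE = re.compile(r"17\.1\.4\.1\.2\.(\d+) = INTEGER: (\d+)")
# IF-MIB::ifName.<ifIndex> = STRING: <name>
IFNAME_RE = re.compile(r"ifName\.(\d+) = STRING: (\S+)")

# Constructed sample output (not from a real switch).
FDB_WALK = """\
SNMPv2-SMI::mib-2.17.4.3.1.2.0.12.41.160.27.69 = INTEGER: 7
SNMPv2-SMI::mib-2.17.4.3.1.2.0.80.86.190.18.3 = INTEGER: 24
"""
BASEPORT_WALK = """\
SNMPv2-SMI::mib-2.17.1.4.1.2.7 = INTEGER: 10007
SNMPv2-SMI::mib-2.17.1.4.1.2.24 = INTEGER: 10024
"""
IFNAME_WALK = """\
IF-MIB::ifName.10007 = STRING: Fa0/7
IF-MIB::ifName.10024 = STRING: Gi0/1
"""

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or Cisco aabb.ccdd.eeff form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_fdb(text):
    """Map normalized MAC -> bridge port from a dot1dTpFdbPort walk."""
    table = {}
    for octets, port in FDB_RE.findall(text):
        mac = ":".join(f"{int(o):02x}" for o in octets.split("."))
        table[mac] = int(port)
    return table

def locate_mac(mac, fdb_text=FDB_WALK, baseport_text=BASEPORT_WALK,
               ifname_text=IFNAME_WALK):
    """Return the interface name a MAC was learned on, or None if unseen."""
    bridge_port = parse_fdb(fdb_text).get(normalize_mac(mac))
    if bridge_port is None:
        return None
    baseports = {int(bp): int(ifx) for bp, ifx in BASEPORT_RE.findall(baseport_text)}
    ifnames = {int(ifx): name for ifx, name in IFNAME_RE.findall(ifname_text)}
    return ifnames.get(baseports.get(bridge_port))

if __name__ == "__main__":
    print(locate_mac("000c.29a0.1b45"))  # Fa0/7 with the sample data above
```

Walking a switch that has the rogue MAC on an uplink port just points to the next switch down, so the lookup is repeated until the port is an access port.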
