On Wed, 2004-10-27 at 16:37, Matthew Palmer wrote:
> On Wed, Oct 27, 2004 at 04:29:34PM +1000, Howard Lowndes wrote:
> > If you are running a DHCP server on a network and have a block of IP
> > addresses which you make available, how can you stop a (reasonably)
> > knowledgeable luser from explicitly grabbing an address from that block
> > by explicitly configuring their box with that address, thus preventing
> > that IP address from being recorded in the leases, and hence you not
> > immediately knowing that that box has been attached to the network.
>
> Remove the network card from their computer, or if it's onboard, fill the
> RJ-45 connector with epoxy. Especially effective for lapdogs.

Mmmm... Break out the LARTs boys...

> Practically speaking, there is no way to stop them if they have physical
> access to the network and/or administrative access to the machine, unless
> you have an intelligent switch which is capable of being told "only let DHCP
> traffic through by default", then getting the DHCP server to change the ACL
> on the port for the requestor MAC address after successful DHCP lease
> assignment.
>
> Yes, those sorts of switches are expensive. You can buy a lot of Araldite
> for that.
>
> The problem is that your average dumb switch doesn't do any sort of
> restriction at the LAN level, and that's as high as you need to get to cause
> problems with conflicting IP addresses.
>
> Useful tools for tracking down and killing this type of luser are things
> like arpwatch, which notify you if they see a MAC address they haven't seen
> before, and I presume you could extend the tool (or someone's probably
> already done it) to be able to cross-check leases with what they see, and
> notify you in the event of a mismatch. That still leaves you with the job
> of manually tracking them down and beating their computer to a pulp, but at
> least the tricky part of the job (diagnosing the problem) can be automated.
>
> I'm thankful I don't administer that sort of environment any more...
>
> - Matt

-- 
Howard.
LANNet Computing Associates; Your Linux people <http://www.lannetlinux.com>
------------------------------------------
"When you just want a system that works, you choose Linux;
when you want a system that just works, you choose Microsoft."
------------------------------------------
"Flatter government, not fatter government; Get rid of the Australian states."
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
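The lease cross-check Matt describes above, as an added example that is not part of the original thread and not arpwatch's or dhcpd's own code: it assumes the pool range given in the call and the two file samples embedded below (both constructed here, in ISC dhcpd.leases and arpwatch arp.dat layout), and flags any pool address seen on the wire that has no matching active lease.

```python
import ipaddress
import re

# Constructed sample of an ISC dhcpd.leases file (not from the original post).
LEASES_TEXT = """\
lease 192.168.1.50 { binding state active; hardware ethernet 00:11:22:33:44:55; }
lease 192.168.1.51 { binding state active; hardware ethernet 00:11:22:33:44:66; }
"""
# Constructed sample of arpwatch's arp.dat: MAC, IP, last-seen epoch, hostname.
ARP_DAT_TEXT = (
    "0:11:22:33:44:55\t192.168.1.50\t1098858574\thost50\n"
    "0:11:22:33:44:77\t192.168.1.60\t1098858600\t\n"
    "0:11:22:33:44:88\t192.168.1.51\t1098858610\t\n"
    "0:11:22:33:44:99\t192.168.1.5\t1098858620\tprinter\n"
)
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def norm_mac(mac):
    """Zero-pad octets so arpwatch's '0:11:...' matches dhcpd's '00:11:...'."""
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))

def parse_leases(text):
    """Return {ip: mac} for leases currently in 'binding state active'."""
    active = {}
    for ip, body in LEASE_RE.findall(text):  # later records override earlier
        mac = re.search(r"hardware ethernet\s+([0-9a-f:]+);", body, re.I)
        state = re.search(r"binding state\s+(\w+);", body)
        if mac and state and state.group(1) == "active":
            active[ip] = norm_mac(mac.group(1))
        else:
            active.pop(ip, None)
    return active

def parse_arp_dat(text):
    """Return {ip: mac} of the hosts arpwatch has seen on the wire."""
    return {f[1]: norm_mac(f[0]) for f in
            (line.split("\t") for line in text.splitlines()) if len(f) >= 2}

def find_mismatches(pool_first, pool_last, leases, seen):
    """Flag pool addresses seen on the wire without a matching active lease."""
    lo, hi = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    issues = []
    for ip, mac in sorted(seen.items()):
        if not lo <= ipaddress.ip_address(ip) <= hi:
            continue  # outside the DHCP pool: statically assigned, ignore
        if ip not in leases:
            issues.append((ip, mac, "no active lease"))
        elif leases[ip] != mac:
            issues.append((ip, mac, "lease held by " + leases[ip]))
    return issues
```

Run it from cron against the real /var/lib/dhcp/dhcpd.leases and arpwatch's arp.dat and mail whatever find_mismatches returns; the second case (address in use by a MAC other than the lease holder) is the conflict Matt is talking about.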
