On Wed, 2004-10-27 at 23:30, Ken Foskey wrote: > On Wed, 2004-10-27 at 16:29 +1000, Howard Lowndes wrote: > > If you are running a DHCP server on a network and have a block of IP > > addresses which you make available, how can you stop a (reasonably) > > knowledgeable luser from explicitly grabbing an address from that block > > by explicitly configuring their box with that address, thus preventing > > that IP address from being recorded in the leases, and hence you not > > immediately knowing that that box has been attached to the network. > > arpwatch ? > > I was under the impression that dhcp will query an IP before using it. > I assume that it does a warning when this happens.
It does, but if the one that has been grabbed is not the one that dhcp is allocating then it could be some time before it gets noticed, especially on a reasonably static network. I think a mix of snort, arpwatch and some awk'g on the dhcp leases file might be the best move. -- Howard. LANNet Computing Associates; Your Linux people <http://www.lannetlinux.com> ------------------------------------------ "When you just want a system that works, you choose Linux; when you want a system that just works, you choose Microsoft." ------------------------------------------ "Flatter government, not fatter government; Get rid of the Australian states." -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
