Date: Sun, 26 Mar 2006 08:37:00 -0600 From: "Jonathan Horne" <jhorne@dfwlp.com> To: <freebsd-questions@freebsd.org> Subject: RE: How do you keep users from stealing other user's ip?? Message-ID: <200603261436.k2QEaa5h069092@zeus.int.dfwlp.com> In-Reply-To: <LOBBIFDAGNMAMLGJJCKNMEIJFDAA.tedm@toybox.placo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
You make it sound like they are doing it on purpose. Could it be the lease duration is so short that the ips are going back into the pool before they are truly abandoned by the original user? If you look at the behavior of the MS DHCP server, the lease duration is 8 days (with standard 4 day renewal). If it takes 8 days for it to back into the pool, this should be more than enough time for a user to go home for the weekend, and hopefully get the same ip when they get back to work. I would suggest increasing the lease duration time and see if that stops users from stepping on each others dhcp leases (don't forget, in the typical dhcp-request conversation, the client asks "hey, I had x.x.x.x last, is it still available for me?" you want the server to be able to say "sure"). On my freebsd router, the DHCP server came with a 1 hour lease duration (which causes a 30 minute renewal.. IMO this is too fast). Second, you mentioned that users could just download software that would allow them to change their mac address. It sounds like some users have too high a rights assignment, if they are causing mischief like that. Cheers, jonathan -----Original Message----- From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Ted Mittelstaedt Sent: Sunday, March 26, 2006 4:06 AM To: Mark Jayson Alvarez; questions@freebsd.org Subject: RE: How do you keep users from stealing other user's ip?? Hi Mark, The only way you can really lock it down is to statically assign everything (either with a DHCP server that has a table of mac addresses) and maintain an accurate list of mac addresses, and use managed switches that have filtering capabilities. We do this on bridged DSL networks (except for the managed switch part) and it's actually a lot easier to manage that most people think. What you have to do is when a new person hooks into the network, you give them a test IP address, you ping that, get their MAC for that, then hard code that into your DHCP server and tell them to switch over to DHCP to get their permanent address. Once they do that, hard- code the IP address and mac in the router ARP table, and install a filter on the switch port going to them that ignores any traffic that originates from a different MAC than the one that you probed from them. Ted >-----Original Message----- >From: owner-freebsd-questions@freebsd.org >[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Mark Jayson >Alvarez >Sent: Thursday, March 23, 2006 10:26 PM >To: questions@freebsd.org >Subject: How do you keep users from stealing other user's ip?? > > >Good day, > > > We are trying to reorganize our local area network and I need >some tips on how you are managing your own lan... > > We have a vanilla pc router with interface facing our private >lan and interface facing the Internet. > > One problem which we are experiencing right now is that any >user from private lan can use any ip address he wants. If he >boots his computer with a stolen ip address, the poor owner of >that machine(not active at the moment) will give automatically >up his ip address to this user. The same scenario for public ip >addresses. Basically, we need to track down the users through >their ip address.. But this is trivial as of now since anyone >can use any ip he wants. Even if there is a solution out there >to tie up his mac address to his ip address..(sort of checking >the mac first before giving him an ip, possibly through dhcp..) >still, users can just download applications which will enable >him to change his mac address.... > > Now, where thinking about authenticating users before he is >allowed to use a particular network service(internet proxy, >mail etc.) because I guess it is a clever way of keeping the >bad users from doing something bad within your network when >after all, the reason why he is plugging his lancard to the >network is to use a particular service. However, it still >doesn't keep them from playing around and steal other ip >addresses or mac addresses and thus denying network access to >those legitimate owners. I'm thinking about tying dhcp with >authentication, and freeradius comes to mind.. I just need some >more tips from you. User's workstations are mixed Windows and >*nixes. Some have laptops with wireless interfaces. > > Any idea how to handle this situations?? > Thanks... > > > >--------------------------------- >New Yahoo! Messenger with Voice. Call regular phones from your >PC and save big. >_______________________________________________ >freebsd-questions@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-questions >To unsubscribe, send any mail to >"freebsd-questions-unsubscribe@freebsd.org" > >-- >No virus found in this incoming message. >Checked by AVG Free Edition. >Version: 7.1.385 / Virus Database: 268.3.1/292 - Release Date: 3/24/2006 > _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200603261436.k2QEaa5h069092>