On 07/16/10 15:52, I wrote:
A .EDU with insecure offices, network outlets, and labs, is trying to
track down a rogue DHCP client on their network that also happens to be
infected with conficker.

They have a completely open DHCP setup:

ddns-update-style ad-hoc;
authoritative;
subnet 192.168.9.0 netmask 255.255.255.0 {
range 192.168.9.125 192.168.9.200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.9.255;
option routers 192.168.9.1;
option domain-name-servers 192.168.9.4;
option domain-name "xxx.xxx.xxx";
}

Any connected machine can get an address from the range specified in the
config file. Bouncing this one's lease merely results in it getting a
new one.

They know the rogue machine's MAC address, of course. Can they deny it a
DHCP address based only on the MAC? How?

Resolved this with a change in the dhcpd.conf file, as follows:

class "rogue-clients" {
        match substring (hardware, 1, 6);
        ignore booting;
}
subclass "rogue-clients" XX:XX:XX:XX:XX:XX;

The 'ignore booting' entry tells dhcpd to ignore requests for an address from the specified MAC address. Once the existing lease expired, the PC could not get it renewed (or get a new one).
--
Tim Evans, TKEvans.com, Inc.    |   5 Chestnut Court
UNIX System Admin Consulting    |   Owings Mills, MD 21117
http://www.tkevans.com/         |   443-394-3864
http://www.come-here.com/News/  |   [email protected]

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
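An added example (not part of the original post or of ISC dhcpd itself): the fix above only takes effect once the rogue client's current lease has run out, so an admin wants to know which lease the MAC holds now and when it ends. The script below parses the ISC `dhcpd.leases` journal format (later records for the same IP supersede earlier ones; `starts`/`ends` are recorded in UTC), reports the current lease for a given MAC, and renders the `class`/`subclass` stanza from the post for one or more MACs after validating that each is a full 6-octet address, which is what `substring (hardware, 1, 6)` compares against. The lease file content, the MACs and the `rogue_class_stanza` helper name are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample of a dhcpd.leases journal (not from the original post).
# dhcpd appends a new record on every renewal; the last record per IP is current.
SAMPLE_LEASES = """\
lease 192.168.9.130 {
  starts 5 2010/07/16 19:52:00;
  ends 5 2010/07/17 07:52:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.9.131 {
  starts 5 2010/07/16 10:00:00;
  ends never;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 192.168.9.130 {
  starts 5 2010/07/17 07:52:00;
  ends 5 2010/07/17 19:52:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# "starts <weekday> YYYY/MM/DD HH:MM:SS;" or "ends never;"
TIME_RE = re.compile(r"^\s*(starts|ends)\s+(?:\d\s+(\S+\s+\S+)|never);", re.M)
HW_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
STATE_RE = re.compile(r"binding state\s+(\w+);")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def parse_leases(text):
    """Return one dict per lease record, in file order."""
    records = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        rec = {"ip": ip, "mac": None, "state": None, "starts": None, "ends": None}
        hw = HW_RE.search(body)
        if hw:
            rec["mac"] = hw.group(1).lower()
        st = STATE_RE.search(body)
        if st:
            rec["state"] = st.group(1)
        for t in TIME_RE.finditer(body):
            # group(2) is None for "ends never;" so the field stays None
            if t.group(2):
                rec[t.group(1)] = datetime.strptime(t.group(2), "%Y/%m/%d %H:%M:%S")
        records.append(rec)
    return records


def current_leases(records):
    """Collapse the journal to the latest record per IP."""
    latest = {}
    for rec in records:
        latest[rec["ip"]] = rec
    return latest


def leases_for_mac(text, mac):
    """Current lease records held by the given MAC (case-insensitive)."""
    mac = mac.lower()
    return [r for r in current_leases(parse_leases(text)).values() if r["mac"] == mac]


def rogue_class_stanza(name, macs):
    """Render the dhcpd.conf class/subclass stanza from the post for the given MACs.

    Each MAC must be six colon-separated octets, because the class matches
    substring(hardware, 1, 6), i.e. the 6 bytes after the hardware-type byte.
    """
    lines = [
        'class "%s" {' % name,
        "        match substring (hardware, 1, 6);",
        "        ignore booting;",
        "}",
    ]
    for mac in macs:
        mac = mac.lower()
        if not MAC_RE.fullmatch(mac):
            raise ValueError("not a 6-octet MAC address: %r" % mac)
        lines.append('subclass "%s" %s;' % (name, mac))
    return "\n".join(lines)


if __name__ == "__main__":
    for rec in leases_for_mac(SAMPLE_LEASES, "00:11:22:33:44:55"):
        print("%s held by %s, state %s, ends %s UTC" % (rec["ip"], rec["mac"], rec["state"], rec["ends"]))
    print(rogue_class_stanza("rogue-clients", ["00:11:22:33:44:55"]))
```

Run it against a real `/var/lib/dhcpd/dhcpd.leases` by reading the file into `leases_for_mac` instead of `SAMPLE_LEASES`; the `ends` value tells you how long the rogue host can keep its address after the `ignore booting` class is in place, and the generated stanza can be pasted into `dhcpd.conf` for several MACs at once.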
