spoofing MAC was Re: Visitor based networking

2003-06-12 Thread Uwe A. P. Wuerdinger
Alex (LEX) Borges wrote:

> On wired networks it's not so easy to cheat the MAC address; this number
> is set uniquely for each card in the world (or so my teacher said).

It's very easy to set the MAC address on a Linux box:
ifconfig eth0 hw ether 01:00:00:00:00:01

> Anyhow, it's probably not all that hard either, but I think it's a good
> enough solution for a controlled corporate environment where all you
> want is to apply policies per user and such.

The best thing would be to use X.509 certs stored on USB tokens or smartcards.

greets Uwe
-- 
X-Tec GmbH
Institute for Computer and Network Security
WWW : http://www.x-tec.de/
IPv6: http://www.ipv6.x-tec.de/


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
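Uwe's ifconfig one-liner is the whole trick, but one detail is worth flagging before anyone copies the address in it: 01:00:00:00:00:01 has the lowest bit of its first octet set, which is the Ethernet group (multicast) bit, so it is not a valid station address and the Linux Ethernet address check (is_valid_ether_addr) refuses it. The bit you want for a made-up address is the next one up, 0x02, the locally-administered bit. The script below is an added example, not code from anyone in this thread: it validates a MAC, generates a random locally-administered unicast address, and prints the iproute2 and net-tools commands that would apply it (it only runs them when APPLY=1 is set and it is executed as root). The interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): change a Linux interface's MAC address
# to a locally-administered unicast address. Assumes iproute2 ("ip") or
# net-tools ("ifconfig") and root privileges to actually apply the change.

# hex byte pattern used by the case statement below
h='[0-9a-fA-F][0-9a-fA-F]'

# is_unicast_mac MAC: 0 if MAC is six colon-separated hex octets and the
# group/multicast bit (bit 0 of the first octet) is clear, else 1.
is_unicast_mac() {
    case "$1" in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 1 ;;
    esac
    first=$((0x${1%%:*}))
    [ $((first & 1)) -eq 0 ]
}

# is_locally_administered MAC: 0 if the U/L bit (bit 1 of the first octet)
# is set, i.e. the address does not claim a vendor-assigned OUI.
is_locally_administered() {
    first=$((0x${1%%:*}))
    [ $((first & 2)) -ne 0 ]
}

# random_laa_mac: print a random MAC with U/L set and I/G clear
# (first octet = (random & 0xfc) | 0x02).
random_laa_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( ($1 & 252) | 2 )) "$2" "$3" "$4" "$5" "$6"
}

# set_mac IFACE MAC: print the commands that apply MAC to IFACE; run them
# instead when APPLY=1 and we are root. Refuses multicast/garbage addresses.
set_mac() {
    ifname=$1; mac=$2
    if ! is_unicast_mac "$mac"; then
        echo "refusing $mac: not a unicast MAC" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        ip link set dev "$ifname" down &&
        ip link set dev "$ifname" address "$mac" &&
        ip link set dev "$ifname" up
    else
        echo "ip link set dev $ifname down"
        echo "ip link set dev $ifname address $mac"
        echo "ip link set dev $ifname up"
        echo "# net-tools equivalent: ifconfig $ifname hw ether $mac"
    fi
}

# usage: set_mac eth0 "$(random_laa_mac)"
```

The point for the gateway side of this thread is the second half of set_mac: once the interface is down and up again with a new address, every IP-to-MAC binding the gateway learned about that host is stale, which is exactly why a MAC match alone does not make a captive portal safe.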



Re: spoofing MAC was Re: Visitor based networking

2003-06-12 Thread Alex (LEX) Borges

> It's very easy to set the MAC address on a Linux box:
> ifconfig eth0 hw ether 01:00:00:00:00:01

Damn, that's cool!

Alright, I guess, but still, I don't think there is much of a choice.
Windows does the trick, but hacking/killing the protocol at the socket
level with Winsock and their proxy.

You see, what's needed really is that your Linux server would be able to
be a cool proxy/controller for Windows (or anything) boxen. I think
NoCat is a good idea then because it only opens a window (of time!) for
your IP if you're authenticated, and offers the possibility of applying
policies when your users log in and all. It's cool, I said!

Lex





Re: Visitor based networking

2003-06-12 Thread Frode Haugsgjerd
On Wed, Jun 11, 2003 at 06:20:57PM -0500, Alex (LEX) Borges wrote:
-snip-

>
> On wired networks it's not so easy to cheat the MAC address; this number
> is set uniquely for each card in the world (or so my teacher said).
> Anyhow, it's probably not all that hard either, but I think it's a good
> enough solution for a controlled corporate environment where all you
> want is to apply policies per user and such.
>
>>  - Keegan

No problem at all to change the MAC.
At least with my 3Com 3c905B Ethernet card.
Look at the manpage for ifconfig.

--
Frode Haugsgjerd
Norway





Re: Visitor based networking

2003-06-11 Thread Stefan Neufeind
I took a look at NoCat and it really seems to do almost the things
I'm looking for *g* Thank you.

But I have a recommendation / question: Wouldn't it be possible to
also check the MAC of clients on the net? This way we could make IP
hijacking (as written in the NoCat whitepaper) a lot harder, I think.

Unfortunately I don't know if this is possible with something like
iptables, since MAC addresses work on a different (lower) layer.

On 10 Jun 2003 at 16:02, Keegan Quinn wrote:

> On Tuesday 10 June 2003 10:53 am, Stefan Neufeind wrote:
>> But what if you need an open system? Not logging into a domain but
>> logging in via a web interface? E.g. when they try to surf the net they
>> get redirected to authenticate here first.
>
> I think what you're looking for is implemented in a system called
> NoCatAuth, which was also mentioned by John Keimel.  It's fairly
> simple Perl, and is easily extensible to authenticate against just
> about any database.  Patches already exist for Radius, and others.
> There is also a C version called NoCatSplash.  See http://nocat.net/
>
> This system is in wide use here in Portland, Oregon, for displaying
> messages to anonymous clients of public wireless networks.  It is
> easily adaptable.
>
> Neither NoCatAuth nor NoCatSplash are yet in Debian, due primarily to a
> complete disregard for the FHS, but if anyone is sufficiently
> motivated, this could be changed...




Re: [despammed] Re: Visitor based networking

2003-06-11 Thread Ed McMan
Wednesday, June 11, 2003, 5:53:59 AM, debian-isp@lists.debian.org (debian-isp)
wrote:

Stefan> I took a look at NoCat and it really seems to do almost the things
Stefan> I'm looking for *g* Thank you.

Stefan> But I have a recommendation / question: Wouldn't it be possible to
Stefan> also check the MAC of clients on the net? This way we could make IP
Stefan> hijacking (as written in the NoCat whitepaper) a lot harder, I think.

Stefan> Unfortunately I don't know if this is possible with something like
Stefan> iptables, since MAC addresses work on a different (lower) layer.

I think iptables can, but it doesn't really matter.  MAC addresses are
not secure.  On most NICs they can simply be changed by the operating
system.

--
| Eddie J Schwartz [EMAIL PROTECTED]|m00.net] |
|  AIM: Uncaring Eyes ICQ: 35576339 YHOO: edmcman2   |
|  We Trills have an expression -- at forty, you|
|  think you know everything. At four hundred you|
|  realize you know nothing. - Dax, Startrek DS9|
--





Re: Visitor based networking

2003-06-11 Thread Keegan Quinn
On Wednesday 11 June 2003 02:53 am, Stefan Neufeind wrote:
> I took a look at NoCat and it really seems to do almost the things
> I'm looking for *g* Thank you.
>
> But I have a recommendation / question: Wouldn't it be possible to
> also check the MAC of clients on the net? This way we could make IP
> hijacking (as written in the NoCat whitepaper) a lot harder, I think.
>
> Unfortunately I don't know if this is possible with something like
> iptables, since MAC addresses work on a different (lower) layer.

Sure.  The problem is that NoCat is designed for wireless networks, and you 
cannot trust MAC addresses from them - they are too easily spoofed.  I think 
wired networks may suffer from the same issue, but have not verified this.  
FWIW, NoCatAuth already -does- match MAC addresses with IP addresses, unless 
you disable it.

If you really need control down to the individual port, just get a box with a 
very large number of network interfaces, instead of a switch, and hack 
NoCatAuth to operate based on physical interface instead of addressing.

 - Keegan




Re: Visitor based networking

2003-06-11 Thread Alex (LEX) Borges
On Wed, 11 Jun 2003 at 12:40, Keegan Quinn wrote:
> On Wednesday 11 June 2003 02:53 am, Stefan Neufeind wrote:
>> I took a look at NoCat and it really seems to do almost the things
>> I'm looking for *g* Thank you.
>>
>> But I have a recommendation / question: Wouldn't it be possible to
>> also check the MAC of clients on the net? This way we could make IP
>> hijacking (as written in the NoCat whitepaper) a lot harder, I think.
>>
>> Unfortunately I don't know if this is possible with something like
>> iptables, since MAC addresses work on a different (lower) layer.
>
> Sure.  The problem is that NoCat is designed for wireless networks, and you
> cannot trust MAC addresses from them - they are too easily spoofed.  I think
> wired networks may suffer from the same issue, but have not verified this.
> FWIW, NoCatAuth already -does- match MAC addresses with IP addresses, unless
> you disable it.
>
> If you really need control down to the individual port, just get a box with a
> very large number of network interfaces, instead of a switch, and hack
> NoCatAuth to operate based on physical interface instead of addressing.

On wired networks it's not so easy to cheat the MAC address; this number
is set uniquely for each card in the world (or so my teacher said).
Anyhow, it's probably not all that hard either, but I think it's a good
enough solution for a controlled corporate environment where all you
want is to apply policies per user and such.

>  - Keegan




Re: Visitor based networking

2003-06-10 Thread Bastian Winkler
hi,

perhaps the following could fit your needs:
http://linux-rep.fnal.gov/howtos/Authentication-Gateway-HOWTO/
Personally I use pam_iptables in combination with a Samba PDC to control
network access with iptables+htb for windoze clients on domain logon.
It's a nice way to control some special Kazaa users whatever machine
they use ;-)

buz

On Mon, 2003-06-09 at 22:36, Alex (LEX) Borges wrote:
> I know this is doable by hand, but I'm wondering if anyone knows of a
> cool set of scripts or something for visitor-based networking
> (something like dhcp+cbq+iptables to control who's accessing what and to
> allow access to a network where you should on a time basis... etc. Think
> hotels with eth access or airports with wifi)
>





Re: Visitor based networking

2003-06-10 Thread Stefan Neufeind
But what if you need an open system? Not logging into a domain but
logging in via a web interface? E.g. when they try to surf the net they
get redirected to authenticate here first.

On 10 Jun 2003 at 9:06, Bastian Winkler wrote:

> perhaps the following could fit your needs:
> http://linux-rep.fnal.gov/howtos/Authentication-Gateway-HOWTO/
> Personally I use pam_iptables in combination with a Samba PDC to
> control network access with iptables+htb for windoze clients on domain
> logon. It's a nice way to control some special Kazaa users whatever
> machine they use ;-)
>
> buz
>
> On Mon, 2003-06-09 at 22:36, Alex (LEX) Borges wrote:
>> I know this is doable by hand, but I'm wondering if anyone knows of a
>> cool set of scripts or something for visitor-based networking
>> (something like dhcp+cbq+iptables to control who's accessing what and
>> to allow access to a network where you should on a time basis... etc.
>> Think hotels with eth access or airports with wifi)





Re: Visitor based networking

2003-06-10 Thread Bastian Winkler
One way would be to first redirect all outgoing traffic via iptables
to a web server with an auth CGI. After authentication, new iptables/tc
rules are inserted for the current user IP. I don't know if there is
already such a script, but I think it would be no big problem.
Perhaps pam_iptables is also possible with pam_auth in Squid...

buz

On Tue, 2003-06-10 at 19:53, Stefan Neufeind wrote:
> But what if you need an open system? Not logging into a domain but
> logging in via a web interface? E.g. when they try to surf the net they
> get redirected to authenticate here first.
>
> On 10 Jun 2003 at 9:06, Bastian Winkler wrote:
>
>> perhaps the following could fit your needs:
>> http://linux-rep.fnal.gov/howtos/Authentication-Gateway-HOWTO/
>> Personally I use pam_iptables in combination with a Samba PDC to
>> control network access with iptables+htb for windoze clients on domain
>> logon. It's a nice way to control some special Kazaa users whatever
>> machine they use ;-)
>>
>> buz
>>
>> On Mon, 2003-06-09 at 22:36, Alex (LEX) Borges wrote:
>>> I know this is doable by hand, but I'm wondering if anyone knows of a
>>> cool set of scripts or something for visitor-based networking
>>> (something like dhcp+cbq+iptables to control who's accessing what and
>>> to allow access to a network where you should on a time basis... etc.
>>> Think hotels with eth access or airports with wifi)
 




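Bastian's sketch (redirect everything to the auth page, then punch a hole for the authenticated user's IP) is the shape of what NoCatAuth does, and Stefan's question elsewhere in the thread about also checking the MAC is answered by the iptables mac match module. The script below is an added example written for this page, not code from NoCatAuth or from anyone in the thread. It assumes a Linux gateway whose LAN-side interface is $LAN (default eth1), a portal web server listening on port $PORTAL_PORT (default 8080) on the gateway itself, and a chain named portal_auth for the per-client allow rules; all three names are assumptions. With DRY_RUN=1 (the default) it prints the iptables invocations instead of running them, so it can be reviewed without root. Ed's and Keegan's caveat stands: --mac-source binds the IP to whatever MAC the client claims, which raises the bar against a plain IP hijack but not against a client that sets its MAC to the victim's. Matching on the input interface (-i) is the cheap version of Keegan's box-with-many-NICs idea.

```shell
#!/bin/sh
# Added example (not NoCatAuth's code, not from the thread): captive-portal
# rule set that binds each authenticated client to its IP *and* claimed MAC.
# Assumed names: LAN = gateway's LAN-side interface, PORTAL_PORT = port of the
# login web server running on the gateway, chain "portal_auth" for allow rules.
LAN=${LAN:-eth1}
PORTAL_PORT=${PORTAL_PORT:-8080}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the rules, 0 = really call iptables

# ipt ARGS...: print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# portal_base_rules: default state for a fresh gateway. Unauthenticated LAN
# hosts may only reach DNS and the portal; their port-80 traffic is redirected
# to the portal so a browser lands on the login page; everything else is dropped.
portal_base_rules() {
    ipt -N portal_auth
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PORTAL_PORT"
    ipt -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp --dport "$PORTAL_PORT" -j ACCEPT
    ipt -A FORWARD -i "$LAN" -j portal_auth
    ipt -A FORWARD -i "$LAN" -j DROP
}

# auth_rule IP MAC: the match part shared by allow and revoke, so the exact
# rule that was inserted is the one that gets deleted later. The mac match
# module only sees the source MAC of an incoming frame, which is why it is
# valid in PREROUTING, INPUT and FORWARD but not in OUTPUT or POSTROUTING.
auth_rule() {
    echo "-i $LAN -s $1 -m mac --mac-source $2"
}

# portal_allow IP MAC: open the gateway for a client the portal has just
# authenticated. Called by the login CGI after a successful login.
# $match is deliberately unquoted so it splits back into separate arguments.
portal_allow() {
    match=$(auth_rule "$1" "$2")
    ipt -I portal_auth $match -j ACCEPT
    # exempt the client from the port-80 redirect as well
    ipt -t nat -I PREROUTING $match -p tcp --dport 80 -j ACCEPT
}

# portal_revoke IP MAC: close the window again (logout, or expiry of a session
# timer, which gives the "window of time" behaviour Lex describes).
portal_revoke() {
    match=$(auth_rule "$1" "$2")
    ipt -D portal_auth $match -j ACCEPT
    ipt -t nat -D PREROUTING $match -p tcp --dport 80 -j ACCEPT
}

# usage (dry run): portal_base_rules; portal_allow 10.0.0.5 02:00:00:00:00:01
```

Return traffic from the uplink and the MASQUERADE rule for the uplink interface are left to the existing gateway configuration; this script only governs what arrives on the LAN side. For the time-limited sessions Alex asked about, the login CGI records the (IP, MAC, expiry) triple it passed to portal_allow and a cron job or the portal daemon calls portal_revoke with the same pair once the expiry passes.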

Re: Visitor based networking

2003-06-10 Thread Keegan Quinn
On Tuesday 10 June 2003 10:53 am, Stefan Neufeind wrote:
> But what if you need an open system? Not logging into a domain but
> logging in via a web interface? E.g. when they try to surf the net they
> get redirected to authenticate here first.

I think what you're looking for is implemented in a system called NoCatAuth,
which was also mentioned by John Keimel.  It's fairly simple Perl, and is
easily extensible to authenticate against just about any database.  Patches
already exist for Radius, and others.  There is also a C version called
NoCatSplash.  See http://nocat.net/

This system is in wide use here in Portland, Oregon, for displaying messages
to anonymous clients of public wireless networks.  It is easily adaptable.

Neither NoCatAuth nor NoCatSplash are yet in Debian, due primarily to a
complete disregard for the FHS, but if anyone is sufficiently motivated, this
could be changed...

 - Keegan






Visitor based networking

2003-06-09 Thread Alex (LEX) Borges
I know this is doable by hand, but I'm wondering if anyone knows of a
cool set of scripts or something for visitor-based networking
(something like dhcp+cbq+iptables to control who's accessing what and to
allow access to a network where you should on a time basis... etc. Think
hotels with eth access or airports with wifi)





Re: Visitor based networking

2003-06-09 Thread Stefan Neufeind
Really interesting question. Just thought about that some time ago. 
Are you planning to have a login-page to authenticate (or maybe use a 
credit-based system) for surfing? What I'm looking for is a solution 
that allows several websites to be accessible (e.g. hotel-website 
etc.) but disallows regular internet-usage until you buy some 
credits.

Did anybody already hack together such a solution? Does a project 
for such a thing exist or maybe would anyone vamp one up?

On 9 Jun 2003 at 15:36, Alex (LEX) Borges wrote:

> I know this is doable by hand, but I'm wondering if anyone knows of a
> cool set of scripts or something for visitor-based networking
> (something like dhcp+cbq+iptables to control who's accessing what and to
> allow access to a network where you should on a time basis... etc. Think
> hotels with eth access or airports with wifi)





Re: Visitor based networking

2003-06-09 Thread John Keimel
On Mon, Jun 09, 2003 at 03:36:22PM -0500, Alex (LEX) Borges wrote:
> I know this is doable by hand, but I'm wondering if anyone knows of a
> cool set of scripts or something for visitor-based networking
> (something like dhcp+cbq+iptables to control who's accessing what and to
> allow access to a network where you should on a time basis... etc. Think
> hotels with eth access or airports with wifi)
>

I've used the following two solutions personally:

- Nomadix gateway. Great product; if the customer has money, use it.
- NoCatAuth - perhaps something that you're looking for. It's open, so
  you can change it how you want. Dynamic resets of either iptables or
  ipchains (whichever you have, it'll set up for) on authentication by
  users.

HTH

j

-- 

==
+ It's simply not   | John Keimel+
+ RFC1149 compliant!| [EMAIL PROTECTED]+
+   | http://www.keimel.com  +
==




