Re: dhcp delivered subnet broadcast address: 255.255.255.255

2009-01-29 Thread Matt Kincaid
Hello, I'm having the same issue.

 

I can broadcast to the ###.###.###.255 fine but my switches/routers
throw out 255.255.255.255. 

 

Have you found any solution?

Matt Kincaid




Re: dhcp delivered subnet broadcast address: 255.255.255.255

2009-01-29 Thread Miroslaw Kwasniak
On Thu, Jan 29, 2009 at 12:26:46PM -0800, Matt Kincaid wrote:
 Hello, I'm having the same issue.
 
  
 
 I can broadcast to the ###.###.###.255 fine but my switches/routers
 throw out 255.255.255.255. 

Routers must have dhcp-relay function.





Re: DHCP - rootkit

2002-11-02 Thread Phillip Hofmeister
On Fri, 01 Nov 2002 at 06:41:43PM -0400, Peter Cordes wrote:
  MD5 is still believed to be secure.  i.e. Nobody can modify a binary so
 that it has different contents but the same MD5 hash, unless they are _very_
 _very_ lucky.  The task becomes even more difficult if you check the length
 of the file as well as the hash.

if (filename == MYHACKEDFILE) {
    cout << WHATEVERIEXPECTTHEMD5SUMTOBE;
}

AFA file length go...the kernel source is available and I am sure you
could re-write that also...
-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #239: IRQ-problems with the Un-Interruptable-Power-Supply 








Re: DHCP - rootkit

2002-11-01 Thread Peter Cordes
On Tue, Oct 29, 2002 at 05:10:12PM -0800, Alvin Oga wrote:
 am not as worried about the determined hacker/crackers that 
 can modify binaries such that md5sum matches my tripwire db and
 other security precautions (databases and baseline) of my servers

 MD5 is still believed to be secure.  i.e. Nobody can modify a binary so
that it has different contents but the same MD5 hash, unless they are _very_
_very_ lucky.  The task becomes even more difficult if you check the length
of the file as well as the hash.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BC







Re: DHCP

2002-10-29 Thread Phillip Hofmeister
On Tue, 29 Oct 2002 at 10:52:22AM +1100, Stewart James wrote:
 I had the very same thoughts, being a university you can imagine what
 physical security is like, plus management wants to give students the
 ability to walk on campus and plugin, plus start wireless services too.

Be wary of wireless.  I take an 802.11b card and can pick an addy even
if I am just joe smo public.  Draw a 1000 feet circle around your
wireless AP and that is the range at which I can get an addy from your
DHCP...

-- 
Excuse #71: Someone is standing on the Ethernet cable causing a kink in the cable 

Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import

XP Source Code:

#include win2k.h
#include extra_pretty_things_with_bugs.h
#include more_bugs.h
#include require_system_activation.h
#include phone_home_every_so_often.h
#include remote_admin_abilities_for_MS.h
#include more_restrictive_EULA.h
#include sell_your_soul_to_MS_EULA.h
//os_ver=Windows 2000
os_ver=Windows XP






Re: DHCP

2002-10-29 Thread Phillip Hofmeister
On Mon, 28 Oct 2002 at 11:18:23PM -0800, Brandon High wrote:
 On Mon, Oct 28, 2002 at 07:38:38PM -0600, Hanasaki JiJi wrote:
  Too bad there is no way to do a secure handshake w/ an id/password or 
  even SecureID cards.
 
 That's the idea behind PPPoE. Yuck.
Or you could do ipsec:

Laptop (IPSEC Client) - WAP - Server (DHCP AND IPSEC Host) - Local
Network.  In order to get inside the network you will have to get past
the IPSEC Host, which of course will require a key that has a valid
certificate from the local CA.

Just a thought...



-- 
Excuse #218: The co-locator cannot verify the frame-relay gateway to the ISDN server. 

Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import



RE: DHCP

2002-10-29 Thread Christopher Medalis

We are currently looking into wireless where I work also.
Just a few weeks ago, we had this company come in to give a demo of an
appliance that enforces restrictions on the wireless network.
http://www.verniernetworks.com/

It seems to be along the path of what we are looking for, YMMV.
Oh, and we don't have any active relationship with this firm, they are just
the first to demo anything here :)






Re: DHCP

2002-10-29 Thread Noah L. Meyerhans
On Tue, Oct 29, 2002 at 09:35:01AM -0500, Phillip Hofmeister wrote:
 Laptop (IPSEC CLient) - WAP - Server (DHCP AND IPSEC Host) - Local
 Network.  In order to get inside the network you will have to get past
 the IPSEC Host, which of course will require a key that has a valid
 certificate from the local CA.

IPsec has the added advantage that it can be used to protect all
wireless traffic from eavesdroppers.

At the USENIX Annual Technical Conference in Monterey, CA this past
June, the company providing wireless network connectivity used such a
system.  Since it was IPsec, people using *BSD, Windows, Linux, etc were
able to use it.  They also had things configured in such a way that if
you couldn't or didn't want to use IPsec, you could use guest mode,
which didn't require anything other than basic 802.11b functionality,
but meant that you could do only a limited amount of stuff on the
network (i.e. most outgoing ports were filtered, especially ones that
would have you sending your password in the clear over a wireless link).

I forget the name of that company, but could dig it up if anybody wants
it.  Of course, all they really did was take a Linux box and configure
it just right to get this functionality, so if time is more plentiful
for you than money, you could likely build the same kind of system
yourself.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: DHCP - rootkit

2002-10-29 Thread Alvin Oga

hi ya rick

yes... got that part ... ( the after breaking in part )

was expecting to see it helps one to break in and exploit
the vulnerabilities so it didn't sink in at first when
i was reading all the talk-backs
( didnt see what i wanted to see ;-)
 
thanx
alvin

On Mon, 28 Oct 2002, Rick Moen wrote:

 Quoting Alvin Oga ([EMAIL PROTECTED]):
 
  i read all the talkbacks... 
  - no definition of rootkit posted in the talkbacks
 
 Look again.
 
 Anyhow, a rootkit is not anything that allows an un-educated user to
 just run that tool to break into other peoples network and machines.
 It's something the intruder uses _after_ breaking in.
 






Re: DHCP - rootkit

2002-10-29 Thread Dale Amon
A rootkit is a selection of modified standard programs 
that usually replace (among others)

ls
ps
netstat
users

and pretty much everything else you would use to check
your machine. It will also include a backdoor.

Sometimes the primary part of the rootkit is either a 
module or a complete replacement of the kernel with
one that does not respond to the normal users (root) 
with any info about the new owner.

Rootkits are *INSTALLED* after a successful root 
exploit.






Re: DHCP - rootkit

2002-10-29 Thread Alvin Oga

hi ya dale

 
 Rootkits are *INSTALLED* after a successful root 
 exploit.

maybe i missing something here ... that i been wondering about
for years..

if they exploited a root vulnerability and got in...
why modify silly binaries like ps, top, ls, find, etc ??

that gives themself away as having modified the system

if they quietly do what they do, like run irc chat
or spam bomb just a few a day ... nobody might notice ???
( until sleepy admin watch the logs or see whats running
- erasing the logs is a dead give away you got a problem
( that something happened 

there's more alarms going off when things are modified
on a normal box ??

if only irc ran ... it might be overlooked till the load
on the box is too high ??
- changing/trojaning all the binaries will
definitely give yourself away

- either way... to trojan the binaries or not .. either way
  the sleepy admin wont notice...

- sharp ones will catch it within a few minutes/hours...
  or not happen (not exploited) at all ..


-- guess i would do a minimum disturbance if i got into 
   somebodys box and wanted to use their resources
as opposed to tripping over everything

c ya
alvin






Re: DHCP - rootkit

2002-10-29 Thread Alvin Oga

hi ya dale

if anybody modifies the typical binaries..
i'll know within the hour.. hourly/randomly system checks

or instantaneously if i happen to be reading emails
at the time ... they are attacking...

i say modifying files is a give away .. that says 
come find me  which is trivial since its modified
binaries

see below

On Wed, 30 Oct 2002, Dale Amon wrote:

 On Tue, Oct 29, 2002 at 03:28:20PM -0800, Alvin Oga wrote:
  if they exploited a root vulnerability and got in...
  why modify silly binaries like ps, top, ls, find, etc ??
  
  that gives themself away as having modified the system
 
 No it doesn't. It makes them and everything they do vanish
 into thin air as if they weren't there. They can log into
 you computer, create files, run a Warez and you can sit on
 your remote terminal blithely unaware because nothing you
 do will show you anything they are doing.
 
 Their files don't show in your ls
 Their disk space usage doesn't show in your df
 Their processes don't show on your ps

thats dumb if you use the hacked binaries to check for them

c ya
alvin

- most of the machines now days... even if they did get into
  my customers boxes.. they might not be able to run the
  programs ... just depends on which rootkit
( usually i get a copy of their attempts to get in
( once a year or so ..but it fails to run ..

- thats when it gets fun







Re: DHCP - rootkit

2002-10-29 Thread Noah L. Meyerhans
On Tue, Oct 29, 2002 at 04:12:54PM -0800, Alvin Oga wrote:
 i say modifying files is a give away .. that says 
 come find me  which is trivial since its modified
 binaries

If they do it right, it's not a giveaway.  If they're quick, thorough,
and accurate, they can certainly do it right.  On the other hand, I've
seen cracked Solaris boxes on which the rootkit installed a patched
version of GNU's ls in place of the default ls.  That was a pretty
obvious giveaway.

The thing with rootkits is that they're pretty target-specific.  They're
not usually robust enough to be installed on a different Linux
distribution or even a different version of the intended target distro.
Rootkits aren't what I usually worry about; It's the determined,
knowledgeable attackers that I don't like.  Fortunately there aren't as
many of them to worry about.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: DHCP - rootkit

2002-10-29 Thread Alvin Oga

hi ya noah

On Tue, 29 Oct 2002, Noah L. Meyerhans wrote:

 On Tue, Oct 29, 2002 at 04:12:54PM -0800, Alvin Oga wrote:
  i say modifying files is a give away .. that says 
  come find me  which is trivial since its modified
  binaries
 
 If they do it right, it's not a giveaway.  If they're quick, thorough,
 and accurate, they can certainly do it right.  On the other hand, I've

if they do get in... i wanna know within a second (wishfully) that they
got in ( an email is sent elsewhere of who/where they came from )
- then if i am online ... i got um in the act ...

i've done  rm their_code.c while they are in the machine ...
makes um wonder :-)  and move files around on them .. :-)

am not as worried about the determined hacker/crackers that 
can modify binaries such that md5sum matches my tripwire db and
other security precautions (databases and baseline) of my servers
- if they do come visiting ... we've got a serious problem
and my clients aren't banks ( literally/figuratively )

i just want to make 90-95% of the attempts fail from the script kiddies
and local wanna be admins that goes around changing the lan network,
config files, topology, passwds etc
- 80-90% of all these attempts are users trying to bypass
corp security policy

- or just playing .. tripping all the alarms in the process
of testing/learning what they can do

- and they very quickly find dhcp is disallowed :-)
and they cant send email that dhcp doesnt work :-)
and they cant randomly or add +1 to their current assigned ip#
to get online

- always leave an easy guinea pig ( decoys ) for them to play with ...

c ya
alvin

 seen cracked Solaris boxes on which the rootkit installed a patched
 version of GNU's ls in place of the default ls.  That was a pretty
 obvious giveaway.
 
 The thing with rootkits is that they're pretty target-specific.  They're
 not usually robust enough to be installed on a different Linux
 distribution or even a different version of the intended target distro.
 Rootkits aren't what I usually worry about; It's the determined,
 knowledgeable attackers that I don't like.  Fortunately there aren't as
 many of them to worry about.
 






Re: DHCP

2002-10-29 Thread Brandon High
On Mon, Oct 28, 2002 at 07:38:38PM -0600, Hanasaki JiJi wrote:
 Too bad there is no way to do a secure handshake w/ an id/password or 
 even SecureID cards.

That's the idea behind PPPoE. Yuck.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '02 BMW R1150RS
Things are more like they are today than they ever have been before.




Re: DHCP - rootkit

2002-10-29 Thread Dale Amon
On Tue, Oct 29, 2002 at 03:28:20PM -0800, Alvin Oga wrote:
 if they exploited a root vulnerability and got in...
 why modify silly binaries like ps, top, ls, find, etf ??
 
 that gives themself away as having modified the system

No it doesn't. It makes them and everything they do vanish
into thin air as if they weren't there. They can log into
your computer, create files, run a Warez and you can sit on
your remote terminal blithely unaware because nothing you
do will show you anything they are doing.

Their files don't show in your ls
Their disk space usage doesn't show in your df
Their processes don't show on your ps

The attack script, if it is a good one, will not only
crack root, it will install the root kit and clean up
signs of the entry.

Their actions are only visible for a matter of 
minutes or more likely seconds.

A successful attack can be detected by a good admin,
often by anomalous traffic on the LAN, or by comparison
with tripwire files (with the comparison done off line
by booting from a CD to run the checks against a
tripwire db that was also off line).

It is also the case that a lot of exploit scripts are
much less than perfect and will leave some evidence.

I have a few other forensic tricks for checking but I 
won't share them with strangers :-)

-- 
--
Nuke bin Laden:   Dale Amon, CEO/MD
  improve the global  Islandone Society
 gene pool.   www.islandone.org
--
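
The off-line comparison described in this message, as an added example that is not code from any poster in the thread: the checker reads and hashes the files itself, so it does not depend on the host's own md5sum or ls, and it records file length next to the hash. It uses SHA-256 rather than the MD5 the thread discusses; the file tree, file names and function names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex), reading the file with our own code."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its fingerprint."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline, root):
    """Compare a stored baseline with the tree as it is now."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [], "added": []}
    for rel, (old_size, old_hash) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        new_size, new_hash = current[rel]
        if new_hash != old_hash:
            # A same-length replacement passes a size check; only the hash catches it.
            reason = "hash only" if new_size == old_size else "size and hash"
            report["modified"].append((rel, reason))
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        originals = {
            "ls": b"original ls\n",
            "ps": b"original ps\n",
            "netstat": b"original netstat\n",
        }
        for name, content in originals.items():
            with open(os.path.join(bindir, name), "wb") as handle:
                handle.write(content)

        # In practice the baseline is stored off the machine (assumption:
        # read-only media), and the check is run after booting from trusted media.
        baseline = build_baseline(root)

        with open(os.path.join(bindir, "ps"), "wb") as handle:
            handle.write(b"trojaned ps\n")        # same length as the original
        with open(os.path.join(bindir, "ls"), "wb") as handle:
            handle.write(b"patched GNU ls build\n")  # different length
        os.remove(os.path.join(bindir, "netstat"))
        with open(os.path.join(bindir, ".hidden"), "wb") as handle:
            handle.write(b"dropped file\n")

        return compare(baseline, root)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```
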




Re: DHCP

2002-10-28 Thread Steve Johnson
As far as I know there's not much to it, my dhcp server was very simple
to set up with very little security options.  My only suggestion is just
make sure you have the latest version, and make sure you have the
security updates source in your sources.list file for your dists ie:

deb http://security.debian.org stable/updates main contrib non-free

for woody(stable).
Then run an update.  And subscribe to debian-security-announce, and keep
an eye out for any future flaws in your dhcpd.

Steve

On Mon, 2002-10-28 at 17:03, Stewart James wrote:
 
 I was hoping someone could help me out here. Currently I am still on a
 network using static IP configuration on each machine, we are finally
 moving towards DHCP. Are there any security considerations to be made to
 ensure there is no gaping security hole. the various howto's I have seen
 don't seem to have a clear Security section and I haven't seen it
 mentioned in any of the faq's
 
 Thanks for any assistance,
 
 Stewart James
 
 




RE: DHCP

2002-10-28 Thread Jones, Steven
u could set dhcp to give out a fixed address dependent on a mac address,
this would stop just anybody plugging a box into a network, if your network
is physically secure then thats not a worry. (a cat5 jack in reception or
some other public place is dodgy)

Otherwise dhcp makes life easier...its the only way to manage a decent sized
network.

:)

Steven

-Original Message-
From: Stewart James [mailto:stewart.james;vu.edu.au]
Sent: Tuesday, 29 October 2002 12:03 
To: [EMAIL PROTECTED]
Subject: DHCP



I was hoping someone could help me out here. Currently I am still on a
network using static IP configuration on each machine, we are finally
moving towards DHCP. Are there any security considerations to be made to
ensure there is no gaping security hole. the various howto's I have seen
don't seem to have a clear Security section and I haven't seen it
mentioned in any of the faq's

Thanks for any assistance,

Stewart James
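
A check built on the fixed-address-per-MAC idea in this message, as an added example that is not code from the thread: it reads the MAC-to-address reservations out of a DHCP server configuration and compares them with (IP, MAC) pairs seen on the wire. It assumes ISC dhcpd-style `host` declarations; the configuration, the sightings and the function names are constructed.

```python
import re

# Constructed sample in ISC dhcpd.conf host-declaration syntax.
SAMPLE_CONF = """
host lab-pc1 {
  hardware ethernet 00:16:3e:00:00:01;
  fixed-address 192.0.2.10;
}
host lab-pc2 {
  hardware ethernet 00:16:3E:00:00:02;
  fixed-address 192.0.2.11;
}
"""

# Constructed (ip, mac) sightings, as might be collected from a router's ARP table.
SAMPLE_SEEN = [
    ("192.0.2.10", "00:16:3E:00:00:01"),  # matches its reservation
    ("192.0.2.11", "00:16:3e:aa:bb:cc"),  # reserved address, different MAC
    ("192.0.2.50", "00:16:3e:de:ad:01"),  # MAC with no reservation
    ("192.0.2.12", "00:16:3e:00:00:02"),  # known MAC on an address it was not given
]

HOST_RE = re.compile(r"host\s+(\S+)\s*\{([^}]*)\}")
MAC_RE = re.compile(
    r"hardware\s+ethernet\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*;"
)
IP_RE = re.compile(r"fixed-address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*;")


def parse_reservations(conf_text):
    """Return {mac: ip} for each host block that has both a MAC and a fixed address."""
    reservations = {}
    for _name, body in HOST_RE.findall(conf_text):
        mac = MAC_RE.search(body)
        ip = IP_RE.search(body)
        if mac and ip:
            reservations[mac.group(1).lower()] = ip.group(1)
    return reservations


def audit(reservations, seen):
    """Classify each sighting that does not match the reservation table."""
    reserved_ips = {ip: mac for mac, ip in reservations.items()}
    findings = []
    for ip, mac in seen:
        mac = mac.lower()
        owner = reserved_ips.get(ip)
        if owner is not None and owner != mac:
            findings.append(("reserved-ip-taken", ip, mac))
        elif mac not in reservations:
            findings.append(("unknown-mac", ip, mac))
        elif reservations[mac] != ip:
            findings.append(("wrong-ip", ip, mac))
        # Limitation: a host presenting a reserved MAC on its reserved address
        # looks legitimate here, so this narrows the problem without closing it.
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reservations(SAMPLE_CONF), SAMPLE_SEEN):
        print(finding)
```
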






RE: DHCP

2002-10-28 Thread Stewart James

I had the very same thoughts, being a university you can imagine what
physical security is like, plus management wants to give students the
ability to walk on campus and plugin, plus start wireless services too.

From what people have sent back from my question, I don't think we will be
any worse off security wise as far as moving to DHCP will go.

Thanks for the various responses, if someone still thinks of a big issue I
would love to hear it.

Cheers,

Stewart





Re: DHCP

2002-10-28 Thread Andrew Sayers
I'm not a huge expert on all of this, but here are a couple of
thoughts...

Unless you're monitoring IP/MAC addresses to try and detect
spoofing, knowing a machine's IP address is already useless from a
security POV.  Even then, MAC addresses can be spoofed.  Given that,
DHCP can't really make things much worse :)

Another problem is that ISTR some mis-configured Win2K boxes run a DHCP
server by default, and some mis-configured students will doubtless enjoy
bringing rogue servers onto your network.  You should make sure to look
out for any unauthorised DHCP-offer packets floating around.

Similarly, students could potentially use a rogue DHCP server as the
first stage in an attack against another machine.  This would be a lot
of work, though - anyone smart enough to do this probably wouldn't
need to change their marks on the exam :)

- Andrew Sayers



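One way to "look out for any unauthorised DHCP-offer packets", as an added example that is not part of the original post: a parser for the DHCP (BOOTP) UDP payload that flags OFFER/ACK replies whose source or server identifier is not on an allowlist. The allowlist address, the sample addresses and the helper names are assumptions, and the packets are constructed in the code, not captured.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
BOOTREPLY = 2                          # BOOTP op code: server -> client
DHCPOFFER, DHCPACK = 2, 5              # values of option 53 (message type)
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255

# Assumption: the one DHCP server the administrators actually run.
AUTHORISED_SERVERS = {"10.0.0.2"}


def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload; return None if malformed or not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    hlen = min(payload[2], 16)
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                       # option header cut off
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            return None                       # option body cut off
        options[code] = data
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE)
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": payload[0],
        "offered_ip": str(ipaddress.IPv4Address(payload[16:20])),   # yiaddr
        "client_mac": payload[28:28 + hlen].hex(":"),               # chaddr
        "msg_type": msg_type[0] if msg_type and len(msg_type) == 1 else None,
        "server_id": (str(ipaddress.IPv4Address(server_id))
                      if server_id and len(server_id) == 4 else None),
    }


def check_reply(src_ip, payload, authorised=AUTHORISED_SERVERS):
    """Return an alert string for an unauthorised OFFER/ACK, else None."""
    pkt = parse_dhcp(payload)
    if pkt is None or pkt["op"] != BOOTREPLY:
        return None
    if pkt["msg_type"] not in (DHCPOFFER, DHCPACK):
        return None
    # Check the IP source as well as option 54: the sender chooses what
    # goes into the server identifier, so it cannot be trusted alone.
    claimed = pkt["server_id"] or src_ip
    if src_ip in authorised and claimed in authorised:
        return None
    kind = "OFFER" if pkt["msg_type"] == DHCPOFFER else "ACK"
    return "rogue DHCP%s from %s (server-id %s) to %s: %s" % (
        kind, src_ip, claimed, pkt["client_mac"], pkt["offered_ip"])


def build_reply(msg_type, server_ip, offered_ip, client_mac, xid=0x1234ABCD):
    """Construct a sample server reply (test data, not captured traffic)."""
    def packed(ip):
        return ipaddress.IPv4Address(ip).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0, xid, 0, 0,
                         b"", packed(offered_ip), packed(server_ip), b"",
                         bytes.fromhex(client_mac.replace(":", "")), b"", b"")
    options = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
               + packed(server_ip) + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed samples: (IP source address, UDP payload).
SAMPLES = [
    ("10.0.0.2", build_reply(DHCPOFFER, "10.0.0.2", "10.0.0.101", "00:50:56:aa:00:01")),
    ("10.0.0.77", build_reply(DHCPOFFER, "10.0.0.77", "192.168.0.5", "00:50:56:aa:00:01")),
    # Reply that claims the real server's identifier but comes from elsewhere.
    ("10.0.0.77", build_reply(DHCPACK, "10.0.0.2", "192.168.0.5", "00:50:56:aa:00:01")),
]


def scan(samples):
    """Run check_reply over (src_ip, payload) pairs and collect the alerts."""
    return [a for a in (check_reply(s, p) for s, p in samples) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```
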


Re: DHCP

2002-10-28 Thread Alvin Oga

hi andrew

i think you want  at least one level of protection against dhcp
- prevent any tom, dick and harry from creating havoc
by running their rootkits by connecting their laptop to the
network

- it is bad to allow just anybody to plug in their laptops
with all the fun viruses and rootkits and let them run amuck
and then disappear after causing major email traffic: what
happened  and have to go fix it ( whatever they did )

- all you know is somebody plugged something in at a ip# or
mac address

- i like setting up a dummy 386 machine that uses up all the unused
  ip#   to prevent people from picking arbitrary ip# that they
  should NOT be using ( that is supposedly available )

- spoofing and other techie stuff requires one more year of school
  and yes... that is lot harder to prevent by the determined hacker
  or employee-that-wanna-get-around-the-dumb-security-policy

c ya
alvin






RE: DHCP

2002-10-28 Thread Jones, Steven
ik campus

ik

ik

so zilch physical security

you didn't say this in your earlier post, this has severe security
implications, in fact I'd suggest you'd be a danger to the internet

I'd suggest a letter to the ppl that want this and tell them of the severe
security implications of what they want.

you'd be a hacker's/spammer's dream...sit in the carpark with a laptop and
wi-fi and spam the world.

can't use static mapping of IPs to MACs... too many unknown MACs, well you
can

request each person registers their machine with the helldesk and gets a
static IP given out locked to the MAC address they provide. Run arpwatch to
look for illegal connections

We are trialing wi-fi city wide, the wi-fi lan is behind a firewall and are
blocking port 25, then opening up ports as requested based on merits.

DHCP is the least of your worries...

This is not really a debian security issue but a general security issue, I
would suggest you get a security policy written and get it agreed with
management. it's your best set of defences from getting screwed over when
something goes wrong. Also writing this and getting it agreed will give you
time to research and get up to speed.

Also the DHCP server should have a firewall of its own at the very least.

It suggests careful planning is needed before implementation, possibly a
campus wide audit after a policy is agreed (you audit against the policy)

regards

I'm writing a policy myself and it's taking a while... it will be posted on the
Internet once done for free use and comment. The debian security howto is
good, if you have not read it please do.

I'd split campus network up into a trusted and untrusted LAN (incl wi-fi
network), the untrusted LAN should be treated as the Internet ie a danger
zone and firewalled...

i could go on and on..i suspect you have a lot to do..

regards

Steven



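The registration-plus-monitoring scheme suggested in the message above, as an added sketch that is not part of the original post and is not arpwatch's own code: observed IP/MAC pairs are checked against a help-desk registration table. The table, the observations and the alert names are constructed for illustration; a borrowed registered MAC used while its owner is offline produces no alert here.

```python
import re


def norm_mac(mac):
    """Normalise 00-50-56-AA-00-01, 0050.56aa.0001 etc. to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed registration table: MAC -> (static IP, host name).
REGISTERED = {
    norm_mac("00:50:56:AA:00:01"): ("10.1.0.11", "lab-pc1"),
    norm_mac("0050.56aa.0002"): ("10.1.0.12", "lib-laptop"),
}

# Constructed observations (IP, MAC), in the order they were seen on the wire.
OBSERVATIONS = [
    ("10.1.0.11", "00-50-56-aa-00-01"),   # registered, correct IP
    ("10.1.0.12", "00:50:56:aa:00:02"),   # registered, correct IP
    ("10.1.0.50", "02:00:00:00:be:ef"),   # never registered
    ("10.1.0.12", "00:50:56:aa:00:01"),   # registered MAC on someone else's IP
    ("10.1.0.12", "00:50:56:aa:00:02"),   # the rightful owner answers again
]


def audit(observations, registered):
    """Return (kind, ip, mac) alerts for pairs that break the registration."""
    last_mac_for_ip = {}
    alerts = []
    for ip, raw_mac in observations:
        mac = norm_mac(raw_mac)
        entry = registered.get(mac)
        if entry is None:
            alerts.append(("unregistered-mac", ip, mac))
        elif entry[0] != ip:
            alerts.append(("wrong-ip", ip, mac))
        # Independently of registration: one IP answered by two MACs is the
        # pattern address monitoring is meant to surface.
        previous = last_mac_for_ip.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip-changed-mac", ip, mac))
        last_mac_for_ip[ip] = mac
    return alerts


if __name__ == "__main__":
    for kind, ip, mac in audit(OBSERVATIONS, REGISTERED):
        print("%-17s %-10s %s" % (kind, ip, mac))
```
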




RE: DHCP

2002-10-28 Thread Haines, Charles Allen
Well here at WPI, we have to register each and every MAC address that we
wish to use on campus.  If your MAC address isn't registered, you get no
network.  It works the same way with wireless.  And to the best of my
knowledge, DHCP is used.

-
Chuck Haines
GDC Systems Administrator   
Infinity Complex Developer  
WPILA Lab Manager   
-
AIM: CyberGrex
ICQ: 3707881
Yahoo: CyberGrex_27
Cell: (410) 610-6343.
-
Geek by nature, Linux by choice.







Re: DHCP

2002-10-28 Thread Hanasaki JiJi
Too bad there is no way to do a secure handshake w/ an id/password or 
even SecureID cards.

Any way to make the same host name resolve to your IP regardless of 
what IP is allocated to your box by dhcp?


--

=   http://www.sun.com/service/sunps/jdc/javacenter.pdf=
=www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone   =
=  =
= Noone wants advice - only corroboration - John Steinbeck   =
====
= Pawns can become Royalty in Life or in Chess   =
= Life, the only game where Royalty can be a pawn,=
=and not even know it =
= Chess, the only game where pawns really are pawns  =




RE: DHCP

2002-10-28 Thread Haines, Charles Allen
Actually, we have to create a host name when we register our MAC
addresses.  This allows the same host name to be resolved to our IP.

-
Chuck Haines
GDC Systems Administrator   
Infinity Complex Developer  
WPILA Lab Manager   
-
AIM: CyberGrex
ICQ: 3707881
Yahoo: CyberGrex_27
Cell: (410) 610-6343.
-
Geek by nature, Linux by choice.




Re: DHCP

2002-10-28 Thread Rick Moen
Quoting Alvin Oga ([EMAIL PROTECTED]):

 i think you want  at least one level of protection against dhcp
   - prevent any tom, dick and harry from creating havoc
   by running their rootkits by connecting their laptop to the
   network

Um, Alvin?  You might want to look up the definition of rootkit.
This confusion has also come up elsewhere, on LinuxToday:
http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV

 - spoofing and other techie stuff requires one more year of school

Setting a fake MAC address requires nothing more than reading the
ifconfig manpage.  Acquiring one to borrow requires nothing more than
running tcpdump or equivalent.

-- 
Cheers,Before enlightenment, caffeine.
Rick Moen  After enlightenment, caffeine.
[EMAIL PROTECTED]






Re: DHCP

2002-10-28 Thread Jason Clarke
Chuck,

That sounds like a fantastic idea!

Provide some sort of web interface where a student can use a library
terminal or some such, plug in their MAC ADDR and their student number.

I normally don't post a Good on you jim! message, but this one has set off
ideas left right and centre.

J




Re: DHCP

2002-10-28 Thread Alvin Oga

hi ya rick

On Mon, 28 Oct 2002, Rick Moen wrote:

 Quoting Alvin Oga ([EMAIL PROTECTED]):
 
  i think you want  at least one level of protection against dhcp
  - prevent any tom, dick and harry from creating havoc
  by running their rootkits by connecting their laptop to the
  network
 
 Um, Alvin?  You might want to look up the definition of rootkit.

my definition ... anything that allows an un-educated user to just
run that tool to break into other peoples network and machines
( there's too many rootkits to count )

 This confusion has also come up elsewhere, on LinuxToday:
 http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV

that just talks about arresting some poor soul ??

  - spoofing and other techie stuff requires one more year of school
 
 Setting a fake MAC address requires nothing more than reading the
 ifconfig manpage.  Acquiring one to borrow requires nothing more than
 running tcpdump or equivalent.

yes... but setting up a fake mac address and few additional things
to do is the next level above the ordinary tom-dick-harry that
receives a rootkit via email, clicks it and now gets to attack
any machine susceptible to that rootkit

i want the ordinary folks (script kiddies) to keep out of the network for
everybody's sake especially if they (the ones being scanned/attacked) are
click-happy ( not reading what it says before clicking )

c ya
alvin






Re: DHCP

2002-10-28 Thread David U.
Jason Clarke wrote:
 Chuck,

 That sounds like a fantastic idea!

 Provide some sort of web interface where a student can use a library
 terminal or some such, plug in their MAC ADDR and their student
 number.

 I normally don't post a Good on you jim! message, but this one has
 set off ideas left right and centre.

My school[1] paid a lot of money for a system from Lucent to do just this
sort of thing. (Called QueueIP I think)

Then again, there's the free/better solution from CMU.

Secure, flexible, scalable.

http://www.net.cmu.edu/netreg/

-davidu

[1]: www.wustl.edu (to its credit though, the system works rather well)







Re: DHCP

2002-10-28 Thread Rick Moen
Quoting Alvin Oga ([EMAIL PROTECTED]):
 Um, Alvin?  You might want to look up the definition of rootkit.
 
 my definition ... anything that allows an un-educated user to just
 run that tool to break into other peoples network and machines
   ( there's too many rootkits to count )

That's just not what a rootkit is.  Sorry.

 This confusion has also come up elsewhere, on LinuxToday:
 http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV
 
 that just talks about arresting some poor soul ??

Read the talkbacks, at the bottom.

 - spoofing and other techie stuff requires one more year of school
 
 Setting a fake MAC address requires nothing more than reading the
 ifconfig manpage.  Acquiring one to borrow requires nothing more than
 running tcpdump or equivalent.
 
 yes... but setting up a fake mac address and few additional things
 to do is the next level above the ordinary tom-dick-harry that
 receives a rootkit via email, clicks it and now gets to attack
 any machine susceptible to that rootkit

1.  That's not what a rootkit does.
2.  The sophistication required to read an ifconfig manpage is mighty
low.

-- 
Cheers, Learning Java has been a slow and tortuous process for me.  Every 
Rick Moen   few minutes, I start screaming 'No, you fools!' and have to go
[EMAIL PROTECTED]   read something from _Structure and Interpretation of
Computer Programs_ to de-stress.   -- The Cube, www.forum3000.org






Re: DHCP - rootkit

2002-10-28 Thread Alvin Oga

hi ya rick

On Mon, 28 Oct 2002, Rick Moen wrote:

 Quoting Alvin Oga ([EMAIL PROTECTED]):
  Um, Alvin?  You might want to look up the definition of rootkit.
  
  my definition ... anything that allows an un-educated user to just
  run that tool to break into other peoples network and machines
  ( there's too many rootkits to count )
 
 That's just not what a rootkit is.  Sorry.

like i said ... that was my definition in 1 minute...

if you like a more formal definition of rootkit ...

http://whatis.techtarget.com/definition/0,289893,sid9_gci547279,00.html

  This confusion has also come up elsewhere, on LinuxToday:
  http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV
  
  that just talks about arresting some poor soul ??
 
 Read the talkbacks, at the bottom.

i read all the talkbacks... 
- no definition of rootkit posted in the talkbacks

- mostly the same arguments 
( reformat or figure out what happened arguments after 
( being kitted

- reformatting or reinstalling etc is bad ... in my book
 
  - spoofing and other techie stuff requires one more year of school
  
  Setting a fake MAC address requires nothing more than reading the
  ifconfig manpage.  Acquiring one to borrow requires nothing more than
  running tcpdump or equivalent.
  
  yes... but setting up a fake mac address and few additional things
  to do is the next level above the ordinary tom-dick-harry that
  receives a rootkit via email, clicks it and now gets to attack
  any machine susceptible to that rootkit
 
 1.  That's not what a rootkit does.

okay ... i agree ... use hacking tools or script kiddie tools in its
place  or any other preferred word of choice

 2.  The sophistication required to read an ifconfig manpage is mighty
 low.

yup ... but still 1 level higher than all the click on anything script
kiddies

have fun
alvin






Re: DHCP

2002-10-28 Thread Andrew Sayers
On Mon, Oct 28, 2002 at 06:46:47PM -0800, Rick Moen wrote:
 
  This confusion has also come up elsewhere, on LinuxToday:
  http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV
  
  that just talks about arresting some poor soul ??
 
 Read the talkbacks, at the bottom.

Specifically, I think you're referring to
http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV-0014
which talks about the difference between a rootkit and an attack-kit
with a rootkit bundled in.

snip
 2.  The sophistication required to read an ifconfig manpage is mighty
 low.

To be exact, changing your MAC address consists of:

# ifdown eth0
# ifconfig eth0 hw ether <arbitrary ethernet address>
# ifup eth0

... but that's not really the point.  The average script-kiddie will
(for example) have learned enough chemistry in school to make some very
lethal explosives, but it doesn't occur to them to use that knowledge.

In practice, even a very low security barrier will stop the 90% of
clueless abusers - but (to drag this thread back on-topic), that's no
excuse for basing the security of your network on a fundamentally
insecure way of identifying computers.

Ultimately, the only secure assumption is that machines which you don't
control will spew whatever incorrect or invalid data they like onto your
network.

- Andrew





Re: DHCP - rootkit

2002-10-28 Thread Rick Moen
Quoting Alvin Oga ([EMAIL PROTECTED]):

 i read all the talkbacks... 
   - no definition of rootkit posted in the talkbacks

Look again.

Anyhow, a rootkit is not anything that allows an un-educated user to
just run that tool to break into other peoples network and machines.
It's something the intruder uses _after_ breaking in.

-- 
Cheers, Learning Java has been a slow and tortuous process for me.  Every 
Rick Moen   few minutes, I start screaming 'No, you fools!' and have to go
[EMAIL PROTECTED]   read something from _Structure and Interpretation of
Computer Programs_ to de-stress.   -- The Cube, www.forum3000.org






Re: DHCP

2002-10-28 Thread Rick Moen
Quoting Andrew Sayers ([EMAIL PROTECTED]):

 In practice, even a very low security barrier will stop the 90% of
 clueless abusers - but (to drag this thread back on-topic), that's no
 excuse for basing the security of your network on a fundamentally
 insecure way of identifying computers.

Right.  If you want to control access meaningfully, you have to do 
it at some other level, e.g., a separate user login mechanism required
before your newly issued IP address is routed to anything beyond the 
authentication server.

-- 
Cheers,  Yes, I _am_ an agent of Satan, 
Rick Moen    but my duties are largely ceremonial.
[EMAIL PROTECTED]






Re: DHCP

2002-10-28 Thread Brandon High
On Mon, Oct 28, 2002 at 07:38:38PM -0600, Hanasaki JiJi wrote:
 Too bad there is no way to do a secure handshake w/ an id/password or 
 even SecureID cards.

That's the idea behind PPPoE. Yuck.

-B

-- 
Brandon High [EMAIL PROTECTED]
'98 Kawi ZX-7R Wasabi, '98 Kawi EX500 Harlot, '02 BMW R1150RS
Things are more like they are today than they ever have been before.





Re: DHCP

2002-10-28 Thread Steve Johnson
As far as I know there's not much to it, my dhcp server was very simple
to set up with very little security options.  My only suggestion is just
make sure you have the latest version, and make sure you have the
security updates source in your sources.list file for your dists ie:

deb http://security.debian.org stable/updates main contrib non-free

for woody(stable).
Then run an update.  And subscribe to debian-security-announce, and keep
an eye out for any future flaws in your dhcpd.

Steve

On Mon, 2002-10-28 at 17:03, Stewart James wrote:
 
 I was hoping someone could help me out here. Currently I am still on a
 network using static IP configuration on each machine, we are finally
 moving towards DHCP. Are there any security considerations to be made to
 ensure there is no gaping security hole. the various howto's I have seen
 don't seem to have a clear Security section and I haven't seen it
 mentioned in any of the faq's
 
 Thanks for any assistance,
 
 Stewart James
 
 




RE: DHCP

2002-10-28 Thread Jones, Steven
u could set dhcp to give out a fixed address dependent on a mac address,
this would stop just anybody plugging a box into a network, if your network
is physically secure then that's not a worry. (a cat5 jack in reception or
some other public place is dodgy)

Otherwise dhcp makes life easier...it's the only way to manage a decent sized
network.

:)

Steven




RE: DHCP

2002-10-28 Thread Stewart James

I had the very same thoughts, being a university you can imagine what
physical security is like, plus management wants to give students the
ability to walk on campus and plugin, plus start wireless services too.

From what people have sent back from my question, I don't think we will be
any worse off security wise as far as moving to DHCP will go.

Thanks for the various responses, if someone still thinks of a big issue I
would love to hear it.

Cheers,

Stewart







Re: DHCP

2002-10-28 Thread Andrew Sayers
I'm not a huge expert on all of this, but here are a couple of
thoughts...

Unless you're monitoring IP/MAC addresses to try and detect
spoofing, knowing a machine's IP address is already useless from a
security POV.  Even then, MAC addresses can be spoofed.  Given that,
DHCP can't really make things much worse :)

Another problem is that ISTR some mis-configured Win2K boxes run a DHCP
server by default, and some mis-configured students will doubtless enjoy
bringing rogue servers onto your network.  You should make sure to look
out for any unauthorised DHCP-offer packets floating around.

Similarly, students could potentially use a rogue DHCP server as the
first stage in an attack against another machine.  This would be a lot
of work, though - anyone smart enough to do this probably wouldn't
need to change their marks on the exam :)

- Andrew Sayers
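
The check suggested above, watching for unauthorised DHCP-offer packets, can be automated. The following is an added example, not part of the original post: it parses captured DHCP payloads and reports OFFER/ACK/NAK messages that do not come from, or do not name, an authorized server. The 192.0.2.x addresses, the MAC address, the sample packets and the function names are constructed for illustration; it assumes the monitor sees replies on the same segment as the clients, so relays would have to be added to the authorized set.

```python
import ipaddress
import struct

BOOTP_FIXED_LEN = 236                 # fixed BOOTP header that precedes the options
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of the DHCP options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MESSAGES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # types only a server sends


def parse_dhcp(payload):
    """Parse a UDP payload as DHCP. Returns a dict, or None if it is malformed."""
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(payload) < start or payload[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        return None
    hlen = payload[2]
    if hlen > 16:
        return None
    options, i = {}, start
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None               # option code without a length byte
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            return None               # option runs past the end of the packet
        options.setdefault(code, data)
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"")
    server_id = options.get(OPT_SERVER_ID, b"")
    return {
        "xid": struct.unpack("!I", payload[4:8])[0],
        "offered_ip": str(ipaddress.IPv4Address(payload[16:20])),        # yiaddr
        "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),  # chaddr
        "msg_type": msg_type[0] if len(msg_type) == 1 else None,
        "server_id": str(ipaddress.IPv4Address(server_id)) if len(server_id) == 4 else None,
    }


def find_rogue_replies(packets, authorized):
    """packets: (source_ip, udp_payload) pairs captured on UDP ports 67/68.
    Returns one alert per server-type message that fails the authorization check."""
    alerts = []
    for src_ip, payload in packets:
        msg = parse_dhcp(payload)
        if msg is None or msg["msg_type"] not in SERVER_MESSAGES:
            continue                  # malformed, or a client message
        reasons = []
        if src_ip not in authorized:
            reasons.append("source address not authorized")
        if msg["server_id"] is None:
            reasons.append("no server identifier option")
        elif msg["server_id"] not in authorized:
            reasons.append("server identifier not authorized")
        if reasons:
            alerts.append({"type": SERVER_MESSAGES[msg["msg_type"]], "src_ip": src_ip,
                           "server_id": msg["server_id"], "offered_ip": msg["offered_ip"],
                           "client_mac": msg["client_mac"], "reasons": reasons})
    return alerts


def build_sample(msg_type, server_id, offered_ip, client_mac, xid, op=2):
    """Construct a minimal DHCP message (sample data for this example only)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                         bytes(4), ipaddress.IPv4Address(offered_ip).packed,
                         bytes(4), bytes(4),
                         bytes.fromhex(client_mac.replace(":", "")), b"", b"")
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id is not None:
        options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Constructed capture: one authorized server (192.0.2.1) and one rogue (192.0.2.66).
AUTHORIZED = {"192.0.2.1"}
MAC = "02:00:00:00:00:01"
SAMPLE_CAPTURE = [
    ("0.0.0.0", build_sample(1, None, "0.0.0.0", MAC, 0x1111, op=1)),      # client DISCOVER
    ("192.0.2.1", build_sample(2, "192.0.2.1", "192.0.2.50", MAC, 0x1111)),    # legitimate OFFER
    ("192.0.2.66", build_sample(2, "192.0.2.66", "192.0.2.200", MAC, 0x1111)),  # rogue OFFER
    ("192.0.2.66", build_sample(5, "192.0.2.1", "192.0.2.200", MAC, 0x1111)),   # ACK naming the real server
    ("192.0.2.1", build_sample(2, "192.0.2.1", "192.0.2.50", MAC, 0x2222)[:200]),  # truncated
]

if __name__ == "__main__":
    for alert in find_rogue_replies(SAMPLE_CAPTURE, AUTHORIZED):
        print(alert["type"], "from", alert["src_ip"], "->", alert["client_mac"],
              "offering", alert["offered_ip"], ":", "; ".join(alert["reasons"]))
```

Checking the packet's source address as well as option 54 matters because the server identifier is just a field the sender fills in.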




Re: DHCP

2002-10-28 Thread Alvin Oga

hi andrew

i think you want  at least one level of protection against dhcp
- prevent any tom, dick and harry from creating havoc
by running their rootkits by connecting their laptop to the
network

- it is bad to allow just anybody plug in their laptops
with all the fun viruses and rootkits and let them run amuck
and then disappear after causing major email traffic: what
happened  and have to go fix it ( whatever they did )

- all you know is somebody plugged something in at a ip# or
mac address

- i like setting up a dummy 386 machine that uses up all the unused
  ip#   to prevent people from picking arbitrary ip# that they
  should NOT be using ( that is supposedly available )

- spoofing and other techie stuff requires one more year of school
  and yes... that is lot harder to prevent by the determined hacker
  or employee-that-wanna-get-around-the-dumb-security-policy

c ya
alvin


 



RE: DHCP

2002-10-28 Thread Jones, Steven
ik campus

ik

ik

so zilch physical security

you didn't say this in your earlier post, this has severe security
implications, in fact I'd suggest you'd be a danger to the internet

I'd suggest a letter to the ppl that want this and tell them of the severe
security implications of what they want.

you'd be a hacker's/spammer's dream...sit in the carpark with a laptop and
wi-fi and spam the world.

can't use static mapping of IPs to MACs...too many unknown MACs, well you
can

request each person registers their machine with the helldesk and gets a
static IP given out locked to the MAC address they provide. Run arpwatch to
look for illegal connections

We are trialing wi-fi city wide, the wi-fi lan is behind a firewall and are
blocking port 25, then opening up ports as requested based on merits.

DHCP is the least of your worries...

This is not really a debian security issue but a general security issue, I
would suggest you get a security policy written and get it agreed with
management. it's your best set of defences from getting screwed over when
something goes wrong. Also writing this and getting it agreed will give you
time to research and get up to speed.

Also the DHCP server should have a firewall of its own at the very least.

It suggests careful planning is needed before implementation, possibly a
campus wide audit after a policy is agreed (you audit against the policy)

regards

I'm writing a policy myself and it's taking a while...it will be posted on the
Internet once done for free use and comment. The debian security howto is
good, if you have not read it please do.

I'd split campus network up into a trusted and untrusted LAN (incl wi-fi
network), the untrusted LAN should be treated as the Internet ie a danger
zone and firewalled...

i could go on and on..i suspect you have a lot to do..

regards

Steven







RE: DHCP

2002-10-28 Thread Haines, Charles Allen
Well here at WPI, we have to register each and every MAC address that we
wish to use on campus.  If your MAC address isn't registered, you get no
network.  It works the same way with wireless.  And to the best of my
knowledge, DHCP is used.

-
Chuck Haines
GDC Systems Administrator   
Infinity Complex Developer  
WPILA Lab Manager   
-
AIM: CyberGrex
ICQ: 3707881
Yahoo: CyberGrex_27
Cell: (410) 610-6343.
-
Geek by nature, Linux by choice.
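
MAC registration as described here, combined with the arpwatch monitoring suggested in the previous message, comes down to checking observed IP/MAC bindings against a registration table. The following is an added example, not code from the thread and not arpwatch itself: it parses ARP frames, reports unregistered stations, changed bindings and Ethernet/ARP mismatches, and the second capture shows the limit raised elsewhere in the thread, that a copied registered MAC produces no event. All addresses, host names, frames and function names are constructed for illustration.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_FRAME_LEN = 42            # 14-byte Ethernet header + 28-byte IPv4-over-Ethernet ARP


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame):
    """Return the sender fields of an Ethernet/IPv4 ARP frame, or None."""
    if len(frame) < ARP_FRAME_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),          # source in the Ethernet header
        "sender_mac": mac_str(frame[22:28]),      # sender hardware address in ARP
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
    }


def watch(frames, registered):
    """Compare ARP sender bindings with a registration table (MAC -> host name).
    Returns a list of (event, ip, mac) tuples in the order they were seen."""
    bindings = {}             # ip -> MAC that last claimed it
    events = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["sender_ip"] == "0.0.0.0":
            continue          # not ARP, or an address probe with no sender IP
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            events.append(("ethernet mismatch", ip, mac))
        if mac not in registered:
            events.append(("unregistered station", ip, mac))
        previous = bindings.get(ip)
        if previous is not None and previous != mac:
            events.append(("changed ethernet address", ip, mac))
        bindings[ip] = mac
    return events


def build_arp(eth_src, sender_mac, sender_ip, oper=1):
    """Construct a broadcast ARP frame (sample data for this example only)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = ipaddress.IPv4Address(sender_ip).packed
    eth = b"\xff" * 6 + raw(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + raw(sender_mac) + ip + bytes(6) + ip
    return eth + arp


# Constructed registration table and captures.
LAPTOP_A, LAPTOP_B, UNKNOWN = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:99"
REGISTERED = {LAPTOP_A: "laptop-a.example", LAPTOP_B: "laptop-b.example"}

SAMPLE_FRAMES = [
    build_arp(LAPTOP_A, LAPTOP_A, "192.0.2.10"),   # registered host, first sighting
    build_arp(UNKNOWN, UNKNOWN, "192.0.2.77"),     # MAC nobody registered
    build_arp(LAPTOP_B, LAPTOP_B, "192.0.2.10"),   # another host claims A's address
    build_arp(LAPTOP_B, LAPTOP_A, "192.0.2.20"),   # ARP sender differs from frame source
]

# A machine that has copied LAPTOP_A's MAC looks exactly like LAPTOP_A on the wire.
CLONED_MAC_CAPTURE = [build_arp(LAPTOP_A, LAPTOP_A, "192.0.2.10")]

if __name__ == "__main__":
    for event, ip, mac in watch(SAMPLE_FRAMES, REGISTERED):
        print(f"{event}: {ip} {mac}")
    print("events for cloned MAC:", watch(CLONED_MAC_CAPTURE, REGISTERED))
```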








Re: DHCP

2002-10-28 Thread Hanasaki JiJi
Too bad there is no way to do a secure handshake w/ an id/password or 
even SecureID cards.


Any way to make the same host name resolve to your IP irregardless of 
what IP is allocated to your box by dhcp?



--

=   http://www.sun.com/service/sunps/jdc/javacenter.pdf=
=www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone   =
=  =
= Noone wants advice - only corroboration - John Steinbeck   =
====
= Pawns can become Royalty in Life or in Chess   =
= Life, the only game where Royalty can be a pawn,=
=and not even know it =
= Chess, the only game where pawns really are pawns  =




RE: DHCP

2002-10-28 Thread Haines, Charles Allen
Actually, we have to create a host name when we register our MAC
addresses.  This allows the same host name to be resolved to our IP.

-
Chuck Haines
GDC Systems Administrator   
Infinity Complex Developer  
WPILA Lab Manager   
-
AIM: CyberGrex
ICQ: 3707881
Yahoo: CyberGrex_27
Cell: (410) 610-6343.
-
Geek by nature, Linux by choice.




Re: DHCP

2002-10-28 Thread Rick Moen
Quoting Alvin Oga ([EMAIL PROTECTED]):

 i think you want  at least one level of protection against dhcp
   - prevent any tom, dick and harry from creating havoc
   by running their rootkits by connecting their laptop to the
   network

Um, Alvin?  You might want to look up the definition of rootkit.
This confusion has also come up elsewhere, on LinuxToday:
http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV

 - spoofing and other techie stuff requires one more year of school

Setting a fake MAC address requires nothing more than reading the
ifconfig manpage.  Acquiring one to borrow requires nothing more than
running tcpdump or equivalent.

-- 
Cheers,    Before enlightenment, caffeine.
Rick Moen  After enlightenment, caffeine.
[EMAIL PROTECTED]



Re: DHCP

2002-10-28 Thread Jason Clarke
Chuck,

That sounds like a fantastic idea!

Provide some sort of web interface where a student can use a library
terminal or some such, plug in their MAC ADDR and their student number.

I normally don't post a Good on you jim! message, but this one has set off
ideas left right and centre.

J




Re: DHCP

2002-10-28 Thread Alvin Oga

hi ya rick

On Mon, 28 Oct 2002, Rick Moen wrote:

 Quoting Alvin Oga ([EMAIL PROTECTED]):
 
  i think you want  at least one level of protection against dhcp
  - prevent any tom, dick and harry from creating havoc
  by running their rootkits by connecting their laptop to the
  network
 
 Um, Alvin?  You might want to look up the definition of rootkit.

my definition ... anything that allows an un-educated user to just
run that tool to break into other people's network and machines
( there's too many rootkits to count )

 This confusion has also come up elsewhere, on LinuxToday:
 http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV

that just talks about arresting some poor soul ??

  - spoofing and other techie stuff requires one more year of school
 
 Setting a fake MAC address requires nothing more than reading the
 ifconfig manpage.  Acquiring one to borrow requires nothing more than
 running tcpdump or equivalent.

yes... but setting up a fake mac address and few additional things
to do is the next level above the ordinary tom-dick-harry that
receives a rootkit via email, clicks it and now gets to attack
any machine susceptible to that rootkit

i want the ordinary folks (script kiddies) to keep out of the network for
everybody's sake especially if they (the ones being scanned/attacked) are
click-happy ( not reading what it says before clicking )

c ya
alvin



Re: DHCP

2002-10-28 Thread David U.
Jason Clarke wrote:
 Chuck,

 That sounds like a fantastic idea!

 Provide some sort of web interface where a student can use a library
 terminal or some such, plug in their MAC ADDR and their student
 number.

 I normally don't post a Good on you jim! message, but this one has
 set off ideas left right and centre.

My school[1] paid a lot of money for a system from Lucent to do just this
sort of thing. (Called QueueIP I think)

Then again, there's the free/better solution from CMU.

Secure, flexible, scalable.

http://www.net.cmu.edu/netreg/

-davidu

[1]: www.wustl.edu (to its credit though, the system works rather well)




Re: DHCP

2002-10-28 Thread Rick Moen
Quoting Alvin Oga ([EMAIL PROTECTED]):
 Um, Alvin?  You might want to look up the definition of rootkit.
 
 my definition ... anything that allows an un-educated user to just
 run that tool to break into other people's network and machines
   ( there's too many rootkits to count )

That's just not what a rootkit is.  Sorry.

 This confusion has also come up elsewhere, on LinuxToday:
 http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV
 
 that just talks about arresting some poor soul ??

Read the talkbacks, at the bottom.

 - spoofing and other techie stuff requires one more year of school
 
 Setting a fake MAC address requires nothing more than reading the
 ifconfig manpage.  Acquiring one to borrow requires nothing more than
 running tcpdump or equivalent.
 
 yes... but setting up a fake mac address and few additional things
 to do is the next level above the ordinary tom-dick-harry that
 receives a rootkit via email, clicks it and now gets to attack
 any machine susceptible to that rootkit

1.  That's not what a rootkit does.
2.  The sophistication required to read an ifconfig manpage is mighty
low.

-- 
Cheers,
Rick Moen
[EMAIL PROTECTED]

Learning Java has been a slow and tortuous process for me.  Every
few minutes, I start screaming 'No, you fools!' and have to go
read something from _Structure and Interpretation of
Computer Programs_ to de-stress.   -- The Cube, www.forum3000.org



Re: DHCP - rootkit

2002-10-28 Thread Alvin Oga

hi ya rick

On Mon, 28 Oct 2002, Rick Moen wrote:

 Quoting Alvin Oga ([EMAIL PROTECTED]):
  Um, Alvin?  You might want to look up the definition of rootkit.
  
  my definition ... anything that allows an un-educated user to just
  run that tool to break into other people's network and machines
  ( there's too many rootkits to count )
 
 That's just not what a rootkit is.  Sorry.

like i said ... that was my definition in 1 minute...

if you like a more formal definition of rootkit ...

http://whatis.techtarget.com/definition/0,289893,sid9_gci547279,00.html

  This confusion has also come up elsewhere, on LinuxToday:
  http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV
  
  that just talks about arresting some poor soul ??
 
 Read the talkbacks, at the bottom.

i read all the talkbacks... 
- no definition of rootkit posted in the talkbacks

- mostly the same arguments 
( reformat or figure out what happened arguments after 
( being kitted

- reformatting or reinstalling etc is bad ... in my book
 
  - spoofing and other techie stuff requires one more year of school
  
  Setting a fake MAC address requires nothing more than reading the
  ifconfig manpage.  Acquiring one to borrow requires nothing more than
  running tcpdump or equivalent.
  
  yes... but setting up a fake mac address and few additional things
  to do is the next level above the ordinary tom-dick-harry that
  receives a rootkit via email, clicks it and now gets to attack
  any machine susceptible to that rootkit
 
 1.  That's not what a rootkit does.

okay ... i agree ... use hacking tools or script kiddie tools in its
place  or any other preferred word of choice

 2.  The sophistication required to read an ifconfig manpage is mighty
 low.

yup ... but still 1 level higher than all the click on anything script
kiddies

have fun
alvin



Re: DHCP

2002-10-28 Thread Andrew Sayers
On Mon, Oct 28, 2002 at 06:46:47PM -0800, Rick Moen wrote:
 
  This confusion has also come up elsewhere, on LinuxToday:
  http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV
  
  that just talks about arresting some poor soul ??
 
 Read the talkbacks, at the bottom.

Specifically, I think you're referring to
http://linuxtoday.com/news_story.php3?ltsn=2002-09-20-011-26-SC-SV-0014
which talks about the difference between a rootkit and an attack-kit
with a rootkit bundled in.

snip
 2.  The sophistication required to read an ifconfig manpage is mighty
 low.

To be exact, changing your MAC address consists of:

# ifdown eth0
# ifconfig eth0 hw ether <arbitrary ethernet address>
# ifup eth0

... but that's not really the point.  The average script-kiddie will
(for example) have learned enough chemistry in school to make some very
lethal explosives, but it doesn't occur to them to use that knowledge.

In practice, even a very low security barrier will stop the 90% of
clueless abusers - but (to drag this thread back on-topic), that's no
excuse for basing the security of your network on a fundamentally
insecure way of identifying computers.

Ultimately, the only secure assumption is that machines which you don't
control will spew whatever incorrect or invalid data they like onto your
network.

- Andrew
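
Added example (not part of any message in this thread): since a MAC address is a client-asserted value, a site that hands out leases by MAC can at least watch for one MAC being acknowledged via a different relay or under a different client hostname within a short window. The log layout is assumed to follow ISC dhcpd syslog lines; the sample lines, addresses, year and the 30-minute window are constructed for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample lines in ISC dhcpd syslog style (not taken from the thread).
SAMPLE_LOG = """\
Oct 28 18:40:02 dhcp1 dhcpd: DHCPACK on 10.0.5.23 to 00:0c:29:aa:bb:01 (alice-laptop) via 10.0.5.1
Oct 28 18:41:10 dhcp1 dhcpd: DHCPACK on 10.0.5.40 to 00:0c:29:aa:bb:02 (bob-pc) via 10.0.5.1
Oct 28 18:52:37 dhcp1 dhcpd: DHCPACK on 10.0.9.77 to 00:0C:29:AA:BB:01 (debian) via 10.0.9.1
Oct 28 19:05:00 dhcp1 dhcpd: DHCPACK on 10.0.5.40 to 00:0c:29:aa:bb:02 (bob-pc) via 10.0.5.1
Oct 29 09:00:00 dhcp1 dhcpd: DHCPACK on 10.0.7.12 to 00:0c:29:aa:bb:03 (carol) via 10.0.7.1
Oct 29 15:30:00 dhcp1 dhcpd: DHCPACK on 10.0.9.15 to 00:0c:29:aa:bb:03 (carol) via 10.0.9.1
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: DHCPACK on "
    r"(?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))? via (?P<via>\S+)"
)
Ack = namedtuple("Ack", "when mac host relay")

def parse_acks(text, year=2002):
    """Yield an Ack for every DHCPACK line; syslog omits the year, so one is assumed."""
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield Ack(when, m["mac"].lower(), m["host"] or "", m["via"])

def find_conflicts(acks, window=timedelta(minutes=30)):
    """Report (mac, time, reasons) when a MAC changes relay or hostname within window."""
    last, findings = {}, []
    for ack in sorted(acks):
        prev = last.get(ack.mac)
        if prev and ack.when - prev.when <= window:
            reasons = []
            if ack.relay != prev.relay:
                reasons.append("relay")      # same MAC seen on another segment
            if ack.host != prev.host:
                reasons.append("hostname")   # same MAC, different client name
            if reasons:
                findings.append((ack.mac, ack.when, reasons))
        last[ack.mac] = ack
    return findings

if __name__ == "__main__":
    for mac, when, reasons in find_conflicts(parse_acks(SAMPLE_LOG)):
        print(f"{when:%b %d %H:%M:%S} {mac} changed {' and '.join(reasons)}")
```

The hostname is supplied by the client as well, so a hit is a prompt to check the switch port, not proof; a laptop that legitimately moves between buildings hours apart (the third MAC in the sample) is not flagged.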




Re: DHCP - rootkit

2002-10-28 Thread Rick Moen
Quoting Alvin Oga ([EMAIL PROTECTED]):

 i read all the talkbacks... 
   - no definition of rootkit posted in the talkbacks

Look again.

Anyhow, a rootkit is not anything that allows an un-educated user to
just run that tool to break into other people's network and machines.
It's something the intruder uses _after_ breaking in.

-- 
Cheers,
Rick Moen
[EMAIL PROTECTED]

Learning Java has been a slow and tortuous process for me.  Every
few minutes, I start screaming 'No, you fools!' and have to go
read something from _Structure and Interpretation of
Computer Programs_ to de-stress.   -- The Cube, www.forum3000.org



Re: DHCP

2002-10-28 Thread Rick Moen
Quoting Andrew Sayers ([EMAIL PROTECTED]):

 In practice, even a very low security barrier will stop the 90% of
 clueless abusers - but (to drag this thread back on-topic), that's no
 excuse for basing the security of your network on a fundamentally
 insecure way of identifying computers.

Right.  If you want to control access meaningfully, you have to do 
it at some other level, e.g., a separate user login mechanism required
before your newly issued IP address is routed to anything beyond the 
authentication server.

-- 
Cheers,
Rick Moen
[EMAIL PROTECTED]

Yes, I _am_ an agent of Satan,
but my duties are largely ceremonial.