Home page logo

basics logo Security Basics mailing list archives

Re: Identifying a computer
From: Bryan Allen <bda () mirrorshades net>
Date: Wed, 3 Dec 2003 16:25:13 -0500

On Dec 3, 2003, at 10:38 AM, Cheetah wrote:
Is there any way I can get some information out of this computer without
running around
and asking everyone what their IP is?

Block the IP address at the border (at your Linux gateway/firewall).

Whoever comes and complains is your culprit.

Also, set up firewalling to only allow hosts which have an entry in dhcpd.leases (don't allow unknown statics) so it can't happen again and people have to play by your rules (though really you should design your network so things like this can't happen, either with physical/logical subnets or VLANs).

Depending on how your network is designed, you can usually figure out which segment the host is sitting on and work from there. It's certainly much easier if your switches are managed, but it's not too hard to do even if they're dumb.

If your switches are dumb, you'll have to actually go and check machine's ARP tables to find out on what segment the host is living on.

If your network only has one dimension, well, the easiest thing to do is block their MAC address at the border (using the iptables MAC filtering module). That way, even if they switch over to using DHCP, they still have to come talk to someone in IT, so you can explain them the finer points of being a polite network citizen.

Eventually you'll want to consider generating a MAC address to owner relationship chart, so when some host starts acting like a punkass, you can go beat up the appropriate party.

Look into implementing QoS. It's relatively simple and there are plenty of HOWTOs. Google is your friend.
Cyberpunk is dead.  Long live cyberpunk.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]