Security Issue

mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

I want to ask: if two guys are using the same MAC address and only one of them should be allowed to use the internet from the server, how can I do this?

Like, one guy on my network has somehow managed to change the MAC address of his LAN card. Now, is there any way to stop him from using the internet?

IPs are given by a DHCP server. I am using the MAC address based firewall posted here, and the Squid proxy server.

Looking forward to some help.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
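The situation described in this post, one MAC address in use by two machines, shows up at the gateway as one source MAC sending from two different source IPs whenever the second machine picks an address other than the DHCP lease. As an added example for this thread (not code from the poster), the shell function below pulls the source MAC and the SRC field out of iptables LOG lines and reports every MAC seen with more than one IP; the LOG rule it assumes is hypothetical and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find MAC addresses that appear with
# more than one source IP in iptables LOG output, which is what a cloned
# MAC looks like from the gateway when the second machine picks its own IP.
# Assumed LOG rule (hypothetical): iptables -A FORWARD -i eth0 -m state
#   --state NEW -j LOG --log-prefix "LAN-NEW: "
# In these lines the MAC= field holds 14 octets: destination MAC (6),
# source MAC (6) and ethertype (2); the source MAC is octets 7 to 12.

report_mac_with_many_ips() {
    awk '
    /LAN-NEW:/ {
        mac = ""; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^MAC=/) mac = substr($i, 5)
            if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        if (mac == "" || src == "") next
        n = split(mac, o, ":")
        if (n < 12) next
        smac = o[7]
        for (k = 8; k <= 12; k++) smac = smac ":" o[k]
        if (!((smac, src) in seen)) {      # count each MAC/IP pair once
            seen[smac, src] = 1
            ips[smac] = ips[smac] " " src
            count[smac]++
        }
    }
    END { for (m in count) if (count[m] > 1) print m ":" ips[m] }' "$1"
}

# Constructed log sample (not a real capture): MAC ...:55 is seen from two IPs.
LOG_SAMPLE=$(mktemp)
cat > "$LOG_SAMPLE" <<'EOF'
Jun  3 10:12:01 gw kernel: LAN-NEW: IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.168.1.244 DST=203.135.1.117 LEN=60 PROTO=TCP SPT=40001 DPT=80
Jun  3 10:12:05 gw kernel: LAN-NEW: IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:66:08:00 SRC=192.168.1.245 DST=203.135.0.70 LEN=60 PROTO=UDP SPT=5001 DPT=5001
Jun  3 10:12:09 gw kernel: LAN-NEW: IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.168.1.250 DST=203.135.1.117 LEN=60 PROTO=TCP SPT=51000 DPT=80
Jun  3 10:12:20 gw kernel: LAN-NEW: IN=eth0 OUT=eth1 MAC=00:0c:29:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.168.1.244 DST=203.135.0.70 LEN=60 PROTO=TCP SPT=40002 DPT=443
EOF

report_mac_with_many_ips "$LOG_SAMPLE"
# prints: 00:11:22:33:44:55: 192.168.1.244 192.168.1.250
```

If the second machine also copies the IP (which is the common case, since DHCP hands the same lease to the same MAC), the gateway sees identical frames and this report stays empty; at that point only the switch's MAC/port table tells the two hosts apart.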
raheelahmad
Naik
Posts: 87
Joined: Tue Mar 06, 2007 4:58 am
Location: Karachi

Post by raheelahmad »

Friend, you are talking about MAC spoofing. If this happens your switch will start flooding frames, I guess. In this case use MAC to hostname binding; this can help you secure the network a little bit. And if you need high security solutions...

Use AD to authenticate and Squid for cache, bind hostnames to MAC addresses and use two-factor authentication. A little complex scenario, but security is not cheap, and not simple either.
-
Raheel Ahmad
mudasir

Post by mudasir »

AOA,

Thanks for the advice; however, I don't know how to configure AD on Linux.
If you can guide me or provide some links for configuring an AD server on Linux and the MAC to hostname binding stuff, it will be great...

Looking forward to your reply...
raheelahmad

Post by raheelahmad »

How many users do you have on your network?
mudasir

Post by mudasir »

AOA,

Dear Raheel Ahmad,

My network consists of approximately 100 users. I am running my custom-made firewall, which does MAC address authentication.

Now I have come to know that one of my users, whom I have blocked and who should not use the internet, is using it.

Now I don't know how, but it is for sure that he is using the internet.

That is why I was asking for a solution that can help me stop him from using the internet.

Can this be stopped if I bind that MAC address to one single IP by using the dhcprestrict script posted by LAMBDA in the other post?

Looking forward to your reply....
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Post by LinuxFreaK »

Dear mudasir,
Salam,

Please post your firewall rules and we will let you know.

There is a script which was developed by me; it can be found at the link below.

FYI, http://www.linuxpakistan.net/forum2x/vi ... php?t=2182

Best Regards.
Farrukh Ahmed
raheelahmad

Post by raheelahmad »

Agreed with Farrukh.
raheelahmad

Post by raheelahmad »

Dear friend, while checking the script Farrukh has posted in the forum, I came to know that your problem will still exist in your network. You have to write a script which can stop MAC spoofing, which can be done, as you said, by binding IP to MAC. Plus you have to modify the script so that, before adding an allowed MAC to the list, it searches whether that MAC already exists against any IP: if yes, block it, else let it in. If I spoof your server's MAC, what will happen if I am on the same network? Flooding... spoofing...

I hope this will help you... much...

Please let us know your response... I can write the script for you, but on the weekend; sorry for the delay...

regards.
mudasir

Post by mudasir »

I don't have that much experience in writing scripts and creating firewalls. I tried to create a firewall script and it worked, so I am using this firewall, although it might not be a very strong firewall.
This is the firewall script which I am using...
#!/bin/sh

# Firewall Script

#set -x

#################
## Defining Variables ##
#################

# Path to IPTABLES executable
IPT="/sbin/iptables"

# Interface Card Connected to Local Network
NETWORK="eth0"

# Interface Card Connected to Internet
INTERNET="eth1"

# Loopback Interface
LOOPBACK="lo"

# IP Address of Server
SERVER_IP="192.168.1.1"

# Local Network IP Range / Subnet
LOC_IP="192.168.1.1/24"

# INTERNAL Broadcast
LOC_BCAST=192.168.1.255

# IP On The Internet Interface
NET_IP="172.16.0.1/24"

# DHCP Server IP
DHCP_SERVER="192.168.1.1"

# Primary DNS Server
P_DNS="203.135.1.117"

# Alternate DNS Server
A_DNS="203.135.0.70"

# Path To Directory Containing MAC Addresses
MACDIR="/files/macs"

# Path To File Containing MAC Addresses
MACFILE="/files/macs/allowed.macs"


###################
### Flushing IPTABLES ###
###################

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X


###########################
### Setting Default Policies (INPUT drops) ###
###########################

$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

echo Default INPUT Policy Set To Drop

##########################
### Setting Needed PROC Settings ###
##########################

echo 1 > /proc/sys/net/ipv4/ip_forward

######################
### Setting IPTABLES Rules ###
######################


######################
### MAC Addresses Filtering ###
######################

# Keep the first field (the MAC), strip comments and blank lines.
# Written with '>' so a stale file from an interrupted run is never appended to.
sed "s/#.*//" $MACFILE | awk '{ print $1 }' | sed "/^$/d" > $MACDIR/mac.addresses

echo ----------------------------------------
echo Marking Packets from Known MAC Addresses
echo ----------------------------------------

cat $MACDIR/mac.addresses | while read MACS
do
$IPT -t mangle -A PREROUTING -i $NETWORK -m mac --mac-source $MACS -j MARK --set-mark 1
done

#sleep 5

echo ----------------------------------------
echo
echo ---- MAC Address Filtering Complete ----
echo
echo ----------------------------------------


##############################
### MAC Addresses Filtering Completed ###
##############################


#############################
### Redirecting All Un-Marked Packets ###
#############################


$IPT -t nat -A PREROUTING -i $NETWORK -p tcp --dport 80 -m mark ! --mark 1 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -p udp --dport 80 -m mark ! --mark 1 -j REDIRECT --to-port 8080


########################
### Accepting Marked Packets ###
########################


$IPT -A INPUT -i $NETWORK -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -i $NETWORK -m mark --mark 1 -j ACCEPT


##########################
### Dropping All Unmarked Packets ###
##########################


# NOTE: both rules below are commented out and the FORWARD policy above is
# ACCEPT, so traffic from an unlisted MAC still passes the FORWARD chain;
# only the MASQUERADE rule further down is limited to marked packets.
#$IPT -A FORWARD -i $NETWORK -m mark ! --mark 1 -j DROP
#$IPT -A INPUT -i $NETWORK -m mark ! --mark 1 -j DROP


#######################################
### Accepting Voice/CAM Request for Marked Packets. ###
#######################################


$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p udp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5100 -j ACCEPT


######################################
### Dropping Voice/CAM Traffic which is not Marked. ###
######################################


$IPT -t nat -A PREROUTING -i $NETWORK -m mark ! --mark 1 -p tcp --dport 5000:5010 -j DROP
$IPT -t nat -A PREROUTING -m mark ! --mark 1 -i $NETWORK -p tcp --dport 5100 -j DROP


########################
### Accepting DHCP Request. ###
########################


$IPT -A INPUT -i $NETWORK -p udp -s $DHCP_SERVER --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p udp -s 255.255.255.255 --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT


###########################################
### Redirecting HTTP and FTP Traffic to Squid Proxy Server. ###
###########################################


$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 80 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 21 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 21 -j REDIRECT --to-port 8080


###################################
### MASQUERADE All packets that are Marked. ###
###################################


$IPT -t nat -A POSTROUTING -p all -s $LOC_IP -m mark --mark 1 -o $INTERNET -j MASQUERADE


######################
### Rules for ICMP Protocol ###
######################

$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $P_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $A_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP ! -d $LOC_IP -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable
$IPT -A INPUT -p icmp -s $LOC_IP -d $LOC_BCAST -j DROP


###############################
### No Restriction for Loopback Interface ###
###############################


$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT

##############################################
### Dropping Packets coming from internet claiming to be from Network
###############################################


$IPT -A INPUT -i $INTERNET -s $LOC_IP -j DROP
$IPT -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP


$IPT -A INPUT -i $NETWORK -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -j ACCEPT


#####################################
### Accepting Established and Related Connections ###
#####################################


$IPT -I INPUT -i $NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


###############################
### Dropping Invalid and Unknown Packets ###
###############################

$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,URG URG -j DROP
#$IPT -t nat -A PREROUTING -i $NETWORK -p tcp --syn -s $LOC_IP --dport 80 -m mark ! --mark 1 -j DROP
nomankhn
Colonel
Posts: 714
Joined: Wed Aug 07, 2002 8:00 pm

Post by nomankhn »

Dear Brother Mudsair,

In the above post you wrote that MAC authentication is done through your script; that is impossible, authentication is something different. But your script is really good; it shows you are working well on Linux.

Keep it up, my prayers are always with you.

Regards,
Noman Liaquat
mudasir

Post by mudasir »

AOA,

Thanks, dear Noman bhai.

Now what I have done is that I have fixed an IP address on that MAC address and have bound it through iptables:

iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source XX:XX:XX:XX:XX:XX -s 192.168.1.244 -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -m mac --mac-source XX:XX:XX:XX:XX:XX ! -s 192.168.1.244 -j DROP

Please tell me whether this method is good or not, or whether this will work or not.

Looking forward to your help
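Raheel's suggestion earlier in the thread (search whether a MAC already exists against any IP before allowing it) and the two MAC-to-IP binding rules Mudasir just posted fit together in one script. The following is an added example written for this thread, not code from any of the posters: it assumes a bindings file with one "MAC IP" pair per line, puts the rules in the filter table's FORWARD chain instead of nat PREROUTING, and prints the rules instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): validate a "MAC IP" binding list,
# then print the iptables rules that tie each allowed MAC to its fixed IP.
# Assumed file format: one "MAC IP" pair per line, '#' starts a comment.
# Rules target the filter table's FORWARD chain: the nat table only sees
# a connection's first packet, so it is the wrong place for DROP rules.

IPT="${IPT:-/sbin/iptables}"
NETWORK="${NETWORK:-eth0}"

# Drop comments and blank lines; lowercase MACs so duplicates compare equal.
normalize_bindings() {
    sed 's/#.*//; /^[[:space:]]*$/d' "$1" | awk '{ print tolower($1), $2 }'
}

# Refuse the whole list if a MAC is bound to two IPs or an IP to two MACs:
# that ambiguity is what a cloned MAC hides behind (Raheel's check above).
check_duplicates() {
    dups=$(normalize_bindings "$1" | awk '
        seen_mac[$1]++ { print "duplicate MAC: " $1 }
        seen_ip[$2]++  { print "duplicate IP:  " $2 }')
    [ -z "$dups" ] || { printf '%s\n' "$dups" >&2; return 1; }
}

# Print (not run) one accept rule per exact MAC+IP pair, then drop the MAC
# with any other source IP and the IP with any other source MAC.
emit_rules() {
    check_duplicates "$1" || return 1
    normalize_bindings "$1" | while read -r mac ip; do
        echo "$IPT -A FORWARD -i $NETWORK -m mac --mac-source $mac -s $ip -j ACCEPT"
        echo "$IPT -A FORWARD -i $NETWORK -m mac --mac-source $mac ! -s $ip -j DROP"
        echo "$IPT -A FORWARD -i $NETWORK -s $ip -m mac ! --mac-source $mac -j DROP"
    done
    echo "$IPT -A FORWARD -i $NETWORK -j DROP"   # LAN host with no binding at all
}

# Constructed sample lists (not real hosts), written to temporary files.
GOOD_LIST=$(mktemp); BAD_LIST=$(mktemp)
cat > "$GOOD_LIST" <<'EOF'
# MAC                IP (fixed DHCP lease)
00:11:22:33:44:55    192.168.1.244
00:11:22:33:44:66    192.168.1.245   # second host
EOF
cat > "$BAD_LIST" <<'EOF'
00:11:22:33:44:55    192.168.1.244
00:11:22:33:44:55    192.168.1.250   # same MAC listed again: refused
EOF
emit_rules "$GOOD_LIST"                              # 7 rules
emit_rules "$BAD_LIST" || echo "bad list rejected" >&2
```

Because the last rule drops any LAN source that matched no binding, the list has to name every legitimate host before it is loaded; a host missing from the file loses connectivity rather than slipping through.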
nomankhn

Post by nomankhn »

Hi Mudasir,

I think you should allow those users which are part of your network and block the rest of them, or better, run authentication of users through Squid, where every user has a separate username and password which they then use when they browse.

raheelahmad

Post by raheelahmad »

Dear Mudasir, I have already said... please use dual-factor authentication. Noman is right, you can do authentication with Squid, but that will affect Squid performance; in reality Squid is not an authentication server, it serves as a proxy. You have to bear a server cost. If you authenticate using AD it can solve the problem.......... AD can run on a low-speed server as well...

Remember, security is not cheap, brother.............................................

Regards.
mudasir

Post by mudasir »

AOA,

Can anyone provide me some links to understand AD on Linux and how to set up AD on Linux?

Looking forward to some help.
nomankhn

Post by nomankhn »

Why AD, if he is using Linux?
