How to block an unauthorized user to use net

Taking care of your Linux box.

Postby smk08 » Thu May 21, 2009 1:58 pm

Assalmu Alaikum

Dear friend, a user in my network uses the internet illegally.

First I block his IP by using squid acl but he changes his IP address.

Now I apply MAC based restriction but now he changes his MAC address.


Please guide me how to get rid of this problem.



Jazaku Mullah
Shahid Mahmood
0321-4538113
i am crazy to learn linux
smk08
Naik
 
Posts: 56
Joined: Fri Aug 08, 2008 1:44 pm
Location: Sheikhupura, Pakistan

Postby lambda » Thu May 21, 2009 2:17 pm

smk08 wrote:First I block his IP by using squid acl but he changes his IP address.
Now I apply MAC based restriction but now he changes his MAC address.

what kind of mac-based restrictions do you have? what are your squid.conf rules?

how is the user getting on your network in the first place?
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore

Postby smk08 » Thu May 21, 2009 2:55 pm

Asslamu Alaikum


the user is part of our network. his machine's IP address is 172.16.0.18.
i apply the following acl to block him:

acl time-office src 172.16.0.18
acl time-office1 arp 00:1C:70:40:B9:A4


http_access deny time-office
http_access deny time-office1

i also carefully put these in the right place. he also knows that users from ips 10 to 15 are allowed to use the internet. he reads their mac from the arp table and uses the internet illegally when someone is on rest.


thanks


Jazaku Mullah.
Shahid Mahmood

smk08
Naik
 
Posts: 56
Joined: Fri Aug 08, 2008 1:44 pm
Location: Sheikhupura, Pakistan

Postby lambda » Thu May 21, 2009 5:59 pm

this isn't a technical problem, it's a social problem. this really needs a policy solution. are users allowed to change their ips/mac addresses by your management? if not, install arpwatch, wait until he changes his address, and then take the evidence in your logs to management. tell them, in writing if necessary, that you have a user who isn't permitted access to the internet, and is trying to circumvent your security checks. if the users use windows, you can try setting up a group policy on the pdc to prevent users from changing their network properties.

if your network switches allow it, force his port to his real mac address. that way if he changes it, it won't let his traffic through. your technical options on the server are to set up authentication in squid, and give your users usernames/passwords (different ones for each user). or, (it's wasteful) you can set up pppoe on the server and on valid client hosts and only allow access to squid from authenticated hosts.
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore

Postby smk08 » Wed May 27, 2009 3:26 pm

Asslamu Alaikum

dear i install (arpwatch-2.1a11-7.9.4.legacy.i386.rpm) but don't know how to use this. so please give me any howto of this.


Jazaku Mullah
Shahid Mahmood

smk08
Naik
 
Posts: 56
Joined: Fri Aug 08, 2008 1:44 pm
Location: Sheikhupura, Pakistan

Postby lambda » Wed May 27, 2009 3:48 pm

when it's running, it'll log changes to mac addresses on the local network: if 00.aa.bb.cc.dd.ee used the ip 192.168.1.10 to send packets to/through your server, and then ff.dd.ee.aa.bb.cc starts using the same ip address, it'll log it somewhere in /var/log.

i haven't used it in years. try reading its documentation for the specifics.
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore
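
Added example (not part of the original posts, and not arpwatch's own code): a small Python script that turns arpwatch syslog lines into the evidence lambda describes, listing IPs whose MAC changed and MACs that showed up on more than one IP. The log lines are constructed, and the message layout (event name, IP, new MAC, old MAC in parentheses, MACs printed without leading zeros) is an assumption to check against your own arpwatch version's output.

```python
import re
from collections import defaultdict

# Constructed sample lines; host name "proxy" and MAC 0:1c:70:aa:bb:c are made up.
# 172.16.0.18 and 00:1C:70:40:B9:A4 are the blocked machine from the thread.
SAMPLE_LOG = """\
May 27 09:00:01 proxy arpwatch: new station 172.16.0.12 0:1c:70:aa:bb:c eth0
May 27 09:00:05 proxy arpwatch: new station 172.16.0.18 0:1c:70:40:b9:a4 eth0
May 27 13:02:11 proxy arpwatch: changed ethernet address 172.16.0.12 0:1c:70:40:b9:a4 (0:1c:70:aa:bb:c) eth0
May 27 13:40:30 proxy arpwatch: flip flop 172.16.0.12 0:1c:70:aa:bb:c (0:1c:70:40:b9:a4) eth0
"""

# Assumed layout: "<event> <ip> <mac> [(<old mac>)] [interface]"
EVENT = re.compile(
    r"arpwatch: (?P<kind>new station|changed ethernet address|flip flop)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>[0-9a-fA-F:]+)"
    r"(?:\s+\((?P<old>[0-9a-fA-F:]+)\))?"
)

def norm_mac(mac):
    """Pad and lowercase each octet so 0:1C:70:... equals 00:1c:70:..."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse(log_text):
    """Return a list of (event kind, ip, current mac, previous mac or None)."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            old = norm_mac(m["old"]) if m["old"] else None
            events.append((m["kind"], m["ip"], norm_mac(m["mac"]), old))
    return events

def suspicious(events):
    """Return (IPs whose MAC changed, MACs seen on more than one IP)."""
    ips_by_mac = defaultdict(set)
    changed = {}
    for kind, ip, mac, old in events:
        ips_by_mac[mac].add(ip)
        if old:
            ips_by_mac[old].add(ip)
            changed.setdefault(ip, set()).update({mac, old})
    roaming = {m: sorted(i) for m, i in ips_by_mac.items() if len(i) > 1}
    return changed, roaming

if __name__ == "__main__":
    changed, roaming = suspicious(parse(SAMPLE_LOG))
    print("IPs with more than one MAC:", changed)
    print("MACs seen on more than one IP:", roaming)
```

A machine that takes over both the IP and the MAC of a host that is switched off produces no arpwatch event, so this report complements, rather than replaces, the switch port locking and per-user authentication suggested earlier in the thread.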

Postby x2oxen » Thu May 28, 2009 3:05 pm

If you are in an office network then a better solution is to use a domain controller to restrict the user from changing IP and MAC, or else use a manageable switch if you can go with active directory.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
x2oxen
Major General
 
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Website: http://usmanpk.com
WLM: x2oxen@hotmail.com
Yahoo Messenger: x2oxen
Location: Faisalabad

Postby azhar_748 » Sat Dec 19, 2009 11:58 am

Set a domain controller.
azhar_748
Cadet
 
Posts: 2
Joined: Fri Dec 18, 2009 8:37 am

Re: How to block an unauthorized user to use net

Postby LinuxFreaK » Tue Jan 26, 2010 11:49 am

Dear smk08,
Salam,

smk08 wrote:Dear friend a user in my network uses internet illegally.
First I block his IP by using squid acl but he changes his ip address .
Now I apply MAC based restriction but now he change his mac address.
Please guide me how to get rid of this problem.


There are two types of policy.

1. Allow every one and deny few
2. Deny every one and allow few.

You have to use deny every one and allow few.

For Example:

# iptables -A INPUT -s 192.168.100.101 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
# iptables -A INPUT -j REJECT


Where 192.168.100.101 is client IP Address and 00:0F:EA:91:04:07 is his MAC Address.

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi

PPPOE

Postby guddibaaz » Tue Jan 26, 2010 6:26 pm

Hi smoke,
There is no way to restrict if a user can change his MAC address. For this you can configure an RP-PPPoE server http://www.roaringpenguin.com/products/pppoe which will only allow internet connection to authenticated users. You can integrate it with FreeRADIUS for accounting also, but you will have to spend some time to achieve that.
Guddibaaz
guddibaaz
Cadet
 
Posts: 8
Joined: Mon Jul 09, 2007 2:44 pm
Website: http://eeducator.net
WLM: beauty_preacher
Yahoo Messenger: guddibaaz
Location: Rawalpindi

Postby syedbilalmasaud » Tue Apr 13, 2010 2:45 pm

Dude,

you can also do this in squid by recompiling with MAC support and allowing only MACs which are trusted; all the rest should be denied, something similar to what Farrukh has suggested for iptables, which is also a good solution for it.
Cheers :)

:D B I L A L :D
syedbilalmasaud
Naib Subedar
 
Posts: 347
Joined: Thu Aug 18, 2005 9:25 am
WLM: bm1984@hotmail.com
Yahoo Messenger: syedbilalmasaud@yahoo.com
Location: Attock

Postby lambda » Wed Apr 14, 2010 1:59 am

yes, until the user changes his mac address as well as his ip -- something the user is already doing. again, another useless post.
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore

