Security Basics mailing list archives
Re: Identifying a computer
From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Wed, 03 Dec 2003 14:26:16 -0800
On Wed, 2003-12-03 at 07:38, Cheetah wrote:
Hello. I am helping the sysadmin on my local LAN to manage the network, etc. We have limited internet bandwidth, and therefore it is necessary to make sure no-one is taking too much of the bandwidth, as others will not be able to use the internet connection. For the last 2 days, a new IP has appeared, and it is constantly using a lot of bandwidth. We have a Linux server running DHCP, DNS and the internet connection. I have checked the dhcpd.leases file, but the IP isn't there. I have also tried to ping and scan this IP, but the computer is running a strong firewall, shows no open ports and doesn't even respond to pings. Is there any way I can get some information out of this computer without running around and asking everyone what their IP is? Tore
Stop thinking at the IP level and start thinking at the MAC level, because the MAC address is the only thing that is attached to the machine. IPs can come and go, but MACs are forever.

So, do an "arp -n -a" and locate the MAC address for the IP you want to block. Then run

    iptables -I INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

This will block the MAC address so that even if they try another IP, it won't work. They'll have to change their physical NIC (or, if they are savvy, they might change their MAC address temporarily: http://www.alobbs.com/macchanger - BEWARE: "macchanger eth0" will increment the eth0 MAC address). But you are assured that they have to do at least as much work as you have to, and this should make them go away.

If you want to block only TCP traffic and let their pings work:

    iptables -I INPUT -p tcp -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

This will make them scratch their head and wonder what is going on!! :D But this does mean that they might still flood ping your server itself. Best is to play it safe and use -p all.

This will only stop the computer from using your gateway to reach the Internet. Next step is to stop it from using your internal network. You need to figure that out on your own.

Final step is to track down the IP and nail the server. Crackers think they can get away with stuff like this because of the deluge of packets and bits and bytes. The way to tackle this issue is to break the problem down into manageable pieces, literally. Use a (managed) switch to break up your network into smaller segments:

* If you already have managed switches deployed in your network, you should look through their MAC tables to see which direction the source MAC address is coming from.
* If you don't have managed switches, now's the time to go get one. Use it to keep on homing in on the source cable.

Eventually you WILL get the source cable - I can assure you of that.
When you find the machine and the person involved, I would confiscate the machine and fire the person involved. Unless, of course, you end up at a wireless access point, which would indicate voluntary or involuntary negligence on the part of the person who installed it. Remove/secure the WAP in that case and have an interview with the person who installed it.

--
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/

The views, opinions, and judgements expressed in this message are solely those of the author. The message contents have not been reviewed or approved by Zultys.
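As an added example that is not part of the original post, here is a small POSIX shell script that does the ARP lookup and the MAC-based blocking described above in one step. It assumes the Linux net-tools "arp -n" output layout and an iptables with the "mac" match, which is only usable in the PREROUTING, INPUT and FORWARD chains; the IP addresses, MACs and the ARP table inside it are constructed sample data. One caveat a practitioner would want here: a rule in INPUT matches only packets addressed to the gateway host itself, while the packets the gateway routes between the LAN and the Internet traverse FORWARD, so the script emits both rules. As the post notes, a MAC filter is a speed bump rather than a lock, since the address can be changed in software.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumes the Linux net-tools
# "arp -n" output layout and an iptables with the "mac" match module, which
# can only be used in the PREROUTING, INPUT and FORWARD chains. Rules are
# printed rather than applied unless APPLY=1 is set in the environment.

# Constructed sample "arp -n" output for offline use; not a real capture.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:11:22:33:44:55   C                     eth0
192.168.1.77             ether   aa:bb:cc:dd:ee:ff   C                     eth0
192.168.1.1              ether   de:ad:be:ef:00:01   C                     eth0'

# valid_mac MAC: succeed only for a colon-separated 48-bit address.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# mac_for_ip IP [TABLE]: print the hardware address the ARP cache holds for IP.
# With one argument the live cache ("arp -n") is read; a second argument
# supplies the table text instead, which is what the offline test uses.
# Unresolved entries show "(incomplete)" in the HWtype column and are skipped.
mac_for_ip() {
    ip=$1
    if [ $# -ge 2 ]; then table=$2; else table=$(arp -n); fi
    printf '%s\n' "$table" | while read -r addr hwtype hwaddr rest; do
        if [ "$addr" = "$ip" ] && [ "$hwtype" = "ether" ]; then
            printf '%s\n' "$hwaddr"
            break
        fi
    done
}

# block_rules MAC: print the commands that drop every frame from MAC.
# INPUT covers packets addressed to the gateway itself; FORWARD covers the
# packets the gateway routes for the LAN, i.e. the Internet traffic in the
# original question. Inserting (-I) puts the rules ahead of any ACCEPT.
block_rules() {
    printf 'iptables -I INPUT   -m mac --mac-source %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD -m mac --mac-source %s -j DROP\n' "$1"
}

# block_ip IP [TABLE]: resolve IP to its MAC and emit (or apply) the rules.
# Fails when the address is not in the cache or the entry is not a usable MAC.
# The entry exists as soon as the gateway has exchanged any packet with the
# host, even one whose firewall drops ICMP, because ARP is resolved below
# the IP-level firewall.
block_ip() {
    mac=$(mac_for_ip "$@")
    if ! valid_mac "$mac"; then
        echo "block_ip: no usable ARP entry for $1" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        block_rules "$mac" | sh
    else
        block_rules "$mac"
    fi
}

# Usage: ./block_by_mac.sh 192.168.1.77          (print the rules)
#        APPLY=1 ./block_by_mac.sh 192.168.1.77  (run them, needs root)
[ -n "${1:-}" ] && block_ip "$1"
```

Run it without APPLY first to review the two rules; with APPLY=1 (as root) it pipes them to sh. A host that drops ICMP and shows no open ports still has an ARP entry on the gateway once it has sent any traffic through it, which a machine that is pulling Internet bandwidth through that gateway necessarily has done.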
Current thread:
- Epithet Steve . Kirby (Dec 02)
- Re: Epithet Alexander Lukyanenko (Dec 02)
- Identifying a computer Cheetah (Dec 03)
- Re: Identifying a computer Bryan Allen (Dec 03)
- RE: Identifying a computer Optrics Engineering - Shaun Sturby, MCSE (Dec 03)
- Re: Identifying a computer Ranjeet Shetye (Dec 03)
- Re: Identifying a computer ~Kevin Davis³ (Dec 04)
- Re: Identifying a computer Ranjeet Shetye (Dec 05)
- Identifying a computer Cheetah (Dec 03)
- RE: Identifying a computer David Gillett (Dec 03)
- Re: Identifying a computer Tim Willard (Dec 03)
- RE: Identifying a computer Jason Balicki (Dec 04)
- Re: Identifying a computer Meritt James (Dec 05)
- Re: Epithet Alexander Lukyanenko (Dec 02)
- RE: Identifying a computer Duston Sickler (Dec 04)
- Re: Identifying a computer Andy Cuff [Talisker] (Dec 04)
- Re: Identifying a computer David Glosser (Dec 19)
- Re: Identifying a computer Peter Wohlers (Dec 19)