How to block an unauthorized user to use net

smk08
Naik
Posts: 56
Joined: Fri Aug 08, 2008 1:44 pm
Location: Sheikhupura, Pakistan


Post by smk08 »

Assalamu Alaikum

Dear friend, a user in my network uses the internet illegally.

First I blocked his IP using a squid acl, but he changed his IP address.

Then I applied a MAC-based restriction, but now he changes his MAC address.


Please guide me how to get rid of this problem.



Jazaku Mullah
Shahid Mahmood
0321-4538113
i am crazy to learn linux
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

smk08 wrote:First I block his IP by using squid acl but he changes his ip address .
Now I apply MAC based restriction but now he change his mac address.
what kind of mac-based restrictions do you have? what are your squid.conf rules?

how is the user getting on your network in the first place?
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
smk08
Naik
Posts: 56
Joined: Fri Aug 08, 2008 1:44 pm
Location: Sheikhupura, Pakistan

Post by smk08 »

Assalamu Alaikum

The user is part of our network; his machine's IP address is 172.16.0.18.
I applied the following acls to block him:

acl time-office src 172.16.0.18
acl time-office1 arp 00:1C:70:40:B9:A4


http_access deny time-office
http_access deny time-office1

I also carefully put these in the right place. He also knows that users with IPs 10 to 15 are allowed to use the internet. He reads their MAC from the arp table and uses the internet illegally when someone is on rest.


thanks


Jazaku Mullah.
Shahid Mahmood
0321-4538113
i am crazy to learn linux
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

this isn't a technical problem, it's a social problem. this really needs a policy solution. are users allowed to change their ips/mac addresses by your management? if not, install arpwatch, wait until he changes his address, and then take the evidence in your logs to management. tell them, in writing if necessary, that you have a user who isn't permitted access to the internet, and is trying to circumvent your security checks. if the users use windows, you can try setting up a group policy on the pdc to prevent users from changing their network properties.

if your network switches allow it, force his port to his real mac address. that way if he changes it, it won't let his traffic through. your technical options on the server are to set up authentication in squid, and give your users usernames/passwords (different ones for each user). or, (it's wasteful) you can set up pppoe on the server and on valid client hosts and only allow access to squid from authenticated hosts.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
smk08
Naik
Posts: 56
Joined: Fri Aug 08, 2008 1:44 pm
Location: Sheikhupura, Pakistan

Post by smk08 »

Assalamu Alaikum

Dear, I installed (arpwatch-2.1a11-7.9.4.legacy.i386.rpm) but don't know how to use it. So please give me a howto for it.


Jazaku Mullah
Shahid Mahmood
0321-4538113
i am crazy to learn linux
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

when it's running, it'll log changes to mac addresses on the local network: if 00.aa.bb.cc.dd.ee used the ip 192.168.1.10 to send packets to/through your server, and then ff.dd.ee.aa.bb.cc starts using the same ip address, it'll log it somewhere in /var/log.

i haven't used it in years. try reading its documentation for the specifics.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
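The logging described in the post above can be turned into evidence by a short script. This is an added example, not part of the thread and not arpwatch's own code: it scans arpwatch-style syslog lines for address-change events and checks them against a registered IP-to-MAC inventory. The log lines, the inventory and the assumed message layout are constructed; only 172.16.0.18 and 00:1C:70:40:B9:A4 come from the thread.

```python
import re

# Constructed inventory of sanctioned IP -> MAC bindings (sample values).
INVENTORY = {
    "172.16.0.12": "00:16:3E:00:00:12",
    "172.16.0.18": "00:1C:70:40:B9:A4",
}

# Constructed syslog lines; the message layout is an assumption about arpwatch.
SAMPLE_LOG = """\
Dec 18 09:00:01 proxy arpwatch: new station 172.16.0.12 0:16:3e:0:0:12
Dec 18 09:12:44 proxy arpwatch: changed ethernet address 172.16.0.18 2:0:0:aa:bb:1 (0:1c:70:40:b9:a4)
Dec 18 13:05:10 proxy arpwatch: flip flop 172.16.0.12 0:1c:70:40:b9:a4 (0:16:3e:0:0:12) eth0
Dec 18 13:06:00 proxy squid[912]: unrelated line
"""

EVENT = re.compile(
    r"arpwatch: (?P<kind>changed ethernet address|flip flop) "
    r"(?P<ip>\d+(?:\.\d+){3}) (?P<new>[0-9a-fA-F:]+) \((?P<old>[0-9a-fA-F:]+)\)"
)

def norm_mac(mac):
    """Lower-case and zero-pad each octet; arpwatch prints 0:1c:... style."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def find_mac_changes(log_text, inventory):
    """Return one alert per logged change of the MAC seen behind an IP."""
    expected = {ip: norm_mac(mac) for ip, mac in inventory.items()}
    owner_of = {mac: ip for ip, mac in expected.items()}
    alerts = []
    for m in EVENT.finditer(log_text):  # lines without an event never match
        ip, new = m["ip"], norm_mac(m["new"])
        owner = owner_of.get(new)
        alerts.append({
            "kind": m["kind"],
            "ip": ip,
            "new_mac": new,
            "old_mac": norm_mac(m["old"]),
            # False: the MAC now answering is not the one registered for this IP
            "matches_inventory": expected.get(ip) == new,
            # Set when the MAC is registered to a different host's IP
            "mac_registered_to": owner if owner != ip else None,
        })
    return alerts

if __name__ == "__main__":
    for alert in find_mac_changes(SAMPLE_LOG, INVENTORY):
        print(alert)
```

An event appears only when the IP-to-MAC pairing changes; a host that takes over both the IP and the MAC of a machine that is switched off produces no change record, which is why the thread also points to switch port locking and per-user authentication.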
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

If you are on an office network, then the better solution is to use a domain controller to restrict the user from changing IP and MAC, or else use a manageable switch if you can go with Active Directory.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
azhar_748
Cadet
Posts: 2
Joined: Fri Dec 18, 2009 8:37 am

Post by azhar_748 »

Set a domain controller.
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re: How to block an unauthorized user to use net

Post by LinuxFreaK »

Dear smk08,
Salam,
smk08 wrote:Dear friend a user in my network uses internet illegally.
First I block his IP by using squid acl but he changes his ip address .
Now I apply MAC based restriction but now he change his mac address.
Please guide me how to get rid of this problem.
There are two types of policy.

1. Allow every one and deny few
2. Deny every one and allow few.

You have to use deny every one and allow few.

For Example:

# iptables -A INPUT -s 192.168.100.101 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
# iptables -A INPUT -j REJECT


Where 192.168.100.101 is client IP Address and 00:0F:EA:91:04:07 is his MAC Address.

Best Regards.
Farrukh Ahmed
guddibaaz
Cadet
Posts: 8
Joined: Mon Jul 09, 2007 2:44 pm
Location: Rawalpindi
Contact:

PPPOE

Post by guddibaaz »

Hi smoke,
There is no way to restrict if a user can change his MAC address. For this you can configure an RP-PPPoE server http://www.roaringpenguin.com/products/pppoe which will only allow internet connection to authenticated users. You can also integrate it with FreeRADIUS for accounting, but you will have to spend some time to achieve that.
Guddibaaz
syedbilalmasaud
Naib Subedar
Posts: 347
Joined: Thu Aug 18, 2005 9:25 am
Location: Attock
Contact:

Post by syedbilalmasaud »

Dude,

You can also do this in squid by recompiling with MAC support and allowing only MACs which are trusted; all the rest should be denied, something similar to what Farrukh has suggested for iptables, which is also a good solution for it.
Cheers :)

:D B I L A L :D
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

yes, until the user changes his mac address as well as his ip -- something the user is already doing. again, another useless post.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?