Security Basics mailing list archives

Re: Identifying a computer


From: Bryan Allen <bda () mirrorshades net>
Date: Wed, 3 Dec 2003 16:25:13 -0500


On Dec 3, 2003, at 10:38 AM, Cheetah wrote:
> Is there any way I can get some information out of this computer without
> running around and asking everyone what their IP is?

Block the IP address at the border (at your Linux gateway/firewall).

Whoever comes and complains is your culprit.

Also, set up firewalling to only allow hosts which have an entry in dhcpd.leases (don't allow unknown statics) so it can't happen again and people have to play by your rules (though really you should design your network so things like this can't happen, either with physical/logical subnets or VLANs).

Depending on how your network is designed, you can usually figure out which segment the host is sitting on and work from there. It's certainly much easier if your switches are managed, but it's not too hard to do even if they're dumb.

If your switches are dumb, you'll have to actually go and check machines' ARP tables to find out what segment the host is living on.

If your network only has one dimension, well, the easiest thing to do is block their MAC address at the border (using the iptables MAC filtering module). That way, even if they switch over to using DHCP, they still have to come talk to someone in IT, so you can explain to them the finer points of being a polite network citizen.

Eventually you'll want to consider generating a MAC address to owner relationship chart, so when some host starts acting like a punkass, you can go beat up the appropriate party.

Look into implementing QoS. It's relatively simple and there are plenty of HOWTOs. Google is your friend.
--
bda
Cyberpunk is dead.  Long live cyberpunk.
http://mirrorshades.org

