Security Basics mailing list archives

RE: Identifying a computer


From: "JAVIER OTERO" <jotero () SMARTEKH com>
Date: Thu, 4 Dec 2003 09:44:19 -0600

Try www.lightspeedsystems.com/; they have a demo for 10 days, and the information presented is GOOD.

Ing. Fco. Javier Otero De Alba
Diploma in Information Security, ITESM CEM
Grupo Smartekh
Antivirus Expertos
Business Continuity
Inftegrity
5243-4782 to 84 Ext. 300
México, D.F.



-----Original Message-----
From: Bryan Allen [mailto:bda () mirrorshades net]
Sent: Wednesday, December 03, 2003 03:25 PM
To: security-basics () securityfocus com
Subject: Re: Identifying a computer



On Dec 3, 2003, at 10:38 AM, Cheetah wrote:
> Is there any way I can get some information out of this computer
> without running around and asking everyone what their IP is?

Block the IP address at the border (at your Linux gateway/firewall).

Whoever comes and complains is your culprit.

Also, set up firewalling to only allow hosts which have an entry in 
dhcpd.leases (don't allow unknown statics) so it can't happen again and 
people have to play by your rules (though really you should design your 
network so things like this can't happen, either with physical/logical 
subnets or VLANs).

Depending on how your network is designed, you can usually figure out 
which segment the host is sitting on and work from there. It's 
certainly much easier if your switches are managed, but it's not too 
hard to do even if they're dumb.

If your switches are dumb, you'll have to actually go and check 
machines' ARP tables to find out on what segment the host is living on.

If your network only has one dimension, well, the easiest thing to do 
is block their MAC address at the border (using the iptables MAC 
filtering module). That way, even if they switch over to using DHCP, 
they still have to come talk to someone in IT, so you can explain to them 
the finer points of being a polite network citizen.

Eventually you'll want to consider generating a MAC address to owner 
relationship chart, so when some host starts acting like a punkass, you 
can go beat up the appropriate party.

Look into implementing QoS. It's relatively simple and there are plenty 
of HOWTOs. Google is your friend.
--
bda
Cyberpunk is dead.  Long live cyberpunk.
http://mirrorshades.org
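
The lease-based allowlist suggested in the message above, as an added example that is not part of the original thread: it reads ISC `dhcpd.leases` text and prints iptables rules that forward traffic only from currently leased IP/MAC pairs, using the iptables `mac` match. The sample leases, the `eth1` LAN interface name and the choice of the FORWARD chain are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (times are UTC); not from the post.
SAMPLE_LEASES = """
lease 192.168.1.50 { ends 3 2003/12/03 21:00:00; binding state active;
  hardware ethernet 00:0c:29:aa:bb:01; client-hostname "alice-pc"; }
lease 192.168.1.51 { ends 3 2003/12/03 22:00:00; binding state active;
  hardware ethernet 00:0c:29:aa:bb:02; }
lease 192.168.1.52 { ends 2 2003/12/02 15:00:00; binding state active;
  hardware ethernet 00:0c:29:aa:bb:03; }
lease 192.168.1.51 { ends 3 2003/12/03 15:30:00; binding state free;
  hardware ethernet 00:0c:29:aa:bb:02; }
lease 192.168.1.53 { ends 3 2003/12/03 20:00:00; binding state active;
  hardware ethernet 00:0c:29:aa:bb:04; client-hostname "bob-laptop"; }
"""

LEASE_RE = re.compile(r"lease\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})$")
ENDS_RE = re.compile(r"ends \d (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)$")

def active_leases(text, now):
    """Map ip -> mac for leases that are active and unexpired at `now` (UTC)."""
    table = {}
    for ip, body in LEASE_RE.findall(text):
        table.pop(ip, None)  # append-only log: the last entry for an IP wins
        stmts = [" ".join(s.split()) for s in body.split(";")]
        macs = [m.group(1) for m in map(MAC_RE.match, stmts) if m]
        ends = [m.group(1) for m in map(ENDS_RE.match, stmts) if m]
        if not macs or "binding state active" not in stmts:
            continue  # released, abandoned or incomplete entry
        if ends and datetime.strptime(ends[0], "%Y/%m/%d %H:%M:%S") <= now:
            continue  # lease already expired
        table[ip] = macs[0].upper()
    return table

def iptables_rules(table, lan_if="eth1"):
    """Accept forwarded traffic only from leased IP/MAC pairs; lan_if is assumed."""
    by_ip = sorted(table.items(), key=lambda kv: tuple(map(int, kv[0].split("."))))
    rules = [f"iptables -A FORWARD -i {lan_if} -s {ip} -m mac --mac-source {mac} -j ACCEPT"
             for ip, mac in by_ip]
    return rules + [f"iptables -A FORWARD -i {lan_if} -j DROP"]

if __name__ == "__main__":
    print("\n".join(iptables_rules(active_leases(SAMPLE_LEASES, datetime(2003, 12, 3, 16, 0)))))
```

The script only prints the commands; leases change constantly, so the rule set has to be regenerated on a schedule before it is applied.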

