From: Chris Smith (chris@smu.edu)
Date: Fri Aug 18 2000 - 17:13:46 CDT
Okay, I just didn't think the code was either a good read or a good laugh.
Here 'tis:
I use bash/snmpwalk (getmacs) to output the router arp cache, since I'm
not good enough at perl to use external libraries. I use perl (frogues) to
produce a rogue list from getmacs and the lease file. Finally, I use
expect (frogue.kill) to telnet to our router and perform arp poisoning. If
our router had vendor mib extensions that allowed arp sets, I would use
snmpset instead and run it right out of the poison script. To poison,
frogue.kill is called with the ouput of frogue as input, which uses
getmacs.
The modularity lets me use getmacs and frogues for other purposes, like
building a historical router arp database and providing realtime rogue
info screens on the netreg admin pages.
Here's what the scripts currently look like.
getmacs:
~~~
#! /bin/ksh
#JCS051698
#set -x
(snmpwalk -r 1 -t 3 129.119.X.X community .1.3.6.1.2.1.3.1.1.2 | awk
'BEGIN {FS="\\\.| "}
{printf("%s.%s.%s.%s\t%s%s%s%s%s%s\n",$7,$8,$9,$10,$14,$15,$16,$17,$18,$19)
}'
~~~
frogue:
~~~
#!/usr/bin/perl
#use diagnostics -verbose;
# read in router arps
open (ARPSFILE, "getmacs|");
@RARPS = <ARPSFILE>;
close (ARPSFILE);
#rogues.good contains permitted static hosts
open (ALLOWFILE, "rogues.good");
@ALLOWS = <ALLOWFILE>;
close (ALLOWFILE);
# read in dhcpd.leases
open (LEASEFILE, "/var/dhcpd/dhcpd.leases");
while (<LEASEFILE>)
{
if ($_ !~ /#/)
{
if ($_ !~ /}/)
{
chomp($_);
$LEASES[$I] = join('', $LEASES[$I],$_);
}
else {
$LEASES[$I] = join('', $LEASES[$I],$_);
$I++;
}
}
}
close (LEASEFILE);
# read arps
foreach $arp (@RARPS)
{
($RIP, $RMAC) = split(/\t/, $arp);
($TRASH, $TRASH, $TRASH, $RIP4) = split(/\./, $RIP);
# check for allows
$LMATCH="FALSE";
foreach $allow (@ALLOWS)
{
chomp($allow);
if ("$RIP" eq "$allow" )
{
$LMATCH="TRUE";
}
}
# check for permanent pool address
if (($RIP4 > 10) && ($RIP4 < 224) && ("$LMATCH" eq "FALSE"))
{
# ok, adjust MAC for testing, I wish I was better at perl
$RMAC =~ s/(..)/$1:/g;
$RMACB = substr($RMAC,0,17);
$RMACC = lc($RMACB);
chomp($RMACB);
# find leases with that MAC
$AMATCHL="FALSE";
$IMATCHL="FALSE";
foreach $lease (@LEASES)
{
if ($lease =~ /$RMACC\W/i)
# found!, compare router ip to leased ip
{
$AMATCHL="TRUE";
($TRASH, $IP, $TRASH) = split(/\{| +|\;/,
$lease);
# compare router ip to leased ip
if ("$RIP" eq "$IP")
{
# not a rogue afterall
$IMATCHL="TRUE";
}
}
}
if (!$RMACB){$RMACB="is DISABLED,";}
if ("$AMATCHL" eq "FALSE")
{
print "$RIP Unregistered Rogue: $RMACB has no
lease\n";
}
elsif ("$IMATCHL" eq "FALSE")
{
print "$RIP Registered Rogue $RMACB doesn't match
lease\n";
}
}
}
~~~
frogue.kill
~~~
#!/usr/bin/expect --
exp_version -exit 5.0
if {[llength $argv]<1} {
send_user "usage: $argv0 deny|allow address \[address address
...\]\n"
send_user " twiddles router arps to deny or allow service\n"
exit
}
set flag [lindex $argv 0]
set argv [lrange $argv 1 end]
set force_conservative 1 ;# set to 1 to force conservative mode even if
;# script wasn't run conservatively originally
if {$force_conservative} {
set send_slow {1 .001}
proc send {ignore arg} {
sleep .01
exp_send -s -- $arg
}
}
set timeout -1
spawn $env(SHELL)
match_max 100000
expect -exact "# "
send -- "telnet router\r"
expect -exact "telnet router\r"
expect {
ogin: {
send -- "root\r"
} timeout {
send_user "connection to router timed out\n"
exit
} eof {
send_user "connection to router failed\n"
exit
}}
expect -exact "assword: "
send -- "XXXXXX\r"
expect -exact "# "
switch -- $flag \
"deny" {
while {[llength $argv]>0} {
send -- "ip arp add [lindex $argv 0] 66-66-66-66-
66-66 9.6\r"
expect -exact "system# "
set argv [lrange $argv 1 end]
}
} "allow" {
while {[llength $argv]>0} {
send -- "ip arp del [lindex $argv 0]\r"
expect -exact "system# "
set argv [lrange $argv 1 end]
}
}
send -- "exit\r"
expect -exact "exit\r"
expect -exact "# "
send -- "exit\r"
expect eof
~~~
Poisoning, cron every 10 minutes:
if (test -f poisoned)
then frogue.kill allow `cat poisoned` && rm -f poisoned
else frogue.kill deny `frogue | cut -d " " -f 1 | tee poisoned`
fi
On 18 Aug 00, at 14:53, Jonn Martell wrote:
>
> Sure, I'd love to see ugly cose :-) Probably better than mine... :-)
>
> On Fri, 18 Aug 2000, Chris Smith wrote:
>
> > Date: Fri, 18 Aug 2000 11:41:02 -0500
> > From: Chris Smith <chris@smu.edu>
> > Reply-To: netreg@southwestern.edu
> > To: netreg@southwestern.edu
> > Subject: Re: DHCP clients specifying DNS
> >
> > Uh, until I get through deployment, it's not useable by others. I would
> > really need to implement it all in perl and annotate before sending it out
> > for others to try. But, I'm no perl expert, so that could take a while.
> >
> > If anyone else REALLY wants to know, I'll send the current, ugly code to
> > the list.
> >
> >
> > On 18 Aug 00, at 9:49, Steve Hideg wrote:
> >
> > > Care to share your perl code?
> > >
> > > At 9:12 AM -0500 8/18/00, Chris Smith wrote:
> > > >Why ping?
> > > >
> > > >My approach to detecting and correcting rogues is to run perl every 10
> > > >minutes that compares the student router's (10-minute aging) arp cache (1
> > > >snmpwalk) to current leases. Those using a permanent pool address have
> > > >their cache entry poisoned (ip -> 66:66:66:66:66:66 -> to a down port),
> > > >unless they were poisoned the last run. This means 10 minutes on the
> > > >network, 10 off, until they stop using the address. It's now in production
> > > >and working well.
> > > >
> > > >
> > > >On 17 Aug 00, at 16:29, Jonn Martell wrote:
> > > >
> > > >>
> > > >> That's not really a good way anymore. The crop of new personal firewalls
> > > >> drop ping packets.
> > > >>
> > > >> ..Jonn
> > > >>
> > > >> On Thu, 17 Aug 2000, Steve Hideg wrote:
> > > >>
> > > >> > Date: Thu, 17 Aug 2000 12:25:12 -0500
> > > >> > From: Steve Hideg <hideg@saintmarys.edu>
> > > >> > Reply-To: netreg@southwestern.edu
> > > >> > To: netreg@southwestern.edu
> > > >> > Subject: Re: DHCP clients specifying DNS
> > > >> >
> > > >> > Yeah, you could ping each address in the unregistered pool that
> > > >> > doesn't have a lease and find rouges in there. We're using static
> > > >> > addressing for our resnet with 9 subnets of our class-C network
> > > >> > allocated to registered machines. I suppose we could ping all
> > > >> > unregistered addresses, but pinging is a crap-shoot and with 9
> > > >> > subnets, that's a helluva lot of pinging!
> > > >> >
> > > >> > ++Steve
> > > >> >
> > > >> >
> > > >> > At 9:54 AM -0700 8/17/00, Greg wrote:
> > > >> > >hmm, you raise a good point.
> > > >> > >
> > > >> > >we are pretty explicit in the printout instructions for students but i'm
> > > >> > >sure this will crop up. our students start arriving next week....
> > > >> > >
> > > >> > >i have long wanted to write a script which i antcipate calling
> > > >> > >"squatter"
> > > >> > >squatter would take as input the dhcpd.leases file and extract all
> > > >> > >current valid leases.
> > > >> > >it would then ping the subnets in question and compare the results.
> > > >> > >it could then alert you if there is someone on an unregistered ip
> > > >> > >allowing you to call the offending squatter.
> > > >> > >
> > > >> > >i'll email the list when i get around to "squatter"
> > > >> > >
> > > >> > >greg
> > > >> > >
> > > >> > >Steve Hideg wrote:
> > > >> > >>
> > > >> > >> Greetings netreggers.
> > > >> > >>
> > > >> > >> I found some disturbing behavior in Windows and Macintosh DHCP
> > > >> > >> clients yesterday. Behavior that can (and has) totally bypass netreg.
> > > >> > >>
> > > >> > >> With the Windows 95 client, in the Network control panel on the DNS
> > > >> > >> Configurations tab, if DNS is enabled and it contains a list of valid
> > > >> > >> servers, this will override the server specified by the netreg DHCP
> > > >> > >> server, regardless of the "obtain an IP address automatically"
> > > >> > >> setting of the client.
> > > >> > >>
> > > >> > >> We've observed that the Win 98 client doesn't appear to be so bold,
> > > >> > >> but we are now instructing all Windows users to disable DNS in the
> > > >> > >> network control panel.
> > > >> > >>
> > > >> > >> The same problem can appear with the TCP/IP control panel on Mac OS.
> > > >> > >> If the User Level on the control panel is set to anything other than
> > > >> > >> Basic, you can specify DNS servers in the control panel and they take
> > > >> > >> precedence over the one(s) specified by the DHCP server. Here, we'll
> > > >> > >> instruct users to make sure it is set to Basic (we're counting on
> > > >> > >> this being less of a problem since TCP/IP is usually set to Basic &
> > > >> > >> DHCP out of the box as of late).
> > > >> > >>
> > > >> > >> This problem cropped up (especially on the Windows side) with
> > > >> > >> returning students who have DNS turned on from being in our ResNet
> > > >> > >> last year.
> > > >> > >>
> > > >> > >> As is always the case, instructing users is far from an adequate
> > > >> > >> solution, especially when a kid has a father who "knows about
> > > >> > >> computers" and doesn't bother to read the ResNet instructions we
> > > >> > >> provide (this has already happened, to one of our RCCs no less).
> > > >> > >>
> > > >> > >> Does anybody have any other workaround for this? I can't find
> > > >> > >> anything about the ISC DHCP server or DHCP in general that would
> > > >> > >> allow the specifications from the server to override any local
> > > >> > >> settings.
> > > >> > >>
> > > >> > >> This is quite alarming to me since students can easily (and
> > > >> > >> unknowingly) bypass netreg altogether (and potentially exhaust our
> > > >> > >> unregistered IP address pool). Is there something sneaky we can do to
> > > >> > >> lease & renewal times in the unregistered pool perhaps?
> > > >> > >>
> > > >> > >> Obviously, the problem of hard-coded addresses still exists, but this
> > > >> > >> DNS problem is a major loophole.
> > > >> > >>
> > > >> > >> Thanks.
> > > >> > >>
> > > >> > >> ____________________________________________________________________
> > > >> > >> Steve Hideg
> > > >> > >> Technical Support Specialist, Saint Mary's College, Notre Dame IN
> > > >> > >> <hideg@saintmarys.edu>
> > > >> > >> ____________________________________________________________________
> > > >> > >> "There is another system." --Colossus
> > > >> > >> **********************************************************************
> > > >> > >> To unsubscribe from this list, send an e-mail message to
> > > >> > >> majordomo@southwestern.edu containing a single line with the words:
> > > >> > >> unsubscribe netreg
> > > >> > >> Send requests for assistance to: owner-netreg@southwestern.edu
> > > >> > >> **********************************************************************
> > > >> > >
> > > >> > >--
> > > >> > >____________________________________
> > > >> > > Greg Lawler
> > > >> > > Network Administrator
> > > >> > > grinch@westmont.edu 805.565.7249
> > > >> > > http://zulu.westmont.edu/routers
> > > >> > >____________________________________
> > > >> > >**********************************************************************
> > > >> > >To unsubscribe from this list, send an e-mail message to
> > > >> > >majordomo@southwestern.edu containing a single line with the words:
> > > >> > >unsubscribe netreg
> > > >> > >Send requests for assistance to: owner-netreg@southwestern.edu
> > > >> > >**********************************************************************
> > > >> >
> > > >> > **********************************************************************
> > > >> > To unsubscribe from this list, send an e-mail message to
> > > >> > majordomo@southwestern.edu containing a single line with the words:
> > > >> > unsubscribe netreg
> > > >> > Send requests for assistance to: owner-netreg@southwestern.edu
> > > >> > **********************************************************************
> > > >> >
> > > >>
> > > >> **********************************************************************
> > > >> To unsubscribe from this list, send an e-mail message to
> > > >> majordomo@southwestern.edu containing a single line with the words:
> > > >> unsubscribe netreg
> > > >> Send requests for assistance to: owner-netreg@southwestern.edu
> > > >> **********************************************************************
> > > >>
> > > >
> > > >
> > > >---
> > > >J. Christian Smith * Senior Network Engineer * http://www.smu.edu/smunet
> > > >Information Technology Services * PHONE:(214)768-2378 * FAX:(214)768-9999
> > > >Southern Methodist University * 6100 Ownby Drive * Dallas, TX * 75275-0262
> > > >**********************************************************************
> > > >To unsubscribe from this list, send an e-mail message to
> > > >majordomo@southwestern.edu containing a single line with the words:
> > > >unsubscribe netreg
> > > >Send requests for assistance to: owner-netreg@southwestern.edu
> > > >**********************************************************************
> > >
> > > **********************************************************************
> > > To unsubscribe from this list, send an e-mail message to
> > > majordomo@southwestern.edu containing a single line with the words:
> > > unsubscribe netreg
> > > Send requests for assistance to: owner-netreg@southwestern.edu
> > > **********************************************************************
> > >
> >
> >
> > ---
> > J. Christian Smith * Senior Network Engineer * http://www.smu.edu/smunet
> > Information Technology Services * PHONE:(214)768-2378 * FAX:(214)768-9999
> > Southern Methodist University * 6100 Ownby Drive * Dallas, TX * 75275-0262
> > **********************************************************************
> > To unsubscribe from this list, send an e-mail message to
> > majordomo@southwestern.edu containing a single line with the words:
> > unsubscribe netreg
> > Send requests for assistance to: owner-netreg@southwestern.edu
> > **********************************************************************
> >
>
>
--- J. Christian Smith * Senior Network Engineer * http://www.smu.edu/smunet Information Technology Services * PHONE:(214)768-2378 * FAX:(214)768-9999 Southern Methodist University * 6100 Ownby Drive * Dallas, TX * 75275-0262 ********************************************************************** To unsubscribe from this list, send an e-mail message to majordomo@southwestern.edu containing a single line with the words: unsubscribe netreg Send requests for assistance to: owner-netreg@southwestern.edu **********************************************************************
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:34 CDT