Network security, DHCP, and Linux

I'm setting up a webserver using Linux, Apache, and a fixed IP address.

Clients connecting will be Windows XP Pro. Their IP addresses are assigned by DHCP.

The Linux security texts I've consulted talk about network security in the context of fixed IPs. That is, things like tcpwrappers, xinetd, apache configuration files, and packet filtering in the kernel all imply that one goes about letting hosts connect to the server based on their IP address.

What to do if the addresses are assigned by DHCP?

TIA.

jqpx37

...

To get to know the pool of IP addresses assigned by DHCP.

M.

Mikhail Zotov

Choose a local network. Filter fake traffic away on the zone border. Allow this local network. Configure DHCP so that only addresses of this local network are spread locally.

If you have to control physical access, do so - or use 802.1x or something like that.

Yours, VB.

Volker Birk
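
The two replies above amount to keeping the DHCP pool and the server's address-based allow list in agreement. The following check is an added example, not code from any poster in this thread; it assumes ISC dhcpd-style `range` statements and Apache `Allow from` / `Require ip` lines, and both sample configurations are constructed.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread); RFC 1918 example addresses.
DHCPD_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 {
  range 192.168.10.100 192.168.10.200;
}
subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.50 192.168.20.99;
}
"""
APACHE_ACL = """
Order deny,allow
Deny from all
Allow from 192.168.10.0/24
"""

def dhcp_ranges(conf):
    """(first, last) pairs for each two-address 'range' statement."""
    pairs = re.findall(r"^\s*range\s+(\S+)\s+(\S+?)\s*;", conf, re.M)
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in pairs]

def allowed_networks(acl):
    """Networks in 'Allow from' / 'Require ip' lines; non-CIDR tokens are skipped."""
    nets = []
    for m in re.finditer(r"^\s*(?:Allow\s+from|Require\s+ip)\s+(.+)$", acl, re.M | re.I):
        for tok in m.group(1).split():
            try:
                nets.append(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                pass  # hostnames, 'all', partial IPs such as '10.1'
    return nets

def uncovered_ranges(conf, acl):
    """DHCP ranges with at least one address the web ACL would reject."""
    nets = allowed_networks(acl)
    def covered(block):
        return any(block.version == n.version and block.subnet_of(n) for n in nets)
    return [(str(a), str(b)) for a, b in dhcp_ranges(conf)
            if not all(covered(blk) for blk in ipaddress.summarize_address_range(a, b))]

def allowed_outside_pools(conf, acl):
    """Count ACL-allowed addresses that DHCP never hands out (assumes no overlaps)."""
    excess = 0
    for n in allowed_networks(acl):
        pooled = sum(max(0, min(int(b), int(n.broadcast_address))
                            - max(int(a), int(n.network_address)) + 1)
                     for a, b in dhcp_ranges(conf) if a.version == n.version)
        excess += n.num_addresses - pooled
    return excess
```

A non-empty result from `uncovered_ranges` means some DHCP clients will be refused by the server; a large `allowed_outside_pools` count means the allow list also admits statically configured addresses that DHCP never assigns.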

snipped-for-privacy@iprive.com (06-07-06 10:16:05):

You cannot authenticate users by their IP addresses, as they can be faked easily. Instead, set up OpenVPN [1] and do your DHCP assignments there. Still, every user has their own key, and you can authenticate by that.

Better yet, use real, user-based authentication instead of host-based. That's not only easier to set up, but also more secure and more decentral (users don't have to work on a fixed terminal to do their work; they can switch easily).

Regards, E.S.

Ertugrul Soeylemez

You need to determine what your Security Policy needs to achieve, and whether it is affected by the use of DHCP vs static IP addresses.

Until you've done this we cannot help you implement it.

Chris

Chris Davies

snipped-for-privacy@iprive.com wrote: [...]

In future please set FUT field with crosspost!

Damian 'LegioN' Szuberski

DHCP is a security nightmare. How can you stop people setting up "rogue" DHCP servers?

Huge

Not really, if you control your environment.

cu

59cobalt
Ansgar -59cobalt- Wiechers
