11-25-2007, 01:39 PM
desant1@tin.it
how to find hidden host within LAN

Hi everybody,
I'm using RH ES4 with iptables as gateway/firewall for my LAN.
In the last week I noticed in the iptables logs that a host within my LAN is doing a lot of traffic.
The destination/source address of the packets and the used port suggest that this host is using a peer-to-peer application (eMule or similar).
The problem is that I'm not able to identify this host within my LAN:
I can see its IP address (192.168.x.y) and I can find its MAC address through ARP, but I can't ping it and there is no host within my LAN with this MAC address.
I can't traceroute it.
Can someone help me to find this hidden host?

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
11-25-2007, 02:27 PM
Madan Thapa
how to find hidden host within LAN

You can track them, or restrict them, with expensive technologies like intelligent switches etc.

However, if you want the easier way, you can do the following.

Assuming all nodes are Windows PCs, go to each PC on your LAN (assuming it is wired):

C:> ipconfig -all | findstr "Physical" > 1.txt

It will list the MAC address of the PC.

The MAC address in Windows will look like:
00-01-00-33-00-01

You can block the host using too much traffic with iptables:

# iptables -A INPUT -m mac --mac-source 00:01:00:33:00:01 -j DROP

Notice the : (colon) instead of - (minus symbol) in the MAC address representation.
11-25-2007, 05:25 PM
Chuck
how to find hidden host within LAN

If you know the MAC you should be able to drill down and find which
switch it is connected to. Hopefully whoever wired your building had
enough brain cells to create a logical mapping of network ports around
the building to a numbered patch panel port. Then just trace the
cable, find out which network port it's connected to, then go find and
smash the workstation in question. If you don't have such a mapping,
take the time/money now to get one in place; it will save you
countless headaches in the future. (It's a two-person job and you need
a pair of network testers and some easy way to communicate throughout
your office while doing it -- we bought little cheap Motorola 2-way
radios, but cell phones would work.)

BTW: it's easy to spoof a MAC address, so that "iptables -A INPUT -m mac
--mac-source 00:01:00:33:00:01 -j DROP" will not stop it. (It's not a
weakness of iptables but a weakness of IP itself.)

I had a similar situation where a hardware dev had brought in a
wireless router so he could move his laptop around his work area w/o
being bothered with cabling. Well, of course the idiot had no clue on
securing wireless, so some users in the adjacent office were using his
wide open wireless gateway to download/browse the web without being
forced through their local proxy server, which was monitoring web access.
(At this point in the wireless game nothing is secure;
encryption may protect your _traffic_ but not your network.) When
consumption of our DS3 started skyrocketing, I knew something was
amiss.

-CC

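As an added example (not code from the thread), the cross-check the original question describes and the caveat Chuck raises: parse the iptables LOG lines on the gateway, pull the source MAC out of the MAC= field, report any MAC not in a known-host inventory together with the bytes it moved, and, since a MAC can be spoofed, also flag any IP that shows up with more than one MAC. The log lines, the inventory and the MACs other than the thread's 00:01:00:33:00:01 are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the iptables LOG target writes to
# syslog. The MAC= field is dst_mac:src_mac:ethertype (14 colon-separated
# bytes); the first six are the gateway's own LAN interface.
SAMPLE_LOG = """\
Nov 25 13:01:02 gw kernel: FWD IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:00:01:00:33:00:01:08:00 SRC=192.168.1.77 DST=203.0.113.9 LEN=1500 PROTO=TCP SPT=4662 DPT=4662
Nov 25 13:01:03 gw kernel: FWD IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:00:0c:29:aa:bb:cc:08:00 SRC=192.168.1.10 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=51000 DPT=443
Nov 25 13:01:04 gw kernel: FWD IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:00:01:00:33:00:01:08:00 SRC=192.168.1.77 DST=203.0.113.10 LEN=1500 PROTO=UDP SPT=4672 DPT=4672
Nov 25 13:01:05 gw kernel: FWD IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:00:0c:29:dd:ee:ff:08:00 SRC=192.168.1.10 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=51001 DPT=443
"""

# Constructed inventory of the MAC addresses the admin knows about (hypothetical).
KNOWN_HOSTS = {
    "00:0c:29:aa:bb:cc": "fileserver",
    "00:0c:29:dd:ee:ff": "printer",
}

LOG_RE = re.compile(
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}) SRC=(?P<src>\S+) \S+ LEN=(?P<len>\d+)",
    re.IGNORECASE,
)

def parse_log(text):
    """Yield (src_ip, src_mac, ip_length) for every LOG line that parses."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        octets = m.group("mac").lower().split(":")
        src_mac = ":".join(octets[6:12])  # skip the gateway's MAC, stop before ethertype
        yield m.group("src"), src_mac, int(m.group("len"))

def summarize(text, known):
    """Return (unknown, multi_mac): unknown maps each MAC absent from the inventory
    to the IPs it used and the bytes it sent; multi_mac lists IPs seen with more
    than one source MAC, which is what a spoofed or conflicting address looks like."""
    unknown = defaultdict(lambda: {"ips": set(), "bytes": 0})
    macs_per_ip = defaultdict(set)
    for ip, mac, length in parse_log(text):
        macs_per_ip[ip].add(mac)
        if mac not in known:
            unknown[mac]["ips"].add(ip)
            unknown[mac]["bytes"] += length
    multi_mac = {ip: sorted(m) for ip, m in macs_per_ip.items() if len(m) > 1}
    return dict(unknown), multi_mac
```

Run it against the gateway's real syslog by reading the file into `summarize` in place of SAMPLE_LOG; an unknown MAC with a large byte count is the host to go and trace physically, and an IP with several MACs is the case where a MAC-based DROP rule cannot be trusted.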
11-25-2007, 05:27 PM
Chuck
how to find hidden host within LAN

By the way, I would also recommend placing an IDS (intrusion detection
system) in a strategic place in your network. They can be implemented
in a manner where they are "hidden" on the network by not using an IP
address; these "shadow boxes", as they are called, are very useful in
finding stuff like this out. Check out Snort; there used to be a
decent front end for Snort called ACID. (Not sure if ACID is still
around or has been renamed or whatever; it's been years since I worked
somewhere they wouldn't spring for a Cisco IDS.)

-Chuck
