Outside computer on our network

[FN-GM]

In our DHCP I am repeatedly seeing an unknown computer picking up an ip address from the dhcp. I think either one of the staff or students are plugging into an ethernet point. How can track this machine down please?

We have 3com superstack switches, Windows Server 2003 R2 DHCP server.

Thanks

[Diello]

See if you can block MAC addresses on your switches - always upsets them

[FN-GM]

How would I go about it? Ii am not sure what switch they are using.

[Diello]

Block it on your backbone switches - stops them getting an IP address, DNS, Internet...

[localzuk]

How would I go about it? Ii am not sure what switch they are using.

What I'd do is set a reservation for their mac address which provides an unusable IP address.

[FN-GM]

good thinking

[sahmeepee]

If you have 3com network supervisor installed and you can run a scan while the machine is connected, you will be able to see which switch it's connected to and walk over to them. Also, you can take the MAC address from the DHCP list and pop it into this:

http://coffer.com/mac_find/

to give you a clue about the manufacturer of the laptop (although sometimes it will be the NIC manufacturer). I have a script which emails me when new DHCP leases are granted, so on the rare occasions when this has happened I've had a fighting chance of catching the perp.

[FN-GM]

Can you send the script please? If you dont mind of course.

Also is that software free?

Thanks alot

[enjay]

Here's an idea:
Unplug all your spare Ethernet points from the switches, so the only live ports already have PCs/printers on them. That will force the culprit to have to unplug something in order to get a working connection - that may act as sufficient deterrent in itself, but if it doesn't, just start pinging all your PCs when next you see the rogue one on the network (with a batch script of course!); whichever one doesn't respond is the one which has been unplugged, so go to that room and find out who has plugged their own laptop in (then batter them with the laptop until they agree to stop doing it!).

[FragglePete]

Here's an idea:
Unplug all your spare Ethernet points from the switches, so the only live ports already have PCs/printers on them. That will force the culprit to have to unplug something in order to get a working connection - that may act as sufficient deterrent in itself, but if it doesn't, just start pinging all your PCs when next you see the rogue one on the network (with a batch script of course!); whichever one doesn't respond is the one which has been unplugged, so go to that room and find out who has plugged their own laptop in (then batter them with the laptop until they agree to stop doing it!).

Do your managed switches support Port Locking & Device Security? Essentially you put each port on the switch in 'Learn' mode which when a device connects locks that particular MAC address to that port and then disable (or at least physically disconnect/unpatch) any un-used ports. Any device then that tries to associate with the switch will disable that particular port. You should be able to monitor which ports are disabled so you can see where these 'security breaches' are coming from.

HTH

Pete

[sahmeepee]

Can you send the script please? If you dont mind of course.

Also is that software free?

Thanks alot

The 3Com Network Supervisor is free, although they do have a pay-for version (never seen that running). The web page for it implies it's not free, but I think you can have it free with any qualifying switch. Linky: 3NS

The DHCP script is based on one by Chris Pratt, from here:

http://www.petri.co.il/forums/showthread.php?t=4850

(mine was the version 2.0 script) It said not to edit it, but I did a fair bit (erk, sorry) so I'm not sure about redistributing it! I used blat.exe to make it send emails. This is the batch file (dhcpcheck.bat) that runs every 10 mins on one of the DHCP servers:

Code:

cd /d c:\scripts
cscript //nologo dhcpchecker-DC1.vbs > %1
cscript //nologo dhcpchecker-DC2.vbs >> %1

REM This checks if DHCPCheckOutput.txt has anything in it to send:  
if %~z1 GTR 0 blat %1 -to alertrecipient@yourschool.com -subject "DHCP Alert (New Lease)" -server yoursmtpserver -f alertsender@yourschool.com

It's run with the command:

C:\Scripts\dhcpcheck.bat DHCPCheckOutput.txt


For simplicity at the time I just made two vbs files, dhcpchecker-DC1.vbs and dhcpchecker-DC2.vbs, which poll the logs on different DHCP servers. You will probably want to change all the bits in blue.

Hope some of that makes sense!

[Geoff]

If you want to go any futher than detection, you need to look at using an NAC solution. I'm using PacketFence for this purpose.

http://www.packetfence.org/

If you search the forums there are a fair few threads on it.

[FN-GM]

Thanks for the comments guys!

So does PacketFence only allowed re-approved devices on a network?

Thanks

[Geoff]

If you want it to. It's very flexible depending on what you want to achieve.

[FN-GM]

I can find a page that lists the features on the product.

Is it a DHCP Server? Will it allow traffic from other domains on the network? How does it decide what is good and bad traffic?

Thanks