Setting up a DHCP Server (part 2)
Whussup whussup? I'm back once again to finish off what I started last
month. As promised, I shall be talking to you about the nifty GUI applications
for administration purposes (for the server itself) and delve a little
into security issues with regards to running a DHCP server. So without
further ramblings - let's get to it.

Although the configuration of the DHCP server is pretty straightforward,
having to administer a huge number of systems by editing files can become
rather tedious *not to mention a mess as well*. One simple way around this
problem is to use Webmin (http://www.webmin.com). The tool provides a
graphical interface to a large number of system functions including DHCP.
Creating a new subnet with Webmin is practically a no-brainer - all you
need is to type in the network address and the netmask. Although other
values can be included, for example the default lease time, only the
network address and netmask are needed.

Each object on the page is individually controlled, and you have the
ability to change and save options on specific machines. With complex DHCP
configurations, it's often a little complex to tell which parameter applies
to which hosts - but you need to remember two things. First, host or group
declarations can specifically override the global definition, and host
declarations can override the group declaration.

Second, definitions are not necessarily applied in the order in which they
appear in the dhcpd.conf file. The values are applied starting from the
specific and moving on to the more general. That is, the server first
checks for a specific host configuration, then for a group configuration,
then the subnet configuration, followed lastly by the global declarations.
Configuration options are only added to and not overwritten. Therefore, the
configuration for the smaller, more specific units (like hosts) overrides
those of the more general units (like global parameters). When you are
troubleshooting a DHCP server, always start at the bottom and make your way
upwards.
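
The lookup order described above, as a simplified model (an added example, not ISC dhcpd code and not from the original article). The configuration values, the group name `lab` and the function `effective_config` are constructed for illustration; the function reports which scope supplied each parameter, which is the question you ask when troubleshooting.

```python
import ipaddress

# Constructed configuration modelled on dhcpd.conf scopes (hypothetical values).
CONFIG = {
    "global": {"default-lease-time": 600,
               "domain-name-servers": "192.168.41.1"},
    "subnets": {"192.168.41.0/255.255.255.0": {"default-lease-time": 3600,
                                               "routers": "192.168.41.254"}},
    "groups": {"lab": {"domain-name-servers": "192.168.41.53"}},
    "hosts": {"hackinthebox40": {"group": "lab",
                                 "address": "192.168.41.2",
                                 "params": {"default-lease-time": 86400}}},
}

def effective_config(hostname, config=CONFIG):
    """Return {parameter: (value, scope)} for one host.

    Scopes are walked from most specific to most general. A parameter is
    taken from the first scope that defines it, so the general scopes only
    add parameters that the more specific ones left unset.
    """
    host = config["hosts"][hostname]
    addr = ipaddress.ip_address(host["address"])
    scopes = [("host " + hostname, host["params"])]
    if host.get("group"):
        scopes.append(("group " + host["group"],
                       config["groups"][host["group"]]))
    for net, params in config["subnets"].items():
        if addr in ipaddress.ip_network(net):  # network address + netmask
            scopes.append(("subnet " + net, params))
    scopes.append(("global", config["global"]))

    result = {}
    for scope, params in scopes:
        for name, value in params.items():
            result.setdefault(name, (value, scope))  # first (most specific) wins
    return result

if __name__ == "__main__":
    for name, (value, scope) in sorted(effective_config("hackinthebox40").items()):
        print(f"{name} = {value}   (from {scope})")
```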

Perhaps the most basic troubleshooting technique is to look at the leases
the server has assigned. This is done by looking at the leases file
(located at /var/state/dhcp/dhcpd.leases) which maintains the current state
of all the active leases. One thing to note is that the file is overwritten
from time to time, to keep the file from growing too large. First a
temporary copy is made and the old file is renamed. Although it is rare,
sometimes the server dies at this point. When this happens there is no
dhcpd.leases file and the server cannot restart. Rather than simply
creating an empty dhcpd.leases file, you'll need to rename the old file
back to dhcpd.leases. The contents of the dhcpd.leases file are very
straightforward: the keyword lease followed by the IP address and a block
of configuration information within curly brackets. Here's an example.

lease 192.168.41.2 {
    starts 0 2000/02/27 08:42:54;
    ends 5 2000/04/04 08:03:22;
    hardware ethernet 00:43:05:52:D5:57;
    uid 01:00:52:03:53:D5:57;
    client-hostname "hackinthebox40";
}

The starts and ends statements indicate the period when the lease is valid.
Each entry is in the form: weekday yyyy/mm/dd hh:mm:ss;
The weekday is the numerical value for the day of the week, starting with
0 on Sunday. The date and time are GMT, not local time. The hardware entry
is the same as in the dhcpd.conf file and lists the hardware address of the
card. The uid entry is a unique identifier for the client, using either an
ASCII string client identifier supplied by the client or the hardware
address preceded by the hardware type.
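
A small parser for the lease layout just described, added here as an example (it is not part of the original article or of dhcpd). The sample entries are constructed; because dhcpd appends updated leases to the file, the parser treats the last entry for an address as the current one and reads the timestamps as GMT.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the dhcpd.leases layout (not real lease data).
SAMPLE = """
lease 192.168.41.2 {
  starts 0 2000/02/27 08:42:54;
  ends 0 2000/03/05 08:42:54;
  hardware ethernet 00:43:05:52:D5:57;
  client-hostname "hackinthebox40";
}
lease 192.168.41.3 {
  starts 1 2000/02/28 10:00:00;
  ends 1 2000/02/28 22:00:00;
  hardware ethernet 00:43:05:52:D5:58;
}
lease 192.168.41.2 {
  starts 2 2000/02/29 09:00:00;
  ends 3 2000/03/01 09:00:00;
  hardware ethernet 00:43:05:52:D5:57;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STMT_RE = re.compile(r"\s*([^;]+?)\s*;")

def parse_leases(text):
    """Map IP -> lease dict; a later entry for the same IP replaces an earlier one."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        entry = {"ip": ip}
        for stmt in STMT_RE.findall(body):
            words = stmt.split()
            if words[0] in ("starts", "ends"):
                # words = [keyword, weekday, yyyy/mm/dd, hh:mm:ss]; weekday is redundant
                stamp = datetime.strptime(" ".join(words[2:4]), "%Y/%m/%d %H:%M:%S")
                entry[words[0]] = stamp.replace(tzinfo=timezone.utc)
            elif words[:2] == ["hardware", "ethernet"]:
                entry["mac"] = words[2].lower()
            elif words[0] == "client-hostname":
                entry["hostname"] = words[1].strip('"')
        leases[ip] = entry
    return leases

def active_leases(leases, now):
    return sorted(ip for ip, l in leases.items() if l["starts"] <= now < l["ends"])

if __name__ == "__main__":
    noon = datetime(2000, 2, 29, 12, tzinfo=timezone.utc)
    print(active_leases(parse_leases(SAMPLE), noon))
```

Comparing the number of active leases with the size of the address range is a quick check for a pool that is close to running out.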

Configuring the client

How you configure your client system is dependent on your distribution. If
you're using SuSE 6.3, then all you need to do is get into the network
configuration portion of YaST and select the basic networking
configuration. Pressing F3 sets auto-IP configuration, which gives you the
choice of configuring either DHCP or BOOTP. If you select DHCP, changes
will be made to the /etc/rc.config file. You could always have some
interfaces use DHCP while others use static addresses. When the system
boots, the /etc/rc.d/network script is called. If it finds that the
IFCONFIG line for the respective card equals "dhcpclient" it will skip the
configuration for that interface. Later in the boot process, the DHCP
client script is started. Now the client will try to get its configuration
from your DHCP server.

If you're on a Red Hat based system, changes to your network settings can
be done via netconf. The tool has to be run as root, and the option is made
under the first tab at the top of the list. Just below your card entry and
the eth0 field, there will be a check box which enables you to select the
IP assignment option.

Securing it all

There really isn't very much to secure on a DHCP server, however a few
precautions are in order. The first consideration is the machine itself.
Although an outage of a couple of hours might be something you can deal
with, any long outage means that there may be a number of machines without
a valid configuration and perhaps without a valid IP address. Therefore,
you need to look at what other services the machine with your DHCP server
provides. Since there is very little computing power required to support
DHCP, you can easily get away with running it on a 386 or 486 box.
Personally, this would be the route that I would take - to have my DHCP
server running on a separate lower-powered machine.

Another issue to consider is the likelihood of encountering a Denial of
Service attack (DoS). If your DHCP server were accessible from the
Internet, it would be possible for someone to just use all your IP
addresses leaving nothing for your own machines. So make sure that you
block DHCP traffic through your firewall. If your firewall is running on a
Linux machine, this can be done with ipchains set to block port 67 (the
listen port) and port 68 (the sending port).

Well that's about it! Let me know if you have any questions or if you run
into any problems. I'll try to help you out as much as I can. Peace.