Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
The Internet

Web-Based DHCP Server Frontends? 36

Posted by Cliff from the making-maintenance-easy dept.
Strog writes "We are securing our administrative network and one thing we decided to implement is allowing only known MAC addresses get an address from the DHCP server. The techs aren't very Unix-centric so we would prefer to keep them out of the server directly. A web-based admin tool is what we are looking for. I've used webmin for a while but it likes to give each host a nice little icon which wouldn't be so good once we get all ~750 machines entered. Dixie looks good too but leaves a few too many options for techs to look at. I'm in the process of hacking webmin into what I need but wondered if anyone out there has some good options to offer. What we really need is boxes for hostname, MAC address and apply button and a list of current entries and a delete button." This was recently asked on a mailing list, but so far, no answers have been given. Might someone here have experience with such software that they would like to share?
This discussion has been archived. No new comments can be posted.

Web-Based DHCP Server Frontends? More

Web-Based DHCP Server Frontends?

Comments Filter:
  • I find it excellent for adding lots of static hosts to DHCP.
  • ie ya don't want the techies doing it, just admin staff doing the details from a change form.

    Most sites I've seen roll their own database for this sort of thing. You get then change management form (signed by the appropriate person) and a non-techie puts in the changes to a little app. The app updates the database and the database updates the DNS/DHCP settings....

    Not very helpful, but there you go..

  • Perl (Score:3, Insightful)

    by droyad ( 412569 ) on Wednesday December 18, 2002 @06:07AM (#4914560)
    Sounds like a job for a good Perl script using CGI
    • You mean like this [webmin.com]?

      I realize a good perl script could do this and would write one if that's what it takes. I was asking about solutions others have done.

      It's nice to reuse existing code. You get something that has been tested more thoroughly and had the bugs shaken out(mostly at least). It's nice to see proven error trapping and what does and doesn't work. Why should you go through all the trouble of writing a new program and the downtimes when it needs more debugging when someone has already gone through this and is sharing their results?

      Your comment could as easily said python, php, monkeys with typewriters, etc. but it really wouldn't have added too much to the discussion. What would you do with your perl script, how would you go about structuring it, what kind of error checking? These would be better comments to add.
  • I hope this helps you. If you click on the module config button in webmin, the second option from the top is labled;
    Display subnets and hosts as _ Icons _ List
    If you set this option to list, webmin wil not display an icon for each host. Further more, if you have a large number of DHCP clients, you may also want to use groups to help organize some of those clients into smaller lists.
    • I submitted this article Friday so I've had some time with webmin this weekend.

      Goto your theme directory and put noicons=1 in the config file (/usr/share/webmin/themename/config in my system). This gives icons in the categories but none in the module itself. This looks like it will scale up to hundreds of entries with ease. I have 150 in my test machine now and you don't have to scroll much yet.

      I'm editing out all the unneeded fields and buttons in the cgi files now. Mostly consists of rem'ing out the print statements in the index.cgi, edit_host.cgi and params-lib.pl files so far. I've got the buttons down to create, save, delete and apply.

      I can't seem to get rid lease time, dynamic DNS and a couple other options without it breaking. It tries to send a null instead of going with the default. It's really in a workable state for us right now but I'd love to get it down to our 2 boxes we want and nothing else.

      It is said that 10% of the project takes 90% of the time. Looks like it is holding up here on this project for me.
  • I'm assuming this is for some kind of security measure. Have you implimented something like proxy arp so that people can't just listen for arp requests and have a list of valid MACs for use at a later time? It is rather easy to change your MAC on most network cards, especially the popular Realtek 8139s
    • Thanks for the heads up. I'm completely aware that MAC spoofing is easy.

      This is just one piece to the puzzle. The problem is most of the puzzle pieces are in other people's hands. :-P
  • "What we really need is boxes for hostname, MAC address and apply button and a list of current entries and a delete button... "

    This just sounds like the dhcp manager (/usr/sadm/admin/bin/dhcpmgr) which ships with Solaris 8/9...but it's a java application and not web based (well ssh X tunneling, exporting Display and xhost + is sort of web based isn't it?? ;-) .With this thing I'm doing exactly the stuff at home (on a lesser scale of course), which you intend to do at your work....
    • I've found that it's a bit slow and unstable though. When you get a lot of domains and hosts it's a bit slow. I have 40 remote sites each with many hundres of machines (some with over a thousand) and displaying that many hosts, it gets a bit pokey, even on the console, and scrolling is slow too. I also got a bad taste in my mouth when one of the domain files got messed up a bit (server updated the lease time and it messed something up) and if I clicked on it it would hang the app, I had to delete the file and recreate it. Then Sun patched everything and changed the file format and broke it for me. I switched to ISC's dhcp server. No front end for me though, just vi, but I don't have to edit the file ever now that it's set up. I really liked the sun app though, it got my machines up and running very quickly. I haven't used the newer versions (I stopped using it about 8 months ago) though, and not in Sol9.
  • if all that's preventing webmin from serving the purpose you need is an icon for each client, then for pete's sake, modify the source or replace the icon with a 1 pixel jpg or something. that's the whole point of open-source right?
    • That's part of it and I have that figured out(read my reply up a few posts). I'm removing the rest of the options and buttons that I don't want now. Webmin's code is pretty nice for hacking. You gotta love open source.

      I was really looking for other solutions that might be a better starting point. I also would like to hear from others that have already done it and what snags they might have run into.
  • Have we gotten to the stage where regular sysadmins can't code these days?

    If you can't do it, go to a secondary school and get someone to write the program for you.
    • You seemed to miss the point here. I said I was already in the process of hacking webmin. (RTFA?)

      I was looking for other people's experience to draw from. I want to know if someone has done it before and the good, bad, otherwise they ran into as it scales up. One of the best things about the internet and open source is the wealth of resources and collaboration that is possible.

      It's shame we have people locked in the basement whining about stuff instead of giving real input. Ask Slashdot could be a valuable resource. Sure there's a lot of dumb questions being asked e.g."I bought my first computer last week. How do I migrate a 6,000 computer datacenter without any downtime?". The "Ask Google", "code it yourself", "why can't you code?" and "Perl/PHP/GPL/BSD/Linux/OSX wars" comments really don't add anything productive to what could be a good sharing of ideas and experiences.

      Perhaps you were just trolling?

  • Two major problems (Score:3, Insightful)

    by TheSHAD0W ( 258774 ) on Wednesday December 18, 2002 @01:05PM (#4915961) Homepage
    I see two major problems with your authentication scheme.

    First off, you have a catch-22 in the assignment system. You don't want to give a DHCP address to a system without its being authenticated, but your system won't be able to hit the net and get to the administrative machine to BE authenticated. Aside from manually typing in the MAC address on the main server, which I think someone would find annoying. I suppose you could DHCP unrecognized machines to an intranet address that's null-routed except for that admin machine, which would ask for a password, sniff the MAC address, and then add it to the DHCP system.

    But there's an even larger flaw with your scheme, which is that there's nothing keeping users from turning off DHCP and choosing an unassigned IP, letting anyone with a little know-how hijack your connection without going through your authentication and possibly cause conflicts on your network. DHCP is MEANT to be easy; add complications and you've ruined the whole point of having it.

    If you want to have a secure network, you're going to have to use a whole different system, such as using a protocol like PPPoE (unencrypted) or PPTP (encrypted) to log in to a central station and then have that machine handle routing, etc. From an ease-of-use standpoint, this would be a lot simpler, both for end users and your inexpert managers; they add a name and password to the list, and each user needs his name and password to log in. If someone changes hardware, no problem.
    • Agreed. This is out of my hands as far as what we are going to do with the admin network. I'm really just a guest in this network although a respected one. The board makes technology decisions when they aren't qualified to understand the consequenses. We have all the other red tape, budget, politics, etc. too. Did I mentition that this is a college?

      We have an automated inventory system that we can get a list of authorized MAC addresses parsed into the list. The web interface would be for add, change and deletes. The individual tech responsible for their campus would be entering that and would only be a handful on a regular basis. Large purchases would be a pain though.:-(

      The other issues are going to be handled in hardware solutions or so I'm told. Yes, fixed IPs need to be watched out for. I'd love to run IPSec on critical systems but it's not my call.
      • > Did I mentition that this is a college?

        Then your answer is clear. Push for the board to look at the solutions other colleges have used, tell them that the others have already solved all the problems they're about to face, and they should adopt a complete package instead of trying to roll their own. Kerberos would do really well, and it'd be free.
        • While the answer should be clear, it doesn't seem to be.

          Kerberos would complement what we are doing here quite well and will likely be the next part to the puzzle that is our network. It wouldn't necessarily replace everything else.

          One problem is the database on a Tru64 box. It is maintained by the software vendor that doesn't support deviations from the normal way they do things. They are more concerned about things that aren't security related and security isn't even close to what it should be. The clients connect to it using telnet protocol (real secure there) using a proprietary client. Perhaps we can use stunnel [stunnel.org] or some other method of tunneling, etc. to externally secure the traffic but that might take more time and money than they are willing to provide.

          The MIS dept tries to work around these issues with management of switches, routers, etc. and access lists and other methods to try to limit the issues. Yes the MAC addresses could be worked around but it is a step in the right direction. I appreciate the input, keep it coming.
    • Use vlans then to make unathenticated stuff go to a web form, the web server then talks to your network management software to put the MAC on the whitelist.

  • NetReg (Score:2, Informative)

    by bongoras ( 632709 )
    NetReg is an automated system that requires an unknown DHCP client to register their hardware before gaining full network access. Through a simple web interface, the client is prompted for their user identification. Powerful scripts then retrieve the client's network fingerprint and store it along with the user's information in a database. The database provides administrators with real-time information for troubleshooting and auditing their networks. The entire system was developed utilizing unmodified, open-source servers and in-house developed CGI programs.

    http://www.netreg.org

  • DHCP "security" by only giving addresses to known mac addresses doesn't buy you anything. Anyone can still plug in and grab an address statically anyways. The only way to enforce this would be a manual static arp table in every machine (including the router) and disable true arp, and at that point you may as well stop using DHCP too. Even then you still have to take other measures to make it really work.

    Just run plain old wide-open DHCP, and implement network policy where it belongs - at the L3 devices like firewalls, L3 switches, routers - and in user AAA, be it windows domain logon, LDAP, or what have you.

  • Our local network only allows authorised MAC addresses to connect, but using the switches rather than a DHCP server. The switches we use only allow x changes before locking out the port, so for most "admin" machines x is set to 1, so only the machine connected at the time the switch is setup/reset is allowed to connect.

    There are exceptions to this for development machines etc. so we can swap boxes around etc.
  • You might as well static the IP addresses and shut the DHCP server down.
    • It allows you to have the 500 new lab machines be delivered and then just plugged in, netbooted and run through specific installs/reimaging dependant on IP just by having some poor PFY type in 500 MAC addresses.

      It allows you to base automated system modifications for lab machines on IP address.

      It allows, in a lab situation where configs can't be modified, an easy way to identify which machines was doing what without having to get into more complicated campus-wide monitoring of things like MAC addresses.

      There are a whole swathe of useful things using DHCP but still tying specific machines to specific addresses allows. Having said that, security is not really on of them.

  • Comment removed based on user account deletion

Slashdot Top Deals

Neutrinos have bad breadth.

Close