Saint Mary - PowerPoint PPT Presentation

1 / 68

About This Presentation

Title:

Saint Mary

Description:

Gets MAC from dhcpd leases file. Ensures MAC address is unique ... userAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; YComp 5.0.2.4) creator=netreg ... – PowerPoint PPT presentation

Number of Views:149

Avg rating:3.0/5.0

Slides: 69

Provided by: saint2

Category:

more less

Transcript and Presenter's Notes

Title: Saint Mary

1
ResNetReg AtSaint Marys College

Saint Marys Belles and Whistles

Steve Hideg Integrated Technologies
Programmer/Analyst Saint Marys College
2
NetReg

DHCP management system
Southwestern University
Peter Valian
Self-service
http//www.netreg.org/

3
NetReg v1.2

2 dynamic address pools
Unregistered (unknown hosts)
Network/Internet blocked
Registered (known hosts)
Network/Internet accessible

4
NetReg v1.2Registration

User redirected to registration web page
register.cgi
Gets MAC from dhcpd leases file
Ensures MAC address is unique
Creates host declaration, writes to dhcpd.conf
MAC address known by dhcpd
dhcpd assigns address in network-enabled pool

5
dhcpd.conf (line wrapped)

host coll4348 hardware ethernet
00010272D70F Mozilla/4.75 en (Win95
U)20020812220942

6
Enhancement Types

New features
New Functionality for Users Admins
Internal Changes
Facilitate other modifications
Performance/optimization
No outward changes

7
Enhancement Types

Simple enhancements
Can be applied to all 1.x versions
More elaborate enhancements
Architectural or algorithmic changes

8
Simple Enhancements
9
File Locking

Avoid race conditions
Multiple instances of register.cgi
Duplicate registrations
Web admin tools
Manual editing

10
Read/Write Race Condition
time
11
File Locking

Subroutine setdhcpdconfLock
Checks if semaphore file exists
When semaphore is gone, creates it
Subroutine releasedhcpdconfLock
Deletes semaphore file

12
Registration Notification

Send confirmation e-mail to user
Subroutine sendConfirmationEmail
Call after appending to dhcpd.conf.new
Assumes username_at_saintmarys.edu
Notifies student of responsibilities for
computer, includes AUP

13
E-mail Utility Routine

Subroutine sendAdminEmail
Useful for sending notices to admins
Unauthorized registration attempts
Error alerts

14
Hardware Banning

Disallow specific MAC Addresses
Lock out boyfriends laptop
Infraction enforcement
File hardware.deny
Subroutine hardwareBanned
Watch out ethernet card replaced, MAC address
spoofing

15
hardware.deny

this is a bad person00909619BAD1 I
don't remember why we banned this
one0020E06B9998

16
Non-Student Lockout

Only students may register machines
Identify student username
Exception list
File staff.allow
IT Staff, faculty, staff, admins, VIPs
Subroutine usernameAllowed

17
General User Lockout

Lock out any username
Subroutine usernameAllowed
File users.deny

18
New Student Lockout

Can register after IT orientation session
Assures student (and parents!) machine is on
network prior to registration
Incentive to attend orientation
Empower student to register machine
File temp.deny
Subroutine tempBlocked

19
tempBlocked (snippet)

if (-f "./temp.deny") open (BLOCK,
"./temp.deny") or return 0 while(ltBLOCKgt)
chomp only process
lines that aren't comments (comments begin with
) if (_ ! /./)
if(lc(_) eq lc(username))
close BLOCK
username found in the file, this user is
blocked get the error message
from a file see if message file
exists if (-f "./tempblockmessage.
txt")
open BLOCKMSG, "./tempblockmessage.txt" or return
defaultMessage read the
message text and store it in a variable to
return blockMessage ''
while(BLOCKMSG)
chomp
blockMessage . _
close BLOCKMSG
return blockMessage
if (-f "./tempblockmessage.txt")
else
couldn't find the message file,
return default message return
defaultMessage else, if
(-f "./tempblockmessage.txt")
if(lc(_) eq lc(username)) if
(_ ! /./) while(ltBLOCKgt)
close BLOCK

20
New Student Lockout

Enabling
Delete or rename temp.deny
manually
at or cron

21
Multiple Host Registration

Unique hostnames based on username
Subroutine uniqueHostname
Checks config file for username, username-2,
username-3, etc.
Returns first unused

22
uniqueHostName (line wrapped)
23
More Elaborate Enhancements
24
dhcpd.conf.newAs Database

Comment text in host declarations
netreg 1.2 already does this
All text after ignored by dhcpd
namevalue separated by
Can use split //, and split //, in Perl

25
host declaration (line wrapped)

host evan6770 fixed-address 147.53.136.11
hardware ethernet 00E0B849EEB4
integer34827ownerIDevan6770userAgentMozilla/
4.0 (compatible MSIE 6.0 Windows NT 5.1 YComp
5.0.2.4)creatornetregdate20030507time15561
3
allowed1

host evan6770 fixed-address 147.53.136.11
hardware ethernet 00E0B849EEB4 integer348
27 ownerIDevan6770 userAgentMozilla/4.0
(compatible MSIE 6.0 Windows NT 5.1 YComp
5.0.2.4) creatornetreg date20030507 time155
613 allowed1
26
dhcpd.conf.newAs Database

Parsing constructing host declarations
Subroutine parsedhcpdFields
Subroutine constructHostRecord

27
Read dhcpd.conf.newInto Memory

Entire file in an array (one line per element)
Hashes store indexes of host records in array
with keys for IP Address, Hostname, MAC Address
Hashes simplify searches and duplicate checks
Edit dhcpd.conf.new by replacing, deleting, or
inserting elements in array
Write dhcpd.conf.new by writing array

28
Read dhcpd.conf.new Into Memory

Subroutine getHosts read file into array,
populates index hashes
Subroutine writeConf writes array to file
Caveats
Scalability (SMC has lt 2000 hosts)
Index hashes can easily get out of sync
Subroutine resyncIndexHashes re-populates index
hashes

29
getHosts

sub getHosts get the file handle my
openfile shift my theInt clear
the _at_hosts array in case we're called more than
once in a run hosts -1
hostIndexByInteger -1 hostIndexByHostna
me -1 hostIndexByMAC -1 while
(ltopenfilegt) chomp
push _at_hosts, _ store array indices
of host declarations in some hashes for
easy access to array members (is it
possible to use references instead of indices?)
if(_ /host /i)
/integer(\d)/
hostIndexByInteger1 hosts
/host (\S) / hostIndexByHostname
1 hosts /ethernet (.17)/
hostIndexByMACuc(1) hosts
while (ltopenfilegt)
sub getHosts

30
writeConf

sub writeConf my openfile shiftforeach
line (_at_hosts) print openfile
"line\n"

31
Assigning Fixed Addresses

Hostnames based on username
khausman, khausman-2, etc.
Hostname used for DNS
Host declaration line
fixed-address declaration
Uniqueness Hostname, IP address, MAC address

32
Assigning Fixed Addresses

6 contiguous subnets
147.53.131.1 - 147.53.136.255
No geographic restrictions Plug into any ResNet
jack
Restricted addresses (in each subnet)
0 (network), 250 (gateway), 255 (broadcast),
251-254 (reserved)
Subroutine addressAllowed

33
Assigning Fixed Addresses

Easy to iterate through addresses
Integer address representation
Increment in loops
Store integer in host declaration
Address/Integer conversion utilities
Subroutine IPToInteger
Subroutine integerToIP

34
Assigning Fixed Addresses
Basic Process

get_host_info
Check for duplicate MAC address
Subroutine MACExists
append_host_entry
Get unused IP address
Subroutine findUnusedAddress
Get new unique hostname
Subroutine uniqueHostname

35
findUnusedAddress

sub findUnusedAddress my thisHost
"" for(my ik_integer_start
iltk_integer_end i) search through the
search range see if this
address is not in dhcpd.conf, and see if its is
allowed or not if (addressAllowed(i))
this integer i is in
allowed range, see if it's in dhcpd.conf
if there is no registered or virus-disabled
host with this integer, we consider
it available for use. This preserves the IP
addresses of infected machines so
they can be re-instated if(!defined
hostIndexByIntegeri) return
i
if(ik_integer_end) return
0

36
uniqueHostname

sub uniqueHostname first (only) argument
is the specified hostname my y shift
if we don't find this host name, it must be
unique, so return itif(!defined(hostIndexByHostn
amey)) return yelse find
a unique host name my extension 2 my
newHostname y . '-' . extension while
(defined(hostIndexByHostnamenewHostname))
hostname with current extension
exists increment extension and try
again extension newHostname
y . '-' . extension while
loop exited with a unique hostname return
newHostname else, if(!defined(hostIndex
ByHostnamey)) uniqueHostname

37
append_host_entry

sub append_host_entry pick a new IP address
for this client if(my newInteger
findUnusedAddress())
unused IP address has been found find a new
hostname newHostName uniqueHostname(FORM'u
ser') convert new integer to an IP
address newIP "147.53." .
integerToIP(newInteger) construct a
host entry (note that date stamp is created
in the subroutine my hostentry
constructHostrecord(newHostName,
newIP,
gMACaddress,
newInteger,
FORM'user',

ENV'HTTP_USER_AGENT',
"netreg",
allowed) append a host
entry print CONF "hostentry\n" close
CONF releasedhcpdconfLock()
send an email message to the user
sendConfirmationEmail() . . .

38
Virus Blocking

Block a machine from Internet, campus network
services
Redirect browsers to Virus Warning page
E-mail notification to user
Optional e-mail to RCCs

39
Virus Blocking

Use known hosts dynamic address pool
Blocked address range
Distinct from unregistered range
Remove fixed-address portion of host declaration

40
Virus Blocking

Blocking
Identify IP address of infected machine
viruswarn.cgi
Remove fixed-address from host declaration
IP address preserved in integer field
Unblocking
virusenable.cgi
Re-insert fixed-address in host declaration

41
Virus Blocking

Redirect web clients based on IP address
IP in unknown pool registration page
IP in known pool virus warning page
otherwise index2.html
redirect.pl, redirect403.pl, redirect404.pl

42
index.html

ltHTMLgtltHEADgt ltTITLEgtlt/TITLEgt
ltMETA NAME"generator" CONTENT"BBEdit 5.1"gt
ltMETA HTTP-EQUIV"REFRESH" CONTENT"0
URL/cgi-bin/redirect.pl"gtlt/HEADgtltBODYgtlt/BODYgt
lt/HTMLgt

httpd.conf
43
redirect.pl

use CGI 'standard'if (remote_addr()/147\.53
\.199\./) my (a,b,c,d) split /\./
, remote_addr() if ((dgt230)
(dlt249)) print
redirect("/viruswarn/") else
print redirect("/register/")
else print redirect("/index2.htm
l")

44
redirect403.pl

use CGI 'standard'if (remote_addr()/147\.53
\.199\./) my (a,b,c,d) split /\./
, remote_addr() if ((dgt230) (dlt249))
print redirect("/viruswarn/")
else print
redirect("/register/") else
theURL url() sw
server_software() sp server_port()
sn server_name() print header(-statusgt403
, -typegt'text/html') print
start_html(-titlegt'404 Forbidden') print
"ltH1gtForbiddenlt/H1gt\n" print "ltPgtYou are not
allowed to access URL \"theURL\" on this
server.lt/Pgt\n" print "ltHRgt\n" print
"ltIgtsw at sn Port splt/Igt\n" print
end_html()

45
redirect404.pl

use CGI 'standard'if (remote_addr()/147\.53
\.199\./) my (a,b,c,d) split /\./
, remote_addr() if ((dgt230) (dlt249))
print redirect("/viruswarn/")
else print
redirect("/register/") else
theURL url() sw
server_software() sp server_port()
sn server_name() print header(-statusgt404
, -typegt'text/html') print
start_html(-titlegt'404 Not Found') print
"ltH1gtNot Foundlt/H1gt\n" print "ltPgtSorry, the
requested URL was not found on this
server.lt/Pgt\n" print "ltHRgt\n" print
"ltIgtsw at sn Port splt/Igt\n" print
end_html()

46
(No Transcript)
47
(No Transcript)
48
(No Transcript)
49
Virus Blocking

Subroutine constructVirusHost
Host declaration with no fixed-address
Subroutine notifyUser
Subroutine notifyrccs

50
Virus Blocking

DHCP compliance required
Lease time considerations
Disabling/enabling not in effect until next
client lease renewal

51
Virus Blocking

Dynamic Address scenario
Assign fixed address to disable infected machine
Add fixed-address parameter in host declaration
Use leases file to identify MAC address

52
Generalized Blocking

Add field to dhcpd.conf.new to indicate reason
for blocking Virus, RIAA, Others
Separate web page for each reason
Redirect script enhancement
Check dhcpd.conf.new for value of reason field
Redirect to appropriate warning web page

53
Registration Limits Replacement

Limit number of registrations per user
Default for students one
Must request additional from IT
Give user option to replace registration
Address reuse
Force old machine to re-register

54
Registration Limits Replacement

Subroutine registration_check
Finds existing registrations for owner
Displays page with registration info
Calls replaceRegistration or append_host_entry
Subroutine replaceRegistration
Replaces one host record with new registration
Deletes any others marked for deletion

55
(No Transcript)
56
(No Transcript)
57
registration_check (snippet)

if ((!defined(FORM'mode')) or
(lc(FORM'mode') ne 'replace'))
We're here for moderegister find all
registrations by this user array _at_hosts
populated by subroutine initialize() hash
hostsByInteger populated by subroutine
initialize() my username FORM'user'
foreach my hostLine (_at_hosts) if
(hostLine /ownerIDusername/i)
this is a host record where the owner
matches the specified username save it
in our array push _at_ownedHosts,
hostLine foreach my hostLine
(_at_hosts) if we found no registered
hosts, let this user register normally
if(ownedHosts lt 0 )
append_host_entry() print_success()
probably redundant... exit
else have at least one
registration, so we can read the allowed field
if there is none, we stick with the
default assigned earlier in this routine
if(ownedHosts0 /allowed(\d)/i)
allowed 1

58
Registration Limits Replacement
Caveats

Must have at least 1 registration to change
allowed parameter
User-centric data stored in machine-centric
database
Changing allowed parameter editing records of
all machines registered by this user

59
Web Admin Interface

Search edit dhcpd.conf.new
Student data from Banner Oracle database
Registration Statistics (periodically generated)

60
(No Transcript)
61
(No Transcript)
62
(No Transcript)
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
(No Transcript)
67
(No Transcript)
68
Tips