Set up ISC's dhcpd server


Large and small networks alike can take advantage of DHCP, and most do. With the dhcpd server from Internet Systems Consortium (ISC) you can not only hand out dynamic IP addresses to hosts on your network, you can also assign fixed IP addresses keyed on a host's MAC address. This is extremely useful for servers that must always have the same IP address, while keeping the per-host setup as simple as any other DHCP client. It also pays off when a network is renumbered or its netmask changes: editing one configuration file on the DHCP server gives every host its new settings at the next lease renewal, instead of changing each host individually.

The dhcpd package is available for most Linux distributions, so it's usually a simple urpmi or apt-get away. Once it is installed, the configuration file to edit is /etc/dhcpd.conf (newer distributions ship it as /etc/dhcp/dhcpd.conf). If you also use BIND for DNS, you can link dhcpd and named (the name service daemon) together so that DHCP leases update DNS records, for truly transparent network host management. In this example, however, we'll assume dhcpd is running alone, without talking to named.

An example /etc/dhcpd.conf follows:

# No dynamic DNS updates; dhcpd 3.x refuses to start without this statement
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.0 {
    # We are the official server for this subnet: answer DHCPNAK to clients
    # that ask for addresses which are not valid here
    authoritative;

    # Options handed to every client on this subnet
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;
    option subnet-mask 255.255.255.0;

    option domain-name "mydomain.local";
    option domain-name-servers 192.168.0.2;

    # Dynamic pool (also offered to BOOTP clients); keep it clear of fixed addresses
    range dynamic-bootp 192.168.0.200 192.168.0.254;
    default-lease-time 21600;   # 6 hours
    max-lease-time 43200;       # 12 hours

    # Reservations: the MAC address selects the host, not a client-supplied name
    host server1 {
        hardware ethernet 00:0c:ea:50:dc:fe;
        fixed-address 192.168.0.40;
    }
    host dns {
        hardware ethernet 00:26:cb:c5:37:9f;
        fixed-address 192.168.0.2;
    }
}

This is a fairly simple configuration. The subnet statement declares that we serve the 192.168.0.0 network with a netmask of 255.255.255.0, and authoritative tells dhcpd that it is the official server for that subnet, so it answers with a DHCPNAK when a client tries to renew an address that is not valid there (a server that is not authoritative stays silent, and misconfigured clients keep their stale addresses longer). Because each network is described by its own subnet statement, a single dhcpd server can handle address requests for several networks if the need is there, provided it has an interface on each of them or a relay agent forwards the requests.

Within the subnet, you can see the options passed to every client that receives an address: the gateway is 192.168.0.1; the broadcast address is 192.168.0.255; and the subnet mask is 255.255.255.0. The domain for this network is mydomain.local and the DNS server IP address to provide to clients is 192.168.0.2 (assume for a moment this is simply a caching DNS server).

Next, the dynamic pool is defined: addresses from 192.168.0.200 to 192.168.0.254 are available, which means that up to 55 DHCP clients may hold dynamic leases at a time. The default lease time is 21600 seconds, or 6 hours; that is what a client gets if it does not ask for a particular lease length. The maximum lease time, 43200 seconds or 12 hours, caps what a client may request.

Finally, the host statements configure individual hosts, which is where DHCP for servers that require a fixed IP is exceptionally useful. With the above, the host server1 is given the address 192.168.0.40; the host is identified by the noted MAC, or hardware ethernet, address. If this host ever changes hardware, be it the full system or a new network card, the entry will need to be updated with the new MAC address. Be clear about what this does and does not buy you: a MAC address travels in the clear and can be set to any value by the client, so a reservation is a management convenience, not authentication, and anything that must trust 192.168.0.40 should rely on something stronger than the address it happens to receive. Keep fixed addresses outside the dynamic range, too (as they are here); dhcpd does not carve them out of the pool, and a reservation that overlaps the pool leads to address conflicts.

A second reservation does the same for the host dns, pinning the machine that clients are told to use for DNS to 192.168.0.2.
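Before restarting the server, it is worth checking a configuration like the one above for the mistakes that bite in practice: a fixed-address that falls inside the dynamic pool, the same MAC or address reserved twice, addresses outside the declared subnet, or a default lease longer than the maximum. The following Python lint is an added example, not part of the article or of ISC's tooling; it embeds the article's configuration as a constant and understands only the handful of statements used there (a real dhcpd.conf has many more), so run it alongside dhcpd's own syntax check, dhcpd -t, not instead of it.

```python
"""Lint a minimal ISC dhcpd.conf for the mistakes that bite in practice.
Added example: handles only the statements used in the article's config
(one subnet, one range, host blocks with hardware ethernet / fixed-address).
Use it alongside `dhcpd -t`, which checks syntax but not these collisions."""
import ipaddress
import re

# The article's configuration, embedded so the example runs offline.
DHCPD_CONF = """
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
    authoritative;
    option routers 192.168.0.1;
    option broadcast-address 192.168.0.255;
    option subnet-mask 255.255.255.0;
    option domain-name "mydomain.local";
    option domain-name-servers 192.168.0.2;
    range dynamic-bootp 192.168.0.200 192.168.0.254;
    default-lease-time 21600;
    max-lease-time 43200;
    host server1 {
        hardware ethernet 00:0c:ea:50:dc:fe;
        fixed-address 192.168.0.40;
    }
    host dns {
        hardware ethernet 00:26:cb:c5:37:9f;
        fixed-address 192.168.0.2;
    }
}
"""

SUBNET_RE = re.compile(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\S+)\s+(\S+)\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;")
FIXED_RE = re.compile(r"fixed-address\s+(\S+)\s*;")
LEASE_RE = re.compile(r"\b(default|max)-lease-time\s+(\d+)\s*;")

def strip_comments(text):
    # dhcpd.conf comments run from '#' to end of line
    return re.sub(r"#.*", "", text)

def parse_conf(text):
    text = strip_comments(text)
    sub = SUBNET_RE.search(text)
    rng = RANGE_RE.search(text)
    if not sub or not rng:
        raise ValueError("need one subnet and one range statement")
    network = ipaddress.ip_network("%s/%s" % (sub.group(1), sub.group(2)), strict=True)
    pool = (ipaddress.ip_address(rng.group(1)), ipaddress.ip_address(rng.group(2)))
    hosts = []
    for name, body in HOST_RE.findall(text):
        hw = HW_RE.search(body)
        fixed = FIXED_RE.search(body)
        hosts.append((name,
                      hw.group(1).lower() if hw else None,
                      ipaddress.ip_address(fixed.group(1)) if fixed else None))
    leases = {kind: int(secs) for kind, secs in LEASE_RE.findall(text)}
    return {"network": network, "pool": pool, "hosts": hosts, "leases": leases}

def pool_size(conf):
    lo, hi = conf["pool"]
    return int(hi) - int(lo) + 1

def lint(conf):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    net, (lo, hi) = conf["network"], conf["pool"]
    if lo > hi:
        problems.append("range %s-%s is backwards" % (lo, hi))
    if lo not in net or hi not in net:
        problems.append("range %s-%s is not inside %s" % (lo, hi, net))
    seen_mac, seen_ip = {}, {}
    for name, mac, ip in conf["hosts"]:
        if mac is None:
            problems.append("host %s: no hardware ethernet, cannot be matched" % name)
        elif mac in seen_mac:
            problems.append("host %s: MAC %s already used by %s" % (name, mac, seen_mac[mac]))
        else:
            seen_mac[mac] = name
        if ip is None:
            continue
        if ip not in net:
            problems.append("host %s: %s is outside %s" % (name, ip, net))
        if lo <= ip <= hi:
            problems.append("host %s: fixed-address %s is inside the dynamic range" % (name, ip))
        if ip in seen_ip:
            problems.append("host %s: %s already reserved for %s" % (name, ip, seen_ip[ip]))
        seen_ip[ip] = name
    if conf["leases"].get("default", 0) > conf["leases"].get("max", 0):
        problems.append("default-lease-time exceeds max-lease-time")
    return problems

# Constructed bad variant: move server1 into the dynamic pool.
BAD_CONF = DHCPD_CONF.replace("fixed-address 192.168.0.40;", "fixed-address 192.168.0.210;")

if __name__ == "__main__":
    good = parse_conf(DHCPD_CONF)
    print("pool of %d addresses, problems: %s" % (pool_size(good), lint(good) or "none"))
    print("bad variant:", lint(parse_conf(BAD_CONF)))
```

Run as a script it reports a 55-address pool with no problems for the article's configuration, and flags the constructed variant whose reservation lands inside the pool. To lint a live file, read it into parse_conf instead of the embedded constant.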

Once /etc/dhcpd.conf is configured and saved, exit the text editor, check the file with dhcpd -t, and start the dhcpd server (usually "service dhcpd start"). Also make sure that any other DHCP servers on the network -- such as any that may be enabled on a firewall or router -- are disabled: clients accept the first offer they receive, so a second server, whether a forgotten one or a rogue one, can hand out a different gateway or DNS server and quietly redirect traffic.
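A quick way to confirm that only the intended server is answering is to capture the DHCPOFFER packets on the segment and compare the server identifier, router and DNS options they carry against what your dhcpd.conf says. The parser below is an added example, not code from the article or from ISC; it works on raw packet bytes (two constructed offers are embedded so it runs offline) and assumes, since the article never says where dhcpd itself lives, that the legitimate server is 192.168.0.10. The expected router and DNS values are the ones from the article's configuration.

```python
"""Parse DHCPOFFER packets and flag offers that do not come from the server
we expect, or that push a different gateway or DNS server on clients.
Added example, not the article's code. Assumption not in the article: the
legitimate dhcpd runs on 192.168.0.10."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
EXPECTED_SERVERS = {ipaddress.ip_address("192.168.0.10")}  # assumed dhcpd address
EXPECTED_ROUTER = ipaddress.ip_address("192.168.0.1")      # option routers in the article
EXPECTED_DNS = ipaddress.ip_address("192.168.0.2")         # option domain-name-servers

# Option codes used here (RFC 2132)
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 51, 53, 54
DHCPOFFER = 2

def build_offer(xid, yiaddr, server_id, router, dns, lease=21600):
    """Construct a DHCPOFFER (BOOTREPLY) for testing; constructed data, not a capture."""
    ip = lambda s: ipaddress.ip_address(s).packed
    # op=2 BOOTREPLY, htype=1 Ethernet, hlen=6, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ip(yiaddr), ip(server_id), b"\0" * 4,
                         bytes.fromhex("000cea50dcfe") + b"\0" * 10, b"", b"")
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + ip(server_id)
               + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
               + bytes([OPT_SUBNET_MASK, 4]) + ip("255.255.255.0")
               + bytes([OPT_ROUTER, 4]) + ip(router)
               + bytes([OPT_DNS, 4]) + ip(dns)
               + bytes([255]))
    return header + MAGIC_COOKIE + options

def parse_options(data):
    """Walk the TLV option area; code 0 is a pad byte, 255 ends the list."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        if i + 2 + length > len(data):
            raise ValueError("option %d overruns packet" % code)
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_offer(pkt):
    """Return the fields of a DHCP reply that matter for spotting a rogue server."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts = parse_options(pkt[240:])
    addr = lambda code: (ipaddress.ip_address(opts[code])
                         if code in opts and len(opts[code]) == 4 else None)
    return {
        "op": pkt[0],
        "xid": struct.unpack("!I", pkt[4:8])[0],
        "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0],
        "yiaddr": ipaddress.ip_address(pkt[16:20]),
        "server_id": addr(OPT_SERVER_ID),
        "router": addr(OPT_ROUTER),
        "dns": addr(OPT_DNS),
        "lease": struct.unpack("!I", opts[OPT_LEASE_TIME])[0] if OPT_LEASE_TIME in opts else None,
    }

def check_offer(pkt):
    """Return a list of findings; an empty list means the offer matches our config."""
    o = parse_offer(pkt)
    findings = []
    if o["op"] != 2 or o["msg_type"] != DHCPOFFER:
        return findings  # only OFFERs are of interest here
    if o["server_id"] not in EXPECTED_SERVERS:
        findings.append("offer from unexpected server %s" % o["server_id"])
    if o["router"] != EXPECTED_ROUTER:
        findings.append("offer sets router %s, expected %s" % (o["router"], EXPECTED_ROUTER))
    if o["dns"] != EXPECTED_DNS:
        findings.append("offer sets DNS %s, expected %s" % (o["dns"], EXPECTED_DNS))
    return findings

# Constructed sample traffic: one offer from the real server, one from a rogue
# box that points clients at itself for both default gateway and DNS.
GOOD_OFFER = build_offer(0x3903F326, "192.168.0.201", "192.168.0.10", "192.168.0.1", "192.168.0.2")
ROGUE_OFFER = build_offer(0x3903F326, "192.168.0.201", "192.168.0.99", "192.168.0.99", "192.168.0.99")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt) or "ok")
```

Feed check_offer the UDP payloads of port 68 traffic from a sniffer on the segment; any non-empty result identifies a server that should not be answering. Note that the check is only as good as the expected values, so keep them in step with dhcpd.conf.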

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

4 comments
catseverywhere

Great tip. I'd never seen a DHCP server that pairs IP to MAC except for the one on the SmoothWall firewall, which is, in my opinion, a necessity on any LAN. I set up pseudo-"static" IPs with smoothwall everywhere I've set one up.

A smoothie can give you an extra layer of security on networks with a wireless access point. To wit: there is, like any router, a range of addresses you can set to limit what the server can hand out. If you leave this blank, smoothwall will not hand out any addresses, at least randomly. Then I set every known MAC to receive an explicit IP from DHCP. The way the smoothie works, even though you've specified "provide no IPs," this only applies to any with an unknown MAC. It will still hand out numbers based on any known MAC requesting an address, despite the other restriction.

For example, one of my clients has a wireless node on their network. The 5 authorized laptops that use wifi are set to get a number per their MAC from the smoothwall. But if someone attempts to obtain an IP clandestinely they will be unsuccessful. They'll see the SSID, but the smoothwall will not give them an IP. If you have occasional guests that need wireless or even wired access, you can either set them up with a custom IP (the smart way) or set the random range to one, two or more available IPs (so you need to monitor).

SmoothWall has a GPL "express" version. As good as this one is, I'd imagine their commercial product must be the most secure firewall to be had anywhere. www.smoothwall.org

Photogenic Memory

I'm not an expert on it, but what you're talking about is making the smoothwall firewall provide MAC address filtering, correct? If so, can't wireless hackers try MAC spoofing to get by and get some Internet access? How do you configure smoothwall to compensate for it?

pdtpatrick

The mac filtering is a great tool to use to protect your environment. You asked if someone can just spoof their mac address and hack it. Well, the way mac filtering works is, all those mac addresses associated with the AP will be in a database, and in order to hack the AP, you need to duplicate that exact same MAC address. I mean, using tools like Airmon-ng will tell you what MACs are associated with the SSID, but the theory behind this technology is not to prevent hacking but rather to add another layer of security for your network. So imagine having a firewall + WPA encryption and then a MAC filter. It's a whole lot more difficult than someone who just had WEP on their network, right? You can never say you are 100% safe because, after all, technology improves every day and it's only a matter of time before someone bypasses your security :)

Photogenic Memory

I guess implementing more than just one type of security measure is always better than nothing at all (unless you like it like that, LOL). It's really a shame wireless has such a weak point compared to wired. However, wired has its issues too, like weak passwords, old exploitable-injectable applications and buffer overruns, etc. Thanks for the response. I'm gonna try out that smoothwall though. What would be cool is to port it to a home wired/wireless router. Just imagine how versatile and powerful a dedicated Smoothwall at home could be without the luggage of a PC? It gets me excited! Hahahaha! I'm such a geek =8^0.