Title: Saint Mary
1. ResNetReg at Saint Mary's College
- Saint Mary's Belles and Whistles
Steve Hideg, Integrated Technologies
Programmer/Analyst, Saint Mary's College
2. NetReg
- DHCP management system
  - Southwestern University
  - Peter Valian
- Self-service
- http://www.netreg.org/
3. NetReg v1.2
- 2 dynamic address pools
  - Unregistered (unknown hosts)
    - Network/Internet blocked
  - Registered (known hosts)
    - Network/Internet accessible
4. NetReg v1.2 Registration
- User redirected to registration web page
- register.cgi
  - Gets MAC from dhcpd leases file
  - Ensures MAC address is unique
  - Creates host declaration, writes to dhcpd.conf
- MAC address known by dhcpd
- dhcpd assigns address in network-enabled pool
5. dhcpd.conf (line wrapped)

```
host coll4348 { hardware ethernet 00:01:02:72:D7:0F; } # Mozilla/4.75 [en] (Win95; U) 20020812220942
```
6. Enhancement Types
- New features
  - New functionality for users, admins
- Internal changes
  - Facilitate other modifications
  - Performance/optimization
  - No outward changes
7. Enhancement Types
- Simple enhancements
  - Can be applied to all 1.x versions
- More elaborate enhancements
  - Architectural or algorithmic changes
8. Simple Enhancements
9. File Locking
- Avoid race conditions
  - Multiple instances of register.cgi
    - Duplicate registrations
  - Web admin tools
  - Manual editing
10. Read/Write Race Condition
[timeline diagram; axis label: time]
11. File Locking
- Subroutine setdhcpdconfLock
  - Checks if semaphore file exists
  - When semaphore is gone, creates it
- Subroutine releasedhcpdconfLock
  - Deletes semaphore file
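An added example, not the deck's setdhcpdconfLock: the existence check and the creation of the semaphore file are collapsed into one atomic create, so two instances of register.cgi cannot both see "no semaphore" and both proceed. The lock file name and retry limits are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the deck's setdhcpdconfLock: take the dhcpd.conf.new
# semaphore with a single atomic create (O_CREAT|O_EXCL) so that two instances
# of register.cgi cannot both pass a "does the file exist?" test and then both
# create it. File name and retry limits are assumptions.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use Errno qw(EEXIST);

my $k_lockfile = "./dhcpd.conf.lock";   # assumed semaphore file name

# Returns 1 once the lock is held, 0 if it could not be taken in $tries
# attempts. A holder makes sysopen fail with EEXIST; any other error (bad
# permissions, missing directory) is reported immediately rather than retried.
sub setdhcpdconfLock {
    my $tries = @_ ? shift : 50;
    for (1 .. $tries) {
        if (sysopen(my $fh, $k_lockfile, O_WRONLY | O_CREAT | O_EXCL)) {
            print $fh "$$\n";              # record the holder's PID
            close $fh;
            return 1;
        }
        return 0 unless $! == EEXIST;
        select(undef, undef, undef, 0.2);  # wait 200 ms, then try again
    }
    # A crashed instance leaves the file behind; the bounded wait turns that
    # into a visible failure (and the PID inside names the culprit) instead of
    # a registration page that hangs forever.
    return 0;
}

sub releasedhcpdconfLock {
    return unlink($k_lockfile) ? 1 : 0;
}

# Every path that edits dhcpd.conf.new takes the lock first and releases it on
# every exit, including the error ones.
if (setdhcpdconfLock()) {
    # ... read, edit and write dhcpd.conf.new here ...
    releasedhcpdconfLock() or warn "could not remove $k_lockfile: $!\n";
} else {
    die "dhcpd.conf.new is locked by another process; try again later\n";
}
```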
12. Registration Notification
- Send confirmation e-mail to user
- Subroutine sendConfirmationEmail
  - Call after appending to dhcpd.conf.new
  - Assumes username@saintmarys.edu
  - Notifies student of responsibilities for computer, includes AUP
13. E-mail Utility Routine
- Subroutine sendAdminEmail
  - Useful for sending notices to admins
    - Unauthorized registration attempts
    - Error alerts
14. Hardware Banning
- Disallow specific MAC addresses
  - Lock out boyfriend's laptop
  - Infraction enforcement
- File hardware.deny
- Subroutine hardwareBanned
- Watch out: ethernet card replaced, MAC address spoofing
15. hardware.deny

```
# this is a bad person
00:90:96:19:BA:D1
# I don't remember why we banned this one
00:20:E0:6B:99:98
```
16. Non-Student Lockout
- Only students may register machines
  - Identify student username
- Exception list
  - File staff.allow
    - IT staff, faculty, staff, admins, VIPs
  - Subroutine usernameAllowed
17. General User Lockout
- Lock out any username
- Subroutine usernameAllowed
- File users.deny
18. New Student Lockout
- Can register after IT orientation session
  - Assures student (and parents!) machine is on network prior to registration
  - Incentive to attend orientation
  - Empower student to register machine
- File temp.deny
- Subroutine tempBlocked
19. tempBlocked (snippet)

```perl
if (-f "./temp.deny") {
    open(BLOCK, "./temp.deny") or return 0;
    while (<BLOCK>) {
        chomp;
        # only process lines that aren't comments (comments begin with #)
        if ($_ !~ /^#/) {
            if (lc($_) eq lc($username)) {
                close BLOCK;
                # username found in the file, this user is blocked
                # get the error message from a file
                # see if message file exists
                if (-f "./tempblockmessage.txt") {
                    open BLOCKMSG, "./tempblockmessage.txt" or return $defaultMessage;
                    # read the message text and store it in a variable to return
                    $blockMessage = '';
                    while (<BLOCKMSG>) {
                        chomp;
                        $blockMessage .= $_;
                    }
                    close BLOCKMSG;
                    return $blockMessage;
                } # if (-f "./tempblockmessage.txt")
                else {
                    # couldn't find the message file, return default message
                    return $defaultMessage;
                } # else, if (-f "./tempblockmessage.txt")
            } # if (lc($_) eq lc($username))
        } # if ($_ !~ /^#/)
    } # while (<BLOCK>)
    close BLOCK;
}
```
20. New Student Lockout
- Enabling
  - Delete or rename temp.deny
    - manually
    - at or cron
21. Multiple Host Registration
- Unique hostnames based on username
- Subroutine uniqueHostname
  - Checks config file for username, username-2, username-3, etc.
  - Returns first unused
22. uniqueHostName (line wrapped)
23. More Elaborate Enhancements
24. dhcpd.conf.new as Database
- Comment text in host declarations
  - netreg 1.2 already does this
  - All text after # ignored by dhcpd
  - name=value pairs (name and value separated by =)
  - Can use split /#/, and split /=/, in Perl
25. host declaration (line wrapped)

```
host evan6770 { fixed-address 147.53.136.11; hardware ethernet 00:E0:B8:49:EE:B4; } # integer=34827 ownerID=evan6770 userAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; YComp 5.0.2.4) creator=netreg date=20030507 time=155613 allowed=1
```
26. dhcpd.conf.new as Database
- Parsing, constructing host declarations
  - Subroutine parsedhcpdFields
  - Subroutine constructHostRecord
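An added example, not the deck's parsedhcpdFields/constructHostRecord: it pulls the dhcpd part and the name=value fields out of one host line in the slide 25 layout and rebuilds the line, including the no-fixed-address form a blocked machine gets. The sample line, helper names and field list are constructed from slide 25, not taken from the project.

```perl
#!/usr/bin/perl
# Added example, not the deck's parsedhcpdFields/constructHostRecord: split a
# dhcpd.conf.new host line into its dhcpd part and the name=value fields that
# netreg keeps after '#' (slide 25 layout), then rebuild the line. Field names
# are the ones on slide 25; the sample line and helper names are constructed.
use strict;
use warnings;

my @k_fields = qw(integer ownerID userAgent creator date time allowed);

# Constructed sample in the slide 25 format.
my $sample = 'host evan6770 { fixed-address 147.53.136.11; hardware ethernet 00:E0:B8:49:EE:B4; }'
           . ' # integer=34827 ownerID=evan6770 userAgent=Mozilla/4.0 (compatible; MSIE 6.0;'
           . ' Windows NT 5.1) creator=netreg date=20030507 time=155613 allowed=1';

# Returns a hash ref of everything stored in the line. dhcpd ignores all text
# after '#'; a value may contain spaces (userAgent), so each value runs from
# its "name=" up to the next known " name=" or the end of the line.
sub parsedhcpdFields {
    my $line = shift;
    my %f;
    my ($decl, $comment) = split /#/, $line, 2;
    ($f{hostname}) = $decl =~ /^host\s+(\S+)/;
    ($f{ip})       = $decl =~ /fixed-address\s+([\d.]+)/;   # absent when blocked
    ($f{mac})      = $decl =~ /hardware ethernet\s+([0-9A-Fa-f:]{17})/;
    $f{mac} = uc $f{mac} if defined $f{mac};
    return \%f unless defined $comment;
    my $names = join '|', @k_fields;
    while ($comment =~ /\b($names)=(.*?)(?=\s+(?:$names)=|\s*$)/g) {
        $f{$1} = $2;
    }
    return \%f;
}

# Rebuilds the line; with no ip the result is the fixed-address-free form that
# a blocked machine's record takes, while the integer field keeps its address.
sub constructHostRecord {
    my $f = shift;
    my $decl = "host $f->{hostname} { "
             . (defined $f->{ip} ? "fixed-address $f->{ip}; " : "")
             . "hardware ethernet $f->{mac}; }";
    my $fields = join ' ', map { "$_=$f->{$_}" } grep { defined $f->{$_} } @k_fields;
    return "$decl # $fields";
}

my $rec = parsedhcpdFields($sample);
print "$rec->{hostname} $rec->{mac} owner=$rec->{ownerID} allowed=$rec->{allowed}\n";
delete $rec->{ip};                           # block it: drop the fixed-address
print constructHostRecord($rec), "\n";
```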
27. Read dhcpd.conf.new Into Memory
- Entire file in an array (one line per element)
- Hashes store indexes of host records in array, with keys for IP address, hostname, MAC address
  - Hashes simplify searches and duplicate checks
- Edit dhcpd.conf.new by replacing, deleting, or inserting elements in array
- Write dhcpd.conf.new by writing array
28. Read dhcpd.conf.new Into Memory
- Subroutine getHosts: reads file into array, populates index hashes
- Subroutine writeConf: writes array to file
- Caveats
  - Scalability (SMC has < 2000 hosts)
  - Index hashes can easily get out of sync
    - Subroutine resyncIndexHashes re-populates index hashes
29. getHosts

```perl
sub getHosts {
    # get the file handle
    my $openfile = shift;
    my $theInt;
    # clear the @hosts array in case we're called more than once in a run
    $#hosts = -1;
    %hostIndexByInteger  = ();
    %hostIndexByHostname = ();
    %hostIndexByMAC      = ();
    while (<$openfile>) {
        chomp;
        push @hosts, $_;
        # store array indices of host declarations in some hashes for easy
        # access to array members (is it possible to use references instead
        # of indices?)
        if ($_ =~ /^host /i) {
            # guard each index with its own match so a line that lacks a
            # field does not index a stale $1 from the previous line
            $hostIndexByInteger{$1}  = $#hosts if /integer=(\d+)/;
            $hostIndexByHostname{$1} = $#hosts if /^host (\S+) /;
            $hostIndexByMAC{uc($1)}  = $#hosts if /ethernet (.{17})/;
        }
    } # while (<$openfile>)
} # sub getHosts
```
30. writeConf

```perl
sub writeConf {
    my $openfile = shift;
    foreach $line (@hosts) {
        print $openfile "$line\n";
    }
}
```
31. Assigning Fixed Addresses
- Hostnames based on username
  - khausman, khausman-2, etc.
  - Hostname used for DNS
- Host declaration line
  - fixed-address declaration
- Uniqueness: hostname, IP address, MAC address
32. Assigning Fixed Addresses
- 6 contiguous subnets
  - 147.53.131.1 - 147.53.136.255
  - No geographic restrictions: plug into any ResNet jack
- Restricted addresses (in each subnet)
  - 0 (network), 250 (gateway), 255 (broadcast), 251-254 (reserved)
  - Subroutine addressAllowed
33. Assigning Fixed Addresses
- Easy to iterate through addresses
  - Integer address representation
  - Increment in loops
  - Store integer in host declaration
- Address/Integer conversion utilities
  - Subroutine IPToInteger
  - Subroutine integerToIP
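An added example, not the deck's IPToInteger/integerToIP/addressAllowed: the integer form of a ResNet address together with the per-subnet restrictions from slide 32, walked over the whole range the way findUnusedAddress does. The integer covers only the last two octets (34827 is 147.53.136.11 on slide 25, and append_host_entry prepends "147.53."); the range bounds and the pre-populated index hash are assumptions.

```perl
#!/usr/bin/perl
# Added example, not the deck's code: integer <-> "c.d" conversion for the
# 147.53.x.y ResNet addresses and the slide 32 restrictions. The integer holds
# only the last two octets (34827 <-> 136.11); "147.53." is prepended later.
use strict;
use warnings;

my $k_prefix = "147.53.";
# Search range in integer form: 147.53.131.0 .. 147.53.136.255 (assumed bounds).
my $k_integer_start = IPToInteger("131.0");
my $k_integer_end   = IPToInteger("136.255") + 1;

sub IPToInteger {                 # "c.d" -> c*256 + d
    my ($c, $d) = split /\./, shift;
    return $c * 256 + $d;
}

sub integerToIP {                 # c*256 + d -> "c.d"
    my $i = shift;
    return int($i / 256) . "." . ($i % 256);
}

# Host part 0 is the network, 250 the gateway, 251-254 reserved, 255 broadcast;
# everything else in each of the six subnets may be handed to a registrant.
sub addressAllowed {
    my $d = shift() % 256;
    return ($d != 0 && $d < 250) ? 1 : 0;
}

# %hostIndexByInteger is the deck's index hash, constructed here with one
# entry: the evan6770 record from slide 25 already holds 136.11.
my %hostIndexByInteger = (34827 => 0);
my ($usable, $first_free) = (0, undef);
for (my $i = $k_integer_start; $i < $k_integer_end; $i++) {
    next unless addressAllowed($i);
    $usable++;
    $first_free = $i if !defined $first_free && !defined $hostIndexByInteger{$i};
}
printf "%d usable addresses; first free: %s\n",
       $usable, $k_prefix . integerToIP($first_free);
```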
34. Assigning Fixed Addresses
Basic Process
- get_host_info
  - Check for duplicate MAC address
    - Subroutine MACExists
- append_host_entry
  - Get unused IP address
    - Subroutine findUnusedAddress
  - Get new unique hostname
    - Subroutine uniqueHostname
35. findUnusedAddress

```perl
sub findUnusedAddress {
    # search through the search range
    for (my $i = $k_integer_start; $i < $k_integer_end; $i++) {
        # see if this address is not in dhcpd.conf, and see if it is allowed or not
        if (addressAllowed($i)) {
            # this integer $i is in allowed range, see if it's in dhcpd.conf
            # if there is no registered or virus-disabled host with this integer,
            # we consider it available for use. This preserves the IP addresses
            # of infected machines so they can be re-instated
            if (!defined $hostIndexByInteger{$i}) {
                return $i;
            }
        }
    }
    # reached $k_integer_end without finding a free address
    return 0;
}
```
36. uniqueHostname

```perl
sub uniqueHostname {
    # first (only) argument is the specified hostname
    my $y = shift;
    # if we don't find this host name, it must be unique, so return it
    if (!defined($hostIndexByHostname{$y})) {
        return $y;
    } else {
        # find a unique host name
        my $extension = 2;
        my $newHostname = $y . '-' . $extension;
        while (defined($hostIndexByHostname{$newHostname})) {
            # hostname with current extension exists
            # increment extension and try again
            $extension++;
            $newHostname = $y . '-' . $extension;
        }
        # while loop exited with a unique hostname
        return $newHostname;
    } # else, if (!defined($hostIndexByHostname{$y}))
} # uniqueHostname
```
37. append_host_entry

```perl
sub append_host_entry {
    # pick a new IP address for this client
    if (my $newInteger = findUnusedAddress()) {
        # unused IP address has been found
        # find a new hostname
        $newHostName = uniqueHostname($FORM{'user'});
        # convert new integer to an IP address
        $newIP = "147.53." . integerToIP($newInteger);
        # construct a host entry (note that date stamp is created in the subroutine)
        my $hostentry = constructHostRecord($newHostName,
                                            $newIP,
                                            $gMACaddress,
                                            $newInteger,
                                            $FORM{'user'},
                                            $ENV{'HTTP_USER_AGENT'},
                                            "netreg",
                                            $allowed);
        # append a host entry
        print CONF "$hostentry\n";
        close CONF;
        releasedhcpdconfLock();
        # send an email message to the user
        sendConfirmationEmail();
        # . . .
    } # if (my $newInteger = findUnusedAddress())
}
```
38. Virus Blocking
- Block a machine from Internet, campus network services
- Redirect browsers to Virus Warning page
- E-mail notification to user
- Optional e-mail to RCCs
39. Virus Blocking
- Use known hosts dynamic address pool
  - Blocked address range
  - Distinct from unregistered range
- Remove fixed-address portion of host declaration
40. Virus Blocking
- Blocking
  - Identify IP address of infected machine
  - viruswarn.cgi
    - Remove fixed-address from host declaration
    - IP address preserved in integer field
- Unblocking
  - virusenable.cgi
    - Re-insert fixed-address in host declaration
41. Virus Blocking
- Redirect web clients based on IP address
  - IP in unknown pool -> registration page
  - IP in known pool -> virus warning page
  - otherwise -> index2.html
- redirect.pl, redirect403.pl, redirect404.pl
42. index.html

```html
<HTML><HEAD><TITLE></TITLE>
<META NAME="generator" CONTENT="BBEdit 5.1">
<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=/cgi-bin/redirect.pl"></HEAD><BODY></BODY>
</HTML>
```
httpd.conf
43. redirect.pl

```perl
use CGI ':standard';
# 147.53.199.x is the dynamic pool; .231-.248 is the known-hosts (blocked) range
if (remote_addr() =~ /147\.53\.199\./) {
    my ($a, $b, $c, $d) = split /\./, remote_addr();
    if (($d > 230) && ($d < 249)) {
        print redirect("/viruswarn/");
    } else {
        print redirect("/register/");
    }
} else {
    print redirect("/index2.html");
}
```
44. redirect403.pl

```perl
use CGI ':standard';
if (remote_addr() =~ /147\.53\.199\./) {
    my ($a, $b, $c, $d) = split /\./, remote_addr();
    if (($d > 230) && ($d < 249)) {
        print redirect("/viruswarn/");
    } else {
        print redirect("/register/");
    }
} else {
    $theURL = url();
    $sw = server_software();
    $sp = server_port();
    $sn = server_name();
    print header(-status => 403, -type => 'text/html');
    print start_html(-title => '403 Forbidden');
    print "<H1>Forbidden</H1>\n";
    # escape the URL before echoing it into the page
    print "<P>You are not allowed to access URL \"" . escapeHTML($theURL) . "\" on this server.</P>\n";
    print "<HR>\n";
    print "<I>$sw at $sn Port $sp</I>\n";
    print end_html();
}
```
45. redirect404.pl

```perl
use CGI ':standard';
if (remote_addr() =~ /147\.53\.199\./) {
    my ($a, $b, $c, $d) = split /\./, remote_addr();
    if (($d > 230) && ($d < 249)) {
        print redirect("/viruswarn/");
    } else {
        print redirect("/register/");
    }
} else {
    $theURL = url();
    $sw = server_software();
    $sp = server_port();
    $sn = server_name();
    print header(-status => 404, -type => 'text/html');
    print start_html(-title => '404 Not Found');
    print "<H1>Not Found</H1>\n";
    # escape the URL before echoing it into the page
    print "<P>Sorry, the requested URL \"" . escapeHTML($theURL) . "\" was not found on this server.</P>\n";
    print "<HR>\n";
    print "<I>$sw at $sn Port $sp</I>\n";
    print end_html();
}
```
49. Virus Blocking
- Subroutine constructVirusHost
  - Host declaration with no fixed-address
- Subroutine notifyUser
- Subroutine notifyrccs
50. Virus Blocking
- DHCP compliance required
- Lease time considerations
  - Disabling/enabling not in effect until next client lease renewal
51. Virus Blocking
- Dynamic address scenario
  - Assign fixed address to disable infected machine
    - Add fixed-address parameter in host declaration
    - Use leases file to identify MAC address
52. Generalized Blocking
- Add field to dhcpd.conf.new to indicate reason for blocking: Virus, RIAA, others
- Separate web page for each reason
- Redirect script enhancement
  - Check dhcpd.conf.new for value of reason field
  - Redirect to appropriate warning web page
53. Registration Limits, Replacement
- Limit number of registrations per user
  - Default for students: one
  - Must request additional from IT
- Give user option to replace registration
  - Address reuse
  - Force old machine to re-register
54. Registration Limits, Replacement
- Subroutine registration_check
  - Finds existing registrations for owner
  - Displays page with registration info
  - Calls replaceRegistration or append_host_entry
- Subroutine replaceRegistration
  - Replaces one host record with new registration
  - Deletes any others marked for deletion
57. registration_check (snippet)

```perl
if ((!defined($FORM{'mode'})) or (lc($FORM{'mode'}) ne 'replace')) {
    # We're here for mode=register
    # find all registrations by this user
    # array @hosts populated by subroutine initialize()
    # hash %hostsByInteger populated by subroutine initialize()
    my $username = $FORM{'user'};
    foreach my $hostLine (@hosts) {
        # \Q...\E keeps regex metacharacters in the username literal, and the
        # lookahead stops a short username from matching a longer one that
        # merely starts with it
        if ($hostLine =~ /ownerID=\Q$username\E(?=\s|$)/i) {
            # this is a host record where the owner matches the specified username
            # save it in our array
            push @ownedHosts, $hostLine;
        }
    } # foreach my $hostLine (@hosts)
    # if we found no registered hosts, let this user register normally
    if ($#ownedHosts < 0) {
        append_host_entry();
        print_success();
        # probably redundant...
        exit;
    } else {
        # have at least one registration, so we can read the allowed field
        # if there is none, we stick with the default assigned earlier in this routine
        if ($ownedHosts[0] =~ /allowed=(\d+)/i) {
            $allowed = $1;
        }
        # ...
    }
}
```
58. Registration Limits, Replacement
Caveats
- Must have at least 1 registration to change allowed parameter
- User-centric data stored in machine-centric database
  - Changing allowed parameter = editing records of all machines registered by this user
59. Web Admin Interface
- Search, edit dhcpd.conf.new
- Student data from Banner Oracle database
- Registration statistics (periodically generated)
68. Tips
- Know your network
- Know your customer (partnering)
- Issues faced
- Streamlining/Automating processes
- Brainstorm!
- Go to lunch
- Comment your code
- Do a presentation!
69. Future
- Generalized Blocking
- Checkboxes in AUP on registration page
- LDAP
  - Authentication
  - Allowed registrations field
- Speed?
  - Database back-end
  - Java?
70. Recommended Reading
http://www.netreg.org/
71. Questions
- Steve Hideg
- hideg@saintmarys.edu
- http://www.saintmarys.edu/hideg/netreg