Saint Mary - PowerPoint PPT Presentation

About This Presentation
Title:

Saint Mary

Description:

Gets MAC from dhcpd leases file. Ensures MAC address is unique ... userAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; YComp 5.0.2.4) creator=netreg ... – PowerPoint PPT presentation

Slides: 69
Provided by: saint2

Transcript and Presenter's Notes

1
ResNetReg At Saint Mary's College
  • Saint Mary's Belles and Whistles

Steve Hideg Integrated Technologies
Programmer/Analyst Saint Mary's College
2
NetReg
  • DHCP management system
  • Southwestern University
  • Peter Valian
  • Self-service
  • http://www.netreg.org/

3
NetReg v1.2
  • 2 dynamic address pools
    • Unregistered (unknown hosts): network/Internet blocked
    • Registered (known hosts): network/Internet accessible

4
NetReg v1.2 Registration
  • User redirected to registration web page
  • register.cgi
  • Gets MAC from dhcpd leases file
  • Ensures MAC address is unique
  • Creates host declaration, writes to dhcpd.conf
  • MAC address known by dhcpd
  • dhcpd assigns address in network-enabled pool

5
dhcpd.conf (line wrapped)
    host coll4348 { hardware ethernet 00:01:02:72:D7:0F; } # Mozilla/4.75 [en] (Win95; U) 20020812220942

6
Enhancement Types
  • New features
  • New Functionality for Users and Admins
  • Internal Changes
  • Facilitate other modifications
  • Performance/optimization
  • No outward changes

7
Enhancement Types
  • Simple enhancements
  • Can be applied to all 1.x versions
  • More elaborate enhancements
  • Architectural or algorithmic changes

8
Simple Enhancements
9
File Locking
  • Avoid race conditions
  • Multiple instances of register.cgi
  • Duplicate registrations
  • Web admin tools
  • Manual editing

10
Read/Write Race Condition
(Diagram: timeline of a concurrent read and write of dhcpd.conf)
11
File Locking
  • Subroutine setdhcpdconfLock
  • Checks if semaphore file exists
  • When semaphore is gone, creates it
  • Subroutine releasedhcpdconfLock
  • Deletes semaphore file
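
The semaphore sequence above (test whether the file exists, then create it) still leaves a window in which two register.cgi instances can both pass the test and both write to dhcpd.conf. Added example, not NetReg's own code: a setdhcpdconfLock/releasedhcpdconfLock pair that creates the semaphore atomically with sysopen O_EXCL, so the check and the create are one operation; the lock path and retry count are assumptions.

```perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

my $LOCKFILE = "./dhcpd.conf.lock";   # assumed semaphore path

# Take the lock by creating the semaphore with O_EXCL, which either creates
# the file or fails atomically, so there is no separate exists-check that
# another register.cgi could slip through. Bounded retries: returns 1 when
# the lock is held, 0 if it could not be taken.
sub setdhcpdconfLock {
    my $tries = @_ ? shift : 20;
    for (1 .. $tries) {
        if (sysopen(my $fh, $LOCKFILE, O_WRONLY | O_CREAT | O_EXCL)) {
            print $fh "$$ ", scalar(localtime), "\n";   # who holds it, for cleanup
            close $fh;
            return 1;
        }
        sleep 1;   # another instance holds the lock; wait and retry
    }
    return 0;
}

sub releasedhcpdconfLock {
    return unlink($LOCKFILE) ? 1 : 0;
}

# Usage in register.cgi: fail closed when the lock cannot be taken, so a
# concurrent run never produces duplicate host declarations.
if (setdhcpdconfLock()) {
    # ... getHosts, append host entry, writeConf ...
    releasedhcpdconfLock();
} else {
    die "dhcpd.conf.new is locked; registration not written\n";
}
```

A lock left behind by a crashed run must be removed by hand; the pid and time written into the file are there to make that decision easy.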

12
Registration Notification
  • Send confirmation e-mail to user
  • Subroutine sendConfirmationEmail
  • Call after appending to dhcpd.conf.new
  • Assumes username@saintmarys.edu
  • Notifies student of responsibilities for
    computer, includes AUP

13
E-mail Utility Routine
  • Subroutine sendAdminEmail
  • Useful for sending notices to admins
  • Unauthorized registration attempts
  • Error alerts

14
Hardware Banning
  • Disallow specific MAC Addresses
  • Lock out boyfriends laptop
  • Infraction enforcement
  • File hardware.deny
  • Subroutine hardwareBanned
  • Watch out: ethernet card replaced, MAC address
    spoofing

15
hardware.deny
    # this is a bad person
    00:90:96:19:BA:D1
    # I don't remember why we banned this one
    00:20:E0:6B:99:98

16
Non-Student Lockout
  • Only students may register machines
  • Identify student username
  • Exception list
  • File staff.allow
  • IT Staff, faculty, staff, admins, VIPs
  • Subroutine usernameAllowed

17
General User Lockout
  • Lock out any username
  • Subroutine usernameAllowed
  • File users.deny

18
New Student Lockout
  • Can register after IT orientation session
  • Assures student (and parents!) machine is on
    network prior to registration
  • Incentive to attend orientation
  • Empower student to register machine
  • File temp.deny
  • Subroutine tempBlocked

19
tempBlocked (snippet)
    if (-f "./temp.deny") {
        open(BLOCK, "./temp.deny") or return 0;
        while (<BLOCK>) {
            chomp;
            # only process lines that aren't comments (comments begin with #)
            if ($_ !~ /^#/) {
                if (lc($_) eq lc($username)) {
                    close BLOCK;
                    # username found in the file, this user is blocked;
                    # get the error message from a file
                    # see if message file exists
                    if (-f "./tempblockmessage.txt") {
                        open BLOCKMSG, "./tempblockmessage.txt" or return $defaultMessage;
                        # read the message text and store it in a variable to return
                        $blockMessage = '';
                        while (<BLOCKMSG>) {
                            chomp;
                            $blockMessage .= $_;
                        }
                        close BLOCKMSG;
                        return $blockMessage;
                    } # if (-f "./tempblockmessage.txt")
                    else {
                        # couldn't find the message file, return default message
                        return $defaultMessage;
                    } # else, if (-f "./tempblockmessage.txt")
                } # if (lc($_) eq lc($username))
            } # if ($_ !~ /^#/)
        } # while (<BLOCK>)
        close BLOCK;
    }

20
New Student Lockout
  • Enabling
  • Delete or rename temp.deny
  • manually
  • at or cron

21
Multiple Host Registration
  • Unique hostnames based on username
  • Subroutine uniqueHostname
  • Checks config file for username, username-2,
    username-3, etc.
  • Returns first unused

22
uniqueHostName (line wrapped)
23
More Elaborate Enhancements
24
dhcpd.conf.new As Database
  • Comment text in host declarations
  • netreg 1.2 already does this
  • All text after # ignored by dhcpd
  • name=value pairs, separated by a delimiter
  • Can use split on the delimiter, then split /=/, in Perl

25
host declaration (line wrapped)
    host evan6770 { fixed-address 147.53.136.11; hardware ethernet 00:E0:B8:49:EE:B4; } # integer=34827 ownerID=evan6770 userAgent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; YComp 5.0.2.4) creator=netreg date=20030507 time=155613 allowed=1
26
dhcpd.conf.new As Database
  • Parsing and constructing host declarations
  • Subroutine parsedhcpdFields
  • Subroutine constructHostRecord

27
Read dhcpd.conf.newInto Memory
  • Entire file in an array (one line per element)
  • Hashes store indexes of host records in array
    with keys for IP Address, Hostname, MAC Address
  • Hashes simplify searches and duplicate checks
  • Edit dhcpd.conf.new by replacing, deleting, or
    inserting elements in array
  • Write dhcpd.conf.new by writing array

28
Read dhcpd.conf.new Into Memory
  • Subroutine getHosts reads file into array,
    populates index hashes
  • Subroutine writeConf writes array to file
  • Caveats
  • Scalability (SMC has < 2000 hosts)
  • Index hashes can easily get out of sync
  • Subroutine resyncIndexHashes re-populates index
    hashes

29
getHosts
    sub getHosts {
        # get the file handle
        my $openfile = shift;
        my $theInt;
        # clear the @hosts array (and the index hashes) in case we're called
        # more than once in a run
        $#hosts = -1;
        %hostIndexByInteger  = ();
        %hostIndexByHostname = ();
        %hostIndexByMAC      = ();
        while (<$openfile>) {
            chomp;
            push @hosts, $_;
            # store array indices of host declarations in some hashes for
            # easy access to array members (is it possible to use references
            # instead of indices?)
            # each index is only set when its pattern matches, so a stale $1
            # from a previous line is never stored
            if ($_ =~ /host /i) {
                $hostIndexByInteger{$1}  = $#hosts if /integer=(\d+)/;
                $hostIndexByHostname{$1} = $#hosts if /host (\S+) /;
                $hostIndexByMAC{uc($1)}  = $#hosts if /ethernet (.{17})/;
            }
        } # while (<$openfile>)
    } # sub getHosts

30
writeConf
    sub writeConf {
        my $openfile = shift;
        foreach my $line (@hosts) {
            print $openfile "$line\n";
        }
    }

31
Assigning Fixed Addresses
  • Hostnames based on username
  • khausman, khausman-2, etc.
  • Hostname used for DNS
  • Host declaration line
  • fixed-address declaration
  • Uniqueness: hostname, IP address, MAC address

32
Assigning Fixed Addresses
  • 6 contiguous subnets
  • 147.53.131.1 - 147.53.136.255
  • No geographic restrictions: plug into any ResNet
    jack
  • Restricted addresses (in each subnet)
  • 0 (network), 250 (gateway), 255 (broadcast),
    251-254 (reserved)
  • Subroutine addressAllowed

33
Assigning Fixed Addresses
  • Easy to iterate through addresses
  • Integer address representation
  • Increment in loops
  • Store integer in host declaration
  • Address/Integer conversion utilities
  • Subroutine IPToInteger
  • Subroutine integerToIP
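
Added example, not NetReg's own code, of the integer address form used in the host declarations (147.53.136.11 is stored as integer=34827, that is third octet * 256 + fourth octet), the restricted-address check, and the free-address scan from the Assigning Fixed Addresses slides; the subroutine bodies and the constructed index hash are assumptions.

```perl
use strict;
use warnings;

my $k_prefix        = "147.53";   # first two octets of all six ResNet subnets
my $k_integer_start = IPToInteger("131.1");
my $k_integer_end   = IPToInteger("136.255");

# "c.d" (third and fourth octet) -> c*256 + d, so 136.11 becomes 34827.
sub IPToInteger {
    my ($c, $d) = split /\./, shift;
    return $c * 256 + $d;
}

# Inverse: 34827 -> "136.11". Caller prepends "$k_prefix.".
sub integerToIP {
    my $i = shift;
    return sprintf("%d.%d", $i >> 8, $i & 255);
}

# Last octet 0 (network), 250 (gateway), 251-254 (reserved) and 255
# (broadcast) are never assigned.
sub addressAllowed {
    my ($i) = @_;
    my $d = $i & 255;
    return ($d == 0 || $d >= 250) ? 0 : 1;
}

# Same loop shape as the slides' findUnusedAddress. The argument maps
# integer -> index in @hosts; a defined entry means the address is taken,
# whether by a registered host or by a virus-disabled one whose
# fixed-address was removed but whose integer field remains.
sub findUnusedAddress {
    my $hostIndexByInteger = shift;
    for (my $i = $k_integer_start; $i <= $k_integer_end; $i++) {
        next unless addressAllowed($i);
        return $i unless defined $hostIndexByInteger->{$i};
    }
    return 0;   # range exhausted
}

# Constructed index: 131.1 and 131.2 are taken; find the next free address.
my %taken = (IPToInteger("131.1") => 0, IPToInteger("131.2") => 1);
my $free  = findUnusedAddress(\%taken);
print "$k_prefix.", integerToIP($free), "\n";
```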

34
Assigning Fixed Addresses
Basic Process
  • get_host_info
  • Check for duplicate MAC address
  • Subroutine MACExists
  • append_host_entry
  • Get unused IP address
  • Subroutine findUnusedAddress
  • Get new unique hostname
  • Subroutine uniqueHostname

35
findUnusedAddress
    sub findUnusedAddress {
        my $thisHost = "";
        # search through the search range
        for (my $i = $k_integer_start; $i < $k_integer_end; $i++) {
            # see if this address is not in dhcpd.conf, and see if it is allowed or not
            if (addressAllowed($i)) {
                # this integer $i is in allowed range, see if it's in dhcpd.conf.
                # if there is no registered or virus-disabled host with this
                # integer, we consider it available for use. This preserves the IP
                # addresses of infected machines so they can be re-instated
                if (!defined $hostIndexByInteger{$i}) {
                    return $i;
                }
            }
        }
        # reached $k_integer_end without finding a free integer
        return 0;
    }

36
uniqueHostname
    sub uniqueHostname {
        # first (only) argument is the specified hostname
        my $y = shift;
        # if we don't find this host name, it must be unique, so return it
        if (!defined($hostIndexByHostname{$y})) {
            return $y;
        } else {
            # find a unique host name
            my $extension = 2;
            my $newHostname = $y . '-' . $extension;
            while (defined($hostIndexByHostname{$newHostname})) {
                # hostname with current extension exists;
                # increment extension and try again
                $extension++;
                $newHostname = $y . '-' . $extension;
            } # while
            # loop exited with a unique hostname
            return $newHostname;
        } # else, if (!defined($hostIndexByHostname{$y}))
    } # uniqueHostname

37
append_host_entry
    sub append_host_entry {
        # pick a new IP address for this client
        if (my $newInteger = findUnusedAddress()) {
            # unused IP address has been found; find a new hostname
            $newHostName = uniqueHostname($FORM{'user'});
            # convert new integer to an IP address
            $newIP = "147.53." . integerToIP($newInteger);
            # construct a host entry (note that date stamp is created in the subroutine)
            my $hostentry = constructHostRecord($newHostName,
                                                $newIP,
                                                $gMACaddress,
                                                $newInteger,
                                                $FORM{'user'},
                                                $ENV{'HTTP_USER_AGENT'},
                                                "netreg",
                                                $allowed);
            # append a host entry
            print CONF "$hostentry\n";
            close CONF;
            releasedhcpdconfLock();
            # send an email message to the user
            sendConfirmationEmail();
            . . .

38
Virus Blocking
  • Block a machine from Internet, campus network
    services
  • Redirect browsers to Virus Warning page
  • E-mail notification to user
  • Optional e-mail to RCCs

39
Virus Blocking
  • Use known hosts dynamic address pool
  • Blocked address range
  • Distinct from unregistered range
  • Remove fixed-address portion of host declaration

40
Virus Blocking
  • Blocking
    • Identify IP address of infected machine
    • viruswarn.cgi
    • Remove fixed-address from host declaration
    • IP address preserved in integer field
  • Unblocking
    • virusenable.cgi
    • Re-insert fixed-address in host declaration
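
Added example (not NetReg's own code) covering the dhcpd.conf.new record format of the "dhcpd.conf.new As Database" slides and the block/unblock step above: it parses one host line into its declaration fields and its name=value comment fields, rebuilds it, strips the fixed-address the way viruswarn.cgi does, and restores it from the integer field the way virusenable.cgi does. The whitespace field separator, the subroutine bodies and the sample record are assumptions/constructed.

```perl
use strict; use warnings;

# Constructed record in the slides' format (declaration, then "#" fields).
my $line = 'host evan6770 { fixed-address 147.53.136.11; hardware ethernet 00:E0:B8:49:EE:B4; } '
         . '# integer=34827 ownerID=evan6770 userAgent=Mozilla/4.0 (compatible; MSIE 6.0) '
         . 'creator=netreg date=20030507 time=155613 allowed=1';

# Split a host line into declaration parts and the comment's name=value pairs.
sub parsedhcpdFields {
    my ($decl, $comment) = split /\s*#\s*/, $_[0], 2;
    $comment //= '';
    my %r;
    ($r{hostname}) = $decl =~ /^host\s+(\S+)/;
    ($r{ip})       = $decl =~ /fixed-address\s+([\d.]+)/;   # undef when blocked
    ($r{mac})      = $decl =~ /hardware ethernet\s+([0-9A-Fa-f:]{17})/;
    # A value runs until the next " name=" token, so userAgent keeps its spaces.
    $r{$1} = $2 while $comment =~ /(\w+)=(.*?)(?=\s+\w+=|$)/g;
    return \%r;
}

# Rebuild the line; fixed-address is written only when the host is enabled.
sub constructHostRecord {
    my $r = shift;
    my $decl = "host $r->{hostname} { ";
    $decl .= "fixed-address $r->{ip}; " if defined $r->{ip};
    $decl .= "hardware ethernet $r->{mac}; }";
    my @fields = map { "$_=$r->{$_}" }
                 grep { defined $r->{$_} } qw(integer ownerID userAgent creator date time allowed);
    return "$decl # @fields";
}

# viruswarn.cgi: drop fixed-address so the host lands in the known-hosts
# dynamic pool; the integer field still records the address it had.
sub constructVirusHost {
    my $r = parsedhcpdFields(shift);
    delete $r->{ip};
    return constructHostRecord($r);
}

# virusenable.cgi: put fixed-address back from the preserved integer.
sub reenableHost {
    my $r = parsedhcpdFields(shift);
    my $n = $r->{integer} + 0;
    $r->{ip} = sprintf("147.53.%d.%d", $n >> 8, $n & 255);
    return constructHostRecord($r);
}

my $blocked = constructVirusHost($line);
print "$blocked\n", reenableHost($blocked), "\n";
```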

41
Virus Blocking
  • Redirect web clients based on IP address
    • IP in unknown pool: registration page
    • IP in known pool: virus warning page
    • otherwise: index2.html
  • redirect.pl, redirect403.pl, redirect404.pl

42
index.html
    <HTML><HEAD><TITLE></TITLE>
    <META NAME="generator" CONTENT="BBEdit 5.1">
    <META HTTP-EQUIV="REFRESH" CONTENT="0; URL=/cgi-bin/redirect.pl"></HEAD><BODY></BODY>
    </HTML>

httpd.conf
43
redirect.pl
    use CGI ':standard';
    if (remote_addr() =~ /147\.53\.199\./) {
        my ($a, $b, $c, $d) = split /\./, remote_addr();
        if (($d > 230) && ($d < 249)) {
            print redirect("/viruswarn/");
        } else {
            print redirect("/register/");
        }
    } else {
        print redirect("/index2.html");
    }

44
redirect403.pl
    use CGI ':standard';
    if (remote_addr() =~ /147\.53\.199\./) {
        my ($a, $b, $c, $d) = split /\./, remote_addr();
        if (($d > 230) && ($d < 249)) {
            print redirect("/viruswarn/");
        } else {
            print redirect("/register/");
        }
    } else {
        $theURL = url();
        $sw = server_software();
        $sp = server_port();
        $sn = server_name();
        print header(-status => 403, -type => 'text/html');
        print start_html(-title => '403 Forbidden');
        print "<H1>Forbidden</H1>\n";
        print "<P>You are not allowed to access URL \"$theURL\" on this server.</P>\n";
        print "<HR>\n";
        print "<I>$sw at $sn Port $sp</I>\n";
        print end_html();
    }

45
redirect404.pl
    use CGI ':standard';
    if (remote_addr() =~ /147\.53\.199\./) {
        my ($a, $b, $c, $d) = split /\./, remote_addr();
        if (($d > 230) && ($d < 249)) {
            print redirect("/viruswarn/");
        } else {
            print redirect("/register/");
        }
    } else {
        $theURL = url();
        $sw = server_software();
        $sp = server_port();
        $sn = server_name();
        print header(-status => 404, -type => 'text/html');
        print start_html(-title => '404 Not Found');
        print "<H1>Not Found</H1>\n";
        print "<P>Sorry, the requested URL was not found on this server.</P>\n";
        print "<HR>\n";
        print "<I>$sw at $sn Port $sp</I>\n";
        print end_html();
    }

46
(No Transcript)
47
(No Transcript)
48
(No Transcript)
49
Virus Blocking
  • Subroutine constructVirusHost
  • Host declaration with no fixed-address
  • Subroutine notifyUser
  • Subroutine notifyrccs

50
Virus Blocking
  • DHCP compliance required
  • Lease time considerations
  • Disabling/enabling not in effect until next
    client lease renewal

51
Virus Blocking
  • Dynamic Address scenario
  • Assign fixed address to disable infected machine
  • Add fixed-address parameter in host declaration
  • Use leases file to identify MAC address

52
Generalized Blocking
  • Add field to dhcpd.conf.new to indicate reason
    for blocking (Virus, RIAA, others)
  • Separate web page for each reason
  • Redirect script enhancement
  • Check dhcpd.conf.new for value of reason field
  • Redirect to appropriate warning web page

53
Registration Limits and Replacement
  • Limit number of registrations per user
  • Default for students: one
  • Must request additional from IT
  • Give user option to replace registration
  • Address reuse
  • Force old machine to re-register

54
Registration Limits and Replacement
  • Subroutine registration_check
  • Finds existing registrations for owner
  • Displays page with registration info
  • Calls replaceRegistration or append_host_entry
  • Subroutine replaceRegistration
  • Replaces one host record with new registration
  • Deletes any others marked for deletion

55
(No Transcript)
56
(No Transcript)
57
registration_check (snippet)
    if ((!defined($FORM{'mode'})) or (lc($FORM{'mode'}) ne 'replace')) {
        # We're here for mode=register
        # find all registrations by this user
        # array @hosts populated by subroutine initialize()
        # hash %hostsByInteger populated by subroutine initialize()
        my $username = $FORM{'user'};
        foreach my $hostLine (@hosts) {
            # \Q...\E and \b: the username is matched literally and whole, so a
            # short username cannot match as a prefix of another owner's records
            if ($hostLine =~ /ownerID=\Q$username\E\b/i) {
                # this is a host record where the owner matches the specified
                # username; save it in our array
                push @ownedHosts, $hostLine;
            }
        } # foreach my $hostLine (@hosts)
        # if we found no registered hosts, let this user register normally
        if ($#ownedHosts < 0) {
            append_host_entry();
            print_success();
            # probably redundant...
            exit;
        } else {
            # have at least one registration, so we can read the allowed field;
            # if there is none, we stick with the default assigned earlier in this routine
            if ($ownedHosts[0] =~ /allowed=(\d+)/i) {
                $allowed = $1;
            }

58
Registration Limits and Replacement
Caveats
  • Must have at least 1 registration to change
    allowed parameter
  • User-centric data stored in machine-centric
    database
  • Changing allowed parameter means editing records of
    all machines registered by this user

59
Web Admin Interface
  • Search and edit dhcpd.conf.new
  • Student data from Banner Oracle database
  • Registration Statistics (periodically generated)

60
(No Transcript)
61
(No Transcript)
62
(No Transcript)
63
(No Transcript)
64
(No Transcript)
65
(No Transcript)
66
(No Transcript)
67
(No Transcript)
68
Tips
  • Know your network
  • Know your customer (partnering)
  • Issues faced
  • Streamlining/Automating processes
  • Brainstorm!
  • Go to lunch
  • Comment your code
  • Do a presentation!

69
Future
  • Generalized Blocking
  • Checkboxes in AUP on registration page
  • LDAP
  • Authentication
  • Allowed registrations field
  • Speed?
  • Database back-end
  • Java?

70
Recommended Reading
http://www.netreg.org/
71
Questions
  • Steve Hideg
  • hideg@saintmarys.edu
  • http://www.saintmarys.edu/hideg/netreg

72
(No Transcript)