Slashdot Mirror


Web-Based DHCP Server Frontends?

Strog writes "We are securing our administrative network and one thing we decided to implement is allowing only known MAC addresses to get an address from the DHCP server. The techs aren't very Unix-centric so we would prefer to keep them out of the server directly. A web-based admin tool is what we are looking for. I've used webmin for a while but it likes to give each host a nice little icon which wouldn't be so good once we get all ~750 machines entered. Dixie looks good too but leaves a few too many options for techs to look at. I'm in the process of hacking webmin into what I need but wondered if anyone out there has some good options to offer. What we really need is boxes for hostname, MAC address and apply button and a list of current entries and a delete button." This was recently asked on a mailing list, but so far, no answers have been given. Might someone here have experience with such software that they would like to share?
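The add/list/delete operations the question describes, written against ISC dhcpd `host` stanzas, as an added example that is not code from the post, from webmin, or from any project named in the thread; the config fragment and host names are constructed, and the input validation is there because form fields filled in by techs end up inside a root-owned config file.

```python
import re

# Constructed sample config fragment (not from the page): one host per line,
# the shape this helper writes and reads back.
SAMPLE_CONF = """\
host lab-pc01 { hardware ethernet 00:11:22:33:44:55; fixed-address 10.0.5.21; }
host lab-pc02 { hardware ethernet 00:11:22:33:44:66; }
"""

# Hostname labels per RFC 1123: alphanumerics and '-', no leading/trailing '-'.
# Anything else (spaces, braces, ';') is rejected so form input cannot smuggle
# extra dhcpd.conf statements into the file.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")
HOST_RE = re.compile(
    r"^[ \t]*host[ \t]+(\S+)[ \t]*\{[ \t]*hardware[ \t]+ethernet[ \t]+"
    r"([0-9A-Fa-f:]{17})[ \t]*;", re.M)


def normalize_mac(mac: str):
    """Accept 00:11:22:33:44:55, 00-11-..., 0011.2233.4455 or bare hex;
    return lowercase colon form, or None if it is not 48 bits of hex."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def valid_hostname(name: str) -> bool:
    return len(name) <= 253 and HOSTNAME_RE.fullmatch(name) is not None


def parse_hosts(conf: str) -> dict:
    """Map host name -> MAC for every host stanza in the fragment (the list view)."""
    return {name: mac.lower() for name, mac in HOST_RE.findall(conf)}


def add_host(conf: str, name: str, mac: str) -> str:
    """Return the fragment with a new host stanza appended, or raise ValueError."""
    norm = normalize_mac(mac)
    if norm is None:
        raise ValueError("MAC address must be 12 hex digits")
    if not valid_hostname(name):
        raise ValueError("hostname contains characters not allowed here")
    hosts = parse_hosts(conf)
    if name in hosts:
        raise ValueError(f"hostname {name} already registered")
    if norm in hosts.values():
        raise ValueError(f"MAC {norm} already registered to another host")
    return conf + f"host {name} {{ hardware ethernet {norm}; }}\n"


def delete_host(conf: str, name: str) -> str:
    """Remove the one-line stanza for `name`; raise if no such host exists."""
    if name not in parse_hosts(conf):
        raise ValueError(f"no host named {name}")
    pat = rf"^[ \t]*host[ \t]+{re.escape(name)}[ \t]*\{{[^}}]*\}}[ \t]*\n?"
    return re.sub(pat, "", conf, count=1, flags=re.M)
```

The host list only excludes unknown machines if the subnet declaration also carries `deny unknown-clients;`, and, as several replies below point out, it does nothing against a machine configured with a static IP.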

36 comments

  1. Webmin's DHCP Module by redcliffe · · Score: 1

    I find it excellent for adding lots of static hosts to DHCP.

  2. same problem with DNS updates by martin · · Score: 1

    ie ya don't want the techies doing it, just admin staff doing the details from a change form.

    Most sites I've seen roll their own database for this sort of thing. You get the change management form (signed by the appropriate person) and a non-techie puts in the changes to a little app. The app updates the database and the database updates the DNS/DHCP settings....

    Not very helpful, but there you go..

    1. Re:same problem with DNS updates by Anonymous Coward · · Score: 0

      That's EXACTLY what the poster was asking for!!!!

      You are a genius!!!

  3. Perl by droyad · · Score: 3, Insightful

    Sounds like a job for a good Perl script using CGI

    1. Re:Perl by Anonymous Coward · · Score: 0

      Sounds like a job for a good Perl script using CGI

      Umm, you did read the part about him using Webmin, right?

      As you apparently have ADD, here is the important part from that web page:

      Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5.

    2. Re:Perl by Strog · · Score: 1

      You mean like this?

      I realize a good perl script could do this and would write one if that's what it takes. I was asking about solutions others have done.

      It's nice to reuse existing code. You get something that has been tested more thoroughly and had the bugs shaken out (mostly, at least). It's nice to see proven error trapping and what does and doesn't work. Why should you go through all the trouble of writing a new program and the downtimes when it needs more debugging when someone has already gone through this and is sharing their results?

      Your comment could as easily have said python, php, monkeys with typewriters, etc. but it really wouldn't have added too much to the discussion. What would you do with your perl script, how would you go about structuring it, what kind of error checking? These would be better comments to add.

  4. in Soviet Russia by Anonymous Coward · · Score: 0

    In Soviet Russia, DHCP serves YOU!

  5. webmin doesn't have to show icons by NateSac · · Score: 2, Informative

    I hope this helps you. If you click on the module config button in webmin, the second option from the top is labelled:
    Display subnets and hosts as _ Icons _ List
    If you set this option to list, webmin will not display an icon for each host. Furthermore, if you have a large number of DHCP clients, you may also want to use groups to help organize some of those clients into smaller lists.

    --
    ::i visited slashdot and all i got was this lousy sig::

    1. Re:webmin doesn't have to show icons by Strog · · Score: 2, Informative

      I submitted this article Friday so I've had some time with webmin this weekend.

      Go to your theme directory and put noicons=1 in the config file (/usr/share/webmin/themename/config in my system). This gives icons in the categories but none in the module itself. This looks like it will scale up to hundreds of entries with ease. I have 150 in my test machine now and you don't have to scroll much yet.

      I'm editing out all the unneeded fields and buttons in the cgi files now. Mostly consists of rem'ing out the print statements in the index.cgi, edit_host.cgi and params-lib.pl files so far. I've got the buttons down to create, save, delete and apply.

      I can't seem to get rid of lease time, dynamic DNS and a couple other options without it breaking. It tries to send a null instead of going with the default. It's really in a workable state for us right now but I'd love to get it down to our 2 boxes we want and nothing else.

      It is said that 10% of the project takes 90% of the time. Looks like it is holding up here on this project for me.

  6. FYI... by m0rph3us0 · · Score: 2

    I'm assuming this is for some kind of security measure. Have you implemented something like proxy arp so that people can't just listen for arp requests and have a list of valid MACs for use at a later time? It is rather easy to change your MAC on most network cards, especially the popular Realtek 8139s.

    1. Re:FYI... by Strog · · Score: 1

      Thanks for the heads up. I'm completely aware that MAC spoofing is easy.

      This is just one piece to the puzzle. The problem is most of the puzzle pieces are in other people's hands. :-P

  7. re: DHCP thing by rob_ert · · Score: 1

    "What we really need is boxes for hostname, MAC address and apply button and a list of current entries and a delete button... "

    This just sounds like the dhcp manager (/usr/sadm/admin/bin/dhcpmgr) which ships with Solaris 8/9...but it's a java application and not web based (well ssh X tunneling, exporting Display and xhost + is sort of web based isn't it?? ;-) .With this thing I'm doing exactly the stuff at home (on a lesser scale of course), which you intend to do at your work....

  8. An icon? is that all? by tongue · · Score: 2

    if all that's preventing webmin from serving the purpose you need is an icon for each client, then for pete's sake, modify the source or replace the icon with a 1 pixel jpg or something. that's the whole point of open-source right?

    1. Re:An icon? is that all? by Strog · · Score: 1

      That's part of it and I have that figured out (read my reply up a few posts). I'm removing the rest of the options and buttons that I don't want now. Webmin's code is pretty nice for hacking. You gotta love open source.

      I was really looking for other solutions that might be a better starting point. I also would like to hear from others that have already done it and what snags they might have run into.

  9. NameSurfer by Anonymous Coward · · Score: 0

    NameSurfer is a web interface for DNS and DHCP.
    It's commercial and not exactly cheap, though.

    1. Re:NameSurfer by Strog · · Score: 1

      It looks good but can you lock down what the users can do to very specific things?

      How not cheap is it? A few hundred, a couple thousand or more?

      The website doesn't seem to give too much info.

  10. Coding by JohnFluxx · · Score: 2

    Have we gotten to the stage where regular sysadmins can't code these days?

    If you can't do it, go to a secondary school and get someone to write the program for you.

    1. Re:Coding by Strog · · Score: 1

      You seemed to miss the point here. I said I was already in the process of hacking webmin. (RTFA?)

      I was looking for other people's experience to draw from. I want to know if someone has done it before and the good, bad, otherwise they ran into as it scales up. One of the best things about the internet and open source is the wealth of resources and collaboration that is possible.

      It's a shame we have people locked in the basement whining about stuff instead of giving real input. Ask Slashdot could be a valuable resource. Sure there's a lot of dumb questions being asked e.g. "I bought my first computer last week. How do I migrate a 6,000 computer datacenter without any downtime?". The "Ask Google", "code it yourself", "why can't you code?" and "Perl/PHP/GPL/BSD/Linux/OSX wars" comments really don't add anything productive to what could be a good sharing of ideas and experiences.

      Perhaps you were just trolling?

    2. Re:Coding by Rick+the+Red · · Score: 2

      Perhaps you're asking the wrong group. Did you try comp.unix.admin?

      --
      If all this should have a reason, we would be the last to know.

    3. Re:Coding by JohnFluxx · · Score: 2

      Surely I could say almost exactly the same thing - ask slashdot should be for useful questions, not "Has anyone written a 10 line long program to do what i want".

    4. Re:Coding by Anonymous Coward · · Score: 0

      What useful questions do you have in mind?

      I wouldn't trust any of the code posted here even if it was just 10 lines. They either insert rogue code to be funny or it is fugly and non-functional.

      If you put something more interesting to discuss then there are other problems. Most of the posters don't have a clue to what you are talking about. A good chunk don't seem to be able to even read it correctly so they couldn't discuss the topic if they knew anything about it.

    5. Re:Coding by Strog · · Score: 1

      You could have a point there. If this isn't a useful question then why are you reading it and posting with +1 bonus?

      If questions on administering a server in an enterprise environment aren't useful then what is?
      I thought the really useful ones ended up on the front page.

      Perhaps the following?
      Jobs for Moonlighting Geeks?
      Inexpensive Alternatives for ICANN Disputes?
      Secure Digital vs. Multimedia Cards
      Kick-Starting a Software Export Business?
      What Protections Exist for Parody Sites?
      Is CRT Burn-In Still a Problem?

  11. Two major problems by TheSHAD0W · · Score: 3, Insightful

    I see two major problems with your authentication scheme.

    First off, you have a catch-22 in the assignment system. You don't want to give a DHCP address to a system without its being authenticated, but your system won't be able to hit the net and get to the administrative machine to BE authenticated. Aside from manually typing in the MAC address on the main server, which I think someone would find annoying. I suppose you could DHCP unrecognized machines to an intranet address that's null-routed except for that admin machine, which would ask for a password, sniff the MAC address, and then add it to the DHCP system.

    But there's an even larger flaw with your scheme, which is that there's nothing keeping users from turning off DHCP and choosing an unassigned IP, letting anyone with a little know-how hijack your connection without going through your authentication and possibly cause conflicts on your network. DHCP is MEANT to be easy; add complications and you've ruined the whole point of having it.

    If you want to have a secure network, you're going to have to use a whole different system, such as using a protocol like PPPoE (unencrypted) or PPTP (encrypted) to log in to a central station and then have that machine handle routing, etc. From an ease-of-use standpoint, this would be a lot simpler, both for end users and your inexpert managers; they add a name and password to the list, and each user needs his name and password to log in. If someone changes hardware, no problem.

    1. Re:Two major problems by Strog · · Score: 1

      Agreed. This is out of my hands as far as what we are going to do with the admin network. I'm really just a guest in this network although a respected one. The board makes technology decisions when they aren't qualified to understand the consequences. We have all the other red tape, budget, politics, etc. too. Did I mention that this is a college?

      We have an automated inventory system that we can get a list of authorized MAC addresses parsed into the list. The web interface would be for add, change and deletes. The individual tech responsible for their campus would be entering that and would only be a handful on a regular basis. Large purchases would be a pain though. :-(

      The other issues are going to be handled in hardware solutions or so I'm told. Yes, fixed IPs need to be watched out for. I'd love to run IPSec on critical systems but it's not my call.

    2. Re:Two major problems by TheSHAD0W · · Score: 2

      > Did I mention that this is a college?

      Then your answer is clear. Push for the board to look at the solutions other colleges have used, tell them that the others have already solved all the problems they're about to face, and they should adopt a complete package instead of trying to roll their own. Kerberos would do really well, and it'd be free.

    3. Re:Two major problems by Strog · · Score: 1

      While the answer should be clear, it doesn't seem to be.

      Kerberos would complement what we are doing here quite well and will likely be the next part to the puzzle that is our network. It wouldn't necessarily replace everything else.

      One problem is the database on a Tru64 box. It is maintained by the software vendor that doesn't support deviations from the normal way they do things. They are more concerned about things that aren't security related and security isn't even close to what it should be. The clients connect to it using telnet protocol (real secure there) using a proprietary client. Perhaps we can use stunnel or some other method of tunneling, etc. to externally secure the traffic but that might take more time and money than they are willing to provide.

      The MIS dept tries to work around these issues with management of switches, routers, etc. and access lists and other methods to try to limit the issues. Yes the MAC addresses could be worked around but it is a step in the right direction. I appreciate the input, keep it coming.

    4. Re:Two major problems by akb · · Score: 2

      Use vlans then to make unauthenticated stuff go to a web form, the web server then talks to your network management software to put the MAC on the whitelist.

  12. NetReg by bongoras · · Score: 2, Informative

    NetReg is an automated system that requires an unknown DHCP client to register their hardware before gaining full network access. Through a simple web interface, the client is prompted for their user identification. Powerful scripts then retrieve the client's network fingerprint and store it along with the user's information in a database. The database provides administrators with real-time information for troubleshooting and auditing their networks. The entire system was developed utilizing unmodified, open-source servers and in-house developed CGI programs.

    http://www.netreg.org

  13. Re: DHCP thing by chris_martin · · Score: 1

    I've found that it's a bit slow and unstable though. When you get a lot of domains and hosts it's a bit slow. I have 40 remote sites each with many hundreds of machines (some with over a thousand) and displaying that many hosts, it gets a bit pokey, even on the console, and scrolling is slow too. I also got a bad taste in my mouth when one of the domain files got messed up a bit (server updated the lease time and it messed something up) and if I clicked on it it would hang the app, I had to delete the file and recreate it. Then Sun patched everything and changed the file format and broke it for me. I switched to ISC's dhcp server. No front end for me though, just vi, but I don't have to edit the file ever now that it's set up. I really liked the sun app though, it got my machines up and running very quickly. I haven't used the newer versions (I stopped using it about 8 months ago) though, and not in Sol9.

    --
    -- Chris Martin, System Administrator

  14. Don't bother by photon317 · · Score: 2

    DHCP "security" by only giving addresses to known mac addresses doesn't buy you anything. Anyone can still plug in and grab an address statically anyways. The only way to enforce this would be a manual static arp table in every machine (including the router) and disable true arp, and at that point you may as well stop using DHCP too. Even then you still have to take other measures to make it really work.

    Just run plain old wide-open DHCP, and implement network policy where it belongs - at the L3 devices like firewalls, L3 switches, routers - and in user AAA, be it windows domain logon, LDAP, or what have you.

    --
    11*43+456^2

  15. Use your switches by Tull · · Score: 1

    Our local network only allows authorised MAC addresses to connect, but using the switches rather than a DHCP server. The switches we use only allow x changes before locking out the port, so for most "admin" machines x is set to 1, so only the machine connected at the time the switch is setup/reset is allowed to connect.

    There are exceptions to this for development machines etc. so we can swap boxes around etc.

  16. Re:NetReg Advertisement? by Anonymous Coward · · Score: 0

    I'm sorry, but either you copied that stuff from their ads, or you get some benefit from people using that program. Let's look at a few of the reasons I think this is the case.

    #1: "a simple web interface"
    Why not just 'a web interface' ?? Is it really *that* simple? I use web interfaces fairly often, and I don't know anyone that describes them as 'simple' even when they are amazingly simple.

    #2:"Powerful scripts"
    What is so powerful about them? How many Watts of power do these scripts have? Are they a lot better than weak scripts?

    #3:"network fingerprint"
    No such thing. If you can send data over the net once, you can replicate it. A fingerprint is unique. This probably is referring to the MAC layer address, which is easily changed/copied. 'network fingerprint' sounds like market-speak.

    #4: (no quote, just the 'database' stuff)
    If it's stored in an RDBMS, we all know what we can do with it and what we can use the information for. It almost sounds like you are trying to get us to buy a database system here.

    All in all, your whole post could be more concise, and less 'buzz'-ridden with a little effort.
    P.S. None of my comments have anything to do with the product itself, which may or may not be exactly what the Ask Slashdot question was looking for.

  17. Re:NetReg Advertisement? by bongoras · · Score: 1

    wow, you sure smacked me down. Yes, the post was pasted from their website. No, I don't get any rewards from getting people to use their product. Yes, you need to get a life.

  18. Geez, why even use DHCP? by argel · · Score: 2

    You might as well static the IP addresses and shut the DHCP server down.

    --

    -- Argel

    1. Re:Geez, why even use DHCP? by drsmithy · · Score: 1

      It allows you to have the 500 new lab machines be delivered and then just plugged in, netbooted and run through specific installs/reimaging dependent on IP just by having some poor PFY type in 500 MAC addresses.

      It allows you to base automated system modifications for lab machines on IP address.

      It allows, in a lab situation where configs can't be modified, an easy way to identify which machine was doing what without having to get into more complicated campus-wide monitoring of things like MAC addresses.

      There are a whole swathe of useful things that using DHCP but still tying specific machines to specific addresses allows. Having said that, security is not really one of them.

  19. not secure by austad · · Score: 2

    This doesn't accomplish much, as a user can just manually assign an IP. Why not turn on port security on your switches and only allow certain MAC addresses on certain ports. Obviously, I don't know what kind of switches you are using, but since most of the world seems to be using Cisco, that's probably what you have and those will do it just fine.

    --
    Need Free Juniper/NetScreen Support? JuniperForum