Complete and secure DHCP server configuration in Linux

Source: Internet
Author: User

DHCP is the Dynamic Host Configuration Protocol. It automatically provides computers with IP addresses, subnet masks and routing information. A network administrator assigns an IP address range from which the server distributes addresses to clients on the LAN. When a device joins the LAN it requests an address from the DHCP server, which assigns one to each requesting device until all addresses in the range are allocated. An assigned address is valid for a limited time and must be renewed regularly; this mechanism is called leasing, and it ensures that an address can be returned to the server when a client leaves the network abruptly without releasing it. This article uses RedHat Linux 9.0 as the example to build a complete and secure DHCP server.


I. Create the DHCP server configuration file

On RedHat Linux 9.0 the server can be installed from the RPM package shipped with the distribution. After installation, the DHCP daemon dhcpd reads its configuration from /etc/dhcpd.conf; this file is not created by the package, so create /etc/dhcpd.conf by hand. The file is made up of three kinds of statements: parameters, declarations and options.


1. Parameters in the DHCP configuration file: they state how a task is carried out, whether it is carried out at all, or which network configuration options are sent to the client. The main ones are listed in table 1.


Parameter                   Description
ddns-update-style           Sets the DHCP-DNS dynamic update mode.
default-lease-time          Default lease length, in seconds.
max-lease-time              Maximum lease length, in seconds.
hardware                    Specifies the client's NIC interface type and MAC address.
server-name                 Server name announced to DHCP clients.
get-lease-hostnames flag    Whether to look up a host name for the IP address leased to the client.
fixed-address ip            Assigns a fixed address to the client.
authoritative               Declares the server authoritative for the network, so it rejects incorrect IP address requests.

2. Declarations in the DHCP configuration file: they describe the network layout and supply the clients' IP addresses. The main ones are listed in table 2:


Declaration                                   Description
shared-network                                Declares that several subnets share one physical network.
subnet                                        Declares a subnet and the addresses that belong to it.
range start-ip end-ip                         Gives the range of addresses that are assigned dynamically.
host hostname                                 Declares a specific host.
group                                         Applies a set of parameters to a group of declarations.
allow unknown-clients; deny unknown-clients   Whether to assign addresses dynamically to unknown clients.
allow bootp; deny bootp                       Whether to respond to BOOTP queries.
allow booting; deny booting                   Whether to respond to client queries at all.
filename                                      Name of the boot file, used by diskless workstations.
next-server                                   Host name of the server from which the boot file is loaded, used by diskless workstations.

3. Options in the DHCP configuration file: they set optional DHCP parameters, and every one begins with the keyword option. The main ones are listed in table 3:


Option                  Description
subnet-mask             Subnet mask for the client.
domain-name             DNS domain name for the client.
domain-name-servers     IP address of the DNS server for the client.
host-name               Host name for the client.
routers                 Default gateway for the client.
broadcast-address       Broadcast address for the client.
ntp-servers             Network time server IP address for the client.
time-offset             Offset of the client's time zone from Greenwich Mean Time, in seconds.

Note: If the client uses a Windows operating system, do not select the "host-name" option, that is, do not specify the host name for it.

The following is the DHCP configuration file used by the author. It serves a class C network, with 126 addresses available for dynamic assignment. Readers can copy and use it, but the site-specific values (addresses, domain name and MAC address) must be changed to match your own network.


ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

    option routers 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name "www.cao.com";         # DNS domain name
    option domain-name-servers 192.168.1.3;   # DNS server for the clients
    option time-offset -18000;                # five hours behind GMT, in seconds

    # 126 dynamically assigned addresses; the range stops short of the
    # router (.254) and the broadcast address (.255).
    range dynamic-bootp 192.168.1.128 192.168.1.253;
    default-lease-time 21600;
    max-lease-time 43200;

    host ns {
        hardware ethernet 52:54:AB:34:5b:09;  # MAC address of the client that gets the fixed address
        fixed-address 192.168.1.9;
    }
}
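A practical check before starting the server is whether the dynamic range actually fits the subnet and stays clear of the router, the broadcast address and every fixed-address host; dhcpd does not refuse such a configuration outright. The script below is an added example, not code from the original article: it embeds a constructed copy of the configuration above and performs those checks in plain POSIX shell and sed, assuming one subnet block with one range line, which is all the sample uses.

```shell
#!/bin/sh
# Added example (not from the original article): static sanity checks on a
# dhcpd.conf subnet block, run before "service dhcpd start".

# Dotted-quad IPv4 address -> integer, so addresses can be compared.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Print "start end" of the first range line, with or without dynamic-bootp.
conf_range() {
    printf '%s\n' "$1" | sed -n \
      's/^[[:space:]]*range[[:space:]]\{1,\}\(dynamic-bootp[[:space:]]\{1,\}\)\{0,1\}\([0-9.]*\)[[:space:]]\{1,\}\([0-9.]*\);.*/\2 \3/p' \
      | head -n 1
}

# Number of addresses in the dynamic range (126 for the article's sample).
dynamic_pool_size() {
    set -- $(conf_range "$1")
    echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# Check that the dynamic range lies inside the declared subnet and does not
# contain the router, the broadcast address or any fixed-address host.
# Prints one line per problem; exit status 0 means nothing was found.
check_dhcpd_conf() {
    conf=$1
    problems=0
    set -- $(printf '%s\n' "$conf" | sed -n \
      's/^[[:space:]]*subnet[[:space:]]\{1,\}\([0-9.]*\)[[:space:]]\{1,\}netmask[[:space:]]\{1,\}\([0-9.]*\).*/\1 \2/p' | head -n 1)
    [ $# -eq 2 ] || { echo "no subnet declaration found"; return 1; }
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    set -- $(conf_range "$conf")
    [ $# -eq 2 ] || { echo "no range declaration found"; return 1; }
    lo=$(ip2int "$1"); hi=$(ip2int "$2")

    [ "$lo" -le "$hi" ] || { echo "range start is above range end"; problems=$((problems + 1)); }
    for a in "$lo" "$hi"; do
        [ $(( a & mask )) -eq "$net" ] || { echo "range endpoint outside subnet"; problems=$((problems + 1)); }
    done
    for key in 'option routers' 'option broadcast-address' 'fixed-address'; do
        for ip in $(printf '%s\n' "$conf" | sed -n "s/^[[:space:]]*$key[[:space:]]\{1,\}\([^;]*\);.*/\1/p" | tr ',' ' '); do
            n=$(ip2int "$ip")
            if [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]; then
                echo "$key $ip lies inside the dynamic range"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# Constructed copy of the article's configuration (values are the article's).
SAMPLE_CONF='
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.254;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name-servers 192.168.1.3;
    range dynamic-bootp 192.168.1.128 192.168.1.253;
    default-lease-time 21600;
    max-lease-time 43200;
    host ns {
        hardware ethernet 52:54:ab:34:5b:09;
        fixed-address 192.168.1.9;
    }
}'

# The same file with a range that runs up to .255, i.e. the broadcast address.
BAD_CONF=$(printf '%s\n' "$SAMPLE_CONF" | sed 's/192.168.1.253/192.168.1.255/')

check_dhcpd_conf "$SAMPLE_CONF" && echo "sample config OK: $(dynamic_pool_size "$SAMPLE_CONF") dynamic addresses"
check_dhcpd_conf "$BAD_CONF" || echo "bad config rejected"
```

To check a live file, pass its contents: `check_dhcpd_conf "$(cat /etc/dhcpd.conf)"`. The script is deliberately a complement to, not a replacement for, the daemon's own syntax check.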

II. Create the client lease file

 

To run the DHCP server you also need a file named dhcpd.leases, in which dhcpd records every IP address it has handed out. On RedHat Linux the file lives in /var/lib/dhcp/; if ISC DHCP was installed from the RPM, the directory already exists. Each entry in dhcpd.leases has the form:


lease address { statements }

The content of a typical file is as follows:


lease 192.168.1.255 {                       # IP address assigned by the DHCP server
  starts 1 03:02:26;                        # lease start time
  ends 1 09:02:26;                          # lease end time
  binding state active;
  next binding state free;
  hardware ethernet 00:00:E8:A0:25:86;      # client NIC MAC address
  uid "\001\000\000\350\240%\206";          # client identifier used to verify the client
  client-hostname "cjh1";                   # client host name
}

 
Note that the lease start and end times are in Greenwich Mean Time (GMT), not local time.

When the DHCP server runs for the first time, dhcpd.leases is an empty file and need not be created by hand. If ISC DHCP was not installed from the RPM, or dhcpd was already installed, find out where dhcpd writes its lease file and make sure that file exists. You can also create an empty file manually:


# touch /var/lib/dhcp/dhcpd.leases
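Because dhcpd appends a new record to dhcpd.leases every time a lease changes, the file quickly contains several records per address and the last one is the current state. The script below is an added example, not code from the original article or from ISC: it parses a constructed lease file in the format shown above (dates invented), lists the addresses whose latest record is active, and flags any MAC address holding more than one active lease, which a defender reviewing the pool would want to see.

```shell
#!/bin/sh
# Added example (not from the original article): inventory of active leases
# from dhcpd.leases. The lease file below is constructed sample data.

LEASES_FILE=$(mktemp)
cat > "$LEASES_FILE" <<'EOF'
# The format of this file is documented in the dhcpd.leases(5) manual page.

lease 192.168.1.130 {
  starts 1 2003/03/10 03:02:26;
  ends 1 2003/03/10 09:02:26;
  binding state active;
  next binding state free;
  hardware ethernet 00:00:e8:a0:25:86;
  client-hostname "cjh1";
}
lease 192.168.1.131 {
  starts 1 2003/03/10 03:10:00;
  ends 1 2003/03/10 09:10:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:50:56:11:22:33;
  client-hostname "ws2";
}
lease 192.168.1.132 {
  starts 0 2003/03/09 20:00:00;
  ends 1 2003/03/10 02:00:00;
  binding state free;
  hardware ethernet 00:50:56:44:55:66;
}
lease 192.168.1.133 {
  starts 1 2003/03/10 04:00:00;
  ends 1 2003/03/10 10:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:00:e8:a0:25:86;
  client-hostname "cjh1";
}
lease 192.168.1.131 {
  starts 1 2003/03/10 03:10:00;
  ends 1 2003/03/10 03:45:12;
  binding state free;
  hardware ethernet 00:50:56:11:22:33;
}
EOF

# Print "ip mac hostname" for every lease whose most recent record is active.
# The last record for an address wins, so 192.168.1.131 above is not active.
active_leases() {
    awk '
        /^lease /                    { ip = $2; mac = "?"; host = "-"; state = "" }
        /^[ \t]*binding state /      { state = $3; sub(/;$/, "", state) }
        /^[ \t]*hardware ethernet /  { mac = $3; sub(/;$/, "", mac) }
        /^[ \t]*client-hostname /    { host = $2; gsub(/[";]/, "", host) }
        /^}/ {
            if (!(ip in seen)) { seen[ip] = ++n; order[n] = ip }
            st[ip] = state; hw[ip] = mac; hn[ip] = host
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                if (st[ip] == "active") print ip, hw[ip], hn[ip]
            }
        }' "$1"
}

# MAC addresses holding more than one active lease. A healthy client renews
# the address it already has, so several addresses on one MAC is worth a look.
multi_lease_macs() {
    active_leases "$1" | awk '{ c[$2]++ } END { for (m in c) if (c[m] > 1) print m }'
}

echo "Active leases:"
active_leases "$LEASES_FILE"
echo "MACs with more than one active lease:"
multi_lease_macs "$LEASES_FILE"
```

On a real server run `active_leases /var/lib/dhcp/dhcpd.leases` (or the jail's copy of the file) instead of the constructed sample.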

 
III. Start and check the DHCP server

Run the following command to start the DHCP server:


# service dhcpd start

 
Run the ps command to check that the dhcpd process is running:

# ps -ef | grep dhcpd
root      2402     1  0 ?        00:00:00 /usr/sbin/dhcpd
root      2764  2725  0 pts/2    00:00:00 grep dhcpd

 
Check the port on which dhcpd is listening:

# netstat -nutap | grep dhcpd
udp        0      0 0.0.0.0:67              0.0.0.0:*               2402/dhcpd

IV. Configure the DHCP client

Normally the administrator configures DHCP clients by hand: networking is enabled in /etc/sysconfig/network, and each network device has its own configuration file in /etc/sysconfig/network-scripts. That directory holds one ifcfg-eth? file per device, where eth? is the device name, e.g. eth0. To bring networking up at boot, the NETWORKING variable must be set to yes. In short, /etc/sysconfig/network must contain the NETWORKING line and the device file ifcfg-eth0 must contain the remaining lines:


# /etc/sysconfig/network
NETWORKING=yes

# /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes

V. Troubleshooting common DHCP configuration errors

 

Configuring a DHCP server is usually straightforward, but a few points help avoid trouble. On the server, make sure the NIC works and supports broadcast. On the client, make sure its NIC works. Finally, consider the network topology and whether the broadcast messages the client sends to the DHCP server are being blocked. If the dhcpd process does not start, read the syslog message file, usually /var/log/messages, to find out what went wrong.

Typical Faults:

1. The DHCP server configuration is complete and has no syntax errors, but clients on the network cannot obtain an IP address.

Usually the Linux DHCP server is not receiving the clients' request packets, which are addressed to 255.255.255.255, because the server's NIC is not set up for this limited broadcast. For dhcpd (the DHCP daemon) to talk to DHCP clients it must send packets to 255.255.255.255, but on some Linux systems that address is treated as the local subnet broadcast for the interface's listening zone. You therefore need to add 255.255.255.255 to the routing table to enable the broadcast function.

Run the following command:


# route add -host 255.255.255.255 dev eth0

If the command reports an error such as: 255.255.255.255: Unknown host

add the following line to /etc/hosts:

255.255.255.255 dhcp

2. The DHCP client is incompatible with the DHCP server.

Because there are many Linux distributions, the DHCP client programs and DHCP servers differ from one version to another. Linux has four DHCP client programs: pump, dhclient, dhcpxd and dhcpcd. Knowing which server and client programs each distribution ships is necessary for troubleshooting common errors. I have encountered an incompatibility between a SuSE Linux 9.1 DHCP server and a Mandrake Linux 9.0 client. In such a case you must change the client program: stop the client's network service, uninstall the original program and install a compatible one. The appendix lists the DHCP clients used by the major Linux distributions.


Distribution          Default client   Optional clients         Startup script     Configuration files
Red Hat Linux 9.0     dhclient         none                     /sbin/ifup         /etc/sysconfig/network
                                                                                   /etc/sysconfig/network-scripts/ifcfg-eth0
Debian Linux 3.0      dhclient         none                     /sbin/ifup         /etc/network/interfaces
                                                                                   /etc/dhclient.conf
Mandrake Linux 9.1    dhclient         dhcpcd, dhcpxd, pump     /sbin/ifup         /etc/sysconfig/network
                                                                                   /etc/sysconfig/network-scripts/ifcfg-eth0
                                                                                   /etc/dhclient-eth0.conf
SuSE Linux 9.1        dhcpcd           dhclient                 /sbin/ifup-dhcp    /etc/sysconfig/network/dhcp
                                                                                   /etc/sysconfig/network/ifcfg-eth0

VI. Security of the DHCP server

 

  1. Start the DHCP server on a specified network interface only

If your Linux system has more than one network interface but you want the DHCP server to listen on only one of them, configure it to start on that device alone. In /etc/sysconfig/dhcpd, add the interface name to DHCPDARGS:


DHCPDARGS=eth0

or write it with the following command:


# echo "DHCPDARGS=eth0" > /etc/sysconfig/dhcpd

 
This makes a firewall machine with two NICs safer: one NIC acts as a DHCP client and obtains its address from the Internet side, while the other serves DHCP to the internal network behind the firewall. Binding the server only to the adapter on the internal network means the daemon cannot be reached from the Internet.

  2. Run the DHCP server in a chroot jail

A chroot jail (the author's "prison") uses the chroot mechanism to change the root directory a program sees while it runs: the program is confined to a specified directory and can act only on the files in that directory and its subdirectories, which protects the rest of the server. Even if the program is damaged or broken into, the loss is small.

One difficulty with chrooting software is that every program, configuration file and library it needs must be installed in the chroot directory beforehand; this directory is usually called the chroot jail. A dhcpd running in the jail cannot see the real file system, so you must create the directory in advance and copy dhcpd into it. dhcpd also needs several libraries; the ldd (list dynamic dependencies) command shows the shared libraries an executable requires:


# ldd dhcpd
        libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

So you also need a lib directory in the jail with these libraries copied into it. Doing this by hand is tedious; the jail package simplifies building the chroot jail.
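What the jail package automates is exactly the step just described: read the ldd output, create the matching directory tree under the jail root and copy each library into place. The script below is an added example, not code from the original article or from the jail package: it parses a constructed copy of the ldd output shown above (with the linux-gate.so.1 line that a 2.6 kernel adds, which names no file) and copies the libraries it finds into a scratch jail root, skipping any that do not exist on the host.

```shell
#!/bin/sh
# Added example (not from the original article or the jail package): the
# manual version of what addjailsw does with the output of ldd.

# Constructed ldd output in the format the article shows.
LDD_OUTPUT='        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Read ldd output on stdin and print one absolute library path per line.
# Lines whose right-hand side is not a path (the vdso) are dropped.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Read library paths on stdin and copy each into the jail root ($1) under
# its original path, creating lib/, lib/tls/ and so on as needed.
# Libraries absent on this host are skipped; prints the number copied.
jail_copy_libs() {
    root=$1
    copied=0
    while read -r lib; do
        [ -n "$lib" ] || continue
        mkdir -p "$root$(dirname "$lib")"
        if [ -f "$lib" ]; then
            cp "$lib" "$root$lib" && copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Demonstration against a scratch jail root. On the real server the
# equivalent is:  ldd /usr/sbin/dhcpd | ldd_libs | jail_copy_libs /chroot
JAIL_ROOT=$(mktemp -d)
echo "libraries named by ldd:"
printf '%s\n' "$LDD_OUTPUT" | ldd_libs
echo "copied into $JAIL_ROOT:"
printf '%s\n' "$LDD_OUTPUT" | ldd_libs | jail_copy_libs "$JAIL_ROOT"
```

After copying, compare `ldd` of the binary with the contents of the jail's lib directory; a library that ldd names but the jail lacks is the usual reason a chrooted daemon fails to start.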

  (1) Compiling and installing the jail software

The jail home page is http://www.jmcresearch.com/; the latest version is 1.9a.


# wget http://www.jmcresearch.com/stati... Il/jail_1.9a.tar.gz
# tar xzvf jail_1.9a.tar.gz; cd jail/src
# make; make install

 
  (2) Creating the jail

The core commands of the jail package are Perl scripts: mkjailenv, addjailuser and addjailsw.

mkjailenv creates the chroot jail directory and copies a basic software environment into it from the real file system. addjailsw copies binary executables and their related files (libraries, auxiliary files and device files) from the real file system into the jail. addjailuser creates a new chroot jail user.

First stop the running dhcpd service, then create the chroot directory:


# /sbin/service dhcpd stop
# mkjailenv /chroot/
mkjailenv
A component of jail (version 1.9 for Linux)
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas

Making chrooted environment into /chroot
Doing preinstall()
Doing special_devices()
Doing gen_template_password()
Doing postinstall()
Done.

 
The following shows how to add the dhcpd program to the jail:

# addjailsw /chroot/ -P /usr/sbin/dhcpd
addjailsw
A component of jail (version 1.9 for Linux)
http://www.gsyc.inf.uc3m.es/~assman/jail/
Juan M. Casillas

Guessing dhcpd args(0)
Warning: file /chroot//lib/tls/libc.so.6 exists. overwritting it
Warning: file /chroot//lib/ld-linux.so.2 exists. overwritting it
.........
Done.

 
The warnings can be ignored: jail calls ldd to find the libraries dhcpd uses, and nearly every dynamically linked executable needs the two libraries above, so they were already in the jail. Next, copy the related dhcpd files into the jail:

# mkdir -p /chroot/dhcp/etc
# cp /etc/dhcpd.conf /chroot/dhcp/etc/
# mkdir -p /chroot/dhcp/var/state/dhcp
# touch /chroot/dhcp/var/state/dhcp/dhcpd.leases

Restart DHCPD:


[root@www root]# /chroot/usr/sbin/dhcpd

 
Run the ps command to check the dhcpd process:

# ps -ef | grep dhcpd
root      2402     1  0 ?        00:00:00 /chroot/usr/sbin/dhcpd
root      2764  2725  0 pts/2    00:00:00 grep dhcpd

 
Note that the program path in the process list has changed. Check the port dhcpd is listening on:

# netstat -nutap | grep dhcpd
udp        0      0 0.0.0.0:67              0.0.0.0:*               2402/dhcpd

 
The port number has not changed, and dhcpd is now running in the jail. This completes the setup of a complete and secure DHCP server.
