Koozali.org: home of the SME Server

restriction of access

Offline sal1504

restriction of access
« on: October 25, 2009, 01:04:54 AM »
Is there a way to restrict access to smeserver 7.4 by a computer's MAC address?

sal1504

Offline CharlieBrady

Re: restriction of access
« Reply #1 on: October 25, 2009, 02:16:43 AM »
Quote
Is there a way to restrict access to smeserver 7.4 by a computer's MAC address?

No.

Offline sal1504

Re: restriction of access
« Reply #2 on: October 25, 2009, 02:20:04 AM »
CharlieBrady,

So what would be the best way to restrict one particular machine from accessing the smeserver without disconnecting it from the network?

Sal

Offline Stefano

Re: restriction of access
« Reply #3 on: October 25, 2009, 07:04:07 AM »
sal1504:
please explain your problem/need, not your solution, thank you

Offline janet

Re: restriction of access
« Reply #4 on: October 26, 2009, 12:19:22 AM »
sal1504

Quote
best way to restrict one particular machine from accessing the smeserver

What type of access are you trying to restrict?

If it is web access, then use dansguardian & filter on IP.
Also configure the IP address based on MAC in the hostnames and addresses panel.

Offline sal1504

Re: restriction of access
« Reply #5 on: October 27, 2009, 01:18:15 AM »
We have a fairly straightforward network with a smeserver 7.4 for mail, web, groupoffice and a Windows 2008 server for SQL database and user folders. Everyone needs to access the 2008 server. We have one employee (contractor) who thinks he is the company IT expert and is constantly trying to access the smeserver with various hacks. We are trying to keep this particular computer off the server. As long as he is on his computer we cannot take action. But if he goes to another person's computer then we can take legal action, and I think the best way to stop him is to deny his computer access to the smeserver. Since I do not have control of the Windows server it is not of concern. Because of company regulations I can't go into too many more details. I can tell you that employees are contractors and provide their own computers.

Sal

Offline Stefano

Re: restriction of access
« Reply #6 on: October 27, 2009, 01:56:07 AM »
Quote
is constantly trying to access the smeserver with various hacks.

Please define hacks... as long as he doesn't know the root/admin password I think he cannot do anything

Quote
We are trying to keep this particular computer off the server. As long as he is on his computer we cannot take action. But if he goes to another person's computer then we can take legal action, and I think the best way to stop him is to deny his computer access to the smeserver. Since I do not have control of the Windows server it is not of concern. Because of company regulations I can't go into too many more details. I can tell you that employees are contractors and provide their own computers.

Sal


Well, I would send everybody a mail saying that any kind of access to resources will be logged and monitored... :)

I would also add that even if they use their own PCs, they are using them at YOUR "home", so they must stick to YOUR rules... don't forget it
« Last Edit: October 27, 2009, 01:58:03 AM by Stefano »

Offline arne

Re: restriction of access
« Reply #7 on: October 27, 2009, 09:33:12 PM »
Hello!

Actually it should be possible to filter out a PC on mac address without doing any "ugly and unauthorized things" with the firewall arrangement.

If one looks in the SME server wiki under Firewall: http://wiki.contribs.org/Firewall

There is a rubric: Block incoming IP address

This should be possible to give a small "adjustment", so it will filter on MAC addresses instead of source IPs:

Custom templates

Block incoming MAC address

I want to block all traffic from some MAC addresses to my server.
Create a custom template and list the MACs

# Create the custom template directory and open a new fragment in the editor
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
pico -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyRiffRaff
# Put these lines in the 40DenyRiffRaff fragment, one rule per MAC address to block
/sbin/iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
/sbin/iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:09 -j DROP

expand and restart

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/etc/init.d/masq restart


Except for the wiki, I also used this web page as a reference: http://www.cyberciti.biz/tips/iptables-mac-address-filtering.html

I cannot test it just now. Could you please leave a comment on whether it works or not?
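
An added example, not part of arne's post or the SME Server wiki: a shell helper that validates a list of MAC addresses and prints the rule lines for the custom template fragment, with a rate-limited LOG rule ahead of each DROP so that blocked attempts leave a record. The function names, the "MACDENY: " log prefix and the 6/min limit are assumptions; keep in mind that the `mac` match only sees hosts on the server's own network segment and keys on an address the client itself sets.

```shell
#!/bin/bash
# Added example (not from the thread): build the body of a masq template
# fragment such as 40DenyRiffRaff from a list of MAC addresses.
# Function names and the "MACDENY: " log prefix are assumptions.

# Normalise one MAC to upper-case colon form; fail unless it is 6 hex octets.
normalize_mac() {
    local mac
    mac=$(printf '%s' "$1" | tr 'a-f-' 'A-F:')
    if printf '%s\n' "$mac" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'; then
        printf '%s\n' "$mac"
    else
        return 1
    fi
}

# Read MACs on stdin (one per line, '#' comments allowed) and print, for each
# unique address, a rate-limited LOG rule followed by the DROP rule.
# Invalid entries are reported on stderr and make the function return 1.
emit_mac_rules() {
    local line mac seen="" rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if ! mac=$(normalize_mac "$line"); then
            echo "skipping invalid MAC: $line" >&2
            rc=1
            continue
        fi
        case " $seen " in *" $mac "*) continue ;; esac
        seen="$seen $mac"
        echo "/sbin/iptables -A INPUT -m mac --mac-source $mac -m limit --limit 6/min -j LOG --log-prefix \"MACDENY: \""
        echo "/sbin/iptables -A INPUT -m mac --mac-source $mac -j DROP"
    done
    return "$rc"
}

# Constructed sample input: the two addresses from the post (one written with
# dashes, one repeated) and one malformed entry.
SAMPLE='00:0F:EA:91:04:08
00-0f-ea-91-04-09   # dash notation, lower case
00:0F:EA:91:04:08
00:0F:EA:91:04'
printf '%s\n' "$SAMPLE" | emit_mac_rules || echo "some entries were rejected" >&2
```

After expanding the template and restarting masq as in the post, `iptables -L INPUT -v -n` shows per-rule packet counters, and the LOG entries appear in the kernel log.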

Offline Stefano

Re: restriction of access
« Reply #8 on: October 27, 2009, 10:18:12 PM »
If it works, please report in the wiki, thank you

Offline sal1504

Re: restriction of access
« Reply #9 on: October 28, 2009, 02:58:59 AM »
Works great, and the guy has already tried to breach the server from another machine. He has no idea the trouble he is in.

Thanks for all the help.

Sal
« Last Edit: October 28, 2009, 03:03:10 AM by sal1504 »