Title: ISC DHCP server security in Linux

KBTAG: kben10000030
URL: http://www.securityportal.com/lskb/10000000/kben10000030.html
Date created: 14/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: ISC DHCP server
Keywords: Servers/DHCP, System/DHCP

Summary:

DHCPD is something all network admins should use. It lets you serve clients the information they need for their network settings, so that typically the only client setup required is leaving the defaults and turning the machine on. It also lets you reconfigure client machines easily (say, moving from 10.0.1.0 to 10.0.2.0, or to a new set of DNS servers). In the long run (and even the short run) DHCP will save you enormous amounts of work, money and stress. I run it at home with only 8 client machines and have found life to be much easier. DHCPD is maintained by the ISC and is at: http://www.isc.org/dhcp.html.

More information:

The DHCPD server(s) should only be used as a DHCP server, locked up somewhere (when you rely on DHCP for your network and the DHCP server(s) fail, your network is in serious trouble), and allowed to do its job quietly. If you need to span subnets (i.e., you have multiple Ethernet segments, and not all of them have a DHCP server physically connected) use a DHCP relay (NT has one built in, the DHCP software for Linux has this capability, etc.). There are also several known problems with NT and DHCP: NT RAS has a rather nasty habit of sucking up IP addresses like crazy (I have seen an NT server grab 64 and keep them indefinitely), because it is trying to reserve IPs for the clients that will be dialing in, etc. This may not seem like a real problem, but it can (and has) led to resource starvation (specifically, the pool of IP addresses can be exhausted). Either turn NT's RAS off or put it on its own subnet; the MAC address it sends to the DHCP server is very strange (it spells out RAS in the first few bytes) and is not easy to map out.

DHCPD should definitely be firewalled from external hosts, as there is no reason an external host should be querying your DHCP server for IPs, etc. In addition, making it available to the outside world could let an attacker starve the DHCP server of addresses (assuming you use a dynamic pool or pools of addresses), leaving your internal network out of luck, and could let them learn about the structure of your internal network. DHCP runs on port 67, UDP, because the amounts of data involved are small and a fast response is critical.

The most common DHCP server is the ISC (Internet Software Consortium) DHCP server (from the same people that do BIND). It cannot easily be run as a non-root user, so chrooting it is highly recommended. To chroot it, simply create a /chroot/dhcpd/ directory (or similar) and populate it with the needed libraries. Logging is a pain, but simply use the "-d" command line option and pipe the output of the DHCPD server through "tee" or a similar program. Please see the knowledge base article on chrooting software, kben100000031.
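Once the "-d" output is being captured through "tee", it is worth watching for the two problems described above: pool exhaustion and NT RAS clients hoarding leases. The script below is an added example, not part of this article or of the ISC distribution; it assumes dhcpd's "DHCPDISCOVER from <mac> via <iface>" and "no free leases" message shapes, the log sample is constructed, and the 52:41:53 MAC prefix is an assumption taken from the article's remark that the RAS MAC spells out "RAS" (ASCII 0x52 0x41 0x53).

```shell
#!/bin/sh
# Constructed sample of dhcpd -d output (not real captured data).
SAMPLE_LOG='DHCPDISCOVER from 00:50:56:aa:bb:01 via eth0
DHCPOFFER on 10.0.1.20 to 00:50:56:aa:bb:01 via eth0
DHCPDISCOVER from 52:41:53:00:00:01 via eth0
DHCPOFFER on 10.0.1.21 to 52:41:53:00:00:01 via eth0
DHCPDISCOVER from 52:41:53:00:00:02 via eth0
DHCPDISCOVER from 00:50:56:aa:bb:02 via eth0: network 10.0.1.0/24: no free leases'

# Count distinct DISCOVERs from MACs whose first three bytes spell "RAS"
# (assumed NT RAS prefix 52:41:53; adjust if your captures differ).
ras_discover_count() {
    printf '%s\n' "$1" | awk '
        $1 == "DHCPDISCOVER" && tolower($3) ~ /^52:41:53:/ { seen[$3] = 1 }
        END { n = 0; for (m in seen) n++; print n }'
}

# Count "no free leases" events, the direct symptom of pool exhaustion.
exhaustion_count() {
    printf '%s\n' "$1" | grep -c 'no free leases' || true
}

# Returns non-zero when RAS clients exceed the limit (default 1) or any
# exhaustion event is seen, so it can be run from cron against the tee'd log.
dhcp_log_check() {
    _log=$1; _ras_limit=${2:-1}
    _ras=$(ras_discover_count "$_log")
    _ex=$(exhaustion_count "$_log")
    echo "ras_clients=$_ras no_free_leases=$_ex"
    [ "$_ras" -le "$_ras_limit" ] && [ "$_ex" -eq 0 ]
}

dhcp_log_check "$SAMPLE_LOG"
```

In production replace SAMPLE_LOG with the contents of the file "tee" writes, e.g. `dhcp_log_check "$(cat /var/log/dhcpd.log)"`.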

Downloads:

Most Linux distributions ship with the ISC DHCP server; you can get the source at: ftp://ftp.isc.org/isc/dhcp/.