Peter Surda wrote:
Alfred Vahau wrote:
Thanks for the reply. This is the practice at present. We block off one IP and another pops up.
At times, quite a few of them appear. We suspect that some of these guys are disgruntled ex-employees
who have unauthorized access or are accessing the network with the help of other staff.
Aha, so you suspect malicious intent and not only accidental behaviour. In that case you shouldn't expect that some other internal information found on the problematic computers is valid either.
We have not dismissed malicious intent. However, the chances of it happening is quite remote. Rather the fight is against network abuse.
In line with the core objectives of our institution, there are sites which are defined as unproductive. It is the access to these sites for which
strange ip addresses spring up, some of which are within our IP range, for which the logs do not provide very much information on the
identify of the user.
However, there is a possibility if you want to find the computer by IP, if you use manageable switches. As you know which IPs are improper, you can also find the corresponding MAC address passively from the router's ARP table (or actively by arping), and the switches will be able to tell you on which port this MAC is plugged. Then you can e.g. shutdown the port or follow the cable to the physical computer location.
Thanks for this pointer. This option looks viable and will pursue this.
alfred,
Yours sincerely Peter Surda
alfred,
_______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
-- Perl is my reason for following the Sun;
_______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
