DHCP is a core part of network infrastructure, but it is also an attractive attack target. The following is a combined set of measures for hardening a DHCP service on Linux:
```bash
# For the ISC DHCP server
sudo apt update && sudo apt upgrade isc-dhcp-server
# For dnsmasq
sudo apt update && sudo apt upgrade dnsmasq
```
```bash
# Restrict permissions on the configuration file
sudo chmod 640 /etc/dhcp/dhcpd.conf
sudo chown root:dhcpd /etc/dhcp/dhcpd.conf
# Restrict permissions on the lease file
sudo chmod 640 /var/lib/dhcp/dhcpd.leases
sudo chown dhcpd:dhcpd /var/lib/dhcp/dhcpd.leases
```
Specify the interfaces the service listens on in /etc/default/isc-dhcp-server:

```bash
INTERFACESv4="eth0"
INTERFACESv6=""
```
Configure logging. Open the server configuration:

```bash
sudo nano /etc/dhcp/dhcpd.conf
```

and add:

```conf
log-facility local7;
```

Then add to /etc/rsyslog.conf:

```conf
local7.* /var/log/dhcpd.log
```
Further dhcpd.conf settings: probe an address before offering it, confine dynamic allocation to a defined range, and pin a known host to a fixed address:

```conf
ping-check on;
ping-timeout 2;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
}
host important-client {
    hardware ethernet 00:1a:2b:3c:4d:5e;
    fixed-address 192.168.1.50;
}
```
DHCP snooping is not a setting on the DHCP server itself, but it should be configured on the network switch:

```text
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 10
switch(config)# interface fastEthernet 0/1
switch(config-if)# ip dhcp snooping trust
```
```bash
# Allow DHCP requests on the serving interface
sudo iptables -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Drop all other DHCP traffic
sudo iptables -A INPUT -p udp --dport 67:68 -j DROP
```
```conf
# In dhcpd6.conf
deny unknown-clients;
```
```bash
# Check for unusual leases
sudo grep -i "unusual" /var/log/dhcpd.log
# Check for configuration changes
sudo aide --check
```
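A keyword grep over dhcpd.log rarely catches the attacks this page is defending against, so here is an added example (not from the original article) that parses the log lines ISC dhcpd writes through the local7 rule above and flags three things: a burst of DHCPDISCOVERs from many distinct MACs within one minute (address starvation), "no free leases" messages (the pool ran dry), and a DHCPACK that contradicts a fixed-address reservation such as the important-client host stanza. The sample log lines and the five-MACs-per-minute threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for what ISC dhcpd writes via syslog (the local7 rule above sends these to dhcpd.log).
_DISCOVER = re.compile(r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d .*dhcpd\[\d+\]: "
                       r"DHCPDISCOVER from (?P<mac>[0-9a-f:]{17})")
_ACK = re.compile(r"dhcpd\[\d+\]: DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})")

def analyze(lines, reservations, discover_threshold=5):
    """Return starvation bursts, pool-exhaustion count and reservation violations.
    reservations maps fixed-address IP -> reserved MAC as in the dhcpd.conf host stanza;
    discover_threshold (assumed value) is the distinct-MAC DISCOVER count per minute treated as a burst."""
    reserved_ip = {mac: ip for ip, mac in reservations.items()}
    macs_per_minute = defaultdict(set)
    no_free, violations = 0, []
    for line in lines:
        m = _DISCOVER.search(line)
        if m:
            macs_per_minute[m["minute"]].add(m["mac"])
            if "no free leases" in line:  # dhcpd could not answer: the pool is empty
                no_free += 1
            continue
        m = _ACK.search(line)
        if m:
            ip, mac = m["ip"], m["mac"]
            # Reserved IP handed to another MAC, or the reserved MAC given another IP.
            if reservations.get(ip, mac) != mac or reserved_ip.get(mac, ip) != ip:
                violations.append((ip, mac))
    bursts = {k: len(v) for k, v in macs_per_minute.items() if len(v) >= discover_threshold}
    return {"discover_bursts": bursts, "no_free_leases": no_free,
            "reservation_violations": violations}

def sample_lines():
    """Constructed sample log (not from a real server): a normal lease, a reservation
    violation, and a DISCOVER burst from many MACs ending in pool exhaustion."""
    base = "Mar 10 09:{m}:{s:02d} dhcp1 dhcpd[812]: "
    lines = [base.format(m="00", s=1) + "DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0",
             base.format(m="00", s=2) + "DHCPACK on 192.168.1.50 to 00:1a:2b:3c:4d:5e via eth0",
             base.format(m="02", s=30) + "DHCPACK on 192.168.1.50 to 66:77:88:99:aa:bb via eth0"]
    for i in range(1, 8):
        lines.append(base.format(m="05", s=i) + f"DHCPDISCOVER from 02:00:00:00:00:{i:02x} via eth0")
    lines.append(base.format(m="05", s=8) + "DHCPDISCOVER from 02:00:00:00:00:08 via eth0: "
                 "network 192.168.1.0/24: no free leases")
    return lines

if __name__ == "__main__":
    print(analyze(sample_lines(), {"192.168.1.50": "00:1a:2b:3c:4d:5e"}))
```

Feed it the real file with `analyze(open("/var/log/dhcpd.log"), {...})` and the reservations copied from your host stanzas; a non-empty result is what the "check for unusual leases" step should actually be looking for.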
```conf
# Primary server configuration
failover peer "dhcp-failover" {
    primary;
    address 192.168.1.2;
    port 647;
    peer address 192.168.1.3;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    mclt 3600;
    split 128;
    load balance max seconds 3;
}
# Secondary server configuration
failover peer "dhcp-failover" {
    secondary;
    address 192.168.1.3;
    port 647;
    peer address 192.168.1.2;
    peer port 647;
    max-response-delay 60;
    max-unacked-updates 10;
    load balance max seconds 3;
}
```
```bash
# Check SELinux status
sudo sestatus
# If it is enabled, make sure the DHCP files carry the correct contexts
sudo restorecon -Rv /etc/dhcp
sudo restorecon -Rv /var/lib/dhcpd
```
By implementing these measures you can significantly raise the security of your DHCP service and defend against common attacks such as DHCP spoofing, address starvation and man-in-the-middle attacks.