By Kurt Seifried Rev 0.1
Securing specific services - DHCPD (S07.C06)
DHCPD is something all network admins should use. It allows you to serve network settings and related parameters to clients, typically meaning that the only client setup needed for networking is leaving the defaults and turning the machine on. It also allows you to reconfigure client machines centrally (say, move from using 10.0.1.0 to 10.0.2.0). In the long run (and short run) DHCP will save you enormous amounts of work, money and stress. I run it at home with only 8 client machines and have found life to be better even for a LAN this small.
Problems with DHCPD and RedHat 'out of the box':
I also highly recommend you run DHCPD version 2.X; it has a lot of new features and is easier to set up and work with, IMHO. The absolute latest version(s) tend to be a bit neurotic, however; be warned that it is beta software. Definitely firewall DHCPD off from the Internet. DHCP traffic should only be on local segments, possibly forwarded to a DHCP server on another segment; the only DHCP traffic you would see coming over the Internet would probably be an attack or DoS (they might reserve all your IPs, thus leaving your real clients high and dry). If you are forwarding DHCP traffic over the Internet, DON'T. This is a really bad idea for a variety of reasons (primarily performance and reliability, but security as well).
To run DHCPD chrooted, see my article on it. I also recommend that the DHCPD server be only a DHCP server, locked up somewhere and allowed to do its job quietly. If you need to span subnets (i.e. you have 4 Ethernet segments, only one of which has a DHCP server), use a DHCP relay (NT has one built in, the DHCP server has one, etc.). There are also several known problems with NT and DHCP: NT RAS has a rather nasty habit of sucking up IP addresses like crazy (I have seen an NT server grab 64 and keep them indefinitely), because it is trying to reserve IPs for the clients that will be dialing in. Either turn NT's RAS off, or put it on its own subnet.
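Both of the failure modes above (a remote party reserving all your addresses, and an NT RAS box quietly grabbing a large block of them) show up the same way on the server: the lease pool fills up and a single client holds far more leases than it should. The script below is an added example, not part of the original article or of the ISC dhcpd distribution; it parses a lease file in ISC dhcpd.leases syntax (the sample text is constructed, not a real lease file), resolves the "last entry wins" rule of that append-only file, and reports pool utilisation plus any client holding more than one address. The pool size and the hog threshold are assumptions you would replace with your own values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (not a real lease file).
# Assumed pool: 10.0.1.10 - 10.0.1.14, i.e. five addresses.
SAMPLE_LEASES = """
lease 10.0.1.10 {
  starts 3 1998/11/04 19:03:22;
  ends 3 1998/11/05 07:03:22;
  hardware ethernet 00:a0:c9:12:34:56;
  client-hostname "ws1";
}
lease 10.0.1.11 {
  starts 3 1998/11/04 19:05:00;
  ends 3 1998/11/05 07:05:00;
  hardware ethernet 00:a0:c9:aa:bb:cc;
  client-hostname "ntras";
}
lease 10.0.1.12 {
  starts 3 1998/11/04 19:05:01;
  ends 3 1998/11/05 07:05:01;
  hardware ethernet 00:a0:c9:aa:bb:cc;
}
lease 10.0.1.13 {
  starts 3 1998/11/04 19:05:02;
  ends 3 1998/11/05 07:05:02;
  hardware ethernet 00:a0:c9:aa:bb:cc;
}
lease 10.0.1.14 {
  starts 3 1998/11/04 10:00:00;
  ends 3 1998/11/04 12:00:00;
  hardware ethernet 00:a0:c9:de:ad:01;
}
"""

TIME_FMT = "%Y/%m/%d %H:%M:%S"
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
STARTS_RE = re.compile(r"starts\s+\d\s+(\S+ \S+);")
# "ends never;" is legal in dhcpd.leases for infinite leases; treat it as far future.
ENDS_RE = re.compile(r"ends\s+(?:\d\s+(\S+ \S+)|never);")


def parse_leases(text):
    """Parse lease blocks into dicts of ip, mac, starts, ends (datetime)."""
    leases = []
    for block in LEASE_RE.finditer(text):
        ip, body = block.group(1), block.group(2)
        mac, starts, ends = MAC_RE.search(body), STARTS_RE.search(body), ENDS_RE.search(body)
        if not (mac and starts and ends):
            continue  # malformed or abandoned entry: skip it rather than crash
        leases.append({
            "ip": ip,
            "mac": mac.group(1).lower(),
            "starts": datetime.strptime(starts.group(1), TIME_FMT),
            "ends": datetime.max if ends.group(1) is None
                    else datetime.strptime(ends.group(1), TIME_FMT),
        })
    return leases


def active_leases(leases, now):
    """dhcpd.leases is append-only: the last block for an IP is the current one."""
    latest = {}
    for lease in leases:
        latest[lease["ip"]] = lease
    return [l for l in latest.values() if l["starts"] <= now < l["ends"]]


def audit(text, pool_size, now_str, hog_threshold=2):
    """Return utilisation and the MACs holding >= hog_threshold active leases."""
    now = datetime.strptime(now_str, TIME_FMT)
    active = active_leases(parse_leases(text), now)
    per_client = Counter(l["mac"] for l in active)
    hogs = sorted(mac for mac, n in per_client.items() if n >= hog_threshold)
    return {
        "active": len(active),
        "utilisation": len(active) / pool_size,
        "hogs": hogs,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LEASES, pool_size=5, now_str="1998/11/04 20:00:00")
    print("active leases: %d (%.0f%% of pool)" % (report["active"], 100 * report["utilisation"]))
    for mac in report["hogs"]:
        print("client %s holds multiple addresses - check for RAS or a rogue client" % mac)
```

Run it against the real file (`/var/lib/dhcp/dhcpd.leases` on most systems; the path is an assumption) from cron and alert when utilisation climbs towards 100% or a single hardware address shows up more than once. Note that a client that changes its MAC on every request would not appear as a hog here; only the utilisation figure would catch that case.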
Contact Kurt Seifried, All rights reserved Kurt Seifried 1998, content and information may not be reposted physically or electronically without the express permission of the author, this includes but is not limited to www mirror sites, email, usenet news, etc.