How do I get someone off my network?

[RedSC]

I noticed today at work that I have an unauthorized computer on my network. It's in the MSHome workgroup instead of our usual workgroup and is called Mobile, so apparently somebody has brought something in and just plugged it in to our network. I tried net sending a message to it, but apparently that is turned off. I deleted it's DHCP lease twice, and now apparently it has a static IP address, because I can ping it, but it isn't showing up with the other DHCP computers.

Sorry for the newb question, but I'm trying to learn. How so I kick it off permanently, or at least contact it so I can find out who it is?

 

[spidey07]

shut down the switch port.

look at the routers arp table and find the mac address. then locate that mac address in your switches. eventually trace it down to the port, from there shut it down/disable it.

 

[Diaonic]

You could make an exception on your DHCP server to give that particular mac address a static IP. Than block the static ip in your firewall.

Probably not ideal and it wouldn't stop local traffic.

Spidey's solution is ideal but that requires you to have managed switches. Not everyone has those.

 

[imported_JFG]

is this a wireless network?

 

[RedSC]

No, it's hardwired.

 

[deftech]

Unplug his port at the patch panel/hub/switch...all done

Or go find him and kick his ass...)

 

[spidey07]

what kind of switches are you using?

 

[skyking]

With an unmanaged switch<s>, it is laborious.
How big is the network? you said workgroup, so I hope it is less than 25 machines or so. If that is the case, I'd go find and document each device and run, if you have not already. In an unmanaged situation, I log MAC addys, description, location, and current IP's of machines on a text file. it comes in handy later on if you do get managed switches. You'll walk up to this device soon enough.
It will be good to have a map of things anyway.

 

[casper114]

I personally use my router to filter all mac addresses except for the ones that I know I want on my network. That works for wireless and hard wired.

 

[RedSC]

The network has around 150 machines on it, with HP Procurve 4000 switches and a Cisco 1751 router. Forgive my ignorance if I confuse what I say- two months ago I was a programmer, and had never touched a network. Most of the machines are local, but we have around 20 in remote locations connected over frame relay or VPN. I think it is in this location because of the IP range it is in, but the we've got computers spread out pretty far- we're a manufacturing company. I would assume I have managed switches, but don't know enough about it to say for sure. I think I can fix the problem using Diaonic's advice, but it's taking me a while between other fires to get it figured out.

Thanks for all the advice.

 

[spidey07]

Do you have telnet access to the routers and switches?

If so, on the router type "how ip arp x.x.x.x" where the Xs are the IP address.

write it down.

Then go to the switch closet to the router and type "show mac cccc.cccc.cccc" where the Cs are the mac address. That should give you the port the mac is on...if that port goes to another switch and not a host (found out by "show mac PORT#", if it has more than one MAC it is connected to another switch, then repeat this process until you find it.

Or if you have HPs management application you may be able to track down the MAC with that.

 

[RedSC]

I got into the router and got the MAC, but I'm having trouble getting into the switches.

I don't have HP's management app, but I'll look on the old IT Supervisor's machine and see if he had it.

 

[Genx87]

Couldnt you simply block the static IP and wait for somebody to complain?

 

[RedSC]

Yes, I just don't know how to do that.

 

[Genx87]

oh hehe.

Try to telnet into the switches, they are managed right? If that doesnt work it should have a serial connection you can connect to.

 

[RedSC]

I had only tried telnetting into the first switch, and got nothing. I just tried the second, and got in. I'm looking around now.

 

[jamesbond007]

http://freshmeat.net/projects/ip-sentinel/

He'll never ever get his @$$ on the network if you pull this on him. It's great for having fun at LANs and causing a lot of ruckus.

A friend of mine accidentally sent the signal to an entire lab of computers and everyone was complaining instantly. He logged off and left the room after closing the program.

 

[Tazanator]

gee just get the MAC address and drop everything to that mac/IP ... that will stop him at router for internal ... find the port he plugged into and use a BOFH ethernet killer (plug that ethernet into the power feed lines) no more problems...

 

[imported_moeru]

find the user, club him\her over the head like a baby seal. Take home said box for personal use. Problem Solved.