Is it possible to create IP groups in some way, so I can provide Træfik with something like this: traefik.frontend.whiteList.sourceRange=MyGroup?
I would love to not worry about which IPs I give access to when deploying a new service, but rather just provide a group and know that someone else is in control of managing the list for that group.
You can specify a source range in CIDR notation. To whitelist all local network IPs from 192.168.0.0 to 192.168.255.255, for example:
traefik.frontend.whiteList.sourceRange=192.168.0.0/16
Here's a handy helper for getting the right notation: CIDR Calculator
If you want to whitelist single IPs only, you can use a comma separated list, limiting the range to a single IP address with /32:
traefik.frontend.whiteList.sourceRange=1.2.3.4/32,2.3.4.5/32
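The sourceRange semantics above (a comma-separated list of CIDR blocks, single hosts as /32), plus one way to get the "named group" the question asks for, as an added example in Python. This is not Traefik code: Traefik itself only takes the flat CIDR list, so the group table here is a constructed lookup that is rendered into the label string at deploy time. The group names and the 203.0.113.0/24 and 198.51.100.7 entries are assumptions (RFC 5737 documentation addresses); 192.168.0.0/16 and the /32 hosts come from the answer.

```python
import ipaddress

# Constructed group table (names and RFC 5737 ranges are ours). Whoever owns
# the list edits this table; services only name the groups they admit.
GROUPS = {
    "lan": ["192.168.0.0/16"],
    "office": ["203.0.113.0/24", "198.51.100.7"],
}

def parse_source_range(spec):
    """Turn a comma-separated sourceRange string into network objects.

    A bare address with no prefix becomes a single host (/32, or /128 for
    IPv6); strict=False lets '1.2.3.4/24' mean 1.2.3.0/24 the way most
    network gear reads it.
    """
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]

def is_allowed(client_ip, networks):
    """True when client_ip falls inside any of the listed networks.

    ipaddress never matches an IPv4 address against an IPv6 network or
    vice versa, so a v4-only list silently denies every v6 client.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def expand_groups(names, groups=GROUPS):
    """Resolve group names into the comma-separated CIDR list Traefik expects."""
    items = []
    for name in names:
        for entry in groups[name]:
            # normalise every entry to explicit CIDR so the label is unambiguous
            items.append(str(ipaddress.ip_network(entry, strict=False)))
    return ",".join(items)

def whitelist_label(names, groups=GROUPS):
    """The full label line for a service that should admit these groups."""
    return "traefik.frontend.whiteList.sourceRange=" + expand_groups(names, groups)

if __name__ == "__main__":
    label = whitelist_label(["lan", "office"])
    print(label)
    nets = parse_source_range(label.split("=", 1)[1])
    for ip in ("192.168.37.5", "198.51.100.7", "198.51.100.8", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
```

One caveat when relying on this: the check only sees the source address of the TCP connection. If a load balancer or another proxy sits in front of Træfik, every request arrives from that hop's address and the whitelist matches it rather than the real client; trusting a forwarded-for header instead is only safe when the hop in front strips any client-supplied value first.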
I have a list of IP addresses and a specific subnet which are to be allowed access to a web app. I'm able to loop through the IP restrictions using the copy function in ARM templates, but I'm unable to add the subnet restriction in the same template. Is there a way I can get through this?
According to this documentation you can define the ipAddress property of IpSecurityRestriction as follows:
CIDR notation such as ipv4/mask (leading bit match) e.g. XX.XXX.XXX.XX/32
pure ipv4 address (in this case the SubnetMask property is required)
According to what I understand, you should be able to achieve your goal with this. But if you want a stricter answer, please provide a sample input and a sample output.
After going through a lot of docs and blogs, I found no way to achieve it using the same ARM template. In my case, I want to add both IP addresses and a subnet while using a copy function (rather, call it an ARM foreach loop). So, for adding multiple IP addresses (which are dynamically fetched within the ARM template from another resource) and a subnet, I got it resolved by executing the ARM template first (this iterates and adds the dynamically fetched IPs) and then a simple Az cmd as below, which adds a security restriction to the same web app.
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroupName -WebAppName $WebAppName -Name "subnet rule" -Priority 301 -Action Allow -SubnetName $subnetName -VirtualNetworkName $VnetName
That way both are in place :D
Recently, I have been putting a plugin on my WordPress website to send me notifications about updates and logins.
There is a feature letting me know that people try to log in as "Admin" and fail.
The thing is that all the IP addresses look a little bit the same, and I have the possibility to block ranges of IP addresses.
I do not know how to spot patterns in IP addresses and wanted to know if anybody could tell me if there is a safe range to block from these addresses:
62.4.15.127
52.24.167.223
13.59.51.48
54.86.170.240
54.234.166.220
52.206.230.218
52.91.211.57
34.216.71.59
54.209.218.2
52.43.164.197
18.217.58.26
54.191.89.133
54.173.164.232
18.217.57.212
54.245.186.15
35.165.212.204
54.186.111.14
34.205.63.12
52.71.44.114
52.87.237.129
There is no clear pattern in those IP addresses. Some of them are from Amazon Web Services, others from other hosts. You can look up where an IP address is from using IP lookup tools (google "IP lookup tools"). One such site currently is: https://www.iplocation.net
As for patterns, you want to learn about IP subnets and IP CIDR notation. The simplest pattern is looking at the third block of 1.2.3.4, i.e. number 3: if 1, 2 and 3 are the same, they generally belong to the same subnet class. If number 3 is similar and 1 and 2 are the same, they may belong to the same CIDR block. When 1, 2 and 3 are all different, they belong to separate subnets. DigitalOcean has a site with more details at https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking
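The "are the first one, two or three numbers the same?" test from the answer, applied with real CIDR arithmetic to the twenty addresses the question lists, as an added example in Python (not part of either post). It buckets the addresses by /8, /16 and /24, and for every bucket that holds more than one attacker it computes the smallest CIDR block a blanket ban would need and how many addresses that block contains, which is the collateral damage of blocking "the range". The address list is copied from the question; nothing else is assumed.

```python
import ipaddress
from collections import defaultdict

# The twenty failed-login source addresses listed in the question.
FAILED_LOGIN_IPS = [
    "62.4.15.127", "52.24.167.223", "13.59.51.48", "54.86.170.240",
    "54.234.166.220", "52.206.230.218", "52.91.211.57", "34.216.71.59",
    "54.209.218.2", "52.43.164.197", "18.217.58.26", "54.191.89.133",
    "54.173.164.232", "18.217.57.212", "54.245.186.15", "35.165.212.204",
    "54.186.111.14", "34.205.63.12", "52.71.44.114", "52.87.237.129",
]

def group_by_prefix(ips, prefix_len):
    """Bucket addresses by their leading prefix_len bits.

    prefix_len=8 groups on the first number, 16 on the first two, 24 on
    the first three: the eyeball test from the answer, done exactly.
    """
    buckets = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        buckets[net].append(ipaddress.ip_address(ip))
    return dict(buckets)

def smallest_covering_block(ips):
    """Smallest single CIDR block that contains every address in ips.

    Start at a /32 on the first address and widen the prefix one bit at
    a time until all the others fall inside. A 'block this range' rule
    needs at least this block, so its size is what the rule would hit.
    """
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{addrs[0]}/{plen}", strict=False)
        if all(a in net for a in addrs):
            return net
    raise AssertionError("0.0.0.0/0 contains every IPv4 address")

def blocking_cost(ips, prefix_len):
    """For each bucket holding two or more listed addresses: how many
    attackers it holds, the block you would have to ban, and the number
    of addresses that ban covers."""
    report = {}
    for net, members in group_by_prefix(ips, prefix_len).items():
        if len(members) >= 2:
            block = smallest_covering_block([str(m) for m in members])
            report[str(net)] = (len(members), str(block), block.num_addresses)
    return report

if __name__ == "__main__":
    for plen in (8, 16, 24):
        groups = group_by_prefix(FAILED_LOGIN_IPS, plen)
        print(f"/{plen}: {len(groups)} distinct prefixes for {len(FAILED_LOGIN_IPS)} addresses")
    for net, (n, block, size) in blocking_cost(FAILED_LOGIN_IPS, 8).items():
        print(f"{net}: {n} attackers, banning {block} = {size:,} addresses")
    whole = smallest_covering_block(FAILED_LOGIN_IPS)
    print(f"one block covering all of them: {whole} = {whole.num_addresses:,} addresses")
```

Running it shows the point of the answer in numbers: at /24 all twenty addresses are distinct, at /16 only the two 18.217.x.x entries share a prefix (covered by 18.217.56.0/22, 1,024 addresses), and the seven 54.x.x.x entries can only be covered by the whole of 54.0.0.0/8, over sixteen million addresses belonging to a cloud provider's many tenants. Banning by range here mostly blocks innocent hosts; a lockout after a few failed attempts on the "admin" username, or removing that username altogether, targets the behaviour rather than the address.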
I asked a client to send me the IP address of all of their locations so that I could block them from analytics.
Most of them are what I know as normal: 0.00.000.000
but some of them are coming in kind of like this: 2001:500:f000:100:7000:40d0:3000:400c
They are all going to Google and typing "what's my IP address" and sending me the results. Is the second example an IP address I can exclude? Do I need to convert it somehow?
Those are IPv6 addresses. What you're looking at inside the usual xxx.xxx.xxx.xxx format is IPv4.
These two formats of addressing are entirely incompatible with one another. They cannot be "converted"; however, when dealing with application layer systems they should/usually work in almost exactly the same way, i.e. if you were to ban an IPv6 address, it would work in the same way as banning an IPv4 address.
There's a plethora of documentation available online about IPv6, and it's probably a bit out of scope for this site, so I hope that helps you figure it all out! Even if it is just a single piece of your puzzle :)
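What "it works the same way" looks like when you actually build the exclusion list, as an added Python example (not part of the question or answer). Addresses people paste from a search result come in different spellings, so the example normalises IPv4 and IPv6 literals with one call, shows that an ordinary IPv6 address has no IPv4 form to convert to, and derives the network to exclude. The sample inputs are constructed (the question's IPv6 address, the same address in upper case with zero-padded groups, and an RFC 5737 documentation IPv4 address); the choice to exclude a whole /64 for IPv6 rests on an assumption about how the client's ISP assigns addresses, stated in the code.

```python
import ipaddress

# Constructed inputs imitating what people paste after googling
# "what's my IP address": the IPv6 address from the question, the same
# address spelled with upper case and zero-padded groups, an IPv4
# address from the RFC 5737 documentation range, and stray whitespace.
PASTED = [
    "2001:500:f000:100:7000:40d0:3000:400c",
    "2001:0500:F000:0100:7000:40D0:3000:400C",
    "203.0.113.45",
    "  203.0.113.45 ",
]

def normalize(text):
    """Return (version, canonical text) for an IPv4 or IPv6 literal.

    ipaddress.ip_address accepts both families with one call. Canonical
    IPv6 is lower case, drops leading zeros in each group and compresses
    the longest run of zero groups to '::', so two spellings of the same
    address compare equal; anything malformed raises ValueError.
    """
    addr = ipaddress.ip_address(text.strip())
    return addr.version, str(addr)

def build_exclusions(texts):
    """One entry per real address, keyed by canonical text."""
    exclusions = {}
    for text in texts:
        version, canon = normalize(text)
        exclusions[canon] = version
    return exclusions

def embedded_ipv4(text):
    """There is no conversion between the families. The one exception is
    the IPv4-mapped form ::ffff:a.b.c.d, which carries an IPv4 address in
    its low 32 bits; for an ordinary IPv6 address this returns None."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 4:
        return addr
    return addr.ipv4_mapped

def exclusion_network(text, v6_prefix=64):
    """Network to exclude for one reported address.

    IPv4: the single host (/32). IPv6: the whole /64, because (an
    assumption about the client's ISP, not something the post states)
    a site is usually handed a /64 and hosts inside it rotate their low
    64 bits over time, so excluding a single /128 would miss later visits.
    """
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 4:
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{v6_prefix}", strict=False)

if __name__ == "__main__":
    for canon, version in build_exclusions(PASTED).items():
        print(f"IPv{version}: {canon} -> exclude {exclusion_network(canon)}")
    print("IPv4 inside ::ffff:203.0.113.45:", embedded_ipv4("::ffff:203.0.113.45"))
    print("IPv4 inside the question's address:", embedded_ipv4(PASTED[0]))
```

The four pasted strings collapse to two real addresses, which is the check worth doing before typing them into a filter: a filter keyed on the upper-case spelling would never match the lower-case form the server logs.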
Is it possible for someone to track a dynamic IP address? If so, what would it take and how would it manifest?
Would the person doing so be able to log every change in your IP range and eventually end up with the whole set of IPs you are able to have?
Is it possible to make my dynamic IP change in a different pattern, say in a more extreme way, making it harder for someone to trace it as described above? Is it possible to encrypt it somehow, and also all other information such as hardware MACs / Inet MACs etc., everything?
The answer is yes and no.
In most cases only your service provider (and law enforcement) will have a log of all the IPs you had and the start/end times of each lease. You basically can't do anything to prevent this, because they need to be able to identify you as their customer with a valid contract. This is usually done via the MAC address of the CPE equipment you get from the service provider or by some login credentials (for PPPoE, for example). There is no such thing as encrypting the IP, and changing your MAC address would not prevent the service provider from identifying you. For someone else there is no reliable way to track you. The closest thing they can find is the scope (or scopes) from which dynamic IP addresses are issued.
On the other hand, when you mix technology and psychology, every one of us leaves a unique fingerprint when browsing the web. If you examine the combination of software someone uses, their traffic patterns (amount of traffic, sites they visit, activity during the day), their behavior and style of writing, etc., you can not just link them to some IP address but make a distinction between different users behind the same IP address. Anyway, collecting this data is really hard, which makes it improbable, especially if we are talking about ordinary internet users.
I am trying to find the proper way of accomplishing the following.
I would like to provide 2Gb/s access for clients accessing a fileserver guest VM on an ESXi server, which itself accesses the datastore over iSCSI. Therefore the ESXi server needs a 2Gbps connection to the NAS. I would also like to provide 2Gbps directly on the NAS.
It looks like there are three technologies which can help: link aggregation (802.3ad, LAG, trunk), Multipath I/O (MPIO), and iSCSI Multiple Connections per Session (MC/S).
However, each has its own purpose and drawbacks. Aggregation provides 2Gbps total, but a single connection (I think it's based on source/destination MAC address) can only get 1Gbps, which is useless (I think, for iSCSI for example, which is a single stream). MPIO seems a good option for iSCSI as it balances any traffic over two connections; however, it seems to require 2 IPs on the source and 2 IPs on the destination. I am unsure about MC/S.
Here is what I would like to achieve; however, I am not sure of the technology to employ on each pair of 1Gbps NICs.
I also think this design is flawed because doing link aggregation between the NAS and the switch would prevent me from using MPIO on the ESX host, as it also requires 2 IPs on the NAS and I think link aggregation will give me a single IP.
Maybe using MC/S instead of MPIO would work?
Here is a diagram:
If you want to achieve 2Gbps to a VM in ESX, it is possible using MPIO & iSCSI, but as you say you will need two adapters on the ESX host and two on the NAS. The drawback is that your NAS will need to support multiple connections from the same initiator; not all of them do. The path policy will need to be set to round-robin so you can use active-active connections. In order to get ESX to use both paths at close to 50% each, you will need to adjust the round-robin balancing mode to switch paths every 1 IOPS instead of 1000. You can do this by SSHing to the host and using esxcli (if you need full instructions on how to do that I can provide them).
After this you should be able to run IOMeter on a VM and see the data rate at over 1Gbps: maybe 150MB/s with a 1500 MTU, and if you are using jumbo frames then you will get around 200MB/s.
On another note (which might prove useful to your setups in the future), it is possible to achieve 2Gbps with two adapters on the source and a bonded adapter on the NAS (so 2 → 1) when using the MPIO iSCSI initiator that comes with Server 2008. This initiator works slightly differently to VMware's and doesn't require your NAS to support many connections from one initiator; from what I can tell it spawns multiple initiators instead of sessions.
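Why the "switch every 1 IOPS instead of 1000" advice matters is easier to see with a small model of the path selection the answer describes, added here as a Python example; it is not VMware code and it simplifies the real policy (no queue depth, no in-flight I/O, one I/O at a time). An initiator with two paths sends each I/O down the current path and moves to the next path after iops_limit I/Os; the 1000 default and the 1 recommendation are the values stated in the answer, and the burst lengths are constructed.

```python
# Toy model of round-robin path selection with an I/O-count switch
# threshold (added example, not VMware code). Two paths, one I/O at a
# time; after iops_limit I/Os on a path the initiator moves to the next.

def path_schedule(total_ios, paths=2, iops_limit=1000):
    """Index of the path each I/O in a burst of total_ios goes out on."""
    schedule = []
    current, sent_on_current = 0, 0
    for _ in range(total_ios):
        schedule.append(current)
        sent_on_current += 1
        if sent_on_current >= iops_limit:
            current = (current + 1) % paths
            sent_on_current = 0
    return schedule

def per_path_counts(schedule, paths=2):
    """Total I/Os carried by each path over the whole burst."""
    counts = [0] * paths
    for path in schedule:
        counts[path] += 1
    return counts

def min_active_paths(schedule, window):
    """Fewest distinct paths in use during any window of `window`
    consecutive I/Os. 1 means some stretch of the stream ran over a
    single link, and that stretch is what a throughput meter reads as
    one link's worth (1Gbps here) no matter how balanced the totals are."""
    return min(len(set(schedule[i:i + window]))
               for i in range(0, len(schedule), window))

if __name__ == "__main__":
    for limit in (1000, 1):
        sched = path_schedule(4000, iops_limit=limit)
        print(f"iops_limit={limit}: totals per path {per_path_counts(sched)}, "
              f"fewest paths active in any 500-I/O window: "
              f"{min_active_paths(sched, 500)}")
```

With the default threshold the per-path totals over a long burst look perfectly balanced (2000/2000), which is why the problem hides behind averages; the per-window view shows that a single sequential stream sits on one link for a thousand I/Os at a stretch, so a short benchmark never sees more than one link's bandwidth. With the threshold at 1 both links are active in every window.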