Can I tell how an IP address is hitting my website? - wordpress

My website's bandwidth usage has increased hugely in the last few months; the odd thing is, it's from my own IP address. I've had 16,000 hits in one month from my own IP address. I have no idea why.
Is it possible to monitor why this is happening?
For additional info, it's a new WordPress site with good security measures, including server side.
Are there any simple reasons this could be happening that I can monitor?

You can install the following two plugins:
All In One WP Security
WP Cerber
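The plugins above will show you a dashboard, but the raw answer to "what is my own IP doing?" is already in the web server's access log. The following is an added example, not code from the original question or answer: it parses Apache/Nginx combined-format log lines, reports which client IPs generate the most hits, and then profiles one IP by path and user agent. The log lines are constructed for the example (203.0.113.10 stands in for the site owner's own address; the repeated wp-cron.php requests with a WordPress user agent show what the site's own loopback requests look like, since WordPress triggers wp-cron by requesting its own URL) and are not captured from any real site.

```python
import re
from collections import Counter

# Apache/Nginx "combined" log format, as written by most WordPress hosts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines, not real traffic. 203.0.113.10 plays the role of
# "my own IP"; the wp-cron.php requests carry the user agent WordPress uses
# when the site calls itself.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.3; https://example.com"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.3; https://example.com"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:57:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:58:40 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/6.3; https://example.com"
this line is garbage and must be skipped
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def top_clients(text, n=5):
    """Which IPs generate the most requests (step one: confirm it really is your own IP)."""
    return Counter(rec["ip"] for rec in parse_log(text)).most_common(n)


def profile_ip(text, ip):
    """What a single client IP requests: hit count, bytes served, top paths and user agents."""
    hits = 0
    bytes_out = 0
    paths = Counter()
    agents = Counter()
    for rec in parse_log(text):
        if rec["ip"] != ip:
            continue
        hits += 1
        if rec["bytes"].isdigit():
            bytes_out += int(rec["bytes"])
        # Drop the query string so /wp-cron.php?doing_wp_cron groups as one path.
        paths[rec["path"].split("?", 1)[0]] += 1
        agents[rec["agent"]] += 1
    return {
        "hits": hits,
        "bytes": bytes_out,
        "paths": paths.most_common(),
        "agents": agents.most_common(),
    }


if __name__ == "__main__":
    print(top_clients(SAMPLE_LOG))
    print(profile_ip(SAMPLE_LOG, "203.0.113.10"))
```

Run it against the real file (for example `profile_ip(open("/var/log/apache2/access.log").read(), "<your IP>")`). If most of the hits are a WordPress user agent requesting wp-cron.php, the traffic is the site calling itself rather than a visitor; if they are browser user agents on wp-admin pages, it is simply your own editing sessions.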


How to create an IP whitelist to avoid false positives?

To avoid false positives, how can we create a whitelist of IPs or IP ranges? I tried to create an IP whitelist by resolving the IPs of the whitelisted domains. Do you guys have any idea?
The question is not completely clear to me. I don't understand exactly why you need an IP whitelist, but as far as I know it's better to have an IP block/blacklist rather than a whitelist.
It might be the case that the IP address w.x.y.z is clean today and somehow someone hacks the server tomorrow and serves malicious content. So the IP is not clean anymore!
Having a daily IP blocklist is better since there are lots of services out there which serve such lists (for different types of abuse like spam, malware and phishing) and you can use them on a daily basis.
If you have access to enterprise firewall/proxy logs or PCAP data, you can extract the traffic from that environment, do DNS resolution to get the IPs, sort the output from most hits to lowest, then grab the top N ones, as they would probably be commonly used hosts like Google, YouTube, Facebook etc.
The problem with this approach is that reputation is fleeting: I've seen malware on Google Drive, Dropbox, Discord, Onedrive, Pastebin and also Github. Reputation is only as good as the hosting company is to remove malware from their sites. Some are fast to take down malware after reports, some are not.
You can also use statistical ranking data like Alexa to resolve FQDNs into IPs, just be aware that ranking does not equate to morality/acceptable use policy as there are plenty of torrent and porn sites listed on Alexa that you may not want to allow to fly under the radar on your corporate network.
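The "rank hosts from proxy logs, take the top N, then keep the blocklist in the loop" procedure from the answer above, as an added example that is not part of the original answer. It reads squid-style access.log lines, ranks destination hosts, and drops any candidate whose name or resolved IP appears on that day's blocklist. One refinement beyond the answer: hosts are ranked by the number of distinct clients first and raw hits second, because one machine hammering a single host is a weaker whitelist signal than many machines using it. The log lines, the blocklist and the DNS table are all constructed so the example runs offline; in production the `resolve` argument would be a real resolver (for example dnspython's `dns.resolver.resolve(name, "A")`).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed squid-style access.log lines, not real traffic. Field order:
# timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_PROXY_LOG = """\
1696946136.123 245 10.1.2.3 TCP_MISS/200 4321 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1696946137.456 120 10.1.2.4 TCP_HIT/200 1234 GET http://www.example.com/logo.png - NONE/- image/png
1696946138.789 300 10.1.2.5 TCP_MISS/200 9876 GET http://cdn.example.net/app.js - HIER_DIRECT/198.51.100.20 application/javascript
1696946139.012 80 10.1.2.3 TCP_MISS/200 555 GET http://cdn.example.net/style.css - HIER_DIRECT/198.51.100.20 text/css
1696946140.345 90 10.1.2.3 TCP_MISS/200 777 CONNECT files.example.org:443 - HIER_DIRECT/203.0.113.30 -
1696946141.678 90 10.1.2.3 TCP_MISS/200 777 CONNECT files.example.org:443 - HIER_DIRECT/203.0.113.30 -
1696946142.901 90 10.1.2.3 TCP_MISS/200 777 CONNECT files.example.org:443 - HIER_DIRECT/203.0.113.30 -
1696946143.234 60 10.1.2.6 TCP_MISS/200 222 GET http://www.example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""

# Constructed stand-in for a daily downloaded blocklist (names and IPs mixed).
SAMPLE_BLOCKLIST = {"files.example.org", "203.0.113.30"}

# Constructed stand-in for DNS so the example runs offline.
SAMPLE_DNS = {
    "www.example.com": ["192.0.2.10"],
    "cdn.example.net": ["198.51.100.20"],
    "files.example.org": ["203.0.113.30"],
}


def host_of(url):
    """Hostname from a proxy-log URL; CONNECT lines carry a bare host:port."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname


def rank_hosts(log_text):
    """Return [(host, hits, distinct_clients)] sorted by clients, then hits."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line
        client, url = fields[2], fields[6]
        host = host_of(url)
        if not host:
            continue
        hits[host] += 1
        clients[host].add(client)
    return sorted(
        ((h, hits[h], len(clients[h])) for h in hits),
        key=lambda t: (-t[2], -t[1], t[0]),
    )


def whitelist_candidates(log_text, top_n, blocklist, resolve=SAMPLE_DNS.get):
    """Top-N hosts by usage, minus anything whose name or IP is on today's blocklist."""
    out = []
    for host, _hits, _clients in rank_hosts(log_text)[:top_n]:
        ips = resolve(host) or []
        if host in blocklist or any(ip in blocklist for ip in ips):
            continue
        out.append((host, ips))
    return out


if __name__ == "__main__":
    for row in rank_hosts(SAMPLE_PROXY_LOG):
        print(row)
    print(whitelist_candidates(SAMPLE_PROXY_LOG, 3, SAMPLE_BLOCKLIST))
```

Because the blocklist is applied at build time, the whitelist has to be regenerated whenever the blocklist is refreshed; a host that was clean when it made the top N is exactly the "clean today, hacked tomorrow" case the answer warns about.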

Website loading on some networks, but not on others

I am having an issue understanding the problem of why my site will load on some networks, but not others.
I am getting "ERR_NAME_NOT_RESOLVED" on Chrome in the following environments:
1) Office Network - This made me believe that it was a firewall issue
2) Open WiFi Network at a Coffee Shop - This made me believe that it was not a firewall issue
I am able to access the site without any issues from my home network and also when turning my phone into a hotspot.
I did some digging and was hopeful that adding an IPv6 record to my DNS would have resolved the issue (maybe those networks were pulling from IPv6), but that also did not resolve the issue.
I ended up running a test on MXToolBox.com and received these warnings back.
(screenshot: MXToolBox response)
I do not have any email setup with this domain so I am not concerned about the email record errors, but the one I can't figure out is the top one with Category: DNS and the message of "DNS Record not found". The "More Info" link says "We did not find a DNS record at the location specified. You should check with DNS provider to ensure the record has been published and there are no typos."
I have an A record pointing to the correct IP (as I am able to access it from my home and cell phone networks). I added an AAAA record for IPv6 (though not sure I fully understand why it's necessary). My A record has been added for several weeks now, so it's not a propagation issue, and my AAAA record was added a few days ago with a SOA of 10 minutes, so I do not believe it to be a propagation issue either.
I have opened this question because I'm not even sure how to google this any further as everything returned back is typically client side(Clear your cache/cookies) and not what my issue is.
My VPS is hosted by Linode.
Thanks in advance for any advice/help.

Is there any IP range for a certain country?

We are in a business where we need to block visitors from certain areas or countries. We want to show a 403 error page when a visitor comes from those areas.
Now what we can do is, on every request, get the visitor's IP address and get the country name for that IP using a third-party service like Telize or ipapi.co, and if it is from that country, stop and show the error page.
But the problem is, it will check for all other visitors too, and if we do a curl on every request, it will definitely slow down our website.
Is there any way we can get the country name from IP address without using any third-party service or curl request or anything that will not slow down our website?
We are using PHP & Symfony 3 framework on a VPS, and speed and performance are very important for us, in case it helps you.
At this moment we want to block visitors from Cameroon; is there any range of IPs assigned to Cameroon?
You can use the Maxmind GeoIP library for php.
The idea is that you download a database (which is just a file) containing geographical information for all the IPs in the world. Since the database is on your server, and you call it using the library, it won't slow down your server. Actually, getting the country code from an IP is so fast the performance impact will be negligible.
The database is updated regularly, so you can periodically re-download it to stay up-to-date. You can get details about the downloadable databases here.
You may generate the htaccess deny file for Cameroon IP ranges at https://www.ip2location.com/free/visitor-blocker, and block them at htaccess level, which will be much faster.
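What both answers rely on is the same mechanism: a local table of network ranges with a country code per range, so that the per-request cost is a lookup in memory rather than an HTTP call. The following is an added example, not code from either answer or from MaxMind or IP2Location: it loads a CSV in the shape those vendors ship (network, country code), builds a sorted table per IP version, and answers "which country, and should this request get a 403?" with a binary search. The ranges below are documentation networks with made-up country codes, constructed only so the example runs offline; they are not real Cameroon allocations, and a real deployment loads the vendor's downloaded file instead.

```python
import bisect
import ipaddress

# Constructed rows in the shape of a downloaded geolocation CSV. The networks
# are documentation ranges (RFC 5737 / RFC 3849) and the country codes are
# invented for the example; they are NOT real country allocations.
SAMPLE_GEO_CSV = """\
network,country_iso_code
192.0.2.0/24,CM
198.51.100.0/24,FR
203.0.113.0/25,CM
203.0.113.128/25,US
2001:db8::/32,CM
"""


def build_index(csv_text):
    """Parse rows into per-IP-version tables: (sorted range starts, [(start, end, cc)])."""
    tables = {4: [], 6: []}
    for line in csv_text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        cidr, cc = line.split(",")
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        first = int(net.network_address)
        last = int(net.broadcast_address)
        tables[net.version].append((first, last, cc.strip()))
    for v in tables:
        tables[v].sort()
    return {v: ([t[0] for t in tab], tab) for v, tab in tables.items()}


def country_of(index, ip_str):
    """Country code for ip_str, or None when no range in the table covers it."""
    ip = ipaddress.ip_address(ip_str)
    starts, table = index[ip.version]
    i = bisect.bisect_right(starts, int(ip)) - 1  # last range starting at or before ip
    if i >= 0 and table[i][0] <= int(ip) <= table[i][1]:
        return table[i][2]
    return None


BLOCKED_COUNTRIES = {"CM"}  # the country the question wants to block


def should_block(index, ip_str, blocked=BLOCKED_COUNTRIES):
    """Decide on a 403 from the local table alone; no network call per request."""
    return country_of(index, ip_str) in blocked


if __name__ == "__main__":
    idx = build_index(SAMPLE_GEO_CSV)
    for probe in ("192.0.2.77", "198.51.100.9", "203.0.113.200", "10.0.0.1", "2001:db8::1"):
        print(probe, country_of(idx, probe), "block" if should_block(idx, probe) else "allow")
```

Two practical points when wiring this into the Symfony request cycle: build the index once at boot (or cache it), not per request, and make sure the address you look up is the real client address rather than that of a reverse proxy or CDN in front of the VPS, otherwise every visitor appears to come from the proxy's country.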

SMTP load issues?

I'm in the process of making a new ASP.NET MVC and I'm just curious if I need to choose a SMTP provider carefully. I'm thinking of launching on Azure or Amazon and possibly using one of their SMTP solutions. But if I don't go cloud, I'm wondering how much of an issue SMTP load is?
Is it not an issue at all? I.E if I have say 10 emails going out every minute, do I need a SMTP server with a certain capacity, queuing e.t.c?
Thanks
10 emails per min (or even 100 per min) is likely a non-issue for a run of the mill SMTP server to handle.
However, there are good reasons for going with an SMTP forwarding solution. (I've used the dyndns SMTP relay solution to great effect.)
Essentially, your concern will be deliverability. It's quite easy to slap together an email server that can reach 80% of your targets; it gets a bit more complicated to get a 99.9999% solution for deliveries.
There are lots of little things: Has the originating IP been blacklisted on any of the RBL sites, do you have proper reverse DNS setup on that IP, are you virus / phish scanning all your outgoing emails (failure to do so may land your IP on a blacklist, which is then tedious to clear).
In short, the $10 a month (or whatever) is a bargain when facing the nitty gritty hassles of managing your own server.
If you have on the order of 10 emails per minute, load will be a non-issue.
Deliverability may be a larger concern. If you run your own SMTP server from the Amazon cloud, you may find that the AWS IP ranges are used by some recipient servers as a negative factor when calculating the spam probability.
Whatever solution you select should provide a stable IP address ideally just for your traffic. If others send spammy emails from the same IP address, it will affect your sender reputation as well.
I have not used services such as Amazon's Simple Email Service or SendGrid (we manage SMTP servers and our sender reputation directly, with the help of Return Path), but would expect that they likely do a good job of maintaining the sender reputation of their clients.
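Two of the checks the answers above name (is the sending IP on an RBL, and does it have proper reverse DNS) can be scripted before the first message goes out. The following is an added example, not code from either answer: it builds the query name for a DNS-based blocklist zone (octets reversed for IPv4, all 32 nibbles reversed for IPv6, per RFC 5782), interprets a 127.0.0.0/8 answer as "listed", and checks forward-confirmed reverse DNS (IP to PTR name, and that name's A record back to the same IP). The resolver responses and the zone name `dnsbl.example` are constructed so the checks run offline; against real infrastructure you would pass resolver functions backed by, for example, dnspython's `dns.resolver.resolve(name, "A")` and `resolve(name, "PTR")`.

```python
import ipaddress


def dnsbl_query_name(ip_str, zone):
    """Name to look up for ip_str in a DNSBL zone.
    IPv4: octets reversed; IPv6: all 32 nibbles reversed (RFC 5782)."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


def is_listed(ip_str, zone, resolve_a):
    """True when the zone answers with an A record in 127.0.0.0/8 (the DNSBL 'listed' convention)."""
    answers = resolve_a(dnsbl_query_name(ip_str, zone))
    listed_net = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in listed_net for a in answers)


def fcrdns_ok(ip_str, resolve_ptr, resolve_a):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A must include ip."""
    names = resolve_ptr(ip_str)
    if not names:
        return False
    return any(ip_str in resolve_a(name) for name in names)


# Constructed resolver responses so the checks run offline; not real DNS data.
FAKE_PTR = {
    "203.0.113.25": ["mail.example.com"],
    "198.51.100.9": ["host.isp.example"],
}
FAKE_A = {
    "mail.example.com": ["203.0.113.25"],           # PTR round-trips: good
    "host.isp.example": ["198.51.100.99"],          # PTR points elsewhere: bad
    "9.100.51.198.dnsbl.example": ["127.0.0.2"],    # 198.51.100.9 is listed
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


def fake_a(name):
    return FAKE_A.get(name, [])


def outbound_readiness(ip_str, zone="dnsbl.example", resolve_ptr=fake_ptr, resolve_a=fake_a):
    """Both checks for one sending IP as a single report."""
    return {
        "fcrdns": fcrdns_ok(ip_str, resolve_ptr, resolve_a),
        "listed": is_listed(ip_str, zone, resolve_a),
    }


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.9"):
        print(ip, outbound_readiness(ip))
```

A sending IP that fails FCrDNS or is already listed should be swapped or delisted before any mail is queued; fixing it after the first bounce wave is the "tedious to clear" situation the first answer describes.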

Is it reliable to use the IP address to identify a user on your website?

Here is my situation. I am part of a project creating a P2P charity website, where users connect and can give money to one another. Because of the nature of the site, we know scammers are going to be rampant. We have several preventative measure ideas, and one idea that came up was tying an IP address to the user's account. The reason for this would be to be able to detect when someone from the same IP address creates several accounts.
Would this be reliable? Why, or why not? I have been googling and found many conflicting ideas on the subject. Thanks for any help you can give.
No, it is not reliable. Because:
Residential customers who aren't specifically paying for a static IP address will often see their addresses change frequently. I'm on AT&T DSL and I see my IP address change roughly twice per month on average.
People legitimately sharing an internet connection, whether they're using different workstations in the same office with a T1 line, or they're all connected to the same Wi-fi hotspot at Starbucks, will all have the same IP address.
Related to the above, people who are mobile, such as people who use laptops to connect to Wi-fi at coffee shops, airports, hotels, etc, will have a different IP address for each location they visit.
Even people who stay in one place with a static IP address can spoof your system by using a proxy server or a proxy tool like Tor. This makes IP restrictions trivial to bypass.
No.
Many connections are behind NAT (one public gateway IP address for many people), or use DHCP (frequently changed IP addresses).
An IP address is one of the worst ways of identifying a user.
There is a discussion board I am part of that bans sock puppets (that is, multiple accounts by the same user). They have no means of automatically detecting them, because there is no means of definitively identifying them. IP addresses are captured, because they can be used to help identify sock puppets, but I know that the process of identifying these is laborious, manual, and error-prone.
This is only undertaken when there is suspicion that someone is using sock puppets for malicious or disruptive purposes. In your case, there is no real answer other than careful and manual monitoring of usage habits, using the information that you gather about users to attempt to identify suspicious habits. But you also have to accept that 80% of sock puppets will go undetected, and do what you can to warn other users of the possibility.
Your bigger issue, incidentally, may be Munchausen by Internet which we were also caught by.
No, not least because:
IP Addresses can change over time, thanks to DHCP leases expiring.
People access websites from many different locations including home, work, coffee shops, etc.
When behind a NAT firewall or a proxy server, many people can share the same IP address.
Will you have many people registering who are entitled to receive money? I'd suggest a manual verification process using real people if at all possible. If nothing else, you can claim to be exercising due diligence if there's a human involved.
No: for example, any company proxy will only have one external IP address, so everyone registering from within the network will appear to have the same IP address.
Recent legal case perhaps worth reading up on : http://yro.slashdot.org/story/11/05/03/2020205/An-IP-Address-Does-Not-Point-To-a-Person-Judge-Rules
Totally unreliable...
Somebody on dial-up will have a different IP address every time they "dial-up".
DSL users will have a different IP address every time they reset or reconnect their account unless they pay for a static IP.
Many users on a particular LAN will be sharing one public IP address.
A particular user can login from home, work, public hotspot and have a different IP from each location.
I do development for an ASP service, and we have recently gone through a required 3rd party security audit to obtain status allowing us to host data for a certain government agency. So if I may share some of the information I gleaned during the trainings, perhaps it would help.
First, IP addresses can be used to assist in what you are trying to accomplish, but they are definitely not good by themselves. An example would be the wireless at McDonald's. Everyone at McDonald's is connected to the same wireless and is using the same public IP address through a NAT, which translates from a local address (i.e. 192.168.0.xxx) to a public address for all computers located behind it. The NAT keeps entries so it knows what traffic is allowed to come back into the network, and which computer it is going to.
We found that a good security measure is to use an encrypted session key that is included with all GET/POST submits. That session key contains a GUID which is a lookup to the current session. So even if someone breaks your session encryption, they still need to guess at a GUID in order to find a valid session. On top of that, by tracking IP addresses, if it changes suddenly, we can immediately invalidate the session (we also have whitelisting in case someone is load balancing multiple internet lines, which can cause the IP to change frequently). A cookie can also be used in place of the IP address tracking, as two people behind the same NAT can potentially hijack each other if they can find a way to steal the other person's session key.
Encrypted cookies are also a good way to enforce security. But make sure you are using a framework that is tried and tested, as they have already closed the known vulnerabilities for you. Believe it or not, our security company told us that .NET has emerged as one of the top secure frameworks that they know of. I almost fell out of my chair when I heard that.
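The session handling the answer above describes (a random GUID as the session lookup key, a protected token carrying it, invalidation when the client IP changes, and a whitelist for users on load-balanced multi-line links), as an added example that is not the answerer's code. One substitution is made and labelled: the token is HMAC-signed rather than encrypted, because the GUID is only unguessable, not secret, so integrity protection is what stops a forged token from reaching the session lookup. The server key and the user/IP values are constructed for the example.

```python
import hashlib
import hmac
import uuid

# Constructed key for the example; a real deployment loads it from configuration.
SERVER_KEY = b"constructed-example-key-not-for-production"


class SessionStore:
    """Server-side sessions keyed by a random GUID and bound to the client IP.

    The client receives "<guid>.<hmac-sha256 tag>". A tampered token fails the
    tag check before any lookup, and a valid token still has to name a live GUID.
    """

    def __init__(self, key=SERVER_KEY):
        self.key = key
        self.sessions = {}          # guid -> {"user": ..., "ip": ...}
        self.ip_roaming_ok = set()  # users whitelisted for IP changes (multi-line links)

    def _tag(self, guid):
        return hmac.new(self.key, guid.encode(), hashlib.sha256).hexdigest()

    def create(self, user, ip):
        """Start a session for user from ip and return the token to set as a cookie."""
        guid = str(uuid.uuid4())
        self.sessions[guid] = {"user": user, "ip": ip}
        return f"{guid}.{self._tag(guid)}"

    def validate(self, token, ip):
        """Return the user for a valid token presented from ip, else None.

        An IP change invalidates the session (possible hijack from behind the
        same NAT or elsewhere) unless the user is on the roaming whitelist.
        """
        guid, _, tag = token.rpartition(".")
        if not guid or not hmac.compare_digest(tag, self._tag(guid)):
            return None
        sess = self.sessions.get(guid)
        if sess is None:
            return None
        if sess["ip"] != ip and sess["user"] not in self.ip_roaming_ok:
            del self.sessions[guid]
            return None
        return sess["user"]


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", "203.0.113.5")
    print(store.validate(token, "203.0.113.5"))   # alice
    print(store.validate(token, "198.51.100.7"))  # None, and the session is gone
```

Note what the IP binding does and does not buy: it cuts off a stolen token replayed from a different address, but two users behind the same NAT present the same address, so the unguessable token, not the IP, is what keeps them apart.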
Personally I don't think it'll be reliable.
The main reason will be for those using a shared IP. That includes most users connecting from inside a business and home users connecting through the same Wi-Fi hub.
It's more than likely for multiple users to be coming to your site with the same IP address.
Adding to that the fact that IP addresses change over time and you're already losing track of your users.
It's also worth remembering that oftentimes multiple users will be using the same physical computer. Are you wanting to have only one member of a household able to signup etc?
It could be somewhat useful as part of a defense-in-depth approach, but I wouldn't call it "reliable".
If you want to identify users, you can use a cookie. One solution uses a combination of cookies, local storage, flash, and other state information that can be stored in a browser: http://samy.pl/evercookie/
Nothing is 100% reliable. These cookies can be erased by a determined user, or in some browsers with one click. Ultimately, in many countries outside of the USA, a user has the right not to be tracked.
As an alternative for the future: New Intel® Business Processors Deliver Leading Security, Manageability and Performance
As long as the connection between the browser and the CPU isn't intervened with, which I believe there is more risk of with a browser than a desktop application.
