I want to create a new protocol on top of TCP/IP.
I want this protocol to allow or disallow sending a file to computers on the network.
For example, if a computer tries to send a file 'a.exe' to another computer, my protocol can alert the user on the 2nd computer, and if the user accepts, then the copy goes ahead.
How can I create a protocol?
Best regards
A new protocol won't help; they could just use another protocol, e.g. FTP, or rename the file to something innocuous. What you want to do is implement a firewall.
Every time I purchase an IoT device (smart lock, bell, plug, etc.), there usually is also a way to use it by going to http://192.168.1.x, but there NEVER seems to be a way to communicate with it securely using HTTPS. Is this a big problem for HTTPS? Is there a solution for this? I don't want someone on my network to look at what I am sending to my device over HTTP, but I can't use HTTPS either. What can I do?
I know that TLS certificates require a hostname to verify authenticity, but these IoT devices only tell me to open the control panel using HTTP and a local IP. Does that mean all my communication with my smart device is in plain text and open for everyone to read?
Does that mean all my communication with my smart device is in plain text ...
If it is plain HTTP then yes.
... and open for everyone to read?
If everybody can read the communication inside your local network then yes. Fortunately, in most local networks this is not the case. For example, if you have your own WLAN which is properly secured with WPA2 and a strong password, then only those who know this password can access the local network - but these would then be able to sniff the traffic to the IoT device.
... but there NEVER seems to be a way to communicate it using HTTPS securely.
This depends on the actual device, i.e. some might offer HTTPS but many still don't. If this is a problem for you because your network is open to potential attackers, then you had better put these devices in a separate network that only you have access to.
I'm writing a client/server program which needs to create a secure network pipe between two machines, identifying them both using certificates. The SSH protocol seems like a perfect match for this - its built-in security, support for authenticating both sides, and maturity being big plusses. It can also multiplex connections by using one open connection to connect many generic ports.
The idea is to create an always-on connection (these programs have a dedicated line between the client and server), and to open a port whenever I need one. Can the SSH protocol be used this way? How would I go about incorporating libssh into my programs to support that?
You can do that using libssh. You create an SSH session, and for each port you can open a channel for port forwarding. See
http://api.libssh.org/stable/libssh_tutor_forwarding.html
You can even try out this kind of functionality with OpenSSH's -M/ControlMaster function.
Both libssh and libssh2 support this functionality.
A little nit: SSH doesn't use certificates, it uses private/public keys.
Suppose that I have a server and the clients are connected to the server. The server is accessible through a public ip.
I would like to "forward" the connection so that the clients would be directly connected to each other without the server in the middle.
I do not know if this is possible at all and I myself couldn't find a way to do it.
Other assumptions:
neither client has a public IP, both clients are behind a NAT
there can be more connections initiated if necessary
I am looking for a strictly software solution, without the need to reconfigure router, open ports, etc. etc.
The reason I would like to achieve this is to reduce the load on the server. Once two clients are associated together there is no real need (except a technical one) to continue using the server as a sort of proxy. A direct client connection would also reduce the latency of the connection.
Take a look at http://en.wikipedia.org/wiki/UDP_hole_punching. If neither machine has a public IP, and you can't open ports, and you don't want all data to pass through the server, this is probably the only other potential option. If this wouldn't work for you, you're likely stuck with all data going through the server. If you can set up port forwarding, that would make for a better solution, then just use the server to exchange IP and port information (as it exists at the time the connection is established).
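The exchange that UDP hole punching relies on, as an added example that is not part of the original answer: a rendezvous server records the endpoint it sees each client coming from and hands it to the other client, and each client then sends directly to that endpoint. Everything here runs on loopback, so no NAT is involved and only the signalling and the punch itself are exercised; the message formats (REGISTER, PEER, HELLO) are constructed for this demo.

```python
import socket
import threading

def rendezvous_server(sock, expected=2):
    """Collect registrations, then give each client the other's server-observed endpoint."""
    peers = []
    while len(peers) < expected:
        data, addr = sock.recvfrom(64)
        if data == b"REGISTER" and addr not in peers:
            peers.append(addr)
    for i, addr in enumerate(peers):
        other = peers[1 - i]
        sock.sendto(f"PEER {other[0]} {other[1]}".encode(), addr)
    return peers

def punch_client(sock, server_addr, name):
    """Register, learn the peer endpoint, punch it, return the first message from the peer."""
    sock.sendto(b"REGISTER", server_addr)
    peer, early = None, []  # early: peer packets that arrive before the PEER message
    while True:
        data, addr = sock.recvfrom(128)
        if addr == server_addr and data.startswith(b"PEER "):
            _, ip, port = data.decode().split()
            peer = (ip, int(port))
            for _ in range(3):  # repeat: a real NAT drops the first inbound packet
                sock.sendto(f"HELLO from {name}".encode(), peer)
            hits = [d for d, a in early if a == peer]
            if hits:
                return hits[0].decode()
        elif peer is None:
            early.append((data, addr))
        elif addr == peer:
            return data.decode()

def demo():
    """Server plus two clients on loopback (no NAT, so only the exchange is exercised)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    server_addr, results = srv.getsockname(), {}
    def client(name):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("127.0.0.1", 0))
            s.settimeout(5)
            results[name] = punch_client(s, server_addr, name)
    threads = [threading.Thread(target=client, args=(n,)) for n in ("A", "B")]
    for t in threads: t.start()
    peers = rendezvous_server(srv)
    for t in threads: t.join()
    srv.close()
    return results, peers
```

Behind real NATs the server-observed endpoints differ from the clients' private addresses, which is exactly why the clients cannot simply tell each other their own IP and port.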
A short answer is: it is not possible.
One of the main problems is that routers do not know where to redirect the request from the server (or other client). Just a case: you have a router which has multiple devices (computer, cell phone...) behind it. It gets a request and does not know who wants to get the request.
There is a workaround for that, but it is not reliable (it does not always work). Some companies use it if possible, but they always have an alternative (like communication over the server) if it fails. It is called NAT punching. More details here: http://en.wikipedia.org/wiki/TCP_hole_punching
I do not know for which reason you need it. If you need it for a client-server connection you can use something like long polling, callbacks....
Otherwise you need to set the router, or take the route over the server.
You can do two things. One is hole punching: http://en.wikipedia.org/wiki/TCP_hole_punching
This will allow you to respond to your clients who are behind NAT (you can configure your clients to send their private IP and the port number used by NAT to reply to them).
The other thing you can do is to make a peer-to-peer network as done by Skype, make one of the clients a relay, and keep track of active relays and update them periodically. (See http://en.wikipedia.org/wiki/Skype_protocol )
So now your server just has to act as a proxy and as an admin which manages all connections, but the least amount of info passes through it.
I hope this helps.
Some home routers support UPnP and can be instructed to open a certain port and forward it to a certain client on the LAN.
You can use upnpc on GNU/Linux to open ports on the router. It also has a library to do it from C code (but it's not very well documented).
However this method might not work on all home devices, so in that case see the other answers.
I have two applications of my own, in C++ and Java: a server and a client. Both are in one LAN and can transfer data via a specified port. I want to make it possible for the client to find the IP of the server. But how?
Enumerating all possible IPs within the address mask is a bad idea; it will take a lot of time. Maybe there is some way where I can send a broadcast to the LAN from the client and receive it in the server? Or another way... I can't find information about this, but I think it is possible, because I see it in MyPhoneExplorer on Android, for example.
Why not use UDP broadcast?
The client can UDP broadcast "I am at x.x.x.x", and the server can answer (in UDP) to the client, "I am at y.y.y.y".
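The probe/offer exchange from this answer, as an added example that is not part of the original answer: the client broadcasts a probe on a discovery port, and the server answers with the TCP port it serves on; the client gets the server's IP from the reply's source address, so nothing needs to be enumerated. The message formats (MYAPP-DISCOVER, MYAPP-OFFER) are constructed for this demo, and the demo points the probe at loopback instead of the LAN broadcast address so it runs offline.

```python
import socket
import threading

PROBE = b"MYAPP-DISCOVER"   # constructed message formats for this example
OFFER = b"MYAPP-OFFER "     # followed by the server's TCP service port

def serve_discovery(sock, service_port, stop):
    """Server side: answer every valid probe with our service port.
    The client learns our IP from the reply's source address."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(64)
        except socket.timeout:
            continue
        if data == PROBE:
            sock.sendto(OFFER + str(service_port).encode(), addr)

def find_server(discovery_port, target="255.255.255.255", timeout=2.0):
    """Client side: send one probe and return (ip, port) of the first
    well-formed offer, or None. `target` is the LAN broadcast address;
    the demo overrides it with loopback."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.sendto(PROBE, (target, discovery_port))
        try:
            while True:
                data, addr = sock.recvfrom(64)
                if data.startswith(OFFER) and data[len(OFFER):].isdigit():
                    # Discovery is unauthenticated: any host on the LAN could
                    # reply, so the TCP session that follows must still
                    # authenticate the server (e.g. TLS) before trusting it.
                    return addr[0], int(data[len(OFFER):])
        except socket.timeout:
            return None

def demo(service_port=8000):
    """Run the responder on loopback and discover it; returns (ip, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    stop = threading.Event()
    t = threading.Thread(target=serve_discovery, args=(srv, service_port, stop))
    t.start()
    try:
        return find_server(srv.getsockname()[1], target="127.0.0.1")
    finally:
        stop.set()
        t.join()
        srv.close()
```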
Maybe you can use the broadcast address to find your server.
We have a testing scenario which needs to tamper with the source IP address of an HTTP request to simulate clients coming from different countries. Do you know any tool that helps with this?
Last but not least, our web site is built with ASP.NET.
Thanks.
In a test environment it usually isn't difficult. First read this SO question about virtual network interfaces.
If the server and client are on the same machine, all you have to do is figure out how to get your client software to bind to your virtual interface.
wget, for instance, has the --bind-address option to specify which local address to bind to. Web browsers are a bit more difficult to do this with; you may need to just run them in a VM.
If your server and client are on the same LAN, you just need to configure your router with some static routes to your client machine. In this case you probably don't need a virtual network interface, just set a static IP for your client machine; as long as the gateway is set up correctly it should be able to send packets to the server, and as long as the route is set up correctly the replies should find their way back to the client.
If the client and server are separated by the internet, it's rather more difficult. One option is to set up a network tunnel endpoint on the server and tunnel it to the client machine, which "knows" that it has the virtual network interface.
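The bind-to-a-local-address approach from this answer, as an added example that is not part of the original answer: a stand-in web server reports the source IP it sees, and a client makes the same request bound to different local addresses (what wget --bind-address does). It assumes Linux, where the whole of 127.0.0.0/8 is routed to lo, so 127.0.0.2 works as a second source address without configuring a virtual interface; an address on a real virtual interface or alias would be used the same way.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoPeerHandler(BaseHTTPRequestHandler):
    """Stand-in for the site under test: replies with the source IP it sees."""
    def do_GET(self):
        body = self.client_address[0].encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def source_seen_by_server(server_addr, bind_ip):
    """Make one request with the client socket bound to `bind_ip` and return
    the source IP the server reported. Replies only come back because the
    bound address is routable from the server; a forged address would not be."""
    conn = http.client.HTTPConnection(*server_addr, timeout=5,
                                      source_address=(bind_ip, 0))
    try:
        conn.request("GET", "/")
        return conn.getresponse().read().decode()
    finally:
        conn.close()

def demo(bind_ips=("127.0.0.1", "127.0.0.2")):
    """Serve on 127.0.0.1 and request from each local address (Linux loopback
    aliases assumed); returns {bound address: address the server saw}."""
    httpd = HTTPServer(("127.0.0.1", 0), EchoPeerHandler)
    t = threading.Thread(target=httpd.serve_forever)
    t.start()
    try:
        return {ip: source_seen_by_server(httpd.server_address, ip) for ip in bind_ips}
    finally:
        httpd.shutdown()
        httpd.server_close()
        t.join()
```

On the server side this is also the right place to check what your ASP.NET geolocation logic actually reads, since it will see the bound address exactly as a real remote client's address.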
As noted in answers to the ServerFault question "Are IP addresses trivial to forge", you cannot easily forge source addresses in a protocol that requires two-way communication (e.g. TCP). Note that this "two-way communication" is required at the packet level. You cannot just say "no problem, I want to send requests and ignore HTTP responses." To establish a TCP session, you need to receive data. Your best bet is to use a proxy server.
I am unsure if the IP standard allows for this, but if you are working in a lab environment, where you don't need internet connectivity during the test, I can see it working under the following circumstances:
Basically, I would set the server's network interface to use netmask 0.0.0.0 and flush the rest of the routing table.
Then you could configure a client machine to take on any IP address as long as you use netmask 0.0.0.0. And two-way communication should be possible.
Server[1.2.3.4/0] <---> Client[x.x.x.x/0]
But please bear with me. I haven't tested this, so I could be wrong :-)
If you have access to your infrastructure, you can add an interface off the router and then place a static route on the router to that network.
Server-----Router----Internet
/
Test_PC----/
Alternatively you can look into PBR (Policy Based Routing); on the routers you can flag source packets and change the source on the fly, so your server will think they are coming from where you'd like them to come from.
Server-------------Router_with_PBR-------------Internet----- PC
SCR:4.2.2.2 Change SCR:6.6.6.6 to 4.2.2.2 6.6.6.6
But you have to ask yourself why you want to see when packets come from different countries. Some countries have massive proxy servers that filter access (the "Great Firewall of China"), so the above tests will not prove much.
Your best bet then is using proxy servers, or if you're looking for a long-term solution then set up a server (virtual is great for this) and use RDP for testing. I'm sure you can rent a virtual server somewhere for a month or two.
That's not possible, because when you forge the IP address, the response is never going to come back, which is required for HTTP.
The best way is to use proxies. See also this question on serverfault.
If you change your source IP address, that means no traffic from your web server will be able to reach back to the client.
You might be able to use some kind of proxy and/or address translation filter to do the remapping while still allowing two-way communication.