I am getting a netflow traffic feed, I need to identify the application associated with the IP.
Is there any kind of global database that I can use map the global IP with the application it is used to serve?
Ex: IP A for Amazon Prime
IP B for Amazon WebService
IP C for Amazon Shopping
All IP A,B and C are owned by Amazon.
There is no public DB that has that info in that I am aware of. AS number gets you close, but not the detail on which exact service it is contacting. There maybe a way to build a list based on additional netflow intel, like proto or port. If you do discover a more detailed list or wanted to create one manually or part automated, you could create a TrafficGroup for group of IP's you have id'd. Here is the view I get on my home network with Amazon ASN filter
enter image description here
Related
We have a client that has data in Snowflake, but also limits IP connectivity to the data warehouse. If we are going to use the default Azure Data Factory Snowflake connector, what IP's do we have to give the client to whitelist? Is it the entire range from the datacenter location? I understand we may be able to run the ADF in a separate vnet, but don't want to add that to the deployment.
If you are using SHIR for connectivity then you can whitelist your SHIR machine IP address.
In case if you would want to use a custom Azure Intergration Runtime specific to a region then you need to whiltelist the complete Azure IR IP range of that region.
In case if you are using default Azure IR then you will have to whitelist the complete Azure IR IP range.
You can get an IP range list of service tags from the service tags IP range download link. For example, if the Azure region is AustraliaEast, you can get an IP range list from DataFactory.AustraliaEast. For more info please refer here - Azure Integration Runtime IP addresses: Specific regions
Unfortunately, we have to interface with a third-party service which instead of implementing authentication, relies on the request IP to determine if a client is authorized or not.
This is problematic because nodes are started and destroyed by Kubernetes and each time the external IP changes. Is there a way to make sure the external IP is chosen among a fixed set of IPs? That way we could communicate those IPs to the third party and they would be authorized to perform requests. I only found a way to fix the service IP, but that does not change at all the single nodes' IPs.
To be clear, we are using Google's Kubernetes Engine, so a custom solution for that environment would work too.
Yes, it's possible by using KubeIP.
You can create a pool of shareable IP addresses, and use KubeIP to automatically attach IP address from the pool to the Kubernetes node.
IP addresses can be created by:
opening Google Cloud Dashboard
going VPC Network -> External IP addresses
clicking on "Reserve Static Address" and following the wizard (on the Network Service Tier, I think it needs to be a "Premium", for this to work).
The easiest way to have a single static IP for GKE nodes or the entire cluster is to use a NAT.
You can either use a custom NAT solution or use Google Cloud NAT with a private cluster
I want to set custom port tcp to login cms for example wordpress.
¿This is possible?
(but set normal port 80 to entire site)
For example in cpanel whm, there have different ports 2086 not ssl and 2087 ssl
With tool like ipset (iptables in linux) can I block entire contry according to range ip and port, for example can I just allow my country to request specified port.
Another better method is use layer 2 firewall like google compute engine and block ranges of ips relation to specified port.
Sorry for this question maybe is not good.
Again:
¿Can I do this in a cms like wordpress?
Note: I know about Deny all in .htaccess.
I know about set just ssl to wp-admin.
I know i can change to rute wp-admin another alias name.
You can develop a simple bash script to download ip addresses for a particular country (represented as a zone) from ipdeny.com. The bash command would be something like:
wget -qNP [dir] http://www.ipdeny.com/ipblocks/data/countries/XX.zone
Where [dir] is the directory you wish to store the zone file containing the list of ip addresses for the country; and XX is the two character country zone code.
You can then read the ip addresses into an ipset using the strategy described at:https://www.hueyise.com/index.php/linux-dynamic-ip-address-blocking... however, this strategy applies specifically to dynamically blocking malicious ip addresses (e.g., hackers) that are discovered during operations and blocking them immediately.
I successfully implement a tailored version of this strategy to automatically download ip addresses for certain countries once per day, and then read the ip addresses into an ipset defined for blocking inbound/outbound accesses by these countries.
I am logging every user's IP when they access the company's page.
There are two ways to access the page from inside the local network:
http://company/webpage
and
https://webpage.company.com
What bugs me is that even when the users use the https global IP, their accesses are still recorded on database with their IP as 10.50.1.12 or 10.50.1.100.
Does that means that the browser or something else is redirecting the https://webpage.company.com to company/webpage? Or does that mean that I'm using a flawed method to log the users IP?
Another way to ask my question (just to make sure I'm being clear): if I'm accessing my Internet web page from inside the LAN network, am I effectively going outside my network and then back? If not, where am I going wrong with my logging?
Code used to log user's IP:
user.LastIP = HttpContext.Current.Request.UserHostAddress;
I'm curious about this because I want to make sure the users inside the company will access the page using exclusively the LAN Network. The goal is to save bandwidth usage, which is scarce.
Edit:
Pinging the https://webpage.company.com from inside the LAN network will result in a reply from a global IP address like 194.xxx.xxx.xxx. So I'm clearly getting the user's IP wrongly. What would be the ideal way of retrieving the IP from the page accessing entity?
Access to http://company/webpage will result in a DNS lookup of the host name "company". To resolve this, DNS will need a fully qualified domain name (fqdn), so it will add a top level domain (according to the configured search list in the client). In this example, it seems fair to assume that the fqdn will be "company.com". This, in turn, may very well resolve to the same IP address as the "webpage.company.com". You can check this by using dns lookup utilities like 'nslookup' and 'dig', or simply by using 'ping company' and 'ping webpage.company.com'.
The users IP addresses you mention, 10.50.1.12 and 10.50.1.100, seems to be the local IP addresses of the client hosts. I base this assumption on the fact that these IP addresses come from the RFC-1918 address range which is used for internal addresses. My guess is that these are the correct IP addresses, and that your logging works fine.
The users IP address you will log from accessing 'http://company/webpage' and 'https://webpage.company.com' should in most cases be the same. You can see it this way: it doesn't matter what the target URL is, traffic is still coming from the same host, the same IP address.
In any case, you most probably don't need to worry about any traffic leaving your local network.
I'm thinking of a way to find the public IP of router at home, remotely.
For example if I'm in university and I need to connect to a machine in my home network. How can I get the public IP to connect to it?
To get the IP from that machine I can use something like this website - http://api.exip.org/?call=ip
But how can I send it to myself remotely?
One of the ideas is to write some sort of script that will check my email address for incoming messages. So when I need to know the IP, I just send some email to myself with specific text (or subject). When script will find that specific text, it will send the IP to the same email.
Another idea it to write a script that will upload a new file to the server (for example DropBox) every time the public IP is changed.
Or I can combine those two and email new IP every time it changes (not that often, but still it’s a spam).
What other solutions there can be, and how can I implement them (or the one that I have)?
I have Linux/Unix and Windows machines which I can use. I have no problem in writing code in different languages or looking in to any possible approach.
most of home router have dynamic DNS facility , you will find it in your router configuration as DDNS and configuration page you will find list of supported DDNS service ,most popular DDNS service is dyndns.org you have to subscribe there and they will give you tow free subdomain like example.dyndns.org , and after configuring that on your router you can easily from any where ping example.dyndns.org to know your router IP