restriction of web service by ip - asp.net

I have a web service that will provide data to another web application. My problem derives from a security concern. I don't want the web service to work if the IP of the machine that the service is working on is different from the IP I want. For example, if somebody copies the web service to his PC, it should not work because the IP address has changed. Moreover, the MAC address can also be an alternative for me.

Copying a web service is not possible unless you have the source code or the binaries.
If the web service provides data to another web app, simply put a firewall rule that blocks connections from any other IP different from the one you want.

If you were to restrict access by IP address, you would need to change your security configuration every time the IP address changes. For instance, if a second network adapter is added to the server, or if the server is moved to a different network segment.
Also, how will you debug the web service on different machines? Or how would you have a QA environment, which will naturally have a different IP address than in the production environment?

Related

AWS EC2 - Unable to consume http server from a different machine on the same network

Followed this tutorial to set up two ec2 instances: 12 . Creation of two EC2 instances and how to establish ping communication - YouTube
The only difference is I used a linux image.
I set up a simple python http server on a machine (on port 8000). But I cannot access this from my other machine; whenever I curl, the program kind of waits. (It might eventually time out but I wasn't patient enough to witness that).
However, the workaround, I figured, was that you have to add a port rule via the security group. I do not like this option since it means that that port (for the machine that hosts the web server) can be accessed via the internet.
I was looking for an experience similar to what people usually have at home with their routers; machines connected to the same home router can reach out to other machines on any port (provided the destination machine has some service hosted on that port).
What is the solution to achieve something like this when working with ec2?
The instance is open to the internet because you are allowing access from '0.0.0.0/0' (anywhere) in the inbound rule of the security group.
If you want the communication to be allowed only between the instances and not from the public internet, you can achieve that by assigning the same security group to both instances and modifying the inbound rule in the security group to allow all traffic or ICMP traffic sourced from the security group itself.
You can read more about it here:
AWS Reference

What's my IP and subnet from Azure website?

I'm building out an Azure hosted website, but it needs to reach into our home office to connect to some internally hosted web services. Our firewall is set up to only allow traffic over certain IPs, so we're looking to determine what IP range we need to allow access to.
Currently I'm still using the MSDN "Free" Azure subscription, so I don't know what options may be limited, but is there a way I can determine what source IP, subnet, whatever my Azure hosted site will attempt to call my web services from?
Thanks!
Be careful opening your firewall to the entire Azure datacenter IP ranges. Anybody can host anything in Azure, including malicious software, so if you open your firewall to the entire Azure IP range you may as well just open to 0.0.0.0-255.255.255.255 because in effect you are getting the same security.
A better option is to deploy your service and just whitelist that one IP address. That IP address is guaranteed to remain the same until you delete your service. With the ability to do in-place upgrades and VIP swaps there should be no reason why you would need to delete your hosted service and lose your IP address. If you ever do run into a scenario where you need to delete/redeploy you can always update your firewall at that time.
It sounds like this is what you're looking for:
Windows Azure Datacenter IP Ranges

Allow user from another PC to connect to my localhost website

I am running a website on localhost:portnumber on visual studio 2005, and want to allow another person to connect to it from another PC. Is this possible?
You can try following this article and see if it works
http://www.pluralsight-training.net/community/blogs/jimw/archive/2009/09/03/accessing-the-visual-studio-asp-net-development-server-from-iphone.aspx
Possible, yes.
You will need an ip address that is accessible from that other machine.
Your firewall will need to allow the appropriate port to be open (typically 80).
If you want them to use a DNS name, that DNS name must be pointed to your IP. And, again, it must be externally accessible.
Now, if the client is NOT on your local network, then the IP will have to be a public one that is routed to your machine. Depending on where you are (corporate, etc) there may be other firewalls in place to prevent this. In this case contact your local network admin.
Yes, it's possible, but only for testing purposes. First you need to install IIS and get dynamic DNS to allow the user to connect to your computer (using your dynamic IP). Check No-IP, dyndns; point this dynamic host to your IIS website (Bindings settings).
Yes, it is possible. You need to do two things:
1) Open that "portnumber" for incoming connections through your windows firewall (and any other firewall you may be running).
2) Set up your router to allow incoming connections on that "portnumber" and route those connections to your local computer's IP Address.
That should do it. Be aware that doing this opens up your computer to be hacked if you are not careful.

asp.net web page over vpn

I published a web application to one of our app servers. Now, if I am connected within my company network (no login required), I can access the web site no problem. But if I am connected from outside of the network over VPN, I can't access the website (a "page not found" error appears). Do I need to configure IIS on the app server to allow the connection over VPN?
Thanks for your time.
It sounds like you do not have your firewall/router configured correctly to allow traffic from external sources. When you're connected via VPN it is like you are connected to the internal network. Without the VPN you need to make sure it is routed correctly and visible through your firewall. Can you ping the IP that you are trying to get to?
Do you get DNS resolution when you connect over the VPN? If you are trying to hit an internal machine name address, you might try changing to the IP address of the machine.

client-server communication

We have written a client-server programme. The programme runs fine when we run both client and server on the same machine on different terminals by calling gethostbyname(127.0.0.1). We have to communicate between different machines. So my question is, how to determine the IP of the other machine (the server's), and how to find out the IP of one's own machine. Is it simply chosen as something we wish? How to get the hostname of the server and one's own machine?
Thanks
It's not clear what platform you are operating on but for Unix/Linux you can discover the IP addresses assigned to the interfaces on your system with the ifconfig command (you may need to be root to get to this, it's often found in the sbin folder), on Windows ipconfig will get you the same information.
Ideally you'd have domain name resolution set up on your network and would have a 'name' for the server, i.e. server.mydomain.com then you could use gethostbyname("server.mydomain.com"). For more information on domain name services (dns) you could do worse than start here: http://en.wikipedia.org/wiki/Domain_name_system
You cannot get the IP of the other machine in some magical way; you either have to know it or develop some sort of broadcast protocol in your network app, where the server or clients broadcasts their IP.
Getting your own IP depends on your platform and what language you use.
If this is a client/server environment, the client is going to need to know the server address.
If you are using gethostbyname, then the name resolution systems that are actually supported (DNS, NIS, etc.) will vary by OS and system configuration.
The most common configuration is to use DNS. In this case, it is worth noting that the server cannot easily discover its own name on the network (or name itself). This is because the naming service that the client will use is external to the server. The server has a local idea of what its hostname and its resolver's default domain are, but they are not necessarily the FQDN that DNS externally maps to the server's IP addresses.
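What the answers above describe, as an added example (not code from the original posts): resolving the server's address from a name with getaddrinfo(), the current replacement for gethostbyname(), and listing the local machine's own IPv4 addresses, the same information ifconfig prints. It assumes a POSIX system and IPv4 only; the function names resolve_ipv4 and list_own_ipv4 are hypothetical.

```c
#define _DEFAULT_SOURCE /* expose getaddrinfo()/getifaddrs() under strict -std= */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>

/* Resolve a host name or dotted-quad string to its first IPv4 address; 0 on success. */
int resolve_ipv4(const char *host, char *out, size_t outlen)
{
    /* IPv4/TCP only, to keep the example short (an assumption of this example) */
    struct addrinfo hints = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM }, *res = NULL;
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return -1;                   /* name unknown to DNS, /etc/hosts, ... */
    struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
    const char *p = inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return p ? 0 : -1;
}

/* Print each IPv4 address configured on this machine; returns the count, -1 on error. */
int list_own_ipv4(void)
{
    struct ifaddrs *list, *ifa;
    int count = 0;
    if (getifaddrs(&list) != 0) return -1;
    for (ifa = list; ifa != NULL; ifa = ifa->ifa_next) {
        char buf[INET_ADDRSTRLEN];
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;                /* skip IPv6, packet sockets, unconfigured links */
        struct sockaddr_in *sin = (struct sockaddr_in *)ifa->ifa_addr;
        if (inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof buf) != NULL) {
            printf("%-8s %s\n", ifa->ifa_name, buf);
            count++;
        }
    }
    freeifaddrs(list);
    return count;
}

int main(int argc, char **argv)
{
    char ip[INET_ADDRSTRLEN];
    /* Pass the server's name as the first argument, e.g. the name DNS has for it. */
    if (argc > 1 && resolve_ipv4(argv[1], ip, sizeof ip) == 0)
        printf("server %s -> %s\n", argv[1], ip);
    return list_own_ipv4() < 0;
}
```

The addresses printed by list_own_ipv4 are the machine's local view; as the last answer notes, they say nothing about which name the client's DNS maps to the server.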
