I need an algorithm to find if there is a windows domain (AD service) set up in the network I am currently connected to. This should work for any network (a WiFi in McDonald's or a corporate network) meaning I do not know the name of the domain I am looking for (if there is any).
All I have ever found were ways to check for the domain my computer is in. That is not what I want.
I can perform simple queries (DNS, ...) and this algorithm shall work from any operating system (meaning no readings from windows registry).
Any ideas?
Thanks.
To get a DomainConntroller you must get the "domain" of the network first. And this can not be done, as far as I found, just by DNS reqests.
Related
I do not trust anything, so I want to write my own firewall. I'm not satisfied with the application firewalls in Linux and Windows and the distro firewalls are not adequate for my purposes. I'm frustrated with distro firewalls, most of them like pfSense, OPN Sense, ipfire just seem to give illusion of firewall but all they do is packet filtering. I'm unable to block everything and only allow few websites with it, I have created a rule to block DNS requests, applied that rule and rebooted the firewall distro but it doesn't seem to have any effect. I either have to block everything or allow everything, both of which are undesirable. The sc*mbags seemed to have deliberately made the interface unintuitive to sell service, they claim their firewalls are free but made the interface obtuse, so that they can steal money by selling service.
I'm thinking of writing my own firewall, one of this will be an application which will run on the client system and the other would be standalone distro, both will run together to allow better management. The application on the client will create a special packet signed with the hash of the application, OS, etc and the intermediary firewall distro will check this hash and allow rules and policies to be created based on this hash. Does the TCP/IP protocol allow this?
I have searched the net for resources about network API on Linux, and there are three resources about writing my own firewall, two are questions here and one is netfilter. I don't know anything about TCP/IP protocol, so I don't know if I can use the packets made TCP/IP to achieve this or I have to creatively find a way to create a special packet.
Have you seen those apps which explore your local network looking for devices?
Well, I would like to know how they get (mostly) the names of devices!
Does anyone know? Because I am building an application which needs to get (if possible) the hostname of the local devices..
Local network device discovery is often done by a zeroconf implementation (e.g. Apple services typically use Bonjour services to discover local device names).
If you wanted to explore this type of service for use in nodeJS, then maybe have a look at https://github.com/agnat/node_mdns. I've never used it myself but it does seem reasonably popular and stable.
Otherwise just do some research generally around zeroconf/mdns and make a decision based on your needs.
I'm an embedded engineer (not a network guru) building a piece of Linux-based equipment (a portable measurement instrument) that is normally not connected to the Internet, but we need to make it possible for the equipment to "call home" for support, including updates and troubleshooting, in a manner that compromises neither the product's security, nor the customer's network security nor our own company network.
The "call home" capability will be completely controlled by the user, perhaps by pressing a physical button to activate it, after the equipment has been connected to whatever network the customer chooses to use. For prototype and demonstrations systems, this network could be at someone's home or office or even via a phone connection (the equipment will contain only a wired Ethernet port, and the customer would need to provide a wired AP if WiFi access is desired).
Making the connection should require no per-call configuration at the user's end, nor within our box, so I'm thinking we can require the customer to provide DHCP, and not much else. We can also require the customer to first contact us before pressing the "call home" button, so we can have our support interface up only when needed.
When a unit does "call home", it merely makes a connection to a company system, doing nothing else until an engineer (well, me) directly connects to it. Other than the existence of the connection, we should get no (or minimal) information about the network the customer is using. So I'm thinking some kind of SSH connection, but that's as far as I have gotten.
If possible, it should "feel" as if I'm connecting locally, as if the unit were on my desk (perhaps with much more latency, loss, and minimal bandwidth).
But I have no idea whatsoever how to make an SSH connection (if that's the right tool to use for this) as two separate halves: The remote unit "calls" somewhere, presumably on one of our company systems, then that system notifies an engineer (me) that a "call home" has been initiated, then waits for the engineer to connect, forming the other half of the connection.
The connection need not identify the remote system (make, model, serial number, version, etc.): I'd do that manually after logging in securely.
If needed, I can create a new system on our end (Linux, BSD, Windows, whatever, physical or VM) that can be dedicated to just this function. I can get at least one static port mapped out to our corporate WAN, if needed (but something I'd prefer to avoid, if possible).
Ideally, I'd also like for there to be minimal information in the equipment itself, so that possession of the equipment by an adversary (or competitor) could not compromise customer or company networks, other units, nor the call-home technique itself. From what little I know, I'd guess a hostname or IP address, a port number, and a key would be needed, but less would be better!
I'd also like the system to require manual intervention at both ends, with minimal automation that can be buggy or be compromised. Once we implement and test the initial system, automation could be added as our experience with it, and confidence in it, grows.
That's about as far as my thinking has taken me. Beyond this, I'm pretty much clueless. Am I on the right track? What pieces am I missing? Is this already a popular thing to do, and I simply don't know what it is called? How simple and stupid can this capability be made for a couple of prototype systems?
EDIT: If it wasn't obvious already, please assume I'm a networking idiot who can be trusted only to follow an explicit recipe, and not much more. KISS applies!
Disclaimer: as long as no "real" answer is there I just provide my more or less theoretical thoughts with hope it helps.
Without reading in detail, I found http://www.vdomck.org/2005/11/reversing-ssh-connection.html to reverse a ssh-connection. If that is easy to follow (it should be easy, just ssh -R basically, see also http://www.brandonhutchinson.com/ssh_tunnelling.html) it means your remote device could connect to your network (and "Pete" is your Partner at the customer). The problem is that initiating a ssh-connection without user/password requires a authentication- private key on that device (so in non-friendly hands).
You could place a dumb ssh-server with no private data and no special access and even the password you could set just for that single connection (and tell your partner "Pete" via phone), let your phantasie play a bit to get a static half "ImGenious$%" and a dynamic half "1243" so you can give a short easy dynamic half over phone.
Then from that dumb ssh-server you can connect to your device as in the article.
I would suggest the call home functionality uses SSH to connect to your office. This requires your customer's network provides DHCP, Internet access and DNS capability. It also requires them to allow outbound connections on port 22. The latter is possibly an issue for some security minded customers who want to prevent unknown egress of data.
You will need a certificate for your SSH server so the certificate is valid for the domain name you choose. You will also need to make sure the SSH client on the server is configured to accept the signature of your server.
It sounds like the number of devices you will be maintaining is relatively low. For this reason, I would suggest generating unique public/private key pairs for each device. You can then load the public key into your server so logins are accepted via keys only.
If a device is compromised or stolen, you can delete the appropriate key from your server. The device will not be able to login again. The private key on the device only has value because you have decided to accept the associated public key on login. Remove this and it has no value. The added benefit is that you can identify a device by the key it has used to login (e.g. you can associate each key with a different user). You can then tie up the login with the information about the device/customer that you store on your systems.
If you use reverse SSH you can have the device connect in. Once you're ready, you can use the reverse part to connect through the tunnel that the device and your server have already setup to perform the maintenance.
I develop software running laptops from various companies. The employees are allowed to bring these laptops home or on holidays. I want to be able to reliably detect whether the laptops are in the office or not. The laptops are connected to the company network via some kind of VPN (though various solutions are used), so I cannot say that if they can access internet, they are in the office. To make this question even more interesting, please notice that a company might have multiple locations.
Edit: I need to detect this on the laptop.
Speculation: One thing you could look at are the IP addresses allocated to the machine. If you run a VPN then at home then there is probably one IP for the Internet connection and one for the VPN.
I think the answer from Rob is close but maybe you should take into account the gateway used by the NIC.
And if you have time enough a tracert to a known server in your office.
That will give you the route and the intermediate NIC's between the laptop and the known server.
You only have to make sure in that case that on the office location the route to the VPN concentrator is different but that should be possible with a clever dns/dhcp setup.
You might try a more specific question on serverfault.com
This cannot be done reliably, because branch offices can be setup up the same as a home network. And from experience, I'm not saying "almost the same as a home network". I mean literally the same, with non-clued managers buying network equipment from the cheapest local shop, and running copies of Windows XP HOME.
Need a basic direction in the following project.
There is a linux based controller doing some industrial control stuff.
The box is equipped with cellular modem and is capable to get online through cellular carrier. Cellular communication is used because controller is mostly installed where no cables or short range radio is available. Places where sun don't normally shine :)
The task is to allow internet clients to connect directly to the box for some basic control/monitoring stuff. The problem is connectivity - how clients will discover the box? - I'd like to have the box act as a server (if possible). Assuming that cellular carrier allows the box to get online doesn't necessarily mean that the box will get public IP so that anyone would be able to get connected. To my understanding the cellular network acts as a gateway from those who are working inside of it, and reaching someone in that network from outside isn't possible. Am I wrong? We are looking for a generic solution, not a solution around particular cellular provider. The controller is installed in different countries, we need to find the standard way to "webify" it.
The software (and hardware) in the box is ours, we can basically do anything, but I am looking for the right way to do it in order to avoid surprises with different providers later. BTW, the solution doesn't necessarily have to be technical, may be it's possible to buy a permanent IP's per box, or setup VPNs.. Which way should I dig to? What questions to ask?
Your ideas are welcome!
Your summary of the problem is basically correct. I've implemented several systems that do this, and the odds of success are good.
The way you tackle this will depend on the number of remote units you expect a single user to interact with. If each user will handle only one or two devices, it's plausible to implement the web server on the remote device. If each user handles many devices, consider centralising as much administration as possible. I've implemented this using Zenoss for data logging, and a custom control server.
If the web server sits on the remote device, you can either buy a SIM with a static IP, or use a proxy server. I recommend setting up a proxy server unless the number of devices is very small.
There are three options for SIMs:
Static IP with an address on the public Internet will be expensive, and negotiating the deal with each provider in each country will be irksome. No proxy server is required.
Private APN SIMs will give you the option of a static address, but in a private address range. Negotiation with the mobile network is still required, and you will require a proxy server to sit between the public Internet and the private address range,
Standard data SIMs will connect to the Internet through NAT. You can use these to host your service by opening a VPN connection (we used openvpn) to your server. You can now reach the devices directly by connecting to the same VPN, or through a proxy server.
If you use openvpn, here are some more tips:
Give each unit a public serial number, and a private key. Store these in the firmware of the unit, and in a central database. Put the public serial number on the outside of the unit. You can use an openvpn login script to ensure that a particular unit always appears at the correct IP address, which keeps the proxy configuration static.
You can control openvpn's bandwidth usage by adjusting its keepalive behaviour, and how often it renegotiates. Measure and tune this before a large deployment.
The NAT timeouts in the mobile networks are generally between 5 and 15 minutes. The device must send a packet to the server often enough to keep NAT alive.
Cheap SIM deals may be web only with limited ports.
Other tips:
GPRS modem firmware can (rarely) crash internally. If your hardware supports it, provide software with the ability to power cycle the modem.
Test your box in areas with poor coverage in your own country before you send out international shipments.
This is a typical problem with "mobile agent" appearing in different places or using different providers (in this case just one provider, but it's almost the same). Usually it's solved using some kind of home agent - a server that the mobile connects to and gives details about how to reach it or if it can't be reached directly then the home agent acts as a proxy.
Client always contact the home agent first and then if it is possible they contact the mobile or if it's not they use the server as a proxy.
In some cases dynamic dns might be sufficient in other you need real proxy/ façade.
There's a good book: Andrew S. Tanenbaum & Maarten van Steen :"Distributed Systems: Principles and Paradigms"
You can ask cellular provider to give you a SIM card with internet access and fixed IP address. Then you can host any server you like. Do not forget that you are dealing with limited bandwidth.