How to access Internet connected Debian Linux computer through SSH? [closed] - linux

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
I have a BeagleBone Black that is running Debian Wheezy. I want to be able to SSH into it over the internet as long as it is connected to the Internet. I want to be able to type in a URL and be able to access it or deploy software on it.
Many other posts showed how one has to configure the router to forward the port and such. However, I want to be able to take this Beaglebone anywhere, maybe even at a coffee shop with Wifi, and I can quickly access it from another computer through the Internet.
I am wondering what is the best approach to do this. I have my own domain name (provider is Namecheap.com), and I won't mind actually paying for some web hosting services if the solution requires that.
To sum it up, I want to be able to SSH into a Debian Linux system via a domain name without any configuration with the network hardware. I want to be able to quickly set it up and access it as long as the system has internet access. How can this be done?

You need to use a "dynamic DNS service", since (most likely) your home IP address is not static: it changes with time, which is why it makes sense to use a domain name. However, you cannot use a normal DNS service, since that updates far too slowly.
You need to configure that dynamic DNS service such that it points to the current public IP address of your home router. Typically that is done by a trigger that submits the new IP address as soon as the internet connection has been established. So this has to be done from within your home network, typically by a feature of your router (if offered). Alternatively you can use some utility installed on your board's system that is able to detect its public IP address and when that changes. There are some such utilities in the standard repositories. You cannot simply publish your IP every minute or so. It has to be event driven (on connect), or you will probably be blocked by the dynamic DNS service.
Then indeed you have to configure port forwarding on your home router. The rule has to forward all incoming requests to a specific port to your board's port 22. Note: do not use port 22 on the outside, so do not forward port 22 to port 22. This works, but you will see constant brute force hacking attacks against your system. Just use something like 50022 or whatever (on the outside!).
That should be all.
I take from your comment that you also want to be able to take that board wherever you go and just use any connection wherever. Such a thing is possible, but much more complex. For certain you do need some additional server you have control over. That server has to play relay and forward your requests to your board, which establishes an SSH tunnel between that server and itself as soon as it goes online. So you definitely do need some fixed point somewhere. Such a server is no rocket science. You can rent a virtual one for 3-5 Euros a month these days and do with it whatever you want.
The idea here is that your board contacts that server and establishes an SSH tunnel pointing back to its own port 22. Now you can contact the tunnel, which is open at the server, and your packets will be forwarded through the tunnel to your board. That works; it is a bit slower than otherwise.
In that case you do not need a dynamic DNS service, since such a virtual server typically comes with a fixed IP address. So you can simply resolve your domain to that server of yours.
The question in this case is why you would do that. Since you already have a comfortable server at hand, what is the board for? The only motivation I can think of is to be able to do illegal downloads or hacking attempts in the foreign environment... Which is not an issue in general. Networks are there to be explored. But you clearly should think thrice when you leave the legal ground. Especially about whom you might cause massive troubles :-)
Oh, you could also combine this approach with using your home router instead of a separate server on the internet. Your board can access your home network using the dynamic DNS service and contact some system inside your home network which acts just like the rented server described above.
Taking into account the additional information from your next comment, this might also be worth a try, though I am not sure if that will work. You will have to give it a try:
If everyone meant to access the board is within the same local network, then you might get along without the need for port forwarding. You could try to use one of the mentioned dynamic DNS utilities to publish your network-internal IP address to the DNS service. If they accept and publish that address, then everyone should be able to directly access your board inside the local network (so not via the internet), but by using your domain name. I never tried such a thing. I could imagine that DNS service providers block such a thing. But then again, they might not. So it might be worth a try, since it would be a very simple and elegant solution. Also I am not that sure if all systems will accept such an internal address from a DNS authority. As said: you will have to try this.
There certainly are more theoretical possibilities, but those certainly are much more complex. If you stay near your board you certainly can also use things like Bluetooth or similar. You could bundle a cheap and broken smartphone and use it as a modem; that way the board can act just like the home router above. Certainly you have the option of a Wi-Fi ad-hoc network connection, but I doubt that is what you are looking for.
One thing I would definitely not do is use a third party service provider specialized in such things. Something like TeamViewer or similar. I consider these a serious and obvious security threat, despite what they claim themselves. You definitely can never trust a closed source or internet-only service, since there is simply no way for you to really check what they do. So do not fall for that apparently simple and comfortable solution!
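The relay approach the answer describes (board dials out to a fixed server, opens a tunnel back to its own port 22, and you connect to the relay) can be scripted as below. This is an added example, not code from the answer or from the Debian/BeagleBone projects. The relay name relay.example.com, the unprivileged "tunnel" account on it and the key path are assumptions; 50022 is the outside port the answer suggests. It uses only standard OpenSSH options, binds the relay-side listener to loopback so the board is reachable only through the relay itself, and locks the board's key down on the relay so it can do nothing except open that one tunnel.

```shell
#!/bin/sh
# Reverse SSH tunnel from a board behind NAT/Wi-Fi to a fixed relay server.
# Assumed names (not from the answer): relay.example.com, the "tunnel" account
# on it, and the key path below. 50022 is the outside port the answer suggests.
RELAY_HOST="${RELAY_HOST:-relay.example.com}"   # rented VPS with a fixed IP / your domain
RELAY_USER="${RELAY_USER:-tunnel}"              # unprivileged account used only for the tunnel
RELAY_PORT="${RELAY_PORT:-50022}"               # port the tunnel listens on at the relay
KEY_FILE="${KEY_FILE:-/home/debian/.ssh/id_ed25519}"  # board's key, no passphrase (runs unattended)

# Board side: build the ssh command as one string so it can be inspected and tested.
build_tunnel_cmd() {
  # -N: open no shell, just forwardings.
  # -R 127.0.0.1:PORT:localhost:22 : the relay listens on PORT (loopback only, so the
  #    board is not exposed to the whole internet) and forwards it to the board's sshd.
  # ExitOnForwardFailure: if the port is still held by a stale session, quit and let
  #    the retry loop below reconnect instead of hanging with no usable tunnel.
  # ServerAliveInterval/CountMax: notice a dead Wi-Fi link within ~3 minutes and
  #    keep the NAT mapping at the coffee shop alive in the meantime.
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -i %s -R 127.0.0.1:%s:localhost:22 %s@%s' \
    "$KEY_FILE" "$RELAY_PORT" "$RELAY_USER" "$RELAY_HOST"
}

# Relay side: the authorized_keys line for the board's public key. "restrict" turns off
# everything (shell, pty, agent and X11 forwarding), "port-forwarding" re-enables only
# forwarding, and "permitlisten" limits the remote listener to our port (OpenSSH 7.8+).
authorized_keys_line() {
  printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$RELAY_PORT" "$1"
}

# Keep the tunnel up across network changes: reconnect after each drop.
run_tunnel_forever() {
  while :; do
    sh -c "$(build_tunnel_cmd)" || true
    sleep 15
  done
}

# Start only when invoked as "sh tunnel.sh run" (e.g. from /etc/rc.local or a systemd unit).
# From your laptop you then reach the board through the relay with your own relay login:
#   ssh -J yourname@relay.example.com -p 50022 debian@127.0.0.1
if [ "${1:-}" = "run" ]; then
  run_tunnel_forever
fi
```

Before the first unattended run, connect once from the board to the relay by hand so the relay's host key lands in the board's known_hosts; otherwise the loop will fail silently on the host-key prompt.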

Related

How can I create a firewall which allows me to make application based rules?

I do not trust anything, so I want to write my own firewall. I'm not satisfied with the application firewalls in Linux and Windows, and the distro firewalls are not adequate for my purposes. I'm frustrated with distro firewalls; most of them, like pfSense, OPNsense and IPFire, just seem to give the illusion of a firewall, but all they do is packet filtering. I'm unable to block everything and only allow a few websites with it. I have created a rule to block DNS requests, applied that rule and rebooted the firewall distro, but it doesn't seem to have any effect. I either have to block everything or allow everything, both of which are undesirable. The sc*mbags seem to have deliberately made the interface unintuitive to sell service; they claim their firewalls are free but made the interface obtuse so that they can steal money by selling service.
I'm thinking of writing my own firewall. One part of this will be an application which will run on the client system and the other would be a standalone distro; both will run together to allow better management. The application on the client will create a special packet signed with the hash of the application, OS, etc., and the intermediary firewall distro will check this hash and allow rules and policies to be created based on this hash. Does the TCP/IP protocol allow this?
I have searched the net for resources about the network API on Linux, and there are three resources about writing my own firewall: two are questions here and one is netfilter. I don't know anything about the TCP/IP protocol, so I don't know if I can use the packets made by TCP/IP to achieve this or I have to creatively find a way to create a special packet.

On many websites: 'Access Denied You don't have permission to access "http://whateversite.com" on this server'... Why? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
This is part of an ongoing issue that I am having with my internet provider (CenturyLink) but the issue exists for other users on other providers.
Essentially when hitting a website (for instance: http://tsa.gov) I receive an error that appears to be generated by a security provider protecting that website (based on my research perhaps Akamai?: https://community.akamai.com/thread/4465-ip-reputation-clean-up, could also be CloudFlare or something like that?)
Per the above, my current assumption is that someone was using the public IP address that is now assigned to my network by my ISP (CenturyLink) for dubious purposes. Perhaps another customer was hacked and their devices were utilized in a DDoS attack, or they were web-scraping, or spamming, or all of the above.
I get the above error on perhaps 20% of all websites with ALL devices when connected through my local wifi connection.
Primarily I am adding this question so that anyone who runs into the problem in the future is more likely to move through the process quickly than I was.
Some details pertaining to troubleshooting
Resetting Router Does Nothing
The first thing your ISP will tell you is to reset the router and wait a few minutes. CenturyLink uses DHCP, so my router SHOULD obtain a new address, which SHOULD fix the issue if that IP address is blocked. If you haven't done this yet, do this first.
My router DOES NOT obtain a new IP address and instead re-acquires the old IP.
For me Hard Resetting / Factory Resetting the router ALSO had no effect.
Future People: You can check your IP address by typing "What's my IP Address" into Google.
If you run into this issue you should check your IP (using the Google trick above) every time you restart your router and keep a log of all IP addresses that have been assigned to you along with the time delay that you waited in between turning off / turning on your router.
CenturyLink DOES NOT have a log of the IP addresses that your account has been assigned; in order to tell whether you are getting a new IP address YOU will need to keep a log of IPs. By logging this information yourself you can 'prove' to them that you are incorrectly receiving the same IP address after power cycling your router.
Multiple Device Operating Systems
My devices are each of the following: MacOS (Macs), Android Phone + Tablet, iOS Phones, Windows PC. Every device exhibits the same behavior; therefore it is incredibly unlikely to be a virus issue (it's hard for one virus to affect many different devices on many different OSes). Also unlikely because...
Different Connections Work Fine
Each of those same devices works perfectly when connecting to the same websites through a different internet connection. I.e. I can use a wifi hotspot with my phone through my computer, or connect directly from my tablet etc. with no problem so long as I am not using my local CenturyLink DSL connection.
I will update or add an answer as soon as I have one.
So after a LONG time on the phone the collaborative team of CenturyLink techs and I decided the best option was to get a new modem / router of a different brand / model number from the one I currently have.
Here's some more information for future users troubleshooting a similar issue.
Sites that are Unreachable are Up and Live for Everyone else
This will get asked A LOT. The sites you are trying to reach ARE Reachable from other devices on other networks, or the same devices on other networks.
It is NOT a virus
The key to explaining this one away (it will also get asked a lot) is mentioning the many different devices / operating systems that all have the same problem, and that each of those devices works properly when connected to a Non-CenturyLink network.
Q: What are the odds that a group of hackers developed a virus that infects every known operating system and targets only 20% of websites ONLY when hosted on CenturyLink?
A: Zero.
".... but I can Ping the site from your Router"
You will probably get that once or twice. This doesn't matter since the servers are actually returning a response. The problem is that the response IS NOT the website, the server responding to the ping is the same server delivering the "Access Denied" message.
Since the server is responding, and you are able to connect, Ping works fine even though the server isn't returning the page you requested.
Firmware Update Doesn't Help Acquire a new IP Address
Even after updating the firmware on our router we were still unable to acquire a new IP Address from DHCP. I assume there is a way that CenturyLink could take that IP Address out of the pool, but my guess is they have MANY IPs that are blacklisted by Akamai among others so they just rely on the dynamic nature of DHCP assigned IPs to solve this problem for them when it occurs.
Of course that doesn't work if your router for whatever reason is not Dynamically assigned an IP Address as it should be.
New Router? That will be $22 Shipping
Yeah... nah. They will ask you to pay $22 shipping on the new router to replace the one that you just spent all of this time trying to help them fix.
If you went through as much BS as I did to get the thing working don't stand for that, respectfully let them know that you don't think that is fair. My rep was able to waive that fee.

Security threats with private server hosting

OK, I've been hosting a few game servers on my home computer, and am now also setting up a personal FTP server.
I am sharing my IP address with some friends and family with intentions of using this server, but when one of my friends threatened to "hack" my computer (I know he doesn't possess any such skills), it got me thinking.
If I do not reveal my IP address to strangers (or even if I do), are there any security threats?
Also, at what scale are these threats? Will an everyday programmer be able to cause damage while I host this server?
P.S. I am using Xlight FTP software to host this server.
Your friends are not the ones you have to be concerned about.
Your IP, like everyone else's, will be scanned on several ports several times per minute.
The Internet is full of bots launching requests, looking for holes to exploit and systems to dig into.
Just be sure to be behind a firewall, NAT only the desired service ports, and try not to use a conventional one. Install an additional software firewall if possible.
I would also recommend you to use an SFTP server (based on SSH and encrypted). Standard FTP traffic is raw and can be easily sniffed.

Generic way to know whether a laptop is located in the office or not?

I develop software running on laptops from various companies. The employees are allowed to bring these laptops home or on holidays. I want to be able to reliably detect whether the laptops are in the office or not. The laptops are connected to the company network via some kind of VPN (though various solutions are used), so I cannot say that if they can access the internet, they are in the office. To make this question even more interesting, please notice that a company might have multiple locations.
Edit: I need to detect this on the laptop.
Speculation: One thing you could look at are the IP addresses allocated to the machine. If you run a VPN, then at home there is probably one IP for the Internet connection and one for the VPN.
I think the answer from Rob is close but maybe you should take into account the gateway used by the NIC.
And if you have time enough a tracert to a known server in your office.
That will give you the route and the intermediate NICs between the laptop and the known server.
You only have to make sure in that case that at the office location the route to the VPN concentrator is different, but that should be possible with a clever DNS/DHCP setup.
You might try a more specific question on serverfault.com
This cannot be done reliably, because branch offices can be set up the same as a home network. And from experience, I'm not saying "almost the same as a home network". I mean literally the same, with non-clued managers buying network equipment from the cheapest local shop, and running copies of Windows XP HOME.

Webify embedded linux-based controller through cellular network

I need some basic direction on the following project.
There is a Linux-based controller doing some industrial control stuff.
The box is equipped with a cellular modem and is capable of getting online through a cellular carrier. Cellular communication is used because the controller is mostly installed where no cables or short range radio are available. Places where the sun doesn't normally shine :)
The task is to allow internet clients to connect directly to the box for some basic control/monitoring stuff. The problem is connectivity: how will clients discover the box? I'd like to have the box act as a server (if possible). Assuming that the cellular carrier allows the box to get online doesn't necessarily mean that the box will get a public IP so that anyone would be able to get connected. To my understanding the cellular network acts as a gateway for those who are working inside of it, and reaching someone in that network from outside isn't possible. Am I wrong? We are looking for a generic solution, not a solution around a particular cellular provider. The controller is installed in different countries; we need to find the standard way to "webify" it.
The software (and hardware) in the box is ours, we can basically do anything, but I am looking for the right way to do it in order to avoid surprises with different providers later. BTW, the solution doesn't necessarily have to be technical; maybe it's possible to buy a permanent IP per box, or set up VPNs. Which way should I dig? What questions to ask?
Your ideas are welcome!
Your summary of the problem is basically correct. I've implemented several systems that do this, and the odds of success are good.
The way you tackle this will depend on the number of remote units you expect a single user to interact with. If each user will handle only one or two devices, it's plausible to implement the web server on the remote device. If each user handles many devices, consider centralising as much administration as possible. I've implemented this using Zenoss for data logging, and a custom control server.
If the web server sits on the remote device, you can either buy a SIM with a static IP, or use a proxy server. I recommend setting up a proxy server unless the number of devices is very small.
There are three options for SIMs:
Static IP with an address on the public Internet will be expensive, and negotiating the deal with each provider in each country will be irksome. No proxy server is required.
Private APN SIMs will give you the option of a static address, but in a private address range. Negotiation with the mobile network is still required, and you will require a proxy server to sit between the public Internet and the private address range.
Standard data SIMs will connect to the Internet through NAT. You can use these to host your service by opening a VPN connection (we used openvpn) to your server. You can now reach the devices directly by connecting to the same VPN, or through a proxy server.
If you use openvpn, here are some more tips:
Give each unit a public serial number, and a private key. Store these in the firmware of the unit, and in a central database. Put the public serial number on the outside of the unit. You can use an openvpn login script to ensure that a particular unit always appears at the correct IP address, which keeps the proxy configuration static.
You can control openvpn's bandwidth usage by adjusting its keepalive behaviour, and how often it renegotiates. Measure and tune this before a large deployment.
The NAT timeouts in the mobile networks are generally between 5 and 15 minutes. The device must send a packet to the server often enough to keep NAT alive.
Cheap SIM deals may be web only with limited ports.
Other tips:
GPRS modem firmware can (rarely) crash internally. If your hardware supports it, provide software with the ability to power cycle the modem.
Test your box in areas with poor coverage in your own country before you send out international shipments.
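The "openvpn login script" tip above (each unit has a public serial number and a private key, and always appears at the same VPN address so the proxy configuration stays static) can be implemented with OpenVPN's client-connect hook. The script below is an added example, not code from the answer or from the OpenVPN project. It assumes the unit's certificate common name is its public serial number, that the server runs with "topology subnet" on 10.8.0.0/24, and that the central database is a plain "SERIAL IP" text file at the path shown; the sample database it builds is constructed for the demonstration. Unknown serial numbers are refused outright rather than handed a free address, which is the check you want when a stolen or cloned unit shows up.

```shell
#!/bin/sh
# OpenVPN "client-connect" script: pin each remote unit to a fixed tunnel address.
# Assumed (not from the answer): the unit's certificate CN is its public serial
# number, the server uses "topology subnet" on 10.8.0.0/24, and the central
# database is a text file with "SERIAL IP" per line at the path below.
# OpenVPN runs this with the client's CN in $common_name and passes a temporary
# file as the last argument; every directive written there applies to that client
# only. A non-zero exit refuses the connection (server needs "script-security 2").

UNIT_DB="${UNIT_DB:-/etc/openvpn/units.db}"

# Print the tunnel IP registered for a serial number, or nothing if it is unknown.
lookup_unit_ip() {
  awk -v s="$1" '$1 == s { print $2; exit }' "$UNIT_DB"
}

# $1: temp config file from OpenVPN, $2: common name (serial number).
# Returns 1 for unknown units so the connection is refused rather than given
# some free address the proxy configuration knows nothing about.
pin_client() {
  ip=$(lookup_unit_ip "$2")
  if [ -z "$ip" ]; then
    logger -t openvpn-pin "refusing unknown unit '$2'" 2>/dev/null || true
    return 1
  fi
  printf 'ifconfig-push %s 255.255.255.0\n' "$ip" > "$1"
}

# Constructed sample database for trying the script locally (real deployments
# keep this in the central unit database the answer describes).
make_sample_db() {
  cat > "$1" <<'EOF'
BB-000123 10.8.0.12
BB-000124 10.8.0.13
EOF
}

# Entry point when OpenVPN calls the script.
if [ -n "$common_name" ] && [ -n "$1" ]; then
  pin_client "$1" "$common_name" || exit 1
fi
```

On the server this is wired in with "script-security 2" and "client-connect /etc/openvpn/pin-ip.sh" (path assumed). For the NAT-timeout point in the answer, a server-side "keepalive 120 600" is a reasonable starting value, since a two-minute ping stays well under the five-minute floor quoted above; the answer's advice to measure and tune this before a large deployment still applies.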
This is a typical problem with a "mobile agent" appearing in different places or using different providers (in this case just one provider, but it's almost the same). Usually it's solved using some kind of home agent: a server that the mobile connects to and gives details about how to reach it, or, if it can't be reached directly, the home agent acts as a proxy.
Clients always contact the home agent first; then, if possible, they contact the mobile directly, or if not, they use the server as a proxy.
In some cases dynamic DNS might be sufficient; in others you need a real proxy/façade.
There's a good book: Andrew S. Tanenbaum & Maarten van Steen: "Distributed Systems: Principles and Paradigms"
You can ask the cellular provider to give you a SIM card with internet access and a fixed IP address. Then you can host any server you like. Do not forget that you are dealing with limited bandwidth.
