Objective is to extract the ip address from the 11th column and feed it to whois.
The sourcefile it's first line are the headers so they should be ignored.
then I try to select with awk the 11th column.
Since skipping first line seems to be too hard (for me) right now I left it out for now. Any good suggestion is welcome.
The code so far:
while IFS= read -r p
do
DESTIP=$(awk 'BEGIN{FS=OFS=";"} {print $11}' $p)
echo "$DESTIP; $p"
ORGNAME=$(whois $DESTIP|grep 'OrgName')
COUNTRY=$(whois $DESTIP|grep 'Country')
echo "$p;$ORGNAME;$COUNTRY" >>whois-results.txt
done < working-sorted.csv
The first lines of the sourcefile:
timestamp (UTC);ID;Threat Level;Category;Exporter IP address;Observation domain ID (ODID);Source MAC;Manufacturer;Source IP;Source Port;Destination IP;Destination Port;Protocol;Description
2020-03-14 13:54:10;20810;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;118.25.123.42;49420;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short fo
r Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 118.25.123.42 has made a TCP connection towards the dest
ination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we suggest
to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monitore
d network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist
2020-03-14 13:53:45;20809;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;144.217.92.167;55134;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short f
or Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 144.217.92.167 has made a TCP connection towards the de
stination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we sugges
t to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monito
red network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist
Result for now:
awk: cmd. line:1: fatal: cannot open file `2020-01-19' for reading (No such file or directory)
DESTINATION IP=
Variable P= 2020-01-19 20:42:56;43;3;Remote Administration Tool;::ffff:ac8:c8d0/128;101;00:0c:29:4c:20:37;Vmware;172.16.16.100;54552;52.174.64.84;443;TCP;Connection to blacklisted destination
After adjusting the awk to:
DESTIP=$(awk -v TEST='$p' 'BEGIN{FS=OFS=";"} {print $9;}')
I do get the ip addresses from the correct column, but the are in one list and not line by line, nor passed to the whois commands
Desired output:
timestamp (UTC);ID;Threat Level;Category;Exporter IP address;Observation domain ID (ODID);Source MAC;Manufacturer;Source IP;Source Port;Destination IP;Destination Port;Protocol;Description;OrgName;Country;
2020-03-14 13:54:10;20810;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;118.25.123.42;49420;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short fo
r Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 118.25.123.42 has made a TCP connection towards the dest
ination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we suggest
to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monitore
d network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;SomeName;SomeCountry
For now I'm a bit stuck.
Help would be appriciated.
Consider this approach instead of your shell loop:
$ cat tst.awk
BEGIN {
numFlds = split("OrgName Country",nr2name)
FS=OFS=";"
}
{ delete name2val }
NR == 1 {
for (fldNr=1; fldNr<=numFlds; fldNr++) {
fldName = fldVal = nr2name[fldNr]
name2val[fldName] = fldVal
}
}
NR > 1 {
cmd = "whois \047" $9 "\047"
while ( (cmd | getline line) > 0 ) {
fldName = fldVal = line
sub(/[[:space:]]*:.*/,"",fldName)
sub(/[^:]+:[[:space:]]*/,"",fldVal)
name2val[fldName] = fldVal
}
close(cmd)
}
{
printf "%s%s", $0, OFS
for (fldNr=1; fldNr<=numFlds; fldNr++) {
fldName = nr2name[fldNr]
fldVal = name2val[fldName]
printf "%s%s", fldVal, (fldNr<numFlds ? OFS : ORS)
}
}
.
$ awk -f tst.awk file
timestamp (UTC);ID;Threat Level;Category;Exporter IP address;Observation domain ID (ODID);Source MAC;Manufacturer;Source IP;Source Port;Destination IP;Destination Port;Protocol;Description;OrgName;Country
2020-03-14 13:54:10;20810;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;118.25.123.42;49420;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short for Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 118.25.123.42 has made a TCP connection towards the dest ination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we suggest to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monitore d network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;;
2020-03-14 13:53:45;20809;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;144.217.92.167;55134;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short for Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 144.217.92.167 has made a TCP connection towards the de stination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we sugges t to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monito red network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;OVH Hosting, Inc.;CA
since it gives you exactly the output you wanted, it won't fail when Country, for example, appears in one of the values (your current shell script will fail due to a false match given a company name of "Big Country", for example), and with that you can access any of the values output from whois by just referring to their name. So if you wanted to additionally print the "OrgAbuseEmail" all you have to do is change this:
numFlds = split("OrgName Country",nr2name)
to this:
numFlds = split("OrgName Country OrgAbuseEmail",nr2name)
Alternatively, this avoids spawning a shell once per IP address and so MAY be a bit more efficient than the above:
$ cat tst.sh
#!/bin/env bash
file="$1"
awk 'BEGIN{FS=OFS=";"} {print $9, $0}' "$file" |
while IFS=';' read -r ip all; do
whois "$ip"
printf '%s\n---\n' "$all"
done |
awk '
BEGIN {
numFlds = split("OrgName Country",nr2name)
for (fldNr=1; fldNr<=numFlds; fldNr++) {
fldName = nr2name[fldNr]
name2val[fldName] = fldName
}
FS = OFS = ";"
}
/^[[:alpha:]]+:/ {
fldName = fldVal = $0
sub(/[[:space:]]*:.*/,"",fldName)
sub(/[^:]+:[[:space:]]*/,"",fldVal)
name2val[fldName] = fldVal
}
/^---$/ {
printf "%s%s", prev, OFS
for (fldNr=1; fldNr<=numFlds; fldNr++) {
fldName = nr2name[fldNr]
fldVal = name2val[fldName]
printf "%s%s", fldVal, (fldNr<numFlds ? OFS : ORS)
}
delete name2val
}
{ prev = $0 }
'
.
$ ./tst.sh file
timestamp (UTC);ID;Threat Level;Category;Exporter IP address;Observation domain ID (ODID);Source MAC;Manufacturer;Source IP;Source Port;Destination IP;Destination Port;Protocol;Description;OrgName;Country
2020-03-14 13:54:10;20810;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;118.25.123.42;49420;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short fo r Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 118.25.123.42 has made a TCP connection towards the dest ination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we suggest to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monitore d network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;;
2020-03-14 13:53:45;20809;5;Ingress Traffic;::ffff:ac8:c8d0/128;101;00:1a:8c:f0:c2:c0;Sophos;144.217.92.167;55134;172.16.16.150;22;TCP;Ingress connection to common SSH port: 100% CertaintyHigh Severity Category: SSH Description: Short f or Secure Shell Description: This connection represents an encrypted channel (SSH), which is commonly used in IT environments to connect to remote machines. Observations: Source IP 144.217.92.167 has made a TCP connection towards the de stination IP 172.16.16.150 (Private) on destination port 22. Advice:We recommend to investigate the following conditions: 1) Verify if it is expected for your network environment to generate SSH connections. If it is expected, we sugges t to disable this category. A network where developers and sysadmins often host their machines is an example of a network where a significant amount of SSH connections is expected. 2) If you are not expecting SSH traffic from the monito red network, it is recommended to investigate the endpoint according to your company security policies. If the destination 172.16.16.150 is trusted, it is recommended to add that SSH destination IP to the whitelist;OVH Hosting, Inc.;CA
I found a workaround. maybe not so nice, but at least working:
(edit: the workaround is now a bit nicer and less "workaround" :)
The code below is adjusted on advice of Cyrus.)
while IFS= read -r p
do
DESTIP=$(echo "$p" | awk 'BEGIN{FS=OFS=";"} {print $9;}')
echo "DESTINATION IP= $DESTIP"
echo "Variable P= $p"
ORGNAME=$(whois $DESTIP|grep 'OrgName')
COUNTRY=$(whois $DESTIP|grep 'Country')
echo "$p;$domain;$ORGNAME;$COUNTRY" >>working-whois.csv
done < working-sorted.csv
Thanks to Cyrus in this by making clear it needs an inputfile.
Related
I have a small BASH backup script that uses Rsync to grab a handful of computers on my LAN. It works very well for static devices using an Ethernet cable - trouble comes in for my even smaller number of Laptop users that have docks. Every once in a while they do not connect to the Dock & Ethernet cable/statically assigned address and end up on the WiFi with a DHCP assigned address. I already have a list of known statically assigned targets in a file that is parsed through to actually backed up. So I keep thinking I should fairly easily be able to create a second file with an nmap scan before each backup run with other code I found - something like:
sudo nmap -n -sP 192.168.2.0/24 | awk '/Nmap scan report for/{printf $5;}/MAC Address:/{print " => "$3;}' | sort
which gives me a list of 192.168.2.101 => B4:FB:E4:FE:C6:6F for all found devices in the LAN. I just removed the | sort and send it to a file > found.devices instead.
So Now I have a list of found devices IP and MAC address - and I'd like to compare the two files and create a new target list with any changed IP addresses found (for those Laptop users that forgot to connect to the Dock and are now using DHCP). But I still want to keep my original targets file clean for the times that they do remember and also continue to get those other devices that are wired all the time while ignoring everything else on the LAN.
found.devices
192.168.2.190 => D4:XB:E4:FE:C6:6F
192.168.2.102 => B4:QB:Y4:FE:C6:6F
192.168.2.200 => B4:FB:P4:ZE:C6:6F
192.168.2.104 => B4:FB:E4:BE:P6:6F
known.targets
192.168.2.101 D4:XB:E4:FE:C6:6F domain source destination
192.168.2.102 B4:QB:Y4:FE:C6:6F domain source destination
192.168.2.103 B4:FB:P4:ZE:C6:6F domain source destination
192.168.2.104 B4:FB:E4:BE:P6:6F domain source destination
Should get a list or a file for the current back run to use of:
192.168.2.190 domain source destination
192.168.2.102 domain source destination
192.168.2.200 domain source destination
192.168.2.104 domain source destination
Currently my bash script just reads the file of known.targets one line at a time:
cat /known.targets | while read ip hostname source destination
do
this mounts and backs up the data I want ...
I really like the current system, and have found it to be very reliable for my simple needs, just need to find some way to get those users that intermittently forget to dock. I expect its series of nested loops, but I cannot get my head to wrap around it - been away from actual coding for too long - Any suggestions would be greatly appreciated. I'd also really like to get rid of the => and just use comma or space separated data but every time I mess with that awk statement - I end up shifting the data and getting an oddly placed CR somewhere I cannot figure it either!
Try this pure Bash code:
declare -A found_mac2ip
while read -r ip _ mac; do
[[ -n $mac ]] && found_mac2ip[$mac]=$ip
done <'found.devices'
while read -r ip mac domain source destination; do
ip=${found_mac2ip[$mac]-$ip}
# ... DO BACKUP FOR $ip ...
done <'known.targets'
It first sets up a Bash associative array mapping found mac address to ip addresses.
It then loops through the known.targets file and for each mac address it uses the ip address from the known.targets file if the mac address is listed in it. Otherwise it uses the ip address read from the known.targets file.
It's also possible to extract the "found" MAC and IP address information by getting it directly from the nmap output instead of from a `found.devices' file. This alternative version of the code does that:
declare -A found_mac2ip
nmap_output=$(sudo nmap -n -sP 192.168.2.0/24)
while IFS=$' \t\n()' read -r f1 f2 f3 f4 f5 _; do
[[ "$f1 $f2 $f3 $f4" == 'Nmap scan report for' ]] && ip=$f5
[[ "$f1 $f2" == 'MAC Address:' ]] && found_mac2ip[$f3]=$ip
done <<<"$nmap_output"
while read -r ip mac domain source destination; do
ip=${found_mac2ip[$mac]-$ip}
# ... DO BACKUP FOR $ip ...
done <'known.targets'
UPDATE: per comment from OP, dropping assumption (and associated code) about keeping an IP address that shows up in found.devices but without a match in known.targets (ie, this cannot happen)
Assumptions:
start with a list of IP/MAC addresses from known.targets
if a MAC address also shows up in found.devices then the IP address from found.devices takes precendence
Adding a standalone entry to both files:
$ cat known.targets
192.168.2.101 D4:XB:E4:FE:C6:6F domain source destination
192.168.2.102 B4:QB:Y4:FE:C6:6F domain source destination
192.168.2.103 B4:FB:P4:ZE:C6:6F domain source destination
192.168.2.104 B4:FB:E4:BE:P6:6F domain source destination
111.111.111.111 AA:BB:CC:DD:EE:FF domain source destination
$ cat found.devices
192.168.2.190 => D4:XB:E4:FE:C6:6F
192.168.2.102 => B4:QB:Y4:FE:C6:6F
192.168.2.200 => B4:FB:P4:ZE:C6:6F
192.168.2.104 => B4:FB:E4:BE:P6:6F
222.222.222.222 => FF:EE:CC:BB:AA:11
One awk idea:
$ cat ip.awk
FNR==NR { ip[$2]=$1; dsd[$2]=$3 FS $4 FS $5; next }
$3 in ip { ip[$3]=$1 }
END { for (mac in ip) print ip[mac],dsd[mac] }
Running against our files:
$ awk -f ip.awk known.targets found.devices
192.168.2.200 domain source destination
192.168.2.190 domain source destination
192.168.2.104 domain source destination
111.111.111.111 domain source destination
192.168.2.102 domain source destination
Feeding this to a while loop:
while read ip hostname source destination
do
echo "${ip} : ${hostname} : ${source} : ${destination}"
done < <(awk -f ip.awk known.targets found.devices)
This generates:
192.168.2.200 : domain : source : destination
192.168.2.190 : domain : source : destination
192.168.2.104 : domain : source : destination
111.111.111.111 : domain : source : destination
192.168.2.102 : domain : source : destination
I have a shell script in which I use host to get the IP of the target site to update ufw and allow outbound traffic to that IP. However, when I make the subsequent wget call to the same base URL, it resolves to a different IP, and thus is blocked by ufw. Just to test, I tried pinging the URL, and it returned a different third IP.
We're blocking all outbound traffic by default in ufw, and only enable what we need to go out, so I need the script to update the correct IP so I can wget the content. The IP in each instance (host vs wget) is consistently the same, but they return different values with respect to each other, so I don't think it's simply a DNS issue. How do I get a consistent IP to update the firewall with, so that the subsequent wget request performs successfully? I disabled the firewall as a test, and was able to download from the URL successfully, so the issue is definitely in getting a consistent IP to point to.
HOSTNAME=<name of site to resolve>
LOGFILE=<logfile path>
Current_IP=$(host $HOSTNAME | head -n 1 | cut -d " " -f 4)
#this echoes the correct value
echo $Current_IP
if [ ! -f $LOGFILE ]; then
/usr/sbin/ufw allow out from any to $Current_IP
echo $Current_IP > $LOGFILE
echo New IP address found and logged >> ./download.log
else
Old_IP=$(cat $LOGFILE)
if [ "$Current_IP" = "$Old_IP" ] ; then
echo IP address has not changed >> ./download.log
else
/usr/sbin/ufw delete allow out from any to $Old_IP
/usr/sbin/ufw allow out from any to $Current_IP
echo $Current_IP > $LOGFILE
echo IP Address was updated in ufw >> ./download.log
fi
fi
After that updates the firewall, a subsequent wget to HOSTNAME attempts to go out to a different IP than was just updated.
Turns out the difference was "www.". When I was resolving host I was not using www, and when I was using wget I was using www, and thus they resolved to different IPs for this particular site.
I have setup openvpn client on a asus router, it is running padavan firmware, which is similar to tomato and other.
The VPN client works, but I would like to limits it's use to one or 2 ips on my LAN (i.e. AppleTV) and all other clients bypass the VPN connection.
The padavan vpn client has a custom script that is executed with the interface goes up and down on tun0 which is the interface.
I have attempted to route the IP address of the client that I want to use, but it does not prevent access via all of the other clients:
#!/bin/sh
### Custom user script
### Called after internal VPN client connected/disconnected to remote VPN server
### $1 - action (up/down)
### $IFNAME - tunnel interface name (e.g. ppp5 or tun0)
### $IPLOCAL - tunnel local IP address
### $IPREMOTE - tunnel remote IP address
### $DNS1 - peer DNS1
### $DNS2 - peer DNS2
# private LAN subnet behind a remote server (example)
peer_lan="192.168.0.130"
peer_msk="255.255.255.253"
### example: add static route to private LAN subnet behind a remote server
func_ipup()
{
# route add -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
# route add -net $peer_lan gw $IPREMOTE dev $IFNAME
route add default dev tun0 table 200
rule add from 192.168.0.130 table 200
return 0
}
func_ipdown()
{
# route del -net $peer_lan netmask $peer_msk gw $IPREMOTE dev $IFNAME
return 0
}
logger -t vpnc-script "$IFNAME $1"
case "$1" in
up)
func_ipup
;;
down)
func_ipdown
;;
esac
I realise that this is very specific to the padavan firmware, but I think that the commands that are executed when it goes up should be universal, and my routing skills are very limited !
Maybe I need to block / allow using ip tables instead?
Any suggestions or help gratefully appreciated !
I am using LFTP to transfer files from a server, which unfortunately does not recognize the PORT command. I do not have control over the server (do not know in detail what server is) and I have to use the active mode.
This is the command line as:
lftp -e 'debug 10;set ftp:passive-mode off; set ftp:auto-passive-mode no; ls; bye;' -u user,password ftp://ftp.site.com
This is the debug output:
<--- 200 Using default language en_US
---> OPTS UTF8 ON
<--- 200 UTF8 set to on
---> OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
<--- 200 OPTS MLST modify;perm;size;type;UNIX.group;UNIX.mode;UNIX.owner;
---> USER xxxxx
<--- 331 Password required for xxxxx
---> PASS xxxxxx
<--- 230 User xxxxx logged in
---> PBSZ 0
<--- 200 PBSZ 0 successful
---> PROT P
<--- 200 Protection set to Private
---> PORT 172,16,133,11,146,168
<--- 500 Illegal PORT command
---> LIST
---> ABOR
---- Closing aborted data socket
---- Chiusura del socket di controllo
It seems that LFTP renounces to connect to data socket because the remote server does not support the PORT command. Is there a way to convince LFTP can still connect to port 20? By FTP manual obviously no problem.
The issue, I think, is not that the FTP server doesn't support the PORT command (it does), but rather, it doesn't like the IP address/port that your FTP client is sending in the PORT command.
PORT 172,16,133,11,146,168
...tells the server to connect to address 172.16.133.11, port 37544*. The interesting part here is the IP address: it's an RFC 1918 address (i.e. it's a private network address). That, in turn, suggests that your FTP client is in a LAN somewhere, and is connecting to an FTP server using a public IP address.
That remote FTP server cannot connect to a private network address; by definition, RFC 1918 address are not publicly routable.
Thus it very well could be that the FTP server is trying to make a connection to the address/port given in your PORT command, fails, thus that is why the FTP server fails the command, saying:
500 Illegal PORT command
To make a PORT command work with that FTP server, you would need to discover the public IP address that that server can connect to, to reach your client machine. Let's say that this address is 1.2.3.4. Then you would need to tell lftp to use that address in its PORT command, using the ftp:port-ipv4 option.
Chances are, though, that public IP address is the address of a NAT/router/firewall, and that that NAT/router/firewall will not allow connections, from the outside world to a high numbered port (e.g. 37544), to be routed to a machine within the LAN. This is one of the issues with active FTP data transfers, i.e. FTP data transfers which use the PORT (or EPRT) commands: they are not considered "firewall-friendly".
Hope this helps!
* - why 146,168 translates to port 37544?
According to FTP's RFC959 those parameters are:
(...) 16-bit TCP port address. This address information is broken into
8-bit fields and the value of each field is transmitted as a decimal
number (in character string representation).
146 dec = 10010010 bin = A
168 dec = 10101000 bin = B
A B
10010010 10101000 bin = 37544 dec
I'm in the process of maintaining a Ruby on Rails app and am looking for an easy way to find the hostname or IP address of the box I'm on (since it's a VM and new instances may have different hostnames or IP addresses). Is there a quick and easy way to do this in Ruby on Rails?
Edit: The answer below is correct but the clarification Craig provided is useful (see also provided link in answer):
The [below] code does NOT make a
connection or send any packets (to
64.233.187.99 which is google). Since UDP is a stateless protocol connect()
merely makes a system call which
figures out how to route the packets
based on the address and what
interface (and therefore IP address)
it should bind to. addr() returns an
array containing the family (AF_INET),
local port, and local address (which
is what we want) of the socket.
Hostname
A simple way to just get the hostname in Ruby is:
require 'socket'
hostname = Socket.gethostname
The catch is that this relies on the host knowing its own name because it uses either the gethostname or uname system call, so it will not work for the original problem.
Functionally this is identical to the hostname answer, without invoking an external program. The hostname may or may not be fully qualified, depending on the machine's configuration.
IP Address
Since ruby 1.9, you can also use the Socket library to get a list of local addresses. ip_address_list returns an array of AddrInfo objects. How you choose from it will depend on what you want to do and how many interfaces you have, but here's an example which simply selects the first non-loopback IPV4 IP address as a string:
require 'socket'
ip_address = Socket.ip_address_list.find { |ai| ai.ipv4? && !ai.ipv4_loopback? }.ip_address
From coderrr.wordpress.com:
require 'socket'
def local_ip
orig, Socket.do_not_reverse_lookup = Socket.do_not_reverse_lookup, true # turn off reverse DNS resolution temporarily
UDPSocket.open do |s|
s.connect '64.233.187.99', 1
s.addr.last
end
ensure
Socket.do_not_reverse_lookup = orig
end
# irb:0> local_ip
# => "192.168.0.127"
Try this:
host = `hostname`.strip # Get the hostname from the shell and removing trailing \n
puts host # Output the hostname
A server typically has more than one interface, at least one private and one public.
Since all the answers here deal with this simple scenario, a cleaner way is to ask Socket for the current ip_address_list() as in:
require 'socket'
def my_first_private_ipv4
Socket.ip_address_list.detect{|intf| intf.ipv4_private?}
end
def my_first_public_ipv4
Socket.ip_address_list.detect{|intf| intf.ipv4? and !intf.ipv4_loopback? and !intf.ipv4_multicast? and !intf.ipv4_private?}
end
Both return an Addrinfo object, so if you need a string you can use the ip_address() method, as in:
ip= my_first_public_ipv4.ip_address unless my_first_public_ipv4.nil?
You can easily work out the more suitable solution to your case changing the Addrinfo methods used to filter the required interface address.
Simplest is host_with_port in controller.rb
host_port= request.host_with_port
This IP address used here is Google's, but you can use any accessible IP.
require "socket"
local_ip = UDPSocket.open {|s| s.connect("64.233.187.99", 1); s.addr.last}
Similar to the answer using hostname, using the external uname command on UNIX/LINUX:
hostname = `uname -n`.chomp.sub(/\..*/,'') # stripping off "\n" and the network name if present
for the IP addresses in use (your machine could have multiple network interfaces),
you could use something like this:
# on a Mac:
ip_addresses = `ifconfig | grep 'inet ' | grep -v 127.0.0.1 | cut -d' ' -f 2`.split
=> ['10.2.21.122','10.8.122.12']
# on Linux:
ip_addresses = `ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d':' -f 2 | cut -d' ' -f 1`.split
=> ['10.2.21.122','10.8.122.12']
The accepted answer works but you have to create a socket for every request and it does not work if the server is on a local network and/or not connected to the internet. The below, I believe will always work since it is parsing the request header.
request.env["SERVER_ADDR"]
Put the highlighted part in backticks:
`dig #{request.host} +short`.strip # dig gives a newline at the end
Or just request.host if you don't care whether it's an IP or not.
You will likely find yourself having multiple IP addresses on each machine (127.0.0.1, 192.168.0.1, etc). If you are using *NIX as your OS, I'd suggest using hostname, and then running a DNS look up on that. You should be able to use /etc/hosts to define the local hostname to resolve to the IP address for that machine. There is similar functionality on Windows, but I haven't used it since Windows 95 was the bleeding edge.
The other option would be to hit a lookup service like WhatIsMyIp.com. These guys will kick back your real-world IP address to you. This is also something that you can easily setup with a Perl script on a local server if you prefer. I believe 3 lines or so of code to output the remote IP from %ENV should cover you.
io = IO.popen('hostname')
hostname = io.readlines
io = IO.popen('ifconfig')
ifconfig = io.readlines
ip = ifconfig[11].scan(/\ \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\ /)
The couple of answers with require 'socket' look good. The ones with request.blah_blah_blah
assume that you are using Rails.
IO should be available all the time. The only problem with this script would be that if ifconfig is output in a different manor on your systems, then you would get different results for the IP. The hostname look up should be solid as Sears.
try: Request.remote_ip
remote_ip()
Determine originating IP address. REMOTE_ADDR is the standard but will
fail if the user is behind a proxy. HTTP_CLIENT_IP and/or
HTTP_X_FORWARDED_FOR are set by proxies so check for these if
REMOTE_ADDR is a proxy. HTTP_X_FORWARDED_FOR may be a comma- delimited
list in the case of multiple chained proxies; the last address which
is not trusted is the originating IP.
Update:
Oops, sorry I misread the documentation.