Okay, so we implement Recaptcha in production. We get errors because it can't reach the IP address it needs to use the service. We open a port for the IP address to reach Google. No problem. We do that and configure that IP address explicitly to work. It works great. Then, the next day, we start getting errors again because Recaptcha is using a different IP address. I can allow requests from that IP address, too, but now I'm unsettled. Where are these addresses coming from? How do I configure this to work reliably?
Recatpcha from Google can use any Google IP address and there are lots of them.
Ran this from Windows:
_netblocks.google.com text =
nslookup -type=TXT _netblocks.google.com
"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
That's all the network Google uses currently. These can change so check them often.
Google suggest allowing port 80 to all IPs outbound, this highly insecure. They recommend going through a proxy server but again that is highly insecure if your web server is an DMZ. Proxy aware trojans do exist. All that need to be done is exploit a vulnerability to execute arbitrary code and you can create reverse connection on port 80 through a proxy server to download the payload. Then it is trivial to escalate privileges and own the box. I don't mean just Windows servers but Linux as well. I've done it in lab environment on security was on. It's really easy to do.
This is the Google website I got this from:
http://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha
I wanted to append to this answer with more recent information. The documentation that Chris is pointing to does not include all of the TXT records necessary to dig (thanks Google):
_netblocks2.google.com (IPv6 subnets)
_netblocks3.google.com (Additional IPv4 subnets)
In my particular case, the _netblocks3 entry contained 2 large /19's that made my initial rule ineffective
(I found additional references here: https://support.google.com/a/answer/60764?hl=en)
Perhaps you should be using a hostname rather than IP
Related
I'm currently working on a client project and I get access to files via FTP. Their server is behind a firewall and they're asking me for my IP address, I'm guessing for whitelisting.
Problem is, my IP address is dynamic and it changes quite a lot throughout the day. Is there anyway around this?
Thanks in advance.
The best way to avoid paying for a static IP is to carry on using a dynamic IP address, but use a dynamic DNS provider such as No-IP which you can cause to update every time your IP address changes (routers will often do this for you automatically, or there are Windows / OSX / Linux (such as ddclient) clients). That way, you can just use something like magpie.no-ip.com instead of an IP address and it will always resolve to your public address.
You can find the whole answer here: https://superuser.com/questions/455226/can-you-configure-dynamic-to-be-static-yourself-without-changing-your-isp
i have created new instance in amazon ec2, and assigned the elastic ip for instance. But i need to know how to get ip for name server (ns1.abc.com, ns2,abc.com).
I have installed whm in amazon instance. Only domain cannot point to the correct name server. That is because ip cannot load.
Now, my problem is that how i get new ip. Can i add another two elastic ip in amazon? But i configured two elastic ip for name server in dns zone within whm. The name server is not working. And i cannot open the elastic ip in browser. I am confuse for it. Please anyone help me.
There are lots of things that can go wrong here. I'll try to troubleshoot step by-step:
I'll assume the goal is "You want to type 'whm.foo.com' and see your WHM"
1) Go to your domain registrar and make an entry that points "whm.foo.com" to your EIP. (Depending on what you want, maybe you should setup a "*.foo.com" wildcard for that EIP.
2) Test that step #1 worked by typing "ping whm.foo.com" or "dig whm.foo.com" (one linux/mac, not sure about Windows). This should return your EIP. If not, go back to step 1.
3) Check that WMH is acually running. Read the docs to find what port it's running on. (Usually 2083, or 2082 for insecure access)
On your instance, run "curl -v localhost:2083" (or whatever port. It should return a login screen. If it says "couldn't connect to host", then you have the wrong port or it's not running.
4) run "netstat -na | grep :2083" (or whatever port). It should say "0.0.0.0:*". If it says "127.0.0.1:*", then you need to configure it to allow outside access.
5) Make sure your WHM port is enabled in the AWS firewall. Go to the AWS control panel and find the security group for your box. Make sure that port is allowed. Ideally, you'd only add your personal IP instead of opening it up to the world. (If there is a bug in WHM, people will scan all IPs trying to exploit it. They can't exploit your server if the AWS firewall denies them access.)
6) Now type "https://whm.foo.com:2083" (or whatever port) in your browser. (or http://whm.foo.com:2082 for insecure access). It should work!
i need to know how to get ip for name server (ns1.abc.com, ns2,abc.com).
As rdrey said, you need to go to your DNS provider (most registrars also do DNS) and tell them what boxes should point to your EIP.
That is because ip cannot load.
There is no such thing as "ip cannot load". Either "DNS is giving the wrong IP" or "some IP operations (TCP ports) were blocked by a firewall somewhere".
Now, my problem is that how i get new ip
I don't think that should be your goal. You can easily change EIPs, but it won't fix the problem. Nothing works unless everything in between is set up correctly. The goal should be understanding all the steps in the process and verifying that each step was done correctly.
OK, you have two options here:
Use the DNS servers provided by your Domain Registrar OR
Use AWS Route53 to let Amazon provide DNS services for you.
Option 1:
You bought your domain name from a registrar, like one of these: http://lifehacker.com/5683682/five-best-domain-name-registrars
Most, if not all, registrars run a free DNS service for their customers. You should be able to log into some kind of management console and set your domain's DNS zone entries to point at your AWS EIP. (I am using gandi.net and used to use godaddy. You simply leave the DNS Servers as they are and set your AWS EIP as the 'A' record.)
Option 2:
Go to https://console.aws.amazon.com/route53/home and follow instructions. I haven't read up on Route53's pricing, so this option might not be free.
---- EDIT:
Some more help:
The site you've linked to (http://www.intodns.com/xantec.com.sg) states that you've used your EIP (54.251.169.7) as the nameserver for the domain. You don't want that. You're running a cPanel installation, NOT a DNS nameserver.
Put 54.251.169.7 as your site's A record. (Sometimes called the www field.) Remove it from the NS fields and put ns3.thesimpledns.com & ns4.thesimpledns.com into those.
I often visit various sites and like to do so anonymously from behind a proxy. However, it seems as if some websites are still able to detect my real IP address. I know this because they use the IP address to attempt to geolocate me for services.
How did they actually get my real IP Address if I am using a proxy?
How can I truly hide myself?
Most proxies you'll find online are so-called 'transparant proxies'. This means they identify themselves as proxy and even give your real IP-address to the site.
These proxies are commonly used to load pages on the proxy-server instead of your PC.
IP proxies won't protect you at all, to be honest.
What you need are VPN's (Virtual Private Networks) a.k.a. Network Tunnel.
VPN's allow you to do everything online via an external PC inside that network. You'll get that PC's IP and all loading etc happens on that PC.
Not all VPN's are undetected. If you always want to browse the web anonymously, you'll need to find some HQ VPN's (barely for free) and you'll need to change VPN frequently.
Try searching on HideMyAss, SecurityKISS, ... or maybe even the TOR-network
I've received a few messages from users of my site that they can not access it from home.
They can access the server from the IP, but not by the domain name.
I think it has something to do with the way my DNS is configured. I setup my own DNS server about 4 years ago on my server, which I probably should not have done, and I'm not sure if everything is configured correctly. There are plenty of people who can access the site without any problems, but some users get 'server can not be found'.
Server Details: Windows 2003 co-located server at a small local hosting company.
Are there good tools or sites that can test and provide configuration recommendations? How do I test this problem when it works fine for me and so many other users? What type of questions should I ask users that can't access the site?
Can I provide / point to another DNS server that can be used if the first server isn't working?
Thanks!
Nevertheless here some pointers:
Questions that you can ask the users:
Run the following command: nslookup test.company.com. The result should be the IP they could access by IP. If it's a wrong IP or no IP, then this hostname A / CNAME record isn't propagated correctly to the outside world.
It could be a ipv4/v6 problem. Maybe the DNS resolves to a ipv6 IP by AAAA record and your ISP (or any provider inbetween) doesn't support ipv6 correctly yet. Under windows, you can ping -6 or ping -4 to see if it resolves to anything at all.
Possible workaround:
Tell your users to hardcode the IP of your server into their HOSTS file...
DNS problems are usually lying at the companies infrastructure though (e.g. not propagating the DNS notifications correctly, wrong DNS servers at your registrar, wrong DNS configuration on your DNS server...)
There's an excellent on-line resource to verify your DNS settings: intoDNS.com
If you think the problem is in your DNS server and you don't need it this way anyway, you can just turn your DNS to any DNS hosting - see my biased list. Setup your DNS records from scratch with any DNS provider and tell your domain registrar to use that provider nameservers. Often registrars themselves provide DNS servers as well.
As for questions to ask users, Khoi explained everything.
Can I use google -- specifically i am thinking of the google ajax api -- to enumerate a list of host names of websites that are hosted on a particular IP address.
Note
Yes, I know that other mechanisms, such as MSN search and obviously DNS services can be used, but I am specificially looking for whether a google solution exists.
AFAIK Google doesn't give out the IP addresses in its search results (unless the URL is only accessible from IP address rather than a host name).
I know you only want Google solutions, but have you tried My IP Neighbors? You put in a URL or IP and it gives you the sites also hosted on the IP.
Not sure you can do with google ajax api; however I think that the best solution would be more oriented towards a sysadmin job (thus ask serverfault..), mainly:
find which nameserver is authoritative for such website
find out which other domains using that nameserver as authoritative
simply because websites hosted on the same server are often served by the same DNS.
On a side note, since a DNS can be authoritative for other domains (not hosted on that IP), you might want to double-check that list and do a lookup on all domains, filtering out those that are hosted on a different server.
This leaves open the question of load balancing, tho: what if a domain is hosted on more than one server?
The answer is left as an exercise to the reader. :)
I searched through Google's forums for SEO Q&A and technical Q&A. The issue of whether Google captures IP addresses is not directly addressed. However, there is at least one answer which suggests Google doesn't care about IP addresses (see squibble's second response.)