• Host Name/IP Address

    From Mortifis@1:103/705 to All on Saturday, August 10, 2019 12:51:31
    So, I was looking at my user list and noticed that there are a lot of Computer (Host Name) entries that match my computer's host name as well as a lot of entries that have 127.0.0.1 as the ip address and was wondering how does that occur? I assume 127.0.0.1 is my internal ip address for loopback (localhost) so how does an external connection end up as 127.0.0.1 in the user list?


    My doctor said I have the body of a 25 year old ... and the mind of a 10 :-/

    ---
    Synchronet AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Mortifis on Saturday, August 10, 2019 12:29:55
    Re: Host Name/IP Address
    By: Mortifis to All on Sat Aug 10 2019 12:51:31

    So, I was looking at my user list and noticed that there are a lot of Computer (Host Name) entries that match my computer's host name as well as a lot of entries that have 127.0.0.1 as the ip address and was wondering how does that occur? I assume 127.0.0.1 is my internal ip address for loopback (localhost) so how does an external connection end up as 127.0.0.1 in the user list?

    fTelnet, most likely.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    Synchronet electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to echicken on Saturday, August 10, 2019 13:37:41
    Re: Host Name/IP Address
    By: Mortifis to All on Sat Aug 10 2019 12:51:31

    So, I was looking at my user list and noticed that there are a lot of Computer (Host Name) entries that match my computer's host name as well as a lot of entries that have 127.0.0.1 as the ip address and was wondering how does that occur? I assume 127.0.0.1 is my internal ip address for loopback (localhost) so how does an external connection end up as 127.0.0.1 in the user list?

    fTelnet, most likely.

    Interesting, I use fTelnet from my web ui all of the time but it still shows my host name as per external ... I guess there is nothing to be concerned about then? Still odd that user.ip_address would end up being 127.0.0.1; any way to trap the actual ip address?

    My doctor said I have the body of a 25 year old ... and the mind of a 10 :-/

    ---
    Synchronet AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Mortifis on Saturday, August 10, 2019 13:36:49
    Re: Re: Host Name/IP Address
    By: Mortifis to echicken on Sat Aug 10 2019 13:37:41

    Interesting, I use fTelnet from my web ui all of the time but it still shows my host name as per external ... I guess there is nothing to be concerned about then? Still odd that user.ip_address would end up being 127.0.0.1; any way to trap the actual ip address?

    fTelnet talks to the websocket service, and the websocket service talks to your telnet server. Thus as
    far as the telnet server is concerned, connections originate from wherever the websocket service is
    running (typically localhost).

    The address/hostname in your user record is (I think) wherever you last connected from, and can be
    updated by various services (not just ssh/telnet/rlogin). (Mine currently reflects where gmail connected
    from while polling for new mail.)

    So it's nothing to be concerned about, but it does make the user's address in your logs and in their
    record fairly useless in these cases. You'd need to look at your WS service's log to find a
    corresponding entry from when fTelnet connected.

    At one time the websocket service (and maybe ftelnet itself) was responding to the telnet "send location"
    command with the client's real IP address. IIRC this was done so that GeoIP lookups would still work
    with websocket clients. I think it was only done so that KenDB3's weather script would work for these
    users. I'm not sure if this method could be abused in some way to grab the user's real IP address for
    other purposes. Or we could dream up some other method, if it really matters.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    Synchronet electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to echicken on Saturday, August 10, 2019 15:02:14
    At one time the websocket service (and maybe ftelnet itself) was responding to the telnet "send location"
    command with the client's real IP address. IIRC this was done so that GeoIP lookups would still work
    with websocket clients. I think it was only done so that KenDB3's weather script would work for these
    users. I'm not sure if this method could be abused in some way to grab the user's real IP address for
    other purposes. Or we could dream up some other method, if it really matters.

    At the end of the day, it doesn't really matter in my case. I am adding to my useful-only-to-me dup_user_check.js comparing host_names, ip addresses, etc ... mostly so I can reduce the likelihood that someone having multiple accounts with those values could use my smtp server as a spam service ... I used to run the telgate door where one could telnet into my board then telnet out to another board, but that was being abused and dangerous so I deleted it!

    Thank you, EC, as always, very helpful.

    My doctor said I have the body of a 25 year old ... and the mind of a 10 :-/

    ---
    Synchronet AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
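
Added example, not part of the original thread and not Mortifis's dup_user_check.js: a duplicate-address comparison of the kind discussed above, which sets aside records whose address is only the loopback hop left by the websocket service, so proxied fTelnet users are not flagged as one person. The record fields (`alias`, `ip_address`, `host_name`), the local host name `bbs-host` and the sample records are constructed assumptions; this is plain JavaScript, not Synchronet's user API.

```javascript
// Host names that identify the BBS machine itself ('bbs-host' is a placeholder).
const LOCAL_HOSTNAMES = new Set(['localhost', 'bbs-host']);

// True when the recorded address only identifies the local proxy hop
// (e.g. the websocket service), not the remote client.
function isProxyArtifact(ip, host) {
  const addr = String(ip || '').trim().toLowerCase();
  const name = String(host || '').trim().toLowerCase();
  if (addr === '') return true;                                   // nothing to compare
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(addr)) return true; // 127.0.0.0/8
  if (addr === '::1' || /^::ffff:127\./.test(addr)) return true;  // IPv6 loopback forms
  return LOCAL_HOSTNAMES.has(name);
}

// Group users by recorded address; loopback/local records are reported
// separately because they say nothing about where the user really came from.
function findDuplicateAddresses(users) {
  const byAddress = new Map();
  const unverifiable = [];
  for (const u of users) {
    if (isProxyArtifact(u.ip_address, u.host_name)) {
      unverifiable.push(u.alias);
      continue;
    }
    const key = u.ip_address.trim().toLowerCase();
    if (!byAddress.has(key)) byAddress.set(key, []);
    byAddress.get(key).push(u.alias);
  }
  const duplicates = {};
  for (const [addr, aliases] of byAddress) {
    if (aliases.length > 1) duplicates[addr] = aliases;
  }
  return { duplicates, unverifiable };
}

// Constructed sample records (documentation address ranges).
const SAMPLE_USERS = [
  { alias: 'alice', ip_address: '203.0.113.7', host_name: 'host7.example.net' },
  { alias: 'bob', ip_address: '127.0.0.1', host_name: 'bbs-host' },
  { alias: 'carol', ip_address: '127.0.0.1', host_name: 'bbs-host' },
  { alias: 'dave', ip_address: '203.0.113.7', host_name: 'host7.example.net' },
  { alias: 'erin', ip_address: '198.51.100.23', host_name: 'client.example.org' },
  { alias: 'frank', ip_address: '::ffff:127.0.0.1', host_name: 'localhost' },
];

console.log(JSON.stringify(findDuplicateAddresses(SAMPLE_USERS), null, 2));
```

Accounts in the `unverifiable` list need the client address from the websocket service's own log before they can be compared.
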
  • From Mortifis@1:103/705 to echicken on Saturday, August 10, 2019 15:31:52

    So it's nothing to be concerned about, but it does make the user's address in your logs and in their
    record fairly useless in these cases. You'd need to look at your WS service's log to find a
    corresponding entry from when fTelnet connected.


    I cannot find a WS log in data/logs and I combed through a bunch of logs but cannot find any mention of fTelnet. Could you point to where the WS log entry may be? Even if I found the entry my JS skills are limited so I'd have to exec(a php script) to preg_match it LOL

    Thanks for the help.


    My doctor said I have the body of a 25 year old ... and the mind of a 10 :-/

    ---
    Synchronet AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to Mortifis on Saturday, August 10, 2019 16:42:25
    Re: Re: Host Name/IP Address
    By: Mortifis to echicken on Sat Aug 10 2019 15:31:52

    I cannot find a WS log in data/logs and I combed through a bunch of logs but cannot find any mention of fTelnet. Could you point to where the WS log entry may be? Even if I found the entry my JS skills are limited so I'd have to exec(a php script) to preg_match it LOL

    It would be in your 'services' log. If on Windows, that's in the Services tab along with Web and FTP in
    the Synchronet Control Panel (no idear what's what if you're running it headless / as NT services). On
    Linux, it'd presumably go to syslog with everything else.

    ---
    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    Synchronet electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rampage@1:103/705 to Mortifis on Saturday, August 10, 2019 15:34:41
    Re: Host Name/IP Address
    By: Mortifis to All on Sat Aug 10 2019 12:51:31

    So, I was looking at my user list and noticed that there are a lot of
    Computer (Host Name) entries that match my computer's host name as well as a lot
    of entries that have 127.0.0.1 as the ip address and was wondering how
    does that occur? I assume 127.0.0.1 is my internal ip address for loopback
    (localhost) so how does an external connection end up as 127.0.0.1 in the user list?

    one way is if the client has control over their DNS... they can return any IP address they want to a domain name lookup... some spammers/hackers return 127.0.0.1...

    i first saw this when i was running Apache web server... i wasn't logging the IP numbers... only the domain names... when i ran a script that did reverse lookups, it ran into these and kept telling me it was my system... that's when i switched to logging IPs instead of domain names... then it was very easy to see what they were doing...

    not sure if this is what you are describing or not but it is the closest thing i can think of that may explain it...


    )\/(ark

    ---
    Synchronet The SouthEast Star Mail HUB - SESTAR
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to echicken on Saturday, August 10, 2019 19:08:26
    Re: Re: Host Name/IP Address
    By: Mortifis to echicken on Sat Aug 10 2019 15:31:52

    I cannot find a WS log in data/logs and I combed through a bunch of logs but cannot find any mention of fTelnet. Could you point to where the WS log entry may be? Even if I found the entry my JS skills are limited so I'd have to exec(a php script) to preg_match it LOL

    It would be in your 'services' log. If on Windows, that's in the Services tab along with Web and FTP in
    the Synchronet Control Panel (no idear what's what if you're running it headless / as NT services).

    Oh, okay, thought WS might log to a file, the Services Tab doesn't seem to log to a file anywhere that a script might read from at leisure

    My doctor said I have the body of a 25 year old ... and the mind of a 10 :-/

    ---
    Synchronet AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Mortifis@1:103/705 to Rampage on Saturday, August 10, 2019 19:16:59

    one way is if the client has control over their DNS... they can return any IP address they want to a domain name lookup... some spammers/hackers return 127.0.0.1...

    i first saw this when i was running Apache web server... i wasn't logging the IP numbers... only the domain names... when i ran a script that did reverse lookups, it ran into these and kept telling me it was my system... that's when i switched to logging IPs instead of domain names... then it was very easy to see what they were doing...

    not sure if this is what you are describing or not but it is the closest thing i can think of that may explain it...

    No, not exactly what I was describing. EC pointed out how the socket calls work; just gonna write a pre/post connect script for the web ui to trap the original IP in a file for use in a utility I have.

    Thanks, brah


    My doctor said I have the body of a 25 year old ... and the mind of a 10 :-/

    ---
    Synchronet AlleyCat! BBS - http://alleycat.synchro.net:81
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)