Add GeoIP location to nameservers
| Message ID | 5686B34E.7010602@web.de |
|---|---|
| State | Dropped |
| Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.tremer.info [172.28.1.200]) by septima.ipfire.org (Postfix) with ESMTP id 2AA6660D7D for <patchwork@ipfire.org>; Fri, 1 Jan 2016 18:11:48 +0100 (CET) Received: from hedwig.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id E623B1BE8; Fri, 1 Jan 2016 18:11:47 +0100 (CET) Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=212.227.15.14; helo=mout.web.de; envelope-from=itsuperhack@web.de; receiver=development@lists.ipfire.org Received: from mout.web.de (mout.web.de [212.227.15.14]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPS id 23D35D59 for <development@lists.ipfire.org>; Fri, 1 Jan 2016 18:11:45 +0100 (CET) Received: from 127.0.0.1 ([50.7.178.98]) by smtp.web.de (mrweb002) with ESMTPSA (Nemesis) id 0MddbY-1acDKG3FPg-00POjZ for <development@lists.ipfire.org>; Fri, 01 Jan 2016 18:11:45 +0100 To: IPFire Development <development@lists.ipfire.org> From: IT Superhack <itsuperhack@web.de> Subject: [PATCH] Add GeoIP location to nameservers Message-ID: <5686B34E.7010602@web.de> Date: Fri, 1 Jan 2016 18:11:42 +0100 MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="nK13UCnSuXVKrutA86ScIr7ICTgQRRvCg" X-Provags-ID: V03:K0:aGJcIrbUOcGhuCrOT23IAvqGjrQFpY4ZxGn9c/DDhMZ2UE69gin FJ0fdriOmv0hPjScx0CyWD+IKB3UA3OQuzsui6Q6tXRIrDsPmLmK8J6siimOjEvQYTqDoZN OtUKpRITCSMAB4Pw5DqPh7VMXAQjlLa9vRWGe25FLG2iTjbeTScstJ1OTVwU42Ldfbk1ceS zLiJWe5a1sFae4B3nRfDQ== X-UI-Out-Filterresults: notjunk:1; V01:K0:U3tt+elwuPs=:CA716LAuwA0WuM1rdGWWvv IiH76wDF+pN0L84MLtI7v6sesWNLYJeJHbwZLT0plyyZfGwMAPyVc4cYqEygW+R5T5FoKVoNI S/gOpICBfeRpjrRYdUJ6INjx8FKmhtNdqPuoBO6oOPDXgH/Kv+E6TBWCDmiI235U43F+7yU+H slV/3rnQn5HqGkSe6Bc3Vmv0Favx5YtUCROzx/cZi94M8P/juYrGo7yip02EJhBkT8CNgE/T4 kMGGcDv4J1m9gDUiT2t7TYvTnZiVee7vLzn2M2bK7jwjnCrVy1iIxoqeb5+xbL8ZCWZVUiNjJ UIhUbaRVVvilPvUrXzAlqO6gTSVHpNGQogi1u+BWuEFelZwLQwBNsuyqM15cB5lJsfwUVmlXV FYphQlirs6hHe4993NGwCsy5aG9MpVs4JlsRpMth+ndRvKye5Ud93H80PDu1ol+aV4B0CdKjQ crK28+BP69m6fLpVtYzsAL+6gtygg8crK283YFmhpPdHKc7P511cIem2cXzegWYqfw95+dydq bnVoizPgdjvX3t+3xrSVZOldE9t/gmzdp+a2c/snO//PhHRtNmBXkZYAaG6hgIfKrle0DYnx6 POYpX/uGtvfX1tKw5ez9kclHevG2df85jwQa3vNVruBQqQ/1bk9tFM668mMWpyQYMqB1PBE9H Pt+Q3pB0JRLT9NksaKFFrrU4Z4UOE/YtVYwXZ5jMS/sijj3LEYV/xMpk7rrBL7ajVis8z8DDf CO01VGYngDRCHJpd85wuhCuXbOVgat8g3aYQ5AF8/WSz0N8UF5m8mcqh6EztoXsIUtsZICQXZ Bd+IlfM X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <http://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <http://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Message
IT Superhack
Jan. 2, 2016, 4:11 a.m. UTC
Add the GeoIP location flag to the nameservers entry on
netexternal.cgi. The appropriate flag is shown between
ip address and dnssec status.
Signed-off-by: Timmothy Wilson <itsuperhack@web.de>
---
Comments
Hi, Tested. Works. Thanks! ;-) One suggestion: If you change line ~156 in 'netexternal.cgi' from: ... <td>$nameserver</td> ... to ... <td align="center">$nameserver</td> ... it looks even better... (see Attachment) Jm2C! Best, Matthias On 01.01.2016 18:11, IT Superhack wrote: > Add the GeoIP location flag to the nameservers entry on > netexternal.cgi. The appropriate flag is shown between > ip address and dnssec status. > > Signed-off-by: Timmothy Wilson <itsuperhack@web.de> > --- > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi > index 299612d..757785e 100644 > --- a/html/cgi-bin/netexternal.cgi > +++ b/html/cgi-bin/netexternal.cgi > @@ -19,6 +19,7 @@ > # # > ############################################################################### > > +use Geo::IP::PurePerl; > use strict; > > # enable only the following on debugging purpose > @@ -28,6 +29,7 @@ use strict; > require '/var/ipfire/general-functions.pl'; > require "${General::swroot}/lang.pl"; > require "${General::swroot}/header.pl"; > +require "${General::swroot}/geoip-functions.pl"; > require "${General::swroot}/graphs.pl"; > > my %color = (); > @@ -99,6 +101,9 @@ if ( $querry[0] ne~ ""){ > <strong>$Lang::tr{'nameserver'}</strong> > </th> > <th align="center"> > + <strong>$Lang::tr{'location'}</strong> > + </th> > + <th align="center"> > <strong>$Lang::tr{'status'}</strong> > </th> > </tr> > @@ -138,10 +143,20 @@ END > } > > my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'}; > + > + # geoip lookup > + my $geoaddr = Geo::IP::PurePerl->new(); > + my $ccode = $geoaddr->country_code_by_name($nameserver); > + my $fcode = lc($ccode); > + # Get flag icon for of the country. > + my $flag_icon = &GeoIP::get_flag_icon($ccode); > > print <<END; > <tr bgcolor="$table_colour"> > <td>$nameserver</td> > + <td align="center"> > + <a href='/cgi-bin/country.cgi#$fcode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode'></a> > + </td> > <td bgcolor="$bgcolour" align="center"> > <font color="$colour"><strong>$message</strong></font> > </td> > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > index 2bca854..836d12f 100644 > --- a/langs/de/cgi-bin/de.pl > +++ b/langs/de/cgi-bin/de.pl > @@ -1429,6 +1429,7 @@ > 'local vpn hostname/ip' => 'Lokaler VPN Hostname/IP', > 'localkey' => 'Localkey', > 'localkeyfile' => 'Localkeyfile', > +'location' => 'Standort', > 'log' => 'Protokoll', > 'log enabled' => 'Log aktiviert', > 'log level' => 'Log Level', > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > index 4c52392..51a6241 100644 > --- a/langs/en/cgi-bin/en.pl > +++ b/langs/en/cgi-bin/en.pl > @@ -1459,6 +1459,7 @@ > 'local vpn hostname/ip' => 'Local VPN Hostname/IP', > 'localkey' => 'Localkey', > 'localkeyfile' => 'Localkeyfile', > +'location' => 'Location', > 'log' => 'Log', > 'log enabled' => 'Log Enabled', > 'log level' => 'Log Level', >
Just out of curiosity, why do you find this information so helpful? -Michael On Fri, 2016-01-01 at 20:16 +0100, Matthias Fischer wrote: > Hi, > > Tested. > > Works. > > Thanks! ;-) > > One suggestion: > > If you change line ~156 in 'netexternal.cgi' from: > > ... > <td>$nameserver</td> > ... > > to > > ... > <td align="center">$nameserver</td> > ... > > it looks even better... (see Attachment) > > Jm2C! > > Best, > Matthias > > > On 01.01.2016 18:11, IT Superhack wrote: > > Add the GeoIP location flag to the nameservers entry on > > netexternal.cgi. The appropriate flag is shown between > > ip address and dnssec status. > > > > Signed-off-by: Timmothy Wilson <itsuperhack@web.de> > > --- > > diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi > > -bin/netexternal.cgi > > index 299612d..757785e 100644 > > --- a/html/cgi-bin/netexternal.cgi > > +++ b/html/cgi-bin/netexternal.cgi > > @@ -19,6 +19,7 @@ > > # > > # > > > > ################################################################### > > ############ > > > > +use Geo::IP::PurePerl; > > use strict; > > > > # enable only the following on debugging purpose > > @@ -28,6 +29,7 @@ use strict; > > require '/var/ipfire/general-functions.pl'; > > require "${General::swroot}/lang.pl"; > > require "${General::swroot}/header.pl"; > > +require "${General::swroot}/geoip-functions.pl"; > > require "${General::swroot}/graphs.pl"; > > > > my %color = (); > > @@ -99,6 +101,9 @@ if ( $querry[0] ne~ ""){ > > <strong>$Lang::tr > > {'nameserver'}</strong> > > </th> > > <th align="center"> > > + <strong>$Lang::tr{ > > 'location'}</strong> > > + </th> > > + <th align="center"> > > <strong>$Lang::tr > > {'status'}</strong> > > </th> > > </tr> > > @@ -138,10 +143,20 @@ END > > } > > > > my $table_colour = ($id++ % 2) ? > > $color{'color22'} : $color{'color20'}; > > + > > + # geoip lookup > > + my $geoaddr = Geo::IP::PurePerl->new(); > > + my $ccode = $geoaddr > > ->country_code_by_name($nameserver); > > + my $fcode = lc($ccode); > > + # Get flag icon for of the country. > > + my $flag_icon = &GeoIP::get_flag_icon($ccode); > > > > print <<END; > > <tr bgcolor="$table_colour"> > > <td>$nameserver</td> > > + <td align="center"> > > + <a href='/cgi > > -bin/country.cgi#$fcode'><img src='$flag_icon' border='0' > > align='absmiddle' alt='$ccode' title='$ccode'></a> > > + </td> > > <td bgcolor="$bgcolour" > > align="center"> > > <font > > color="$colour"><strong>$message</strong></font> > > </td> > > diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl > > index 2bca854..836d12f 100644 > > --- a/langs/de/cgi-bin/de.pl > > +++ b/langs/de/cgi-bin/de.pl > > @@ -1429,6 +1429,7 @@ > > 'local vpn hostname/ip' => 'Lokaler VPN Hostname/IP', > > 'localkey' => 'Localkey', > > 'localkeyfile' => 'Localkeyfile', > > +'location' => 'Standort', > > 'log' => 'Protokoll', > > 'log enabled' => 'Log aktiviert', > > 'log level' => 'Log Level', > > diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl > > index 4c52392..51a6241 100644 > > --- a/langs/en/cgi-bin/en.pl > > +++ b/langs/en/cgi-bin/en.pl > > @@ -1459,6 +1459,7 @@ > > 'local vpn hostname/ip' => 'Local VPN Hostname/IP', > > 'localkey' => 'Localkey', > > 'localkeyfile' => 'Localkeyfile', > > +'location' => 'Location', > > 'log' => 'Log', > > 'log enabled' => 'Log Enabled', > > 'log level' => 'Log Level', > > >
Hi,
For me: its not really important - just "nice to have"...
Best,
Matthias
On 04.01.2016 17:59, Michael Tremer wrote:
> Just out of curiosity, why do you find this information so helpful?
Hello Michael, hello Matthias,
Michael Tremer:
> Just out of curiosity, why do you find this information so helpful?
As Matthias said already, is is more a "nice to have" than something
which is seriously needed.
I wrote this patch because a friend of mine in France discovered that
his ISP assigns DNS servers from Australia and Great Britain, which
was slowing down DNS resolving a lot.
Therefore I thougt it might be useful to see in which countries your
DNS servers are located, just in case you didn't set some by your own.
In general, adding geographic information to IP addresses is very
helpful in my point of view because anomalies can be detected much
better and more precise firewall rules are possible.
However, some thing might still be improved: For example, the ipinfo.cgi
file shows the IP address, the rDNS name, whois information, but not
the appropriate flag. So, if someone scrolls through the connection tracking
page, he/she/it sees the source and destination IPs of any active (and
recently closed) connection. At the moment, there is no way of telling
which country an IP belongs to - without using additional web services, of
course - since the flag is shown neither at the connection tracking page
nor at the ipinfo.cgi page. This isn't very helpful, is it?
That is basically the motivation behind the two patches I submitted
recently.
Best regards,
Timmothy Wilson
Hi, On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote: > Hello Michael, hello Matthias, > > Michael Tremer: > > Just out of curiosity, why do you find this information so helpful? > > As Matthias said already, is is more a "nice to have" than something > which is seriously needed. This is not too much of an argument. My argument against this is that it brings down page load times because of a not too useful information. > I wrote this patch because a friend of mine in France discovered that > his ISP assigns DNS servers from Australia and Great Britain, which > was slowing down DNS resolving a lot. I get that and this is actually a pretty good one. That only leaves resolvers like 8.8.8.8 which will show "US" but actually are located at many places around the world. Let's hope that people don't get the wrong thing from the flag - or actually start changing their DNS servers to something else :) > Therefore I thougt it might be useful to see in which countries your > DNS servers are located, just in case you didn't set some by your > own. It is sometimes. Although geographic location doesn't mean that it is close on the network. A system in GB is probably not an issue. Australia actually is a bit far away. > In general, adding geographic information to IP addresses is very > helpful in my point of view because anomalies can be detected much > better and more precise firewall rules are possible. I don't get why. > However, some thing might still be improved: For example, the > ipinfo.cgi > file shows the IP address, the rDNS name, whois information, but not > the appropriate flag. So, if someone scrolls through the connection > tracking > page, he/she/it sees the source and destination IPs of any active > (and > recently closed) connection. At the moment, there is no way of > telling > which country an IP belongs to - without using additional web > services, of > course - since the flag is shown neither at the connection tracking > page > nor at the ipinfo.cgi page. This isn't very helpful, is it? The ipinfo.cgi page shows the whois information for an IP address. That may contain the name and HQ location of a company this IP address belongs to, but that does *not* mean that the host is actually located in that country - and almost certainly not at that address. The GeoIP database is a completely different thing. Judging by the location of the host does make any sense if you care about security. > > That is basically the motivation behind the two patches I submitted > recently. > > Best regards, > Timmothy Wilson >
Hello Michael, Michael Tremer: > Hi, > > On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote: >> Hello Michael, hello Matthias, >> >> Michael Tremer: >>> Just out of curiosity, why do you find this information so helpful? >> >> As Matthias said already, is is more a "nice to have" than something >> which is seriously needed. > > This is not too much of an argument. My argument against this is that > it brings down page load times because of a not too useful information. > >> I wrote this patch because a friend of mine in France discovered that >> his ISP assigns DNS servers from Australia and Great Britain, which >> was slowing down DNS resolving a lot. > > I get that and this is actually a pretty good one. > > That only leaves resolvers like 8.8.8.8 which will show "US" but > actually are located at many places around the world. Let's hope that > people don't get the wrong thing from the flag - or actually start > changing their DNS servers to something else :) > >> Therefore I thougt it might be useful to see in which countries your >> DNS servers are located, just in case you didn't set some by your >> own. > > It is sometimes. Although geographic location doesn't mean that it is > close on the network. > > A system in GB is probably not an issue. Australia actually is a bit > far away. The problem here was something else: A couple of months ago, his ISP assigned DNS servers in France, which worked quite well and belonged to the ISP, according to whois information. The list of assigned DNS servers must have changed somewhere in the meantime, and he still does not know why since the ISP does not answer related questions. So, if your ISP suddenly assigns you DNS servers in a very different location than it has done long before, you know that something might be wrong here. (The Quantumhand-program of the NSA lists "DNS injection" as a possible method to impersonate a server - why not even change the DNS server to one they own? Would be much easier...) [http://securityaffairs.co/wordpress/23129/hacking/quantumhand-nsa-impersonates-facebook-inject-malware.html] > >> In general, adding geographic information to IP addresses is very >> helpful in my point of view because anomalies can be detected much >> better and more precise firewall rules are possible. > > I don't get why. For example, many active connections from an internal host to china, korea or an african country might indicate that a host is infected. If someone need to call ipinfo.cgi for every IP he/she/it does not know, it will end in a nightmare... > >> However, some thing might still be improved: For example, the >> ipinfo.cgi >> file shows the IP address, the rDNS name, whois information, but not >> the appropriate flag. So, if someone scrolls through the connection >> tracking >> page, he/she/it sees the source and destination IPs of any active >> (and >> recently closed) connection. At the moment, there is no way of >> telling >> which country an IP belongs to - without using additional web >> services, of >> course - since the flag is shown neither at the connection tracking >> page >> nor at the ipinfo.cgi page. This isn't very helpful, is it? > > The ipinfo.cgi page shows the whois information for an IP address. That > may contain the name and HQ location of a company this IP address > belongs to, but that does *not* mean that the host is actually located > in that country - and almost certainly not at that address. That's right, GeoIP shows the location of the server and not those of its owner. But looking at this whois output: CariNet, Inc. NET-26 (NET-71-6-158-128-1) 71.6.158.128 - 71.6.158.191 CariNet, Inc. CARINET-5 (NET-71-6-128-0-1) 71.6.128.0 - 71.6.255.255 Not very helpful in first place, is it? ;-) > > The GeoIP database is a completely different thing. > > Judging by the location of the host does make any sense if you care > about security. Basically, yes. As I mentioned above, GeoIP makes more sense to detect anomalies and to allow, e.g., only VPN access from countries which are necessary. > >> >> That is basically the motivation behind the two patches I submitted >> recently. >> >> Best regards, >> Timmothy Wilson Best regards, Timmothy Wilson
Hi, On Mon, 2016-01-11 at 09:10 +0100, IT Superhack wrote: > Hello Michael, > > Michael Tremer: > > Hi, > > > > On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote: > > > Hello Michael, hello Matthias, > > > > > > Michael Tremer: > > > > Just out of curiosity, why do you find this information so > > > > helpful? > > > > > > As Matthias said already, is is more a "nice to have" than > > > something > > > which is seriously needed. > > > > This is not too much of an argument. My argument against this is > > that > > it brings down page load times because of a not too useful > > information. > > > > > I wrote this patch because a friend of mine in France discovered > > > that > > > his ISP assigns DNS servers from Australia and Great Britain, > > > which > > > was slowing down DNS resolving a lot. > > > > I get that and this is actually a pretty good one. > > > > That only leaves resolvers like 8.8.8.8 which will show "US" but > > actually are located at many places around the world. Let's hope > > that > > people don't get the wrong thing from the flag - or actually start > > changing their DNS servers to something else :) > > > > > Therefore I thougt it might be useful to see in which countries > > > your > > > DNS servers are located, just in case you didn't set some by your > > > own. > > > > It is sometimes. Although geographic location doesn't mean that it > > is > > close on the network. > > > > A system in GB is probably not an issue. Australia actually is a > > bit > > far away. > The problem here was something else: A couple of months ago, his ISP > assigned DNS servers in France, which worked quite well and belonged > to the ISP, according to whois information. > > The list of assigned DNS servers must have changed somewhere in the > meantime, and he still does not know why since the ISP does not > answer > related questions. > > So, if your ISP suddenly assigns you DNS servers in a very different > location > than it has done long before, you know that something might be wrong > here. > (The Quantumhand-program of the NSA lists "DNS injection" as a > possible > method to impersonate a server - why not even change the DNS server > to > one they own? Would be much easier...) > [http://securityaffairs.co/wordpress/23129/hacking/quantumhand-nsa-im > personates-facebook-inject-malware.html] Yeah, I get where you are coming from. The flag however won't change much here. A check if the IP address of the DNS servers are part of the AS of the ISP would be a better one to find fakes. A latency check would find name servers that are "too far" away on the network. The GeoIP information just very loosely corresponds to a few of these things. Nothing more in my opinion. > > > > > In general, adding geographic information to IP addresses is very > > > helpful in my point of view because anomalies can be detected > > > much > > > better and more precise firewall rules are possible. > > > > I don't get why. > For example, many active connections from an internal host to china, > korea or an african country might indicate that a host is infected. > If someone need to call ipinfo.cgi for every IP he/she/it does not > know, > it will end in a nightmare... Nobody will check this at the right time. Something like snort would help you more here. > > > > > However, some thing might still be improved: For example, the > > > ipinfo.cgi > > > file shows the IP address, the rDNS name, whois information, but > > > not > > > the appropriate flag. So, if someone scrolls through the > > > connection > > > tracking > > > page, he/she/it sees the source and destination IPs of any active > > > (and > > > recently closed) connection. At the moment, there is no way of > > > telling > > > which country an IP belongs to - without using additional web > > > services, of > > > course - since the flag is shown neither at the connection > > > tracking > > > page > > > nor at the ipinfo.cgi page. This isn't very helpful, is it? > > > > The ipinfo.cgi page shows the whois information for an IP address. > > That > > may contain the name and HQ location of a company this IP address > > belongs to, but that does *not* mean that the host is actually > > located > > in that country - and almost certainly not at that address. > That's right, GeoIP shows the location of the server and not those of > its owner. No, still wrong. Just check 8.8.8.8. GeoIP will show you US. It is actually an anycast with many hosts in the world. That is quite typical for name servers. This *must* be added to the documentation in the wiki and state very clearly that this information is never very accurate and especially with name servers less accurate than usually to expect. > But looking at this whois output: > > CariNet, Inc. NET-26 (NET-71-6-158-128-1) 71.6.158.128 - 71.6.158.191 > CariNet, Inc. CARINET-5 (NET-71-6-128-0-1) 71.6.128.0 - 71.6.255.255 > > Not very helpful in first place, is it? ;-) Why not? > > > > The GeoIP database is a completely different thing. > > > > Judging by the location of the host does make any sense if you care > > about security. > Basically, yes. As I mentioned above, GeoIP makes more sense to > detect > anomalies and to allow, e.g., only VPN access from countries which > are > necessary. You should know that IPFire downloads this GeoIP database from an untrusted source over an untrusted connection. > > > > > > > > That is basically the motivation behind the two patches I > > > submitted > > > recently. > > > > > > Best regards, > > > Timmothy Wilson > Best regards, > Timmothy Wilson > -Michael
Hello, Michael Tremer: > Hi, > > On Mon, 2016-01-11 at 09:10 +0100, IT Superhack wrote: >> Hello Michael, >> >> Michael Tremer: >>> Hi, >>> >>> On Sun, 2016-01-10 at 17:25 +0100, IT Superhack wrote: >>>> Hello Michael, hello Matthias, >>>> >>>> Michael Tremer: >>>>> Just out of curiosity, why do you find this information so >>>>> helpful? >>>> >>>> As Matthias said already, is is more a "nice to have" than >>>> something >>>> which is seriously needed. >>> >>> This is not too much of an argument. My argument against this is >>> that >>> it brings down page load times because of a not too useful >>> information. >>> >>>> I wrote this patch because a friend of mine in France discovered >>>> that >>>> his ISP assigns DNS servers from Australia and Great Britain, >>>> which >>>> was slowing down DNS resolving a lot. >>> >>> I get that and this is actually a pretty good one. >>> >>> That only leaves resolvers like 8.8.8.8 which will show "US" but >>> actually are located at many places around the world. Let's hope >>> that >>> people don't get the wrong thing from the flag - or actually start >>> changing their DNS servers to something else :) >>> >>>> Therefore I thougt it might be useful to see in which countries >>>> your >>>> DNS servers are located, just in case you didn't set some by your >>>> own. >>> >>> It is sometimes. Although geographic location doesn't mean that it >>> is >>> close on the network. >>> >>> A system in GB is probably not an issue. Australia actually is a >>> bit >>> far away. >> The problem here was something else: A couple of months ago, his ISP >> assigned DNS servers in France, which worked quite well and belonged >> to the ISP, according to whois information. >> >> The list of assigned DNS servers must have changed somewhere in the >> meantime, and he still does not know why since the ISP does not >> answer >> related questions. >> >> So, if your ISP suddenly assigns you DNS servers in a very different >> location >> than it has done long before, you know that something might be wrong >> here. >> (The Quantumhand-program of the NSA lists "DNS injection" as a >> possible >> method to impersonate a server - why not even change the DNS server >> to >> one they own? Would be much easier...) >> [http://securityaffairs.co/wordpress/23129/hacking/quantumhand-nsa-im >> personates-facebook-inject-malware.html] > > Yeah, I get where you are coming from. The flag however won't change > much here. A check if the IP address of the DNS servers are part of the > AS of the ISP would be a better one to find fakes. Great idea! I will try to develop this over the weekend. (Guess the AS number is easy to find out, maybe there is a central database for this, too.) > > A latency check would find name servers that are "too far" away on the > network. I like this idea, too. Still, it requires that the nameservers answer to ICMP packets, which is not always true... :-( > > The GeoIP information just very loosely corresponds to a few of these > things. Nothing more in my opinion. > >>> >>>> In general, adding geographic information to IP addresses is very >>>> helpful in my point of view because anomalies can be detected >>>> much >>>> better and more precise firewall rules are possible. >>> >>> I don't get why. >> For example, many active connections from an internal host to china, >> korea or an african country might indicate that a host is infected. >> If someone need to call ipinfo.cgi for every IP he/she/it does not >> know, >> it will end in a nightmare... > > Nobody will check this at the right time. Something like snort would > help you more here. Proposed snot is active (not possible on ARM devices), running at that network interface and has the correct signatures loaded, yes. > >>> >>>> However, some thing might still be improved: For example, the >>>> ipinfo.cgi >>>> file shows the IP address, the rDNS name, whois information, but >>>> not >>>> the appropriate flag. So, if someone scrolls through the >>>> connection >>>> tracking >>>> page, he/she/it sees the source and destination IPs of any active >>>> (and >>>> recently closed) connection. At the moment, there is no way of >>>> telling >>>> which country an IP belongs to - without using additional web >>>> services, of >>>> course - since the flag is shown neither at the connection >>>> tracking >>>> page >>>> nor at the ipinfo.cgi page. This isn't very helpful, is it? >>> >>> The ipinfo.cgi page shows the whois information for an IP address. >>> That >>> may contain the name and HQ location of a company this IP address >>> belongs to, but that does *not* mean that the host is actually >>> located >>> in that country - and almost certainly not at that address. >> That's right, GeoIP shows the location of the server and not those of >> its owner. > > No, still wrong. Just check 8.8.8.8. GeoIP will show you US. It is > actually an anycast with many hosts in the world. That is quite typical > for name servers. > > This *must* be added to the documentation in the wiki and state very > clearly that this information is never very accurate and especially > with name servers less accurate than usually to expect. Okay, I will add this to the DNS server list. > >> But looking at this whois output: >> >> CariNet, Inc. NET-26 (NET-71-6-158-128-1) 71.6.158.128 - 71.6.158.191 >> CariNet, Inc. CARINET-5 (NET-71-6-128-0-1) 71.6.128.0 - 71.6.255.255 >> >> Not very helpful in first place, is it? ;-) > > Why not? There is no address, no abuse contact, just these two lines. Now you may start searching, and with no luck, there will be more than one company called "CariNet" out there... I do not expect whois outputs to be user friendly, but I expect them to be admin friendly, which means they show me who to blame and where to blame. ;-) Sorry, speaking for the network operators, here... > >>> >>> The GeoIP database is a completely different thing. >>> >>> Judging by the location of the host does make any sense if you care >>> about security. >> Basically, yes. As I mentioned above, GeoIP makes more sense to >> detect >> anomalies and to allow, e.g., only VPN access from countries which >> are >> necessary. > > You should know that IPFire downloads this GeoIP database from an > untrusted source over an untrusted connection. *Sigh* Thanks for mentioning it... > >>> >>>> >>>> That is basically the motivation behind the two patches I >>>> submitted >>>> recently. >>>> >>>> Best regards, >>>> Timmothy Wilson >> Best regards, >> Timmothy Wilson >> > > -Michael > Best regards, Timmothy Wilson