I am implementing push notifications for mobile banking application using GCM. According to IBM Document we have to open ports 5228,5229,5230 and 443. And our firewall should allow all the IP ranges specified in ASN15169 specification. Because of security reasons Security team not giving access to IP ranges of ASN15169. Please suggest me if we have any other way to access gcm services for application instead of allowing all the ip blocks.
This is related to Google.
If your banking environment does not allow these ports then you need to either convince the security managers of the bank to allow it. Or, create a separate network from the banking systems where you will install a server and connect a device to test the notifications.
Related
Mixpanel is using "SoftLayer" which blocks all the request from IPs coming from Iran. Is there a workaround to redirect these request to IPs in another country to be able to bypass their filter and send the data to Mixpanel?
There are multiple ways depending on your configuration and platform
what is your hosting? If its shared then your options are limited but if you deployed your application on a dedicated server or VPS you can route your traffic via transparent proxies or through a vpn tunnel. And there are many services for that either!
for example Squid is a well-documented and easy to use service for that! But keep in mind that it works better on linux! you can read these articles for configuring a transparent proxy with squid: On Ubuntu, On CentOS
But given the circumstances I recommend using an open-source analytical system such as:
Matomo (formerly known as Piwik)
Open Web Analytics
Heap (a famous iranian event site (Evand) was using Heap)
You can connect through a VPN tunnel. It works the way that you connect to a computer somewhere else (in your case in another country) and then you connect from that computer to the rest of the internet. So from the rest of the internet it looks like you're somewhere else.
You can check out ProtonVPN, they have VPN tunnels through a bunch of countries.
I have set up a LAMP server on a Raspberry Pi on my home network. I would like to expose the pi to the internet by opening up ports 22 and 80 on my router so i can ssh into it as well as use any web services i set up on it.
This is a little pet project I'm using to learn more about networking, server setup and linux in general - with only a cheap RPi which i can wipe and start again easily anything goes wrong. I do plan to put it on a separate subnet to the other devices on the home network, just in case.
(Yes, i know this is a little much for a raspberry pi - this is just a learning exercise and a proof of concept before i throw money at this to build a rig for it)
My understanding is that SSH is already secure, so i don't have to worry about my username and password being seen across the web when i want a terminal session.
My concern is that if i send anything to a web service (such as a wordpress or phpmyadmin password) it'll be clear to see on the web. How can i stop this?
My plan was SSL, but from what I've read, an SSL certificate needs a domain name for a certificate to be issued by most places. When all I'll be doing is pointing to a static IP from my ISP on the devices I'll be using.
The other use i have planned for it is as a mysql server for my kodi boxes to use for the library data so my devices can share data (the videos live on another server running windows). So other devices on a local network need to be allowed access to mysql easily without the silly level of security the internet-side requires. I assume this will be easily possable alongside my other use cases as I'd not be opening the port for it on the router and the only things that would access msql are local network devices, and services on the mysql host itself
Are any of my assumptions or conclusions wrong?
Are there any better ways to achieve what I'm after than what I'm describing?
Is there a preferred way to interact with the Pi if i just wanted it to set off a specific script? (say send a wake-on-lan packet to a specific computer)
Is there a way for me to have the web server onllly communicate with specific devices that i have the appropriate keys/certificates loaded onto so that i can be certain that I'm the only one with access?
Are any of my assumptions or conclusions wrong?
Using a username/password combo for SSH is probably secure enough, but it's generally more secure to use a public/private SSH key pair.
Your assumptions about MySQL seem sound. Just make sure to have some authentication on the server just in case you have a nosey houseguest on your WiFi. :)
Are there any better ways to achieve what I'm after than what I'm
describing?
A couple options that come to mind:
You could generate a self-signed certificate for the web server and then manually copy that onto your client devices. I think this would allow you to get around the requirement for a domain name.
You could set up a secure VPN into your home network. This way you wouldn't have to expose your web/SSH servers to the world.
Is there a way for me to have the web server only communicate with
specific devices that i have the appropriate keys/certificates loaded
onto so that i can be certain that I'm the only one with access?
The VPN option mentioned earlier would allow you to do this.
You could restrict access to the Apache server to only devices with specific client certificates: https://stackoverflow.com/a/24543642/2384183
I'm faced with a problem when trying to access the GCM from a controlled environment that restrict me to a few websites that I can access. In this environment I need to specify what websites I would get access. At first time, I allow the https://android.googleapis.com/gcm/send to free access, but it does not work. Only when I allowed the whole http://google* (notice the asterisc) that worked fine, but I don't can let that mode.
Anybody knows the whole list of websites that are accessed by GCM, in order to register them in my firewall whitelisting?
From the GCM Http Connection server documentation, it states that:
Note: If your organization has a firewall that restricts the traffic to or from the Internet, you need to configure it to allow connectivity with GCM in order for your GCM client apps to receive messages. The ports to open are: 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM doesn't provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.
So you need to configure you ports for 5228, 5229, and 5230.
I have developed an IOT module which can connect to the Wi-Fi and send data to the internet, the module can send data (string) to specific IP address on the specific port.
The internet server should store that information to the data base and display that information to the user via HTTP (web page).
When I set the port to the 9081 (any random number) and my local computer IP address as IP address that module should send data to, I can see data on my local computer terminal.
My question is that how can I send that data to the internet?
What I have in mind is that I can purchase domain name, host and develop a web site (HTTP) which by default listen to port 80. The service provider only give me a basic services such as HTTP, HTTPS and FTP which make it possible to upload website and I don’t have access to other protocols and ports.
Should I purchase virtual private server or I should use any specific cloud services or the module can send data to the server on port 80 without getting conflict with web pages and web contents?
Please give me some suggestion.
I did something similar with an IoT module. There are two options that I also considered. Before we describe, there is no need to buy a domain name. You can comfortably use the IP address to connect to. If you have some spare cash go for it.
Send everything to the web server on your local computer. To have access to the local computer you must enable port 80 to be accessible over the internet. You do this on a router. This is called port forwarding. You setup a rule such that all the requests made to your IP address on port 80 should be redirected to your local computer on whatever port the web server is listening to. This is the cheapest method available. Also, there is an important limitation: you're local computer needs to be switched on all the time if you want to access the data.
Buy a droplet (virtual private server). The workflow is the same as 1, but you don't need to port forwarding anything. These are usually setup and ready to use. However, this is usually expensive. Most of these providers offer pay-as-you-go services (e.g., Digital Ocean is the one that I used). There are other providers which offer free but limited versions. These are usually developer trial versions. If you go over a number of transactions, or space, you will have to pay (have a look at Parse).
Our product (Network Forensics and analytics tool) has a requirement to dissect RDP sessions on Windows 200x servers and
Map each session to a logged-in account.
Track all TCP/UDP sessions that are going to the internet.
URLs visited
External Servers and ports connected to, etc.
I have designed a code that can achieve this by installing an NT service on each of the terminal servers. This service will mine the data on that server and push it to my linux-based appliance. Alternatively it can log the information to the local Eventlog and then I can use simple WMI calls to retrieve this information.
However, I would like to know if there is a way to retrieve all TCP/UDP connections by polling the terminal servers externally (via WMI or otherwise) and gather the same information. Basically, I am trying to check if there is a way to avoid installing anything on the Windows terminal servers.
Thanks,
-Chandra