A tool to send updates of IP address changes to a web server securely over simple HTTP.
- ipupdater.py
- Runs on the client to send the updates to the web server.
- Get its public IP address with an authenticated message from the web server (to circumvent NAT).
- Send an authenticated update message to the web server.
- ipupdate.php
- Receives the updates on the web server.
- Validates the message authentication.
- Logs the update in a SQLite database.
- getip.php
- Show the current IP address on the web server from the last entry in the database.
- config.php
- Contains the configuration variables: database location and shared secret.
Requirements
- A webserver with any version of PHP (just needs SQLite enabled).
- Python 3.x in the client machine.
Steps
- Put ipupdate.php and getip.php on a web server with PHP.
- Put ipupdater.py anywhere in the machine you want to serve as client.
- Set the SECRET variable in ipupdate.php.
- Change the names of the files if you don't want the original names.
- Use a cronjob in your client to run the ipupdater.py at the interval you want, like 1 hour.
- Access getip.php on the web server to see the current IP address
The usage of ipupdater.py is:
ipupdater.py -w HOST -p SECRET [-u URL]
Sometimes it's useful to connect to our home, or even host some public service there, but normally this IP addresses are dynamically assigned and can change anytime.
Can also be used to get the history log of the IP addresses changes.
This tool can be usefull as a backup to those services. since they can fail for somes reasons:
- The service is taken down abruptlly, which happens.
- The client stops working, for example when the ISP router is switched or takes a factory reset and you forget to configure the dynamic DNS client again.
Or you just don't like the security of those services protocols.
If it doesn't use some authentication mechanism, and someone knows the procedure to update the IP address, they can change it at will, enabling attacks by directing you or someone else to other address they control, or just a simple denial of service.
Instead of having a simple password being passed in plaintext, it uses an HMAC which produces an hash based on the message (the IP and a timestamp) and a shared password.
By having the same password configured in the ipupdater.py and ipupdate.php they generate the same hash at both ends thus verifying the authenticity of the update. This prevents replay attacks by having a timestamp in the messages, and verifying that a new update have a more recent timestamp than the last update.