I use CloudFlare, so my server's IP address is hidden, and I want to keep it that way. When I make an HTTP request obviously my IP will be revealed. But does gethostbyaddr reveals my IP address? I want to get the user's IP host, so I do:
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
Will the user be able to find out my server's IP address by this?
gethostbyaddr does a reverse DNS lookup. It does not contact the host directly. However, it may contact DNS servers to do the reverse lookup.
Typically PHP will ask the system's DNS service for the reverse lookup, and if the answer doesn't happen to be cached, the service will contact its closest DNS server to get the answer. If that doesn't have the answer, it will go out and contact its closest upstream server etc. etc. until the answer comes back.
So, rarely if ever should the server reach out further than its closest DNS server. It's certainly not impossible though, and if your server happens to contact a DNS server which your user happens to have control over, that user could see the incoming DNS resolution request.
That will be extremely rare, and again, typically the only DNS server your server will have contact with is its closest DNS server, but cannot be entirely ruled out.
Related
I am running into an issue in relation to security and verification. I have a software that checks to confirm a user, and I need to make sure it's the same client sending a PHP request and a node server request. However, on the node server, the client's IP is shown in IPv4, and on the PHP it is shown in IPv6. Is there any way I can get the same output somewhere, for example extract the IPv6 on the node server, or the IPv4 on the PHP server? Thanks.
Obtaining the same IP or verifying that it is the same client despite a "different" IPv4 and IPv6
The problem is that IPv6 and IPv4 are not coupled in any way. There's no way to deduce a v6 address from the v4 address or the other way around.
In my humble opionion, verifying users by their IP addresses is something you should avoid as IP addresses are spoofable, and the practice leads to these kind of issues. That said, there are a couple of "solutions".
Disable IPv6 on the webserver that's hosting the PHP application. Since you haven't mentioned which type of webserver this is, you should be able to google something like 'disable ipv6 apache' on how to achieve this. This should garantuee an identical IPv4 address on both servers. I personally don't particularly like this solution as it hinders IPv6 adoption.
Enable IPv6 on the node server. Please note that clients can still prefer IPv4 over IPv6 for any reason at all and there's no way to garantuee that it will use IPv6 to both webservers.
You could proxy all calls from one webserver to the other and pass the original IP in for example an 'X-Forwarded-For' header. This will introduce some overhead, but the source IP will be stabler.
Personally, I'd shy away from using the IP address and implement some sort of token stored on the client that can be verified on both servers by means of a shared database if that is an option.
I am working on a WordPress website and have the plugin WP Security installed. It tells me the current IP Address I am on when viewing the website. However the IP address it is producing isn't my correct IP address. I did the same thing on another WordPress website and it did produce the correct IP address.
The reason I'm trying to figure out the IP address is because someone entered their login credentials wrong 5 times. The website is set up so when that happens it locks that person out of website for an hour. Well when this happened it didn't just block their IP address, but blocked our IP address and the clients IP address. And the IP address it said it was blocking was neither of ours.
What could be the reasoning for this single website to be grabbing the incorrect IP address and believing it belongs to us and our client?
EDIT: after looking into it a little more the IP address that is showing up on this website is through Liquid Web, our hosting provider. So it is showing that IP address instead of our current/local IP address.
"All" traffic is routed to your webserver via another server (CDN, Firewall, Nginx etc). Following a failed login attempt the WP plugin is blacklisting this intermediate servers IP address locking everyone out.
Typically php scripts gets the visitors IP frome the REMOTE_ADDR environment variable: but depending on configuration with e.g. intermediate Nginx server REMOTE_ADDR may contain the nginx server IP; and the "real visitor" IP may be in HTTP_X_REAL_IP
You can use this script to: check which environment variable on your site contains the actual visitor IP.
It would be useful if you provided the link to the site from which you got the WP Security plugin.
Solution:
Ask your host provider to configure servers so REMOTE_ADDR on your web server will contain visitors IP; or
If you know which environment var is valid (above); then the security plugin may have a setting to configure accordingly; or
Report as a bug on plugins support forum.
i'm using opencart on a virtual host with a dedicated ip. bank allows virtual pos queries only from dedicated ip, but server ip is used by php to communicate with bank's api. is there any way to force php to use that dedicated ip?
ps: there is a in-code solution, however i prefer more general solution like as php.ini edits.
The proper way is to bind() your connecting socket to the IP address of the interface you wish to use. This will guarantee the behavior you want. (You can set the port number to zero to have the OS choose one.)
You can also make the OS pick the interface appropriately. In fact, I'm surprised it is not. You didn't list any specific IP addresses, interface configurations, or a routing table, but if we assume your private IP is 172.16.0.222 and the bank's IP address is 172.16.0.11, then opening a connecting socket to 172.16.0.11 should use your local private IP address. If it's choosing your public address, then the OS thinks it has a route from that address to the destination. Make sure that is not the case and your problem should be fixed.
How to change ip address such that it does not reveal our original address when using $_SERVER['REMOTE_ADDR']; in php
You need to use a proxy server if you're trying to access a website from a different IP than your own. Wikipedia has more information.
There are several options I have in mind for this. I will go from the simpler to the more complicated one.
First, you could use a proxy server and ask him through an HTTP request made by your program or your browser, to fetch a resource for you. The proxy server will take the role of querying a resource in your place to the target service.
Example :
You want to retrieve the main page of the domain stackoverflow.com. You ask the proxy server to ask stackoverflow's HTTP server to send him the main page and he will forward it back to you.
To SO webserver, the superglobal $_SERVER['REMOTE_ADDR'] variable will correspond to the proxy server's IP address and not yours. However, the HTTP protocol implements some fields such as HTTP_VIA, HTTP_X_FORWARDED_FOR, or HTTP_FORWARDED which can be used to know if the current HTTP request is made by a proxy or not.
A transparent proxy will not specify those fields and will not modify your request whereas a non-transparent proxy may reveal the original IP address of the original requester. You got to use a reliable proxy which will act as you intends it to act. Another thing to consider is the use of an SSL tunnel between you and the proxy to avoid eavesdropping.
The second solution is to use a VPN (Virtual private network) server. It would be too complicated to fully explains how this works, but remember this, when you are connected to a computer using a VPN service (like l2tpd, pptpd ...) it's like you were on the same LAN with this computer. So you can transparently make requests to a webserver and he will never find out what's your real IP address.
A third solution could be to use linked nodes based network such as TOR. It's a free network you can connect to, and you will be completely anonymous to regular people. The TOR network power is to provide a network of many nodes and each nodes doesn't know anything about other nodes, so even people connected to the TOR network cannot know anything about you. I suggest you to read more about this if you're interested.
There are more complicated other solutions such as TCP session hijacking which is generally used to fake IP addresses and literally steal another computer's TCP connection, but this is out of the scope of this answer.
I just downloaded PhProxy from here. When I went to some IP locator site my IP was a Dallas/Texas IP. Is there any way to change the IP PhProxy uses? I couldn't find a way to do it.
PHProxy - like all proxies - accepts requests from any of a number of IPs and acts on their behalf to fulfill that request. The IP you're seeing is almost certainly the IP address of your webserver, and no you can't edit some setting to change it. Your server makes a request to some address and includes its own address - this is how the remote end knows how to answer back. You couldn't change this with a PHProxy setting even if you wanted to - if you could, your packets wouldn't get back to you.
You could get a different webhost, if a Dallas-located IP is a real problem, but it would be locked to the new webhost just the same. Webservers can't exactly IP-hop...