LinuxQuestions.org
Old 09-12-2009, 04:22 PM   #1
qwertyjjj
duplicate IP checks


I have a service that I provide a 24hr trial for. To stop people from registering multiple demo trials, I check their IP but this is an exact IP check and does nothing to help prevent dynamic IP changes. The user could then set up a different email account and re-register.
Any ideas on how to get round this?
 
Old 09-12-2009, 04:53 PM   #2
Tinkster
You could do a whois on their IPs, and deny people
from the same IP range, but that may rule false positives
out. You could try running nmap scans against them to
get an OS fingerprint; but that may fail because of their
local firewalls/corporate firewalls ... really, there's not
much you can do to make this 100% fool-proof other than
having them apply, and verify their domestic address via
snail-mail.



Cheers,
Tink
 
Old 09-13-2009, 03:29 AM   #3
qwertyjjj
Quote:
Originally Posted by Tinkster View Post
You could do a whois on their IPs, and deny people
from the same IP range, but that may rule false positives
out. You could try running nmap scans against them to
get an OS fingerprint; but that may fail because of their
local firewalls/corporate firewalls ... really, there's not
much you can do to make this 100% fool-proof other than
having them apply, and verify their domestic address via
snail-mail.



Cheers,
Tink
I can't verify addresses because the site is online and products are online based, they simply pay through an online ecommerce site if they want the product.
I feel the IP range would block out too many legitimate users.
I guess an nmap fingerprint could work but I'd have to do this in the PHP page wouldn't I or could I issue an nmap scan 5mins later using the IP address?
 
Old 09-13-2009, 12:55 PM   #4
Tinkster
You should be able to do that from within PHP; that is,
for most of its advanced options nmap requires you to
be root, so you'd probably need to wrap that up in a
script and involve sudo.

http://php.net/system


Cheers,
Tink
 
Old 09-13-2009, 01:44 PM   #5
qwertyjjj
Quote:
Originally Posted by Tinkster View Post
You should be able to do that from within PHP; that is,
for most of its advanced options nmap requires you to
be root, so you'd probably need to wrap that up in a
script and involve sudo.

http://php.net/system


Cheers,
Tink
If 2 users have similar computers and OS's, won't this generate false positives as well?

As an example, I get this in a scan. Am I supposed to store the entire text in a DB and compare every time?
Code:
[root@localhost ~]# nmap -O -v xx.xx.xxx.xxx

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-13 19:46 BST
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 19:46
Scanning xx.xx.xxx.xxx [4 ports]
Completed Ping Scan at 19:46, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:46
Completed Parallel DNS resolution of 1 host. at 19:46, 0.00s elapsed
Initiating SYN Stealth Scan at 19:46
Scanning ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx) [1000 ports]
Completed SYN Stealth Scan at 19:46, 6.11s elapsed (1000 total ports)
Initiating OS detection (try #1) against ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx)
Retrying OS detection (try #2) against ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx)
Host ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx) is up (0.048s latency).
Interesting ports on ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx):
Not shown: 994 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
6667/tcp filtered irc
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose|switch|router|printer
Running (JUST GUESSING) : Nokia Symbian OS (98%), Microsoft Windows 2000|95|XP|NT (96%), Intel embedded (95%), Adtran embedded (95%), EtherWerX embedded (95%), HP embedded (95%), IBM z/OS 1.9.X (95%)
Aggressive OS guesses: Nokia E65 mobile phone (Symbian OS) (98%), Microsoft Windows 2000 SP0 (96%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (96%), Microsoft Windows 95 (96%), Microsoft Windows XP (96%), Intel Express 510T switch (95%), Adtran NetVanta 3200 router (95%), EtherWerX PT-1000 PPPoE terminator (95%), HP Photosmart 8400 printer (95%), IBM z/OS 1.9 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 12 hops

Last edited by qwertyjjj; 09-13-2009 at 02:29 PM.
 
Old 09-13-2009, 04:02 PM   #6
Tinkster
Quote:
If 2 users have similar computers and OS's, won't this generate false positives as well?
Of course it will. As I said - the only (reasonably) safe method will be to
send them snail-mail (or an SMS via cell, may be more up to current standards
than snail-mail, and definitely faster; but that, too, limits your "customers"
to people with a cellphone). Everything else is just a balancing act.


What you need is some way of tying them to something that makes them individually
identifiable, an address, a cell-phone number, social security # (not that I'd
hand the latter to any website other than maybe a government agency, ... ) and
make that part of the enrollment.



Cheers,
Tink
 
Old 09-13-2009, 04:18 PM   #7
qwertyjjj
Quote:
Originally Posted by Tinkster View Post
Of course it will. As I said - the only (reasonably) safe method will be to
send them snail-mail (or an SMS via cell, may be more up to current standards
than snail-mail, and definitely faster; but that, too, limits your "customers"
to people with a cellphone). Everything else is just a balancing act.


What you need is some way of tying them to something that makes them individually
identifiable, an address, a cell-phone number, social security # (not that I'd
hand the latter to any website other than maybe a government agency, ... ) and
make that part of the enrollment.



Cheers,
Tink
True but anyone who knows what they're doing will enter different registration details when they register. This is open to the www so people put in names like Abe Simpson living at 123 Home street !!!
How likely would a fingerprint be to get false positives? I mean how much does the fingerprint get back from the OS?
Doesn't the finger print come in some sort of code that I could store in the DB? When I ran nmap, I got a whole load of verbose text.
 
Old 09-13-2009, 04:32 PM   #8
Tinkster
Quote:
Originally Posted by qwertyjjj View Post
True but anyone who knows what they're doing will enter different registration details when they register. This is open to the www so people put in names like Abe Simpson living at 123 Home street !!! :)
You missed the unique part, and the idea of reaching
them back on the cell they entered ;}
They give you their cell-number, you send them a
one-off token they need to enter to confirm who
they are ... how many people will have more than
one or two cells? ;}


Quote:
Originally Posted by qwertyjjj View Post
How likely would a fingerprint be to get false positives? I mean how much does the fingerprint get back from the OS?
Doesn't the finger print come in some sort of code that I could store in the DB? When I ran nmap, I got a whole load of verbose text.
Yes, you'd have to compare the works. You could also
take into account the user-agent strings, maybe they
have some uniquely identifiable info in there. Maybe
set some cookie and hope they're not clever enough to
clean them out?

It really depends on how much trouble you want to go
through to stop double enrollments, what's the cost/
benefit ratio of tying it down as tightly as possible.


Cheers,
Tink
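
The one-off token and the softer signals from the post above (cookie, user-agent, IP range), as an added example that is not part of the original thread. Assumptions: the names `TrialRegistry` and `phone_id`, the 10-minute token lifetime, an IPv4 /24 as "same range", and in-memory storage are all illustrative; delivering the token through an SMS gateway is left out.

```python
import hashlib, hmac, ipaddress, secrets, time

SERVER_KEY = b"constructed-demo-key"  # assumption: real key lives outside the DB
TOKEN_TTL = 600                       # assumed validity of a one-off token, seconds

def phone_id(number):
    """Keyed hash of the digits only, so formatting differences collapse."""
    digits = "".join(c for c in number if c.isdigit())
    return hmac.new(SERVER_KEY, digits.encode(), hashlib.sha256).hexdigest()

class TrialRegistry:
    def __init__(self):
        self.pending = {}  # phone_id -> (token, expiry time)
        self.trials = []   # one dict of signals per granted trial

    def start(self, number, now=None):
        """Create the token; sending it through an SMS gateway is not shown."""
        now = time.time() if now is None else now
        token = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone_id(number)] = (token, now + TOKEN_TTL)
        return token

    def confirm(self, number, token, ip, user_agent, cookie, now=None):
        now = time.time() if now is None else now
        pid = phone_id(number)
        expected, expiry = self.pending.pop(pid, ("", 0))  # token is single use
        if (not expected or now > expiry or
                not hmac.compare_digest(expected.encode(), token.encode())):
            return "rejected: bad or expired token"
        if any(t["pid"] == pid for t in self.trials):
            return "rejected: phone already used for a trial"
        score = max((self._soft_matches(t, ip, user_agent, cookie)
                     for t in self.trials), default=0)
        self.trials.append({"pid": pid, "ip": ip, "ua": user_agent, "cookie": cookie})
        # Soft signals only flag: shared ISPs and identical browsers are common.
        return "granted" if score < 2 else "granted: flag for review"

    @staticmethod
    def _soft_matches(trial, ip, user_agent, cookie):
        same_net = ipaddress.ip_address(trial["ip"]) in ipaddress.ip_network(
            f"{ip}/24", strict=False)  # IPv4 /24 assumed as "same range"
        return sum([same_net, trial["ua"] == user_agent,
                    cookie is not None and trial["cookie"] == cookie])
```

Only the verified phone number blocks a second trial here; matching cookie, user-agent or address range merely marks the account for a human to look at, which keeps the false positives discussed in the thread from locking out legitimate users.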
 
Old 09-14-2009, 09:34 AM   #9
qwertyjjj
Quote:
Originally Posted by Tinkster View Post
You missed the unique part, and the idea of reaching
them back on the cell they entered ;}
They give you their cell-number, you send them a
one-off token they need to enter to confirm who
they are ... how many people will have more than
one or two cells? ;}




Yes, you'd have to compare the works. You could also
take into account the user-agent strings, maybe they
have some uniquely identifiable info in there. Maybe
set some cookie and hope they're not clever enough to
clean them out?

It really depends on how much trouble you want to go
through to stop double enrollments, what's the cost/
benefit ratio of tying it down as tightly as possible.


Cheers,
Tink
Cookies sounds like a good idea...it's at least an extra layer.
With the nmap fingerprint...shouldn't the fingerprint be 1 long line of garbled letters and numbers? All I get from my output is some verbose text which looks like it would be different each time.

Code:
[root@localhost ~]# nmap -O -v xx.xx.xxx.xxx

Starting Nmap 5.00 ( http://nmap.org ) at 2009-09-13 19:46 BST
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 19:46
Scanning xx.xx.xxx.xxx [4 ports]
Completed Ping Scan at 19:46, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:46
Completed Parallel DNS resolution of 1 host. at 19:46, 0.00s elapsed
Initiating SYN Stealth Scan at 19:46
Scanning ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx) [1000 ports]
Completed SYN Stealth Scan at 19:46, 6.11s elapsed (1000 total ports)
Initiating OS detection (try #1) against ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx)
Retrying OS detection (try #2) against ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx)
Host ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx) is up (0.048s latency).
Interesting ports on ip5452e28e.speed.planet.nl (xx.xx.xxx.xxx):
Not shown: 994 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
6667/tcp filtered irc
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|general purpose|switch|router|printer
Running (JUST GUESSING) : Nokia Symbian OS (98%), Microsoft Windows 2000|95|XP|NT (96%), Intel embedded (95%), Adtran embedded (95%), EtherWerX embedded (95%), HP embedded (95%), IBM z/OS 1.9.X (95%)
Aggressive OS guesses: Nokia E65 mobile phone (Symbian OS) (98%), Microsoft Windows 2000 SP0 (96%), Microsoft Windows 2000 SP4 or Windows XP SP2 or SP3 (96%), Microsoft Windows 95 (96%), Microsoft Windows XP (96%), Intel Express 510T switch (95%), Adtran NetVanta 3200 router (95%), EtherWerX PT-1000 PPPoE terminator (95%), HP Photosmart 8400 printer (95%), IBM z/OS 1.9 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 12 hops
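
On the question raised in posts #5 and #9 of what to store and compare: an added example, not part of the original thread, that reduces the scan text above to the fields that stay the same between runs and shows why this particular result is too weak to compare. The function names and the shortened guess list in `SAMPLE` are illustrative assumptions.

```python
import hashlib, re

# Excerpt of the scan output quoted in the thread, wrapped lines joined and the
# guess list shortened for the example.
SAMPLE = """\
Not shown: 994 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
6667/tcp filtered irc
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Nokia E65 mobile phone (Symbian OS) (98%), Microsoft Windows 2000 SP0 (96%), Microsoft Windows XP (96%), HP Photosmart 8400 printer (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 12 hops
"""

def summarise(text):
    """Keep only the fields that do not change from one scan run to the next."""
    ports = sorted(re.findall(r"^(\d+/\w+) +(\w+) +\S+$", text, re.M))
    line = re.search(r"^Aggressive OS guesses: (.*)$", text, re.M)
    guesses = [(name, int(pct)) for name, pct in
               re.findall(r"(.+?) \((\d+)%\)(?:, |$)", line.group(1))] if line else []
    top = guesses[0] if guesses else None
    # One fixed-length value to store: hash of the port states and the top guess.
    key = hashlib.sha256(repr((ports, top)).encode()).hexdigest()
    return {
        "ports": ports, "guesses": guesses, "top_guess": top, "key": key,
        "unreliable": "OSScan results may be unreliable" in text,
        "inexact": "No exact OS matches" in text,
    }

def worth_comparing(record):
    """Only a reliable, exact match is worth comparing at all; even then it
    names an operating system, not a person."""
    return not record["unreliable"] and not record["inexact"]
```

For the output in the thread `worth_comparing` is false: the guesses range from a phone to a printer, so the stored key would mostly reflect which ports the ISP or firewall filters.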
 
  

