Come out, come out, wherever you're tunneled into!
December 1, 2007 7:02 PM

Identifying my home machines via their VPNed-in tunnel interfaces without dynamic DNS - help!

I have a number of home machines that are regularly VPNed into my place of work. The internal VPN pool is DHCP-dynamic and the segment in question will not be offering dynamic DNS service record updates anytime soon. I need a way to sweep the VPN pool(s - multiple concentrators) and identify which machines are mine and which are which with a reasonable degree of certainty.

VNC is the only service they all have in common, so as a stopgap measure I had been doing an nmap sweep with '--open -p 5900' to find all VNC servers and then banging on all of them with login attempts until I found mine. Besides being security-stupid (unencrypted), this pisses many savvier users off and mandates that I keep X running on boxes that don't need GUIs. I'd like to find a replacement service that can run on all of my machines (many linux, a few windows, 1 mac) that can be quickly polled with nmap and return a unique string à la 'quirky hostname lives here' that can be parsed out of the nmap results with grep.

I can already do such things with SNMP but I don't think nmap can poll SNMP strings. I'm thinking about qotd, chargen, upnp, etc. but while I know of them I've never customized them. Does anyone know of any such services which I can install on all of my hosts that will advertise themselves on all interfaces (even temporary ones)?

Thanks!
posted by datacenter refugee to Computers & Internet (7 answers total)
 
DHCP reservations.
posted by rhizome at 7:49 PM on December 1, 2007


Response by poster: DHCP reservations.

I wish, but our DNS/DHCP admins are fairly adamant about not wanting to do this. Our security guys have also voiced similar concerns.
posted by datacenter refugee at 7:55 PM on December 1, 2007


Can you read the tunnel endpoints? That would make it trivial to find your machines.

Otherwise, I'd build it the other way -- set up something that can catch a TCP connection, and make that connection when you build the tunnel. Netcat is your friend here.
posted by eriko at 8:08 PM on December 1, 2007


Run VNC on a port not likely to be used on other machines.
posted by rhizome at 8:13 PM on December 1, 2007


Can the VPN hosts access your work machine? They could ping/write to a file/share with their acquired VPN IP, then you would always have an up-to-date list?

On review: what eriko said!
posted by mattdini at 8:29 PM on December 1, 2007


Well, what I'd do is:

1) Run a DNS server internally that accepts DDNS updates
2) Delegate some portion of the public DNS space to the internal server
3) Run a standard DDNS update client on each of your home machines.

The elegance here is you're publishing the address of the internal DDNS server, but not the hosts themselves, on the Internet. Only the internal DNS server should be able to actually return the home IPs.

I admit it's a bit convoluted :) But it does have the nice effect of working on _everyone's_ machine, not just those you scan from.
posted by effugas at 1:24 AM on December 2, 2007


It's pretty easy to set up a server that listens on any port you'd like in perl (and python too probably). I've got a really basic UDP one that's less than 20 lines. (Let me know if you'd like me to send it to you.)

I like eriko's idea of building your solution in reverse though. I'm thinking of something along the lines of a simple script that adds the host's IP address to a file that's stored in your company's network somewhere.
posted by philomathoholic at 1:31 AM on December 2, 2007
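The beacon the question asks for, built the way philomathoholic describes (a tiny server that answers on any port you like), with one addition: the banner carries an HMAC over a shared secret, so another VPN user cannot spoof a banner that claims to be one of your hosts. This is added example code, not from the thread; the secret, the 'quirky-beacon' prefix and the bind address are assumptions, and the sweep function does in Python what the nmap-plus-grep pass was doing.

```python
import hashlib
import hmac
import socket
import socketserver
import threading

# Constructed placeholder secret: put the same value on every machine you own.
SECRET = b"replace-with-a-real-shared-secret"
PREFIX = "quirky-beacon"

def make_banner(hostname, secret=SECRET):
    """Banner line: '<prefix> <hostname> <hmac-sha256 hex>' plus newline."""
    tag = hmac.new(secret, hostname.encode(), hashlib.sha256).hexdigest()
    return f"{PREFIX} {hostname} {tag}\n"

def parse_banner(line, secret=SECRET):
    """Return the hostname if the line is a beacon banner whose tag verifies, else None."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or parts[0] != PREFIX:
        return None
    expected = hmac.new(secret, parts[1].encode(), hashlib.sha256).hexdigest()
    return parts[1] if hmac.compare_digest(parts[2], expected) else None

class BeaconHandler(socketserver.BaseRequestHandler):
    def handle(self):
        # Write the banner and hang up; nothing is read from the client, so nothing is parsed.
        self.request.sendall(make_banner(self.server.hostname).encode())

class BeaconServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    def __init__(self, bind, hostname):
        super().__init__(bind, BeaconHandler)
        self.hostname = hostname

def start_beacon(hostname, bind=("127.0.0.1", 0)):
    """Run the beacon in a daemon thread; returns (server, port). Port 0 picks a free port."""
    srv = BeaconServer(bind, hostname)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def sweep(targets, timeout=1.0):
    """Connect to each (ip, port), read one banner, keep verified beacons as {ip: hostname}."""
    found = {}
    for ip, port in targets:
        try:
            with socket.create_connection((ip, port), timeout=timeout) as s:
                data = s.recv(256).decode(errors="replace")
        except OSError:
            continue  # closed, refused or timed out: not one of ours
        name = parse_banner(data)
        if name:
            found[ip] = name
    return found
```

On a real deployment bind the server to the address you want it reachable on and run `start_beacon(socket.gethostname(), (addr, port))`; an `nmap --script banner -p <port>` sweep shows the same line, which `parse_banner` will verify once you strip nmap's `|_banner: ` prefix.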

