Monday, July 18, 2022

let Apache logging show source port for NAT444 forensic logging

With NAT444 / CGNAT, different users share one IPv4 address. So only logging the IPv4 address is not enough to find the specific user; you need to log the source port too. I guess legal intercept logging can then find the individual user.

So ... how do you make the Apache web server log the source IP address plus the source port? Answer: on Ubuntu, in the file /etc/apache2/apache2.conf, as root change the line

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

to

LogFormat "%h:%{remote}p %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined


So instead of only the remote IP address, %h, the IP address plus the source port, :%{remote}p, is logged.


Example result from /var/log/apache2/access.log


18.12.12.65:63022 - - [18/Jul/2022:18:16:10 +0200] "GET /dump/ HTTP/1.1" 200 1571 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"


The source port is 63022
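
To correlate such a line with a CGNAT operator's records you need the address, the source port and an unambiguous timestamp. The parser below is an added example, not code from the original post: it reads the modified combined format shown above, splits address and port on the last colon so IPv6 clients are handled, and converts the time to UTC. It assumes HostnameLookups is Off (so %h is always an IP address); the IPv6 and old-format sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# %h:%{remote}p %l %u %t "%r" %>s %O "Referer" "User-Agent"
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?:\d+|-) '
    r'"(?:[^"\\]|\\.)*" "(?:[^"\\]|\\.)*"$'
)

def parse_line(line):
    """Return address, source port and UTC time of one access-log line, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Split on the LAST colon: an IPv6 %h contains colons itself.
    addr, sep, port = m["peer"].rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) <= 65535:
        return None  # no port: line was written with the old LogFormat
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # e.g. old-format IPv6 line split in the wrong place
    local = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "addr": str(ip),
        "port": int(port),
        "utc": local.astimezone(timezone.utc).isoformat(),
        "request": m["request"],
        "status": int(m["status"]),
    }

UA = ('"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
      '(KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"')
SAMPLES = [
    # line from the post above
    '18.12.12.65:63022 - - [18/Jul/2022:18:16:10 +0200] "GET /dump/ HTTP/1.1" 200 1571 "-" ' + UA,
    # constructed: IPv6 client (documentation prefix), new format
    '2001:db8::1:51514 - - [18/Jul/2022:18:16:11 +0200] "GET / HTTP/1.1" 200 512 "-" ' + UA,
    # constructed: line written before the LogFormat change (no port)
    '18.12.12.65 - - [18/Jul/2022:18:00:00 +0200] "GET / HTTP/1.1" 200 512 "-" ' + UA,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_line(sample))
```

An old-format IPv6 line whose last group happens to be decimal digits can still be misread as address plus port, so only parse log files written after the LogFormat change.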


Thursday, June 9, 2022

Videoland and "Oeps, we konden de video niet afspelen. Het starten van de video is mislukt. Playservice error."

On Videoland I got the error message "Oeps, we konden de video niet afspelen. Het starten van de video is mislukt. Playservice error.".

Cause found: my IPv6 tunnel via Hurricane Electric. After disabling the IPv6 tunnel I could watch Videoland.

My guess: Videoland considers the IPv6 tunnel to be outside the EU / outside the Netherlands, and therefore refuses to play, with that cryptic message. A neater error message (e.g. "you / your IP address xyz is from outside the EU, so we won't play this") would be clearer.






Ah, the Videoland app gives a better error message when the IPv6 tunnel is on: "Videoland is helaas niet beschikbaar in Verenigde Staten"




Wednesday, February 16, 2022

PCExtreme with "IPv6-only" VPS ... certain IPv4 traffic is working, from behind NAT

 

PCExtreme offers "Standard Server 1GB IPv6 only" for only €1 ex VAT per month. See https://www.pcextreme.com/cloud-servers/standard

I wanted to try that out, because: how does IPv6-only work in practice? Is that working in 2022?

So I bought a VPS, and now I'm a bit disappointed: the VPS does have IPv4 after all. It's behind NAT. Just like a device on a home LAN with an ISP connection.

However, some of my IPv4 traffic failed, like git connections to special git ports (no problem via https). So I did some research by trying to connect to outside ports.

Some checks: HTTP and HTTPS are both allowed:

port 80 is allowed

port 443 is allowed

SMTP Port 25 is of course not possible:

port 25 not reached


Other ports ... to find out.