FQDN in Administration/API whitelist

Add your suggestions for improving Poker Mavens
Grim
Posts: 87
Joined: Thu Oct 15, 2020 8:11 pm

FQDN in Administration/API whitelist

Post by Grim »

I would really like FQDNs to be added to the whitelists. As it's hard to get a static IP for residential users, the IP I'm connecting from varies. I'm using the web UI remotely as it's much easier than anything else, but it also means I have to update the whitelists every time my ISP changes IPs. I'm not sure if you're using Apache, but in 2.4 you can set "Require forward-dns example.com" and if the connecting IP matches the IP(s) of example.com, you get access. Something similar would be awesome.
(https://httpd.apache.org/docs/2.4/mod/m ... _host.html)
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: FQDN in Administration/API whitelist

Post by Kent Briggs »

Poker Mavens is self-contained; it doesn't use any external web server software. Seeing if an IP belongs to a particular domain name would likely require some kind of interaction with a whois database. Not sure how I would do that or if it is even possible for a residential ISP. Implementing a subnet mask to catch a range of IPs would be simpler. But for now I'd suggest just changing the default "admin" and "api" paths in the settings to something obscure. That would also prevent any interaction with an unauthorized user.
Grim
Posts: 87
Joined: Thu Oct 15, 2020 8:11 pm

Re: FQDN in Administration/API whitelist

Post by Grim »

I'm not sure we're on the same page here. A residential ISP wouldn't have to do anything. You simply do a lookup (nslookup in the command prompt is built in), which is simply a DNS lookup on example.com. That would return either a single IP or, usually, multiple IPs, since it could return multiple IPv4 and v6 addresses (e.g. nslookup cnn.com). Those would be the allowed IP(s). The DNS lookup would have to happen when an IP not in the whitelist tries to connect, so it could slow the connection (authentication) process down by seconds (1-3 seconds I'd guess). (It would also mean that any port-scanning bots could trigger a DNS lookup, but it's not exactly resource demanding.)
On my (home) end I would use providers like dyndns.com or similar on my router which would always update mysubdomain.dyndns.com with my current IP.

Please note that this method, which Apache calls forward-dns, is vastly different from their "Require host example.com". The latter method involves the host doing a reverse DNS lookup on the IP you're connecting from, e.g. 1.2.3.4, and checking if the reverse DNS lookup returns example.com. For a residential ISP that would never happen, as it usually would be something in the neighborhood of xxxx.cust.isp.com.

I have changed the API and admin path and such, but every time my ISP changes my IP, I have to update the whitelists. Especially for the API, as it's connecting to a web server at home which in turn connects to an SMS API, and the web server is also doing an API call to PMavens to get the player's account balance, which is included in the SMS, so I don't want random people accessing either API. :) On my web server I'm using forward-dns so I don't have to do anything for incoming web hooks from PMavens.
If I could get the same functionality in PMavens, I'd be set as the API calls to PMavens are coming from my home as well. Here dyndns.com comes to the rescue making sure my domain is always pointing to my IP.

Also, my IPs vary hugely. I've had 32.x.x.x IP, 37.x.x.x and 45.x.x.x IPs so far, so subnets wouldn't really help. I do realize that this is another corner case as most people doing API/web-hooks usually have the luxury of static IP, but here we are. :)
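The forward-DNS allowlist Grim describes, as an added example in Python (not Poker Mavens code, and not Delphi): each whitelist entry is a literal IP, a CIDR range (Kent's subnet idea) or an FQDN; static entries are checked first, and only a client that matches none of them triggers a forward lookup of the FQDN entries, with a short cache so scanner probes do not become one DNS query each. The hostname, addresses and PTR record in `demo()` are constructed fixtures, and the resolver is injectable so the check can be exercised without network access. A `reverse_dns_matches` function shows the other Apache mode ("Require host"), which fails for a residential connection exactly as the post says, because the ISP's PTR record names the ISP, not the dyndns host. Two caveats a deployer should keep in mind: the whole check trusts whatever the server's resolver returns (a poisoned resolver or a hijacked dyndns account admits the attacker), and an unresolvable name admits nobody, which is the fail-closed choice made here.

```python
"""Allowlist with literal IPs, CIDR ranges and forward-DNS (FQDN) entries.
Example code written for this thread; not part of Poker Mavens."""
import ipaddress
import socket
import time
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]  # hostname -> A/AAAA answers as strings


def system_resolver(hostname: str) -> List[str]:
    """Forward lookup via the OS resolver (what nslookup does): all A and AAAA records."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # fail closed: a name that does not resolve admits nobody
    return sorted({info[4][0] for info in infos})


def _normalize(raw: str) -> IPAddr:
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) from dual-stack sockets."""
    ip = ipaddress.ip_address(raw)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


class ForwardDnsAllowlist:
    """Entries may be a literal IP, a CIDR range, or an FQDN resolved on demand."""

    def __init__(self, entries: Iterable[str], resolver: Resolver = system_resolver,
                 ttl: float = 60.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.networks = []    # ip_network objects built from literal IPs and CIDRs
        self.hostnames = []   # FQDNs, resolved only when a non-static client shows up
        self._cache: Dict[str, Tuple[float, FrozenSet[IPAddr]]] = {}
        self.resolver, self.ttl, self.clock = resolver, ttl, clock
        for entry in entries:
            try:
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.hostnames.append(entry.rstrip(".").lower())

    def _resolve(self, name: str) -> FrozenSet[IPAddr]:
        """Forward lookup with a positive/negative cache of `ttl` seconds, so a port
        scanner cannot turn every probe into a fresh DNS query."""
        now = self.clock()
        cached = self._cache.get(name)
        if cached is not None and cached[0] > now:
            return cached[1]
        addrs = set()
        for raw in self.resolver(name):
            try:
                addrs.add(_normalize(raw))
            except ValueError:
                continue  # ignore a junk answer rather than crash the auth path
        self._cache[name] = (now + self.ttl, frozenset(addrs))
        return self._cache[name][1]

    def is_allowed(self, client_ip: str) -> bool:
        try:
            ip = _normalize(client_ip)
        except ValueError:
            return False
        if any(ip in net for net in self.networks):  # static entries cost no lookup
            return True
        return any(ip in self._resolve(name) for name in self.hostnames)


def system_reverse_resolver(ip: str) -> str:
    """PTR lookup via the OS resolver; empty string when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:  # socket.herror and gaierror are OSError subclasses
        return ""


def reverse_dns_matches(client_ip: str, allowed_name: str,
                        reverse_resolver: Callable[[str], str] = system_reverse_resolver) -> bool:
    """Apache 'Require host' style: does the client's PTR record fall under allowed_name?
    (Apache also forward-resolves the PTR name to confirm it; omitted here.)"""
    ptr = reverse_resolver(client_ip)
    name = allowed_name.rstrip(".").lower()
    return bool(ptr) and (ptr == name or ptr.endswith("." + name))


def demo() -> dict:
    """Constructed fixture (documentation ranges): a dyndns name pointing at the
    client's current ISP-assigned addresses, and the generic PTR the ISP publishes."""
    forward = {"mysubdomain.dyndns.com": ["203.0.113.5", "2001:db8::5"]}
    reverse = {"203.0.113.5": "203-0-113-5.cust.isp.example"}
    lookups: List[str] = []
    fake_clock = [1000.0]

    def fake_resolver(name: str) -> List[str]:
        lookups.append(name)
        return forward.get(name, [])

    acl = ForwardDnsAllowlist(["10.0.0.0/8", "192.0.2.7", "mysubdomain.dyndns.com"],
                              resolver=fake_resolver, ttl=60.0, clock=lambda: fake_clock[0])
    results = {
        "dyndns_v4": acl.is_allowed("203.0.113.5"),
        "dyndns_v6": acl.is_allowed("2001:db8::5"),
        "v4_mapped": acl.is_allowed("::ffff:203.0.113.5"),
        "cidr": acl.is_allowed("10.20.30.40"),
        "literal": acl.is_allowed("192.0.2.7"),
        "stranger": acl.is_allowed("198.51.100.9"),
        "garbage": acl.is_allowed("not-an-ip"),
        "lookups_within_ttl": len(lookups),
    }
    fake_clock[0] += 61  # cache expired: the next unmatched client re-resolves
    acl.is_allowed("198.51.100.9")
    results["lookups_after_ttl"] = len(lookups)
    results["reverse_host_style"] = reverse_dns_matches(
        "203.0.113.5", "mysubdomain.dyndns.com", lambda ip: reverse.get(ip, ""))
    return results


if __name__ == "__main__":
    print(demo())
```

Within one TTL window the fixture produces a single forward lookup for seven checks, and the same client that passes the forward-DNS check fails the "Require host" style check, which is the distinction drawn in the post. In a real deployment, pair the cache with a per-source rate limit on unmatched clients, and keep the obscured admin/API path and credentials as the actual authentication; the allowlist is only a filter in front of them.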
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: FQDN in Administration/API whitelist

Post by Kent Briggs »

Grim wrote: Mon Dec 20, 2021 7:50 pm
On my (home) end I would use providers like dyndns.com or similar on my router which would always update mysubdomain.dyndns.com with my current IP.

Ah, ok. That makes more sense now. Finding Delphi code to replicate nslookup might be an issue, though. I'll have to look.

Grim wrote:
I have changed the API and admin path and such but every time my ISP change my IP, I have to update the whitelists.

I was suggesting doing that in lieu of whitelists. If an attacker knows your secret path and your login credentials then you are already compromised.
Grim
Posts: 87
Joined: Thu Oct 15, 2020 8:11 pm

Re: FQDN in Administration/API whitelist

Post by Grim »

Thanks!

I'm not familiar with Delphi, but I would assume DNS lookups are included in a lot of network libraries. nslookup is on both Windows and Linux. Linux and Macs also have dig, but libraries would probably have their own thing and not use OS commands.