Private vs. Public IP Addressing?

stevenbriggs

Everything I've read indicates that I must use routable IP addresses on each server that I license. Why?

Is there a reason that I shouldn't be able to just privately address each node, and then do simple port-forwarding with my load-balancers, and SSL termination as well?
 
Ok, I've been reading around, and I understand that your current system does not support private addressing.

Still... argh.

Does it absolutely *have* to be a fact of life that, with your system, every node that I run must possess a routable IP address? Is there no way around that?

I would like to employ SSL termination as well as a few other nifty features most load-balancers can do, and this makes things a bit difficult.

Thoughts?
 
There is absolutely no way around it. If they allowed internal IP addresses, people could share the license among anyone, and all they would have to do is change their IP address to match the one in the license. This is standard with all commercial control panels; otherwise, how else would they make money?
 
There is a way around it: let the DA server connect to a DA license server. The license server can check both the real and local IP. If people are trying to use more DA servers behind one IP than they have licenses for, the license server could check against the local IPs and match it against the number of bought licenses.

That way you could use NAT and still make sure that people bought the licenses.

And it doesn't matter if a DA user has one IP or more.

Just my 2 cents.
 
I'm not quite sure how the license server could check what you call the real IP (I'd call it the public IP).

Perhaps because I'm not a networking guru.

Can you explain a workable scenario?

If you're suggesting the license server simply check to see what IP# the connection is coming from, I'll simply respond back that it's too easy to forge an IP or to do multi-hop routing. And even then, if the license server could figure out the license should be invalid, it might be blocked from disabling it.

Remember, all it takes is one method to be published and that version of the product is forever open.

Jeff
 
real IP=public IP=routable IP etc etc.

I bought an invoice tool which uses this solution to check the license (www.wefact.nl), currently only in Dutch.

The wefact license server(s) checks the public IP address of the server that is connecting, which is trying to validate the license key, with the public IP address that is linked with the license key. (Should be simple to check the originating public IP when using an Apache server.) The wefact software license is checked every time before a user/admin is logged in.

Because there is only a need for one invoice server, wefact doesn't have to check the local IP. (IP of primary interface, not the public IP on the NAT FW/router)

But for a DA server it should be possible to create a PHP script or even a compiled program to connect to the license server that sends its local IP (primary interface) and license key. The license server knows the public IP because you have to connect to it via the internet.

If the public IP is used for more than one DA server, like in a load-balanced situation, you can also use the local IP to check against a valid license. If you have bought 4 DA licenses with the same public IP (load-balanced situation), you know that there can only be 4 unique local IPs in the license database.

If one of the servers needs to be reinstalled, no problem, give it the same IP address and it's up and running again. If you use a different IP for some reason, then you need to ask to delete one of the local IP's from the license database, or change the IP in the license database.

Same goes for the real IP address, but that already needs to be done with the current system.

I can't even think of a way to bypass this, unless you edit the PHP script/compiled program. But you can check that for tampering etc. Haven't bought/installed DA yet, so don't know if you use something like ionCube to protect the PHP scripts.

There should also be a way to let the license check client be aware of a fake license server, how I have no idea, not a programmer :) Maybe a domain name created using the current date as the key.

I could try and see if the creators of wefact can share info about their solution, or contact them yourself. Follow the contact link on the site.
 
Just tried to install my first DA server. Server is at home at the moment, as expected it didn't work. So no choice to install the server in place, and no DA preconfig/testing at home.... :(

But from what I understand of the current license check, it shouldn't be hard to implement. The only thing needed is to add a public IP field to the license (https://www.directadmin.com/clients) and add the server IP to the download string of update.tar.gz. Something like
$BIN_DIR/wget $WGET_OPTION -O $DA_PATH/update.tar.gz --bind-address=$SIP https://www.directadmin.com/cgi-bin/daupdate?uid=$CID\&lid=$LID\&sip=$SIP

Where $SIP is the IP of eth0 (primary interface, local address)

The public IP is already checked when trying to download it, hence the "* You are not allowed to run this program *". So the only thing needed to get it working is having the license server check the server IP field with the public IP address (NAT address) of that server.

Only a small change needed in the setup script itself, to send the server IP. And a few changes to the server checking the license; depending on how it is written it shouldn't be that hard. I expect the license info to be in a database so it shouldn't be that hard to change either.

And a big bonus no need to change the current license check system so security (sharing of licenses) shouldn't be an issue, as it's the same license check system currently in use, with some added features.

I know at least 10 people myself who would love to switch from expensive PLESK/CPANEL to DA, if the license would support NAT servers. I'm currently installing this server for a customer. But if NAT is supported I would buy at least 2 licenses for my own company, and more in the future.

So I'm guessing on my own experience there are a lot more people interested in NAT support, which in turn could finance the people needed to change the license check software.

Hope somebody from the JBMC software is reading this ;)

sfxdana
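
The seat-counting check proposed in the two posts above (public IP seen on the connection, plus a client-sent local IP capped at the number of licenses bought), as an added example that is not part of the original thread and is not DirectAdmin's or WeFact's code. The class and function names, the license id and all addresses are hypothetical and constructed for illustration. The local IP is whatever the client sends, so the server can only count it as a claim.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class License:
    public_ip: str   # NAT/public address registered for this license
    seats: int       # licenses bought for that public address
    local_ips: set = field(default_factory=set)  # local IPs already holding a seat

class LicenseServer:
    def __init__(self):
        self.licenses = {}  # license id -> License

    def register(self, lid, public_ip, seats):
        self.licenses[lid] = License(public_ip, seats)

    def release(self, lid, local_ip):
        # Manual step from the thread: free a seat when a node gets a new local IP.
        self.licenses[lid].local_ips.discard(local_ip)

    def validate(self, lid, source_ip, reported_local_ip):
        # source_ip: address the server itself sees on the connection.
        # reported_local_ip: the client's "sip" value, a self-reported claim.
        lic = self.licenses.get(lid)
        if lic is None:
            return "unknown-license"
        if source_ip != lic.public_ip:
            return "public-ip-mismatch"
        try:
            local = str(ipaddress.ip_address(reported_local_ip))
        except ValueError:
            return "bad-local-ip"
        if local in lic.local_ips:
            return "ok"            # known node, e.g. reinstalled with the same IP
        if len(lic.local_ips) >= lic.seats:
            return "seat-limit"    # more nodes behind the NAT than licenses bought
        lic.local_ips.add(local)
        return "ok"

def demo():
    # Constructed sample: 4 licenses behind one NAT address (documentation range).
    srv = LicenseServer()
    srv.register("LID-EXAMPLE", "203.0.113.10", seats=4)
    nodes = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14", "10.0.0.15"]
    results = [srv.validate("LID-EXAMPLE", "203.0.113.10", ip) for ip in nodes]
    srv.release("LID-EXAMPLE", "10.0.0.12")  # node renumbered
    results.append(srv.validate("LID-EXAMPLE", "203.0.113.10", "10.0.0.15"))
    results.append(srv.validate("LID-EXAMPLE", "198.51.100.7", "10.0.0.11"))
    return results
```
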
 