Windows 10 VPN connection

With a VPN connection, you can reach the company network securely over the Internet (for example when working from a public place such as a coffee shop).

Before connecting to a VPN you need a VPN profile on the PC. You can create the profile yourself, or set up a work account so that the profile is pushed to you from your company.

On the Add a VPN connection screen, do the following:
Under VPN provider, select Windows (built-in). In the Connection name box, enter a friendly name for the profile (for example "My VPN"); this is the name you look for when connecting. In the Server name or address box, type the address of the VPN server.
Under VPN type, select the type of tunnel to create. You need to know which type your company or VPN service uses. Prefer IKEv2 or SSTP; PPTP is obsolete, because its MS-CHAPv2 authentication can be broken. Under Type of sign-in info, select the credential type to use: a user name and password, a one-time password, a certificate, or a smart card, depending on what your workplace issues. The User name and Password boxes are optional; if you leave them empty, Windows prompts for them on each connection instead of storing them on the device.

VPN Connection

A VPN is a virtual private network built over public lines. Using a VPN device such as a router with VPN support, sites can share data and information even when they are physically apart. Its merit is that it costs less than a leased line; an Internet VPN in particular is inexpensive because it runs over an ordinary Internet subscription.

VPNs have been in widespread use since the 2000s, alongside the growth of IT and virtualization technology. Besides the low cost, traffic between the sites is authenticated and encrypted, so more and more enterprises have adopted them.

Mechanism and features of a VPN connection over the Internet
To connect business offices in geographically separate places, install a VPN router at each office and link the LANs through them. This creates a virtual leased line over the Internet, so the servers at each site can be reached from the other even though they are remote. Because the sites behave like one shared LAN, you can share files and work the same way as in the office even when you are away.

Writing an automatic configuration script (PAC file)

A PAC file describes the conditions for choosing the proxy server, based on information such as the URL of the destination. The script returns the address (host name or IP address) and port number of the proxy server matching conditions such as the host name in the URL or the destination IP address, or DIRECT when no proxy should be used.

PAC file sample

function FindProxyForURL(url, host) {
  // Unqualified names (no dot, e.g. "intranet") are on the local network: no proxy.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // shExpMatch takes a shell-style glob. Without the trailing "*" only the exact
  // URL "http://www.bing.com/" would match and nothing beneath it. Matching on
  // the host (dnsDomainIs(host, ".bing.com")) would also cover https:// URLs.
  if (shExpMatch(url, "http://www.bing.com/*")) {
    return "PROXY www.bing-proxy.com:6060";
  } else if (shExpMatch(url, "http://www.microsoft.com/*")) {
    return "PROXY www.microsoft-proxy.com:7070";
  } else {
    return "PROXY www.other-proxy.com:8080";
  }
}

Proxy server settings in Windows 10

Web browsing can be configured to go through a specific intermediate server; this server is called a proxy server. Proxies can also be used for protocols other than web access.

The main advantages of using one are as follows.

Caching can be used when the same web page is viewed from several PCs.
(Not every PC has to download the same data, so traffic volume is reduced.)
A filter can block access to specific URLs.
Access logs for all PCs can be recorded in one place.

Let's see how to set a proxy server on Windows 10.

Open Settings and choose Network & Internet. Proxy appears in the left pane.

Automatic proxy setup: Use setup script
Specify the URL of the PAC file. Which proxy to use in which case is described in the PAC file (a script written in JavaScript). Whoever controls that file controls where every browser request goes, so host it on a server you control and restrict who can modify it.

Manual proxy setup
Specify your own proxy server: enter its address and port number.

Disabling iptables

iptables is the packet filter shipped with common Linux distributions.
A packet is a unit of data flowing over the network. A packet filter inspects packets and decides which to pass and which to block.
iptables is a very capable, high-performance packet filter that rivals commercial products.
Besides protecting the server itself, it also handles packet forwarding, so on a machine with two network adapters it can control forwarded traffic and serve as a network firewall.

Currently configured rule set (output of iptables -L; the INPUT_ZONES, IN_public and FWDI_/FWDO_ chains are created by firewalld, which is managing the rules on this host)
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_public (2 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FWDI_public_allow (1 references)
target prot opt source destination

Chain FWDI_public_deny (1 references)
target prot opt source destination

Chain FWDI_public_log (1 references)
target prot opt source destination

Chain FWDO_public (2 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere

Chain FWDO_public_allow (1 references)
target prot opt source destination

Chain FWDO_public_deny (1 references)
target prot opt source destination

Chain FWDO_public_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_public (2 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target prot opt source destination

Chain IN_public_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination

There are chains such as INPUT and FORWARD.

Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)

After routing, a packet traverses INPUT (destined for this host), FORWARD (passing through to another host) or OUTPUT (generated locally) before it reaches the application or the wire. With the policies above, anything not explicitly accepted in INPUT or FORWARD is dropped.
Aaaaaah, this is the dangerous one.

Opening sshd on a port other than 22

At the network entry point, every packet comes in through the gateway, so a firewall has to be configured on each server as well.
On Linux that is iptables.

The reason for using a port other than 22 is to sidestep the automated attacks aimed at port 22. This only cuts the noise in the logs; it is not a substitute for key-based authentication and restricting the source addresses.

When remote login is allowed only from inside via the VPN, or only from specific IP addresses, the firewall is what enforces it.
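The steps above (default DROP policies, sshd on a non-standard port, SSH reachable only over the VPN or from fixed addresses) put together as one host firewall. This is an added example, not a script from the original notes; it assumes the VPN address pool is 10.8.0.0/24 and the new SSH port is 2222, both overridable through the ADMIN_NET and SSH_PORT environment variables. It emits iptables-restore input and only applies it when APPLY=1 is set and it runs as root.

```shell
#!/bin/sh
# Added example: host firewall for a server whose sshd listens on a non-standard
# port and accepts new connections only from the VPN/admin network.
# Assumed values: admin network 10.8.0.0/24 (VPN pool), SSH port 2222.

# gen_rules ADMIN_NET SSH_PORT: print the complete filter table in iptables-restore format
gen_rules() {
    admin_net="$1"
    ssh_port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback, replies to connections this host opened, and malformed state
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP keeps path-MTU discovery working; only echo requests are rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT
# SSH on ${ssh_port}: a source that opened 5 new connections within 60 s is dropped,
# otherwise new connections are accepted only from the admin network.
# Moving the port hides nothing from a port scanner; the -s restriction is the control.
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j LOGDROP
-A INPUT -s ${admin_net} -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -m recent --name ssh --set -j ACCEPT
# public web service
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# everything else: log a sample, then drop
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "IPT-DROP: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# sshd_dropin SSH_PORT: the sshd_config lines that go with the rules above
# (the firewall opens the port; sshd still has to listen on it)
sshd_dropin() {
    printf 'Port %s\nPasswordAuthentication no\nPermitRootLogin no\n' "$1"
}

ADMIN_NET="${ADMIN_NET:-10.8.0.0/24}"
SSH_PORT="${SSH_PORT:-2222}"
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    gen_rules "$ADMIN_NET" "$SSH_PORT" | iptables-restore
else
    gen_rules "$ADMIN_NET" "$SSH_PORT"
fi
```

Check the generated file with `iptables-restore --test` before applying it, and keep an existing SSH session open while you do. On a host where firewalld owns the chains, as in the listing above, either stop and disable firewalld first or express the same policy with firewall-cmd, otherwise firewalld rewrites the tables on its next reload. On SELinux systems, `semanage port -a -t ssh_port_t -p tcp 2222` is needed before sshd will bind the new port.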

Typical protocols and ports
ssh: tcp 22
http: tcp 80
https: tcp 443

If you use FTP: tcp 21 (control) and tcp 20 (data). Also telnet tcp 23, smtp tcp 25, dns udp/tcp 53, dhcp udp 67 (server) and udp 68 (client), pop3 tcp 110, ntp udp 123.

I see.

WebDAV

Looking closely, Cyberduck's connection options include WebDAV...

WebDAV, FTP, FTP-SSL, SFTP, Windows Azure Storage, Backblaze B2 Cloud Storage, DRACOON, Google Cloud Storage, Amazon S3, Rackspace Cloud Files, Swift, Dropbox, Google Drive, Microsoft OneDrive

I see, so each online storage service uses its own protocol. Hmm.

PROPFIND method

XXX.XXX.XXX.XXX - - [05/Apr/2018:13:07:49 +0900] "PROPFIND / HTTP/1.1" 405 166 "-" "-"

https://docs.microsoft.com/en-us/previous-versions/office/developer/exchange-server-2003/aa142960(v=exchg.65)
Looks like WebDAV.
What is WebDAV?

This content is no longer actively maintained. It is provided as is, for anyone who may still be using these technologies, with no warranties or claims of accuracy with regard to the most recent product version or service release. The WebDAV PROPFIND Method retrieves properties for a resource identified by the request Uniform Resource Identifier (URI). The PROPFIND Method can be used on collection and property resources.

PROPFIND is one of the WebDAV methods.
WebDAV is a mechanism for reading and editing files on a server over HTTP, so that a directory on a web server can be handled like a local folder.

WebDAV clients: Web Folders (Windows), Cyberduck, cadaver, SkunkDAV
WebDAV servers: Apache + mod_dav, nginx + ngx-dav-ext-module, IIS 5, Jigsaw, Zope

Online storage services resemble WebDAV.
WebDAV was standardized by the IETF in 1999 (RFC 2518, later revised as RFC 4918), with Microsoft among the main contributors.

To keep intruders out of the organization, the firewall maintains the security level by allowing or denying traffic according to protocol.
WebDAV extends HTTP to add file sharing, a different function, on top of it.

All content management can be completed over HTTP alone. Because it is implemented purely as an HTTP extension, it also works in environments where a firewall blocks the usual file-transfer services, or where traffic has to pass through an HTTP proxy. The flip side is that enabling WebDAV exposes write methods (PUT, DELETE, MKCOL, COPY, MOVE) on the web port, so it needs authentication and should be enabled only on the directories that require it.

PROPFIND
Retrieves the properties of the resource identified by the given URI. The client sends the properties it wants in an XML request body (with a Depth header of 0, 1 or infinity controlling how far into a collection the server recurses), and the server returns the corresponding values in a 207 Multi-Status response. All properties of a resource can also be requested at once (allprop). A 405 Method Not Allowed, as in the log line above, means the server has no WebDAV handler for that path.
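An added example, not part of the original notes: a POSIX shell function that reads a combined-format access log (Apache or nginx) and summarises which clients used WebDAV methods and with what result. The sample lines are constructed for the example; only the first copies the masked PROPFIND/405 line from the notes. A 405 means the server refused the method, while a 207 or 201 means WebDAV is actually enabled on that path and is being used.

```shell
#!/bin/sh
# Added example: find WebDAV method probes in a combined-format access log.

# Constructed sample log. Line 1 mirrors the PROPFIND/405 line from the notes
# (client masked); the rest are invented to show an enabled WebDAV share.
SAMPLE_LOG='XXX.XXX.XXX.XXX - - [05/Apr/2018:13:07:49 +0900] "PROPFIND / HTTP/1.1" 405 166 "-" "-"
203.0.113.7 - - [05/Apr/2018:13:08:02 +0900] "OPTIONS / HTTP/1.1" 200 0 "-" "Microsoft-WebDAV-MiniRedir/10.0.17134"
203.0.113.7 - - [05/Apr/2018:13:08:03 +0900] "PROPFIND /share/ HTTP/1.1" 207 1432 "-" "Microsoft-WebDAV-MiniRedir/10.0.17134"
203.0.113.7 - - [05/Apr/2018:13:08:05 +0900] "PUT /share/x.txt HTTP/1.1" 201 0 "-" "Microsoft-WebDAV-MiniRedir/10.0.17134"
198.51.100.23 - - [05/Apr/2018:13:09:11 +0900] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"'

# webdav_probes: read log lines on stdin, print "client method status count" for
# every request that used a WebDAV method (RFC 4918) or PUT/DELETE.
# The request line is the first double-quoted field, so split on quotes rather
# than on whitespace: user agents and referers contain spaces.
webdav_probes() {
    awk '
    {
        split($0, q, "\"")              # q[1]: client ident user [time]; q[2]: request line; q[3]: status bytes
        split(q[1], pre, " ");  client = pre[1]
        split(q[2], req, " ");  method = req[1]
        split(q[3], post, " "); status = post[1]
        if (method ~ /^(PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|PUT|DELETE)$/)
            count[client " " method " " status]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# webdav_accepted: only the probes the server answered with 2xx, i.e. where
# WebDAV is really enabled (207 Multi-Status, 201 Created, ...)
webdav_accepted() {
    webdav_probes | awk '$3 ~ /^2/'
}

printf '%s\n' "$SAMPLE_LOG" | webdav_probes
```

Pipe a real log in with `webdav_probes < /var/log/httpd/access_log`; a client that gets a 405 on PROPFIND is scanning, a client that gets 207 and 201 has found a live share, which is the case worth checking against the intended list of DAV-enabled directories.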

Sakura (the hosting provider) also offers this, on its managed servers.

Intro to Networking

Your phone -> REQUEST “I want earthquake data!” -> Computers at USGS
Response: “Here’s a list of earthquakes from our earthquake data set…”

protocol/scheme
host/domain/authority
resource path
query (param)

HTTP Connection
1. Form the HTTP request
2. Send the request
3. Receive the response and make sense of it
4. Update the UI

Netcat (nc) command

Netcat is a utility for sending and receiving data over a network connection. It is known as the Swiss Army knife of networking tools, and here it is used to talk to a web server directly. Note that HTTP/1.1 requires a Host header: the first request below omits it, while the later ones include it.

# sudo yum install nc nmap
[vagrant@localhost]$ nc google.com 80
GET / HTTP/1.1

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: http://www.google.co.jp/?gfe_rd=cr&ei=vdh5WPnNOK3K8gfgs5d4
Content-Length: 259
Date: Sat, 14 Jan 2017 07:52:29 GMT

302 Moved
The document has moved here.
[vagrant@localhost ruby3]$ nc example.com 80
HEAD / HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Sat, 14 Jan 2017 07:55:51 GMT
Etag: "359670651+gzip"
Expires: Sat, 21 Jan 2017 07:55:51 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (rhv/818F)
X-Cache: HIT
x-ec-custom-error: 1
Content-Length: 606
[vagrant@localhost ruby3]$ nc example.com 80
OPTIONS / HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Cache-Control: max-age=604800
Date: Sat, 14 Jan 2017 07:59:08 GMT
Expires: Sat, 21 Jan 2017 07:59:08 GMT
Server: EOS (lax004/280C)
x-ec-custom-error: 1
Content-Length: 0
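The exchanges above are typed by hand. Below, an added example that is not from the original notes: a small POSIX shell script that builds a well-formed HTTP/1.1 request for nc (Host header, CRLF line endings, Connection: close so nc returns when the server hangs up) and reads the Allow header from an OPTIONS response, flagging methods that let a client change or probe server state (the WebDAV methods from the PROPFIND section, plus PUT, DELETE and TRACE). The two sample responses are constructed: the first mirrors example.com's Allow line above, the second is a hypothetical WebDAV-enabled server.

```shell
#!/bin/sh
# Added example: build an HTTP/1.1 request for nc and audit the Allow header.

# http_request METHOD HOST PATH: minimal valid HTTP/1.1 request.
# HTTP/1.1 requires Host; Connection: close makes the server disconnect so nc exits.
http_request() {
    printf '%s %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: nc-check\r\nConnection: close\r\n\r\n' "$1" "$3" "$2"
}

# allowed_methods: read a response on stdin, print the Allow header's methods one per line.
# Stops at the blank line that ends the headers so nothing in the body is mistaken for one.
allowed_methods() {
    tr -d '\r' | awk '
        tolower($1) == "allow:" { sub(/^[^:]*:[ \t]*/, ""); gsub(/[ \t]/, ""); gsub(/,/, "\n"); print; exit }
        /^$/ { exit }
    '
}

# risky_methods: the subset of Allow that changes or probes server state.
# Empty output means this header alone shows nothing to worry about.
risky_methods() {
    allowed_methods | grep -E '^(PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK)$' || true
}

# check_host HOST [PORT]: live check over the network (not run by default)
check_host() {
    http_request OPTIONS "$1" / | nc -w 5 "$1" "${2:-80}" | risky_methods
}

# Constructed sample responses, headers only. RESP_SAFE mirrors example.com's Allow
# header from the notes; RESP_DAV is a hypothetical server with WebDAV and TRACE enabled.
RESP_SAFE='HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST
Content-Length: 0
'
RESP_DAV='HTTP/1.1 200 OK
Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, PROPFIND, TRACE
DAV: 1,2
Content-Length: 0
'

for r in "$RESP_SAFE" "$RESP_DAV"; do
    allowed="$(printf '%s' "$r" | allowed_methods | tr '\n' ' ')"
    risky="$(printf '%s' "$r" | risky_methods | tr '\n' ' ')"
    printf 'Allow: %s-> risky: %s\n' "$allowed" "${risky:-none}"
done
```

Run `check_host example.com` to query a real server; `check_host host 443` only works behind a TLS wrapper such as `openssl s_client`, since nc speaks plain TCP. An Allow header is advisory: a server may still accept methods it does not list, so treat an empty result as "nothing advertised", not as proof.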

HTTP/2 was developed by the IETF’s HTTP Working Group, which maintains the HTTP protocol. It’s made up of a number of HTTP implementers, users, network operators and HTTP experts.

Note that while our mailing list is hosted on the W3C site, this is not a W3C effort. Tim Berners-Lee and the W3C TAG are kept up-to-date with the WG’s progress, however.

A large number of people have contributed to the effort, but the most active participants include engineers from “big” projects like Firefox, Chrome, Twitter, Microsoft’s HTTP stack, Curl and Akamai, as well as a number of HTTP implementers in languages like Python, Ruby and NodeJS.

To learn more about participating in the IETF, see the Tao of the IETF; you can also get a sense of who's contributing to the specification on GitHub's contributor graph, and who's implementing on our implementation list.