QuickTip : Automatically building IP lists for whitelisting?
Automation is in our blood here at Valkyrie, and we like to take this to certain extremes sometimes. A couple of days ago we were doing some development for a couple of integrations at a client of ours. Their system integrates with several external parties such as Twitter, Foursquare, etc.
They rely heavily on webhook communication coming from those parties to keep their data up-to-date.
There is already a certain level of security available through signature and token verification, but we were thinking about an added level of security in the form of whitelisting IP addresses (both single IPs and ranges of IPs in CIDR notation).
Problem : Static lists would get out of date pretty fast
As soon as we started to think about creating these lists, we realized that even with CIDR notation, these large tech firms would outgrow those lists pretty soon.
So we needed a way to keep these lists up to date without much hassle.
Solution : Whois in combination with ASN numbers
Everyone who’s done a little bit of system/network administration will know that you can retrieve a massive amount of information about a company, web address or IP address through the whois service.
Whois can be regarded as an entity of trust, service and innovation, and was founded by ICANN: the Internet Corporation for Assigned Names and Numbers (https://whois.icann.org/en/history-whois)
An AS number (Autonomous System number) can be compared to a company registration number and identifies an online entity and all of its connected IP routing prefixes. Read the following article on Wikipedia to find out more about this.
After doing some digging about combining those, we came up with the following command to get whois information about the IP addresses and CIDR ranges that belong to a certain service.
Q: How do I retrieve the AS number of an entity?
There are multiple ways of retrieving the AS number, the one that we used was through the following online service : ASN Lookup Tool
Q: How would I automate this?
The output of this command still needs to be sanitized a little bit, but after you’ve done this, you could feed it into, for example, iptables. That’s a task I’ll let you do :)
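One way to do the sanitizing step, as an added example that is not part of the original post: it keeps only prefixes originated by the expected AS, drops malformed and overly broad entries, and merges adjacent ranges before rendering firewall rules. It assumes the whois output is in the RPSL style that routing registries return (route:/route6: followed by origin:); the sample data is constructed, and the function names, prefix-length limits and chain name are hypothetical.

```python
import ipaddress

# Constructed sample (documentation prefixes and AS numbers, not real data).
SAMPLE = """\
route:      192.0.2.0/25
descr:      Example webhook sender
origin:     AS64496
route:      192.0.2.128/25
origin:     AS64496
route:      198.51.100.0/24
origin:     AS64511
route:      203.0.113.7/24
origin:     AS64496
route:      0.0.0.0/0
origin:     AS64496
route6:     2001:db8::/32
origin:     as64496
"""

def allowlist_from_whois(text, asn, min_len_v4=8, min_len_v6=19):
    """Return collapsed networks originated by `asn`, dropping junk and overly broad routes."""
    nets, pending = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("route", "route6"):
            pending = value                      # remember prefix until its origin line
        elif key == "origin" and pending is not None:
            candidate, pending = pending, None
            if value.upper() != asn.upper():
                continue                         # object belongs to another AS
            try:
                net = ipaddress.ip_network(candidate, strict=True)
            except ValueError:
                continue                         # not a prefix, or host bits set
            if net.prefixlen >= (min_len_v4 if net.version == 4 else min_len_v6):
                nets.append(net)                 # a /0 must never reach the firewall
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def iptables_rules(nets, chain="WEBHOOK_ALLOW"):
    """Render one ACCEPT rule per network; the chain name is a hypothetical example."""
    return [f"{'iptables' if n.version == 4 else 'ip6tables'} -A {chain} -s {n} -j ACCEPT"
            for n in nets]

if __name__ == "__main__":
    print("\n".join(iptables_rules(allowlist_from_whois(SAMPLE, "AS64496"))))
```

Comparing each run's result against the previous list before applying it makes an unexpected jump in the number or size of prefixes visible.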