upc sold me a static line, then changed the ip :(

RoyalMarine

I set up a business acc with upc, got a static ip, and configured a server to operate on it.
it took me a long long time to get it all up and running, as i had to begin reading on how to operate windows server 2003 efficiently and securely.

I then wrote a few programs and some software that auto connected vpn's, mapped network drives etc for the company, and this took a long time.

So it was all running since march, and not a single hiccup.

Today i got a call from one of the employee's saying he could no longer access the server and was getting error messages.

I spent about 3 hours rebooting the server, checking everything was working, and then i noticed my ip had changed!

i rang upc and they fobbed me off saying no one can answer that question, you will need to contact it support. they gave me a number, and it went to a voice mail account and that was it.

no response at all.

has anyone had this problem?

Im hoping it an error on their behalf, and i truly do have a static ip, rather than a dynamic ip with a prolonged lease time.

If its the latter, it will not suit as the software i wrote will take a long time to change everything over, get all their laptop's together and update everything.

Im very pissed off over this, as when i ordered it, i explained to them what we were doing and they said they have lots of company's who do the same, and it wont be a problem.

watty

You should use a separate firewall/NAT and only LAN IPs on the server. Then it's trivial if IP does change and also you are then protected from about 3/4 of exploits.

I'm biting my tongue.

A decent router can even do Open VPN. VPN is the only really safe way to have remote people on a private server. We set up OpenVPN on port 80 so remote clients work anywhere.

RoyalMarine

watty wrote: »

You should use a separate firewall/NAT and only LAN IPs on the server. Then it's trivial if IP does change and also you are then protected from about 3/4 of exploits.

I'm biting my tongue.

A decent router can even do Open VPN. VPN is the only really safe way to have remote people on a private server. We set up OpenVPN on port 80 so remote clients work anywhere.

aye i did look into open VPN, but since i host the webserver and mail server here too, then its not really an option and my knowledge isnt that in depth to do this without a static ip address.

watty

How isn't it an option?
I have WSUS, mailserver, IIS, MS-SQL, Apache, MySQL, fileshares, printer spools and more on a Windows 2000 server. I can run MS VPN *AND* Open VPN on the server using only private LAN IPs.

Almost ANY firewall/router/NAT box will map ANY public IP to that. You don't need to do ANYthing except tell the clients if IP changes.

In my case in the past I used DynDNS to map domain to IP and have Router automatically update DynDNS. Now I use a DNS record for subdomain on my shared hosting that points to home IP as it rarely changes. If it changes it's less than 1min on Web to change DNS record.

NEVER connect servers direct to Internet unless:
1) you are expert
2) Ideally they are running Linux

I could run OpenVPN on my Firewall, but at present it's running just like any €50 router you might have to connect a LAN to a Modem.

My VPN (openVPN or MS VPN), web servers, Mail server or anything never needs to know the Public IP. Only the LAN Gateway and Server private LAN IPs.

Remote clients can work with my sub domain name via any DNS or direct input of the Public IP of my cable modem.

RoyalMarine

I dont have the knowledge or time to do all that.

I do see where your coming from, but for what we need/wanted, doing all of that is too much time/work and not within our budget.

Feidhlim

Hire watty for few hours! He knows all!

watty

RoyalMarineComm wrote: »

I dont have the knowledge or time to do all that.

I do see where your coming from, but for what we need/wanted, doing all of that is too much time/work and not within our budget.

It's simpler and cheaper and MUCH safer that what you have done.

How are you connected to UPC cable? Modem or Modem Router?

All you need is 10mins to 20mins configuration if it's a UPC combo Modem Router or a €50 to €100 Router + 10min to 20mins if it's a plain Scientific Atlanta Modem.

vibe666

RoyalMarineComm wrote: »

I dont have the knowledge or time to do all that.

I do see where your coming from, but for what we need/wanted, doing all of that is too much time/work and not within our budget.

not being funny, but if you don't have the knowledge to do it the way watty is recommending (i.e. the right way) then you REALLY shouldn't be connecting your server directly to the net at all.

you said "as i had to begin reading on how to operate windows server 2003 efficiently and securely." and have then gone out of your way to set it up inefficiently and insecurely.

RoyalMarine

vibe666 wrote: »

not being funny, but if you don't have the knowledge to do it the way watty is recommending (i.e. the right way) then you REALLY shouldn't be connecting your server directly to the net at all.

you said "as i had to begin reading on how to operate windows server 2003 efficiently and securely." and have then gone out of your way to set it up inefficiently and insecurely.

i dont see how i have done it inefficiently and insecurely.

The server is online, its accessible to the company staff, everything they need works, e-mail, website, file share access etc.

watty

Well...

Amazing

So why are you posting here then?

vibe666

RoyalMarineComm wrote: »

i dont see how i have done it inefficiently and insecurely.

The server is online, its accessible to the company staff, everything they need works, e-mail, website, file share access etc.

because you've basically (figuratively speaking) put your server in your front garden instead of having it locked safely in your house and the worst bit is that you don't even know that you've done it.

the fact that you don't know what a major mistake you've made covers the 'insecurely' part pretty much conclusively and the fact that you have to spend ages reconfiguring everything now instead of letting dyndns take care of a simple IP address change covers the inefficiency part.

network security is a full time and well paid career for a lot of people. you can't just read a couple of articles on how to build a server and how to make it publicly available on the net and think that's the end of it.

BUT, personally speaking if i wanted to know something (anything) that i didn't know about networking, the one person out of all the people on boards.ie that i'd 100% trust to give me the best advise would be watty.

Nehaxak

I would've done nearly exactly what Watty suggested for you if I lived locally to you, for a couple hundred euro, and both documented and explained it all to you afterwards. I'm sure you could get someone locally with similar basic knowledge who would do the same for little cost.
The cost due to downtime, hacks or absolute destruction of your data and services due to what you've done cannot even have a price tag put on it.
Do yourself a favour and advertise locally for someone to set it all up properly for you. It might end up costing you a little more now due to whoever sorting it out having to also sort out the mess you created in the first place but it'll be worth it in the long run.
Or, leave it as it is and remember to check back in to tell us all how many Serv-U warez ftp sites you're now hosting on your servers that you were unaware of and how you've somehow been added to open-relay blacklists because some spammers have been relaying millions of spam through your servers for the last few weeks... and that's only the simple stuff.

CptSternn

More importantly is the legal responsibility under the data protection act.

If someone hacks your server, and you are running with no front-end security, you can be held accountable for not providing proper security for the data you are hosting.

If one customer/client of yours has any bit of personal details exposed because of your lack of security, your negligence could mean a huge fine for the company and they could shut ye down.

http://www.dataprotection.ie

You also could be held personally accountable if they feel you acted with gross negligence, meaning they could come after your personal assets.

All it takes is one person to file a formal complaint and say they think their email address was leaked by ye - and then the formal investigation will show your lack of security, and you are banjaxed at that point sure.

Just a heads up.

axer

OP, getting back on topic, UPC should not have changed the IP address since it was static without giving ample notice.

I am surprised that you were still using DHCP if you had a static IP address. I would statically set it.

There probably is little recourse here since my understanding is that a static IP address costs very little. The best you could probably do here is to write a letter to UPC with your complaint.

It might be worth looking at using a service like no-ip.com and using DNS instead of an IP address - that would stop such an issue arising again. The laptops etc would be better off using DNS to get the IP since you never know in the future the business might want to change internet providers etc otherwise they are stuck with UPC forever.

watty

The problem is that he has hardcoded a Public IP into all his server apps. Setting everything up properly (i.e. Private WAN IPs for everything and a €60 Firewall/Router with NAT configured in 15mins) then it's simply not an issue.

no-ip and DNS won't work with his current setup.

RoyalMarine

ok, id like to thank everyone for all the advice.

It has not been ignored. I have arranged for someone to "educate" me on the essential steps i need to take in order for this to be as you call it "safe and secure"

Thanks for opening my eyes, i really was in over my head on this one.

regards,
mike.

vibe666

don't worry about it, it happens to us all and to some of us more times than we'd care to admit publicly.