Software

Support trick: Automatically receive the IP addresses of remote computers

Marco Fioretti shares a little tip and script for an easy way to have the IP addresses of computers you support automatically sent to you.

I have installed Linux on the computers of relatives with very, very limited computer skills. With Linux, they are safe from Windows malware and almost always, I can support them (including doing remote backups) without leaving home and without any effort on their side. In practice though, this only happens if, whenever Uncle Franco asks for help, I can get the current IP address of his computer without asking him (if you don't know what such addresses are, see the text box at right)!

That's a problem, because all these people have low cost, residential Internet accounts with dynamic IPv4 addresses. Some of the involved ISPs randomly reassign the addresses every few hours, even if the customer did not disconnect. To make things worse, I often receive these help requests when we're all away from our computers, maybe at somebody else's place. I must be able to answer, "Sure, Uncle, next time you'll turn on the computer (which may be 2 days later...) I'll take care of that, don't worry about it anymore".

To handle these situations, I need to receive the IP addresses of these computers, every time they change or the computers are turned on, because:

  • All the involved computers (including mine) have dynamic IP addresses. Yes, theoretically, I could have set up some dynamic DNS service, but why do that if there is a simpler way?
  • None of those computers really is under my control; some are laptops that are moved around every day. I feel better if these machines cannot connect to each other without someone manually typing a password.
  • Above all, this is not only about backups or automatic, unattended tasks. Me, I use the trick below to perform different support work every time. But knowing the IP address of a friend's computer automatically makes many other activities a bit easier, from gaming to working together online, without using third party services

How can you get those addresses?

In practice, I set up every computer I need to assist with:

    1. a new email address, just for this purpose ("uncle@example.com" in the code below), for each "customer"
    2. a corresponding configuration file for the Mutt email client.
    3. a script that, every few minutes, finds what the current IP address is, and sends it to me by email

      Step 1 is needed to not interfere with people's real email, and to avoid problems if they change the corresponding passwords. Step 2 means preparing a Mutt configuration file ($RCFILE in the script) containing just what is necessary to send email from the command line, with the right email address:

        set smtp_url="smtp://uncle.joe@smtp.example.com/"
        set smtp_pass="the_password_for_that_account"
        set realname="The IP Address monitor of Uncle Joe"
        set from="uncle.joe@example.com"
        set envelope_from = yes
        set copy = yes
        set record = /tmp/mutt_send_ip_address.`/bin/date +%Y.%m`
        set postponed = /tmp/mutt_ip_postponed
        unset use_domain
        set hostname = example.com
      Please note that the URL in smtp_url must be whatever Uncle Joe' ISP declares as "outgoing email" server! The "record" option, instead, sets the Mutt archive mailbox, which may be useful for debugging. All the options are thoroughly explained in the Mutt Manual, so I won't get in more detail. Just remember, after you've replaced the right values in the file above, to try to send an email with it, to be sure it works!

      This, instead, is the shell script that does the real job:

             1  #! /bin/bash
             2
             3  EMAIL=YOU@example.com
             4  IPFILE=/tmp/my_ip_address
             5  RCFILE="$HOME/Documents/mutt_send_ip/muttrc_ip"
             6  $LOG=/tmp/send_ip_log
             7  if [ ! -f "$IPFILE" ];
             8  then
             9      touch $IPFILE
            10  fi
            11
            12  PREVIOUS_IP=`cat $IPFILE`
            13  CURRENT_IP=`w3m -no-cookie -dump http://whatismyip.com | sed -n 's/^\([0-9\.]\+\)$/\1/p'`
            14
            15  if [ "$PREVIOUS_IP" != "$CURRENT_IP" ]
            16      then
            17          echo -n `date` >> $LOG
            18          echo "IP address changed from $PREVIOUS_IP TO $CURRENT_IP" >> $LOG
            19          rm -f $IPFILE
            20          echo $CURRENT_IP > $IPFILE
            21          mutt -F $RCFILE -s 'New IP Address is '$CURRENT_IP $EMAIL < $IPFILE
            22      fi

      Line 3 is the email address that must receive the notifications. Line 13 does a bit of Web Scraping to get the current IP address. Basically, it queries with the text browser w3m a Web service that provides this information. Then, using the sed program, it extracts from that Web page only the line that consists of four numbers separated by dots. To see how it works in detail, open http://whatismyip.com in your browser then run w3m -no-cookie -dump http://whatismyip.com | sed -n 's/^\([0-9\.]\+\)$/\1/p' at a command prompt.

      If $CURRENT_IP is different from the content of $IPFILE, the script rewrites that file and logs the event to $LOG. Then it tells Mutt (line 21) to send an email with the subject "New IP Address is $CURRENT_IP" to $EMAIL, using the configuration stored in $RCFILE. A cron job like;

      */2 * * * * /absolute/path/to/the/script

      will run the script every two minutes, thus informing $EMAIL quickly whenever the address change.

      Now, I'm going to be mean...

      As is, the script has two issues. One is technical, one is not. Which issues, you ask? Well, I leave finding them as... an exercise for the reader, to check if you were paying attention (but don't worry, I'll post them in the comments anyway!).

      About

      Marco Fioretti is a freelance writer and teacher whose work focuses on the impact of open digital technologies on education, ethics, civil rights, and environmental issues.

      33 comments
      christieyes4u
      christieyes4u

      just gaining new knowledge here. very interesting,wish I had more time

      christieyes4u
      christieyes4u

      well,i agree,and im just browsing and gaining new knowledge


      mfioretti
      mfioretti

      I ended the article saying "As is, the script has two issues. One is technical, one is not." Here are those two issues. The purely technical issue is that if the computer (but not the modem!) is powered off, and then powered on again, the "support person" will not be informed that the computer is up and online again, because the script will not see a change in the IP address. This can be overcome, if it is a problem, in many ways. A simple one is adding a couple of lines to the shell script that cancel the my_ip_address file if the uptime is less than 10 minutes. The non technical issue is privacy. This "support trick", or any other alternative suggested in the comments, lets the "support person" know whenever the "users" are surfing the Net from that computer. It makes scenarios like "I didn't hear your call because I was sleeping" "No, you weren't, I know you had just turned on your computer" possible. In my case, this is not an issue because I only do this as unpaid assistance for relatives to whom I HAVE explained all the implications and only AFTER they have explicitly accepted. If they don't like the idea, then the deal is "next time I come to your place, even if it's ten days from now, I'll help you to "fix" your computer". YMMV

      jwronski
      jwronski

      I can't read a sed command to save my butt, but (ha ha, a pun) copying and pasting the guts of line 13 into a command prompt "just worked". My debian system has mutt and w3m installed, so it runs here, but I don't have any linux using aunts or uncles. Real nice, though.

      lindalou2002
      lindalou2002

      To me this is scary. I'm not as tech savy as you so I apologize for ignorance. But this is scary to me since I was recently hacked by a co-worker/supervisor so that he could spy on my family at home. He went so far as to obtain a credit report about me that he had no reason to. How to prevent hacking has become something I'm trying to figure out.

      aroc
      aroc

      I see this with both cable and DSL. The providers' modems are NAT'ing, so will only show their Internet-facing IP, not that of any PC's "inside". Seems to me you would need to deal with opening a port for external access, and then would need to find the PC on the in-home network (even if only one). Does this solution not require direct Internet connection?

      dwgoldfarb
      dwgoldfarb

      I setup a WWW site on my own computer and can see the IP address in the access log. Either you setup a wget/curl every 15 minutes in a cronjob, or you can ask them to manually go to the WWW site if you suspect that the IP address has changed since the last cronjob. The URL doesn't even have to exist...http://myWWWsite.com/unclebob will tell you uncle Bob's IP address even when Uncle Bob gets a 404 non-existent error.

      info
      info

      The only issue I have with this is that you're now limiting 'Aunt Joyce' and 'Uncle Frank' to their browsers and Email. While this is usually no issue, what about if they want to learn a bit more about their systems, or just fool around a little? They'll ask for advice or take a local class which, of course, will be for MS Windows... Local support, I just have them manually go to the whatismyip website and tell me the number over the phone. As for remote backups, I don't go that far. I'll teach people how to drive better, but I won't do their driving for them all of the time.

      mihalyreg
      mihalyreg

      Nice. And maybe complicated. But why don't you use DynDns ?

      cybershooters
      cybershooters

      The source IP of the sender is usually in the header of an e-mail somewhere. You don't need to automate it like this unless you really do want them to leave the thing on and remote in hours later. It's not foolproof I admit but on the other hand it isn't hard to explain to them how to open a command prompt and run ipconfig either. Of course if their e-mail is up the snuff it doesn't work but then neither does the method described.

      pgit
      pgit

      For one thing I don't have w3m installed on any of my Linux boxes by default. (solved easily of course) But once I installed and typed in the example command you give, I get this error: sed: -e expression #1, char 1: unknown command: `' Note that in the terminal the second to last character there is actually a diamond shaped black blob with a white question mark in it, it's between the ` and the '. Not sure what gives with that. Could it be utf or some other like difference between your distro and mine? You using BSD or something??

      rbees
      rbees

      when I installed this it used wine. The downloads don't have md5sums or some other way to verify them. You have to actually install the full version on a remote Linux host to use it, because there is no quick connect module for them. And windows hosts need the quick connect module installed. All said and done kind of defeats the op's reasoning behind his method.

      mfioretti
      mfioretti

      Hi LindaLou, Yes, another way to read this post is that it can be quite easy for people more tech-savvy than you to "spy" into your computer. See my comment titled "Here are those two issues" for more

      Neon Samurai
      Neon Samurai

      Your co-worker/supervisor committed a crime by breaking into your personal machines without your prior permission to do so. He also would have used methods well known already so nothing new was created or discovered. This was not hacking (self guided learning through hands on experimentation and creation), this was a criminal act plane and simple. A real Hacker would ask your permission first and show you how it was done along with how you can protect yourself after. The mass media representation is meant to drive profits not deliver accurate information else they'd use the term criminal when what they are discussing is crime. As for defense, the same safe computing habits you should be developing in general would also protect you against your co-worker. - keep your software up to date; Your operating system and all the applications you install on top of it. That means Windows or osX and whatever programs have been added. The really hot targets right now are Adobe Flash, Adobe Reader (PDF files in general) and Java. At minimum, you need to confirm that the OS and those programs (if installed) are up to date. - keep your antivirus up to date - only install what programs you need and only if you've downloaded them from a trusted source (get your Adobe PDF Reader from Adobe not Bob's Software Download Site) - do not open unexpected email especially from unknown sources - do not open unexpected attachements - do not click on links in email (hover the mouse you can at least confirm if the link displayed really points back to where it says it does) - use a user level account with a password for day to day computer use and question why it is prompting you for administrator rights when that happens. Do not share your password with anyone (the kids can have there own accounts). Do not leave your mobile devices unattended without at least locking the screen so your password is needed before tampering with it. The real Hackers will happily provide tips on how you can stay safe. If someone is breaking in without permission, they are not a Hacker regardless of what they or the mass media claims.

      reggaethecat
      reggaethecat

      Keep all your software and anti-virus up to date. Don't click on links in emails when you don't know what they are. Don't visit dodgy websites. Use a firewall, or several. NEVER give out your password to anyone. Use a complicated password. Trust no-one. There are lots more examples you'll be able to find with a quick Google search.

      mfioretti
      mfioretti

      ...with users who have more than one computer behind their router, yes. Personally, I've not come across this configuration yet (crossing fingers)

      Neon Samurai
      Neon Samurai

      I wouldn't figure this an adhoc solution. If your taking the time to setup a script to check the IP and email it somewhere then you surely have the time to open port 22 in the house router and set a proper firewall rule so the machine only accepts connections from you. It doesn't even add any real time to drop fail2ban on there should someone try hammering port 22; heck, toss in psad for the extra five minutes that's initially going to take and now your automatically banning anyone that isn't you who's even touching port 22 let along trying passwords against it. Personally, psad and fail2ban are defaults in my *nix system builds so the initially install process is going to have those in place without any further effort on my part. Leaving port 22 open and forwarded from the router.. no problem.

      mfioretti
      mfioretti

      as several other comments, this simply does NOT apply to the scenario I presented. Specifically, it won't work when the support person too has a dynamic IP address at home, or any time he/she is traveling and accessing the Net only through other computers/ip addresses

      mfioretti
      mfioretti

      "what about if they want to learn a bit more about their systems, or just fool around a little?" Info, what on Earth makes you think that I would ever **prevent** people who did want to learn more about Linux and computers from doing that? This is a trick I use ONLY with the others

      Neon Samurai
      Neon Samurai

      "manually go to whatsmyip".. which conflicts with the key point of the article; to provide the support person with an IP address with *no* manual steps by the user. Also, nothing limiting Aunty or Uncle. If they need more than a browser or email, options are available. If they want to learn more about there system, resources are available. Why can't they pick up the phone and call Nephew to ask for advice? Given that they have specific needs including providing an IP address with no user interaction; me thinks your desire to push Windows is well outside the scope of the discussion.

      mfioretti
      mfioretti

      for the reasons already explained by pgit. The problems he mentioned were quite frequent also in my case, much more than cron failures. it takes much, much, much less to write and set up script like that than just getting mad over dyndns only because it is more elegant. Especially in cases where nobody else needs to access those boxes.

      pgit
      pgit

      I have several accounts, most are used for pushing backups over ssh to remote locations. The one problem with it is a change in IP might not register with the service for some time. I have had backups fail because the ISP changed the IP sometime just before the backup was to run. That's not a frequent problem, and isn't a show stopper, for sure. I think DynDNS is an excellent solution, better than having cron running scripts on every remote host. Cron can fail, there might be a timeout with whatsmyip, there are variables that can render the whole thing useless. DynDNS offers one point of failure, if you want to look at it that way, and they are redundant beyond belief. Your only real point of failure is if the remote host or firewall go down, eg power failure. The point of the article was a how-to in the event one doesn't want to use a dynamic DNS solution. The only glitch I see is in my prior post: the command doesn't work for me using an rpm based distribution. (I'm pretty sure I'm not typing anything wrong)

      mfioretti
      mfioretti

      cybershooters, I know very well that the sender source IP is (almost always) in the headers of each email message. However, this solution is worst than mine, or simply will NOT work, in all cases like mine. The first reason is the one I clearly mentioned at the beginning of the post: "without ANY effort on their side". With this system they don't have to log in and send an email. They only have to push the button that turns their pc on and forget the whole business, go to sleep, have a walk... Or their nurse, or a friend passing by, can do it for them. If they are at my place, they can phone home and tell whoever answers first to push the button and that's it. Then there is another reason why what you say simply won't work, also explained: dynamic IP addresses. I came up with this solution exactly because I DID start by asking people over the phone to "just send me an email" and check its headers manually... and then I would have to call TEN minutes later, because the provider had automatically changed their IP address in the meantime :-(

      mfioretti
      mfioretti

      pgit,, yes, I have reproduced the exact problem you describe... here, on the same computer on which I tested and usually run this script. The reason is, indeed, some utf-related formatting/character encoding error when going from the ASCII files in my computer to the HTML version here. However, the quick solution is to replace the characters that generate those "diamonds" with single quotes. Sorry for the complication!

      ddgrick
      ddgrick

      I have no experience with a Linux install of Teamviewer and it's use of Wine. Are you saying that you have an objection to it's use for some reason or just being informative? Do you believe there is some overuse of system resources like CPU or hard drive space because of a full version versus just a host version or security related to using a minimal amount of code that may possibly be exploitable? I do have issues with their point to point "VPN" since it does not give out an IP address on the remote LAN and therefore can not be used to overcome censorship in different countries i.e. torrents from Isohunt or BBC video. It also needs BIOS remote control. http://en.wikipedia.org/wiki/Intel_Active_Management_Technology Version 8 is adding remote print capabilities to the already useful file transfer and videochat functions. You can find more information about security concerns here: http://www.teamviewer.com/en/help/cat19-Security.aspx You can submit a ticket for next day email support to ask them about putting up a webpage with checksums for installers. I personally do not see the security implications of this because if they can hack the download server containing the executables, it is likely they can also change the webserver with the page containing the checksums. I have taken advantage of their client to overcome Nvidia driver black screen problems that Microsoft RDP was unable to solve. You may also not like the fact that your actions are going through Teamviewer's servers. If you have serious concerns about security, besides the obligatory 20+ character password to deter GPU cracking, standard user and whitelisting of email contacts and executables on your computers, you should setup a PFSense L2TP/IPSec VPN to replace their gateway. You can use a script to gather the outside WAN NIC IP address and http the text to your ISP's webserver space instead of relying on dynamic DNS pointing to your usually ISP TOS unallowed server. There may be provisions for exceptions to this rule regarding security solutions. I know FiOS has such a clause which would allow the VPN server. This configuration is also useful for smartphone security over free wi-fi (even with WPA2 encryption) at retail establishments because you are further segregated from anyone else on that WLAN. Obviously once you are on their LAN, you can use whatever tools you prefer to support them. Additionally, Windows computers should also use MBSA to rectify their security profile, EMET to help mitigate poorly coded software, and IE using InPrivate Browsing which defaults to using no add-ons, thus minimizing your security footprint. Although I have no experience with Logmein, it may be a better choice for you. I do agree that remote control applications do not support the op's reasoning for just an easy way to get an IP address. The bigger picture is what utility that information has. He needs to support relative's computers remotely with a solution that is always available. He can use a laborious script configuration that is self-supported. It will require using two different technologies/providers (Web/Email) which decreases reliability and ironically uses third party services that are implied as being undesirable. This paradoxically is claimed to be simpler than a Dynamic DNS or a simple remote control executable installation with commercial support. The choice is his.

      Neon Samurai
      Neon Samurai

      Another fantastic option though not free like the previous two.

      pgit
      pgit

      You could have each client use a different port, especially for the incoming connections you might make. Let the router/firewall sort 'em out.

      Neon Samurai
      Neon Samurai

      Let ddclient run as a deamon if your using *nix rigs. I have it updating a dynamic IP shared by about five domain names. The IP can change frequently some days but ddclient is keeping up with it. Not sure if it'll maintain connection during a long rsync but may be worth looking at if you haven't yet.

      mfioretti
      mfioretti

      between the actual article and other comments, I have already explained this point several times, but it is evident that it wasn't enough (my fault, surely), so I'll do it again. This is not NIH. This is a solution for people who, like me, do not WANT to use anything DNS for this task, because, among other things, the involved computers have really, really no reason at all to be discoverable/reachable all the time through constant domain names. I do NOT want that to happen this solution is simpler, quicker to set up and more portable than anything based on DNS. Any version of m utt and w3m will work in that way. Oh, and from the ddclient home page "Dyndns decided to change their business model and they stopped offering free account. It made me decide to make dyndns less important for ddclient. " is the publicly discoverable domain names you end up with under ddclient.

      Neon Samurai
      Neon Samurai

      I'm not sure that it's entirely NIH. Maybe not having setup ddclient recently (dead simple for the folks with dpkg-reconfigure available but still). The one difference I see between the two is the publicly discoverable domain names you end up with under ddclient. One may not want the private machines they support sitting behind a public domain name. The solution in the article sends the IP directly to the author which makes the machines less discoverable; you have to run IP network scanning which the target machine can detect versus domain name brute forcing which dyndns may not care to respond to and which the target machine will never know about. Either way, I'd make sure those machines where locked down with proper security mechanisms rather than just obscuring the location by not providing a domain name: IBR; Internet Background Radiation - the hostile network noise generated by both ongoing active network scanning and various malware infections that remain active and scanning for a path to propagate through.

      leifnel
      leifnel

      This seems a case of the NIH-syndrome. Appearently the original poster is not aware of ddclient, or the correct usage, and so invented his own solution. I cannot see the advantages of his system instead of just having the remote systems using adresses such as john.hisdomain.dyndns.org, peter.hisdomain.dyndns.org etc. But surely it must be embarrassing having invented such a system, and writing an article about it, and then having people telling "why don't you just..."

      Editor's Picks