Internet EventServer
Copyright 2002 (c) Ron Bessems


Description:

	This is the replacement for the old TCPIP server.

Features:

	* passwords are sent encrypted over the network
	* sniffing connection is useless as the encryption cookie changes every time
	* abuse protection
	* subnet matching
	* MAC address matching
	* hostname matching
	* all host allow


Configuration of the server:

	- Open the settings dialog
	- Go to the hardware tab
	- Select the Internet Eventserver
	- If the Internet Evenserver isn't checked, check it now, and press apply.
	- If needed reselect the Internet Eventserver
	- Press settings

	Now the settings dialog of the eventserver is open.

	If this computer is connected to the internet we first want to deselect 
	"Allow All" and only allow certain trusted hosts. See below the part
	about "Allowed Hosts"
	
	Now we want to set the Password and the port number, be sure to choose
	something different from the default :-)

	If you don't care about the abuse protection or are experimenting you
	can turn it off. What the abuse protection does is it prevent hosts that
	are guessing the password from doing this fast. If the hosts that just
	tried a incorrect password connects again within 5 seconds it will get
	no special error it will look as if the password it gave was incorrect.
	If it keeps trying the time before the next allowed login grows linear
	with the number of tries. This prevents people from brute force guessing
	the password that you use on your server.


Configuration: Allowed Hosts
    
	In the hostname box you can type the name of the host that you want to 
	allow. The program expects the following convention:

	* Match single IP address : #.#.#.# 

	  For example 131.155.1.1

	* Match range of IP addresses: #.#.#.#/#
	  
	  The first 4 number are as always the IP address number, the last
	  is the subnet mask, this can be 0,8,16,24 or 32. It signifies
	  what part of the hostname should be compared to the incoming 
	  connection for example:

	  You want to allow you whole local network to access the server,
	  you local network has ip address in the range 131.155.#.# so
	  you'd type 131.155.0.0/16, now every ip that begins with 131.155
	  will match.

	  If you have a subnet that has 131.155.224.# as the range you'd
	  type 131.155.224.0/24.

	  Taking this all the way if you only want to allow 1 host you could
	  type 131.155.224.29/32. This is the same as leaving the /32 out.
	  
	  Now if you want to allow the whole internet to share in the fun,
	  you'd type 0.0.0.0/0 Needless to say this is not recomended.

	* Match Hostname

	  To match a single hostname type /<hostname>, the slash in front
	  is very important, the program detects this and applies the correct
	  matching routines.

	  For example you want to allow girder.nl access, now you would type
	  /girder.nl

	* Match MAC address.

	  The MAC address is the hardware address of the network card. Windows
	  keeps a list of these in its cache, however it does not see them
	  from all over the internet, so this will only work on your local 
	  network, before the router kicks in. You can check if the MAC address
	  is in the hostcache by typing "arp -a". If the number isn't in there
	  too bad the matching won't work.

	  #:#:#:#:#:# where the # are hexadecimal numbers. You can find the
	  MAC address of your network card through winipcfg (win9x) or 
	  ipconfig -all ( win2k).


Configuration of the Girder Client

	First make sure that the Internet Event Server client is enabled in the 
	settings dialog and that the Internet Server is configured properly 
	and enabled.

	- Open the settings window
	- Go to the action plugin tab
	- Check the Internet Server Client
	- Press apply.

	Now add a command, select this and go to the plugin tab.
	Select the Internet Event client and press settings.
	A dialog will popup prompting you for the hostname, port,
	password and eventstring. Carefully fill these in. With this
	client you can connect to a Girder Internet Event server on
	a different computer, thus controlling Girder from a different
	computer.

Configuration of the console client

	Well there isn't much to configure just open a dos box and
	type "ieventc <hostname> <port> <password> <eventstring>"
	of course replace the <x> stuff with the real values

Configuration of the php client

	Just upload and use it, it is meant as an example, you can
	take the function "SendEventString" out of this php file
	and use it in your own projects.


Description of the Protocol

	The protocol for the Internet Event server was designed with security
	in mind. As such I took a good look at the APOP protocol and based 
	the protocol on this.

	This is how it works:

	* The client connects to the server
	* The client sends "quintessence\n" to wake the server up. 
	  the reason for this is to prevent portscanning from finding out
	  that this is a Girder internet event server easily.
	* The server will respond with a cookie, this is a 4 character
	  hexadecimal number that you will use next

	* With the cookie we are now going to create the encrypted response
	  
	  - first make a string <cookie>:<password>
	  for example the cookie was 6c2f and the password is NewDefPWD
	  the string would be "6c2f:NewDefPWD" (don't use the quotes)
	  - Pass this string to a MD5 digest calculator, this gives you
	  a string like this
	     
		 b1aa58f5050feb6f3643cf737088dac6

	  Send this to the server. 
	* If the digest was correct the server will respond with a 
	   "accept\n"
	* Now you are allowed to send any string as long as it ends
	  with a "\n".
	  So sending "hello\n" will result in an eventstring of "hello"
	* To close the connection you can send "close\n" and close the 
	  connection. ( This also means that close cannot be used as an
	  eventstring )

	* If the server closes the connection it will also send "close\n"
	* Sending of payloads is also possible, to send a playload send this 
          string before the actual event. "payload <payload string>\n". The first
	  payload will be pld2. You can also send multiple payloads. Simply keep
          sending the "payload <payload string>\n" commands. ( the second payload
          will get name pld3 and so on. ).

        * prohibited eventstrings:
          "close","payload"

Troubleshooting

	If the server doesn't want to load or behaves strangely and you
	are running Windows 95 please upgrade your winsock.

	http://www.microsoft.com/windows95/downloads/contents/wuadmintools/s_wunetworkingtools/w95sockets2/

	If none of the events are coming in also check your firewall.

Warning / Disclaimer

      Internet servers are inherently dangerous, there is always the possibility
	  of abuse. Although I have been very carefull to design the protocol as 
	  safe as possible I cannot garantuee anything, so please use with care.
	  I'm not responsible for any damage that occured because you used this 
	  plugin.