0

Given an IPv4 and an IPv6 address of a machine and only access to the public services it provides, is it possible to check that they are assigned to the same network interface controller? Assume the machine is a LAMP server using Let's Encrypt SSL certificates for HTTPS, having SSH and a mail server running. Assume that Apache serves different things for different domains with different SSL certificates.

I am aware of this answer, however, I'd like an answer that takes into account additional information provided by the services I listed (and potentially other standard services).

Xilexio
  • 111
  • 4
  • Doesn't **ifconfig** tell you what ip addresses are assigned to the interfaces? I don't see what the services have to do with it. – joeqwerty Jan 19 '21 at 17:55
  • It does, but I want to check it remotely without access to the machine other than public services it provides. – Xilexio Jan 19 '21 at 17:57
  • 4
    Nothing better than answer you linked to. IPv6 and IPv4 are different, so less similarities, less possibility to have a fingerprinting. From the same network (ethernet segment), you can compare MAC addresses. Remotely, I'd say, no. – Nikita Kipriyanov Jan 19 '21 at 17:57
  • Thanks @NikitaKipriyanov. I wasn't sure that you can't get the MAC address from WAN. Anyway, it occurred to me that ssh fingerprint may give out the identity of the server. I'm confirming it at the moment. – Xilexio Jan 19 '21 at 17:59
  • 2
    You cant. I wrote, "same ethernet segment". Nowhere else you see MAC address of target system. SSH fingerprint may be a good catch, the same server key fingerprint with high confidence says it's same machine. – Nikita Kipriyanov Jan 19 '21 at 18:06
  • 1
    @NikitaKipriyanov I think that your comment answers my questions the best. We might get high confidence of it being the same machine, or at least having the same owner, but it being the same NIC requires quite a lot of assumptions. If you can make it into an answer, I'll accept it. – Xilexio Jan 20 '21 at 02:37

1 Answers1

1

Services listening on both IPv4 and IPv6 that provide means of authenticating the server using the same key/certificate will, with high confidence, indicate that the two IP addresses point to a server with the same data. Not necessarily the same NIC or server, although likely when the services it provides are small in scale.

SSH is one of services that authenticates the server and by default it uses the same key for server authentication:

# ssh <ipv6 address>
The authenticity of host '<ipv6 address> (<ipv6 address>)' can't be established.
ECDSA key fingerprint is SHA256:SAMESTUFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.
Are you sure you want to continue connecting (yes/no)? ^C
# ssh <ipv4 address>
The authenticity of host '<ipv4 address> (<ipv4 address>)' can't be established.
ECDSA key fingerprint is SHA256:SAMESTUFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.
Are you sure you want to continue connecting (yes/no)? ^C
Xilexio
  • 111
  • 4
  • 4
    This tells you if it is the same machine, but not if it is the same NIC. – Michael Hampton Jan 19 '21 at 18:49
  • 3
    Same ssh or x509 certificate doesn't even tell you if it is the same machine, as the IP address could be load balanced to different backends. Sometimes happens with multi node git hosting, for example. – John Mahowald Jan 19 '21 at 19:00
  • 1
    That's true. And someone could use the same key in multiple machines (purposely or by making a 1:1 backup). I'll wait for a better answer. – Xilexio Jan 19 '21 at 20:02