Tracking activity through ip address

I have just finished reading a police detective fiction book, not important who wrote it or any more details. But it had a section where the detective traced the bad guy through his IP address, which made me think and wonder…

I know my IP address at home and have had on rare occasions a need to find it.

I know if I try to access a UK web site and watch a video on the news, some sites will come up and say you are not in the UK so cannot see this content.

I am not sure if they get that from myself, or Orange, who is my internet provider.

Can the police actually say your IP is this and we know where you live and we know you looked at X online yesterday at a set time?

Don't worry, I am not looking at anything bad and not causing offence. Just wondering how much Big Brother is watching ME.

I don't have a VPN, I don't do dark cloud stuff, I don't even use the incognito mode as everything I do is above board and very boring!

Sometimes books use a writer's licence but are close to the truth!

Thanks for reading and contributing to my search.

3 Likes

Hi, Paul

Basically they can do that. But they only would if there was a need. Let’s say you sent a threatening text to someone and they contacted the police. If they felt it was a valid concern, they could use that person’s phone to see from “where” (ip address) the text was sent. If you sent it from your home, they would be knocking on your door soon. :grinning:

So anything done on your phone, from your computer, etc. is all seen as coming from your ip address.

If you are not concerned about anything you do online, then I would not worry. But if you are privacy-conscious, you should use a VPN which masks your true location.

Sheila

4 Likes

But most of us don't have a static IP address.
Can they trace a dynamically allocated IP address?

3 Likes

They can trace it back to the ISP Provider. If it is a matter of law enforcement, most ISPs will work with them, and it will show up as your location to the Provider.

Sheila

3 Likes

ISPs are often reluctant to release “who got what IP address and when” metadata…

There was a “famous” case where the copyright owners of the flick “The Dallas Buyers Club” (2013) tried to get an Australian ISP (iiNet) to tell them who was allocated a range of IP addresses from their pool of IP addresses that customers are “dynamically” allocated… i.e. they got the IP address of someone in Australia “seeding” a torrent - but couldn’t identify them from that information : Media Releases - 07-04-2015 | iiNet

You can usually find out who owns an IP address with the ancient “UNIX” “whois” command. Domestic (home) ISP customers hardly ever own their IP address(es) - it’s so rare as to be not worth mentioning. Home users “rent” their IP address from their ISP. Heck - some ISPs mask / vpn / proxy all traffic - which can let them allocate PRIVATE IP addresses (non-internet routable) to their customers (e.g. 192.168.x.x, 10.x.x.x, 172.x.x.x) - that way they can save money by not having to buy / lease / rent subnet ranges from their local “registry”.

I actually ran it this morning - 'cause I looked at my outlook.com personal mailbox and someone in Europe had tried to login as me : their IP address was : 198.105.111.104

╭─x@titan ~  
╰─➤  whois 198.105.111.104

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#


NetRange:       198.105.96.0 - 198.105.127.255
CIDR:           198.105.96.0/19
NetName:        RIPE
NetHandle:      NET-198-105-96-0-1
Parent:         NET198 (NET-198-0-0-0-0)
NetType:        Early Registrations, Transferred to RIPE NCC
OriginAS:       
Organization:   RIPE Network Coordination Centre (RIPE)
RegDate:        2016-07-21
Updated:        2016-07-21
Ref:            https://rdap.arin.net/registry/ip/198.105.96.0

ResourceLink:  https://apps.db.ripe.net/search/query.html
ResourceLink:  whois://whois.ripe.net


OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:      
PostalCode:     1001EB
Country:        NL
RegDate:        
Updated:        2013-07-29
Ref:            https://rdap.arin.net/registry/entity/RIPE

ReferralServer:  whois://whois.ripe.net
ResourceLink:  https://apps.db.ripe.net/search/query.html

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444 
OrgTechEmail:  hostmaster@ripe.net
OrgTechRef:    https://rdap.arin.net/registry/entity/RNO29-ARIN

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444 
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE3850-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2024, American Registry for Internet Numbers, Ltd.
#

Found a referral to whois.ripe.net.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://apps.db.ripe.net/docs/HTML-Terms-And-Conditions

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '198.105.111.0 - 198.105.111.255'

% Abuse contact for '198.105.111.0 - 198.105.111.255' is 'abuse@syn.one'

inetnum:        198.105.111.0 - 198.105.111.255
netname:        SYN-GB-200
country:        GB
descr:          SYN LTD
admin-c:        SL13762-RIPE
tech-c:         SL13762-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-SYN
created:        2022-09-30T17:42:34Z
last-modified:  2022-09-30T17:42:34Z
source:         RIPE

role:           SYN LTD
address:        Coriander Ave
address:        London
address:        E14 2AA
address:        United Kingdom
nic-hdl:        SL13762-RIPE
mnt-by:         MNT-SYN
created:        2020-09-11T22:27:52Z
last-modified:  2023-04-01T20:47:03Z
source:         RIPE # Filtered

% Information related to '198.105.111.0/24AS64080'

route:          198.105.111.0/24
descr:          SYN LTD
origin:         AS64080
mnt-by:         MNT-SYN
created:        2022-11-11T17:21:16Z
last-modified:  2022-11-11T17:21:16Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.113.2 (DEXTER)

That is an awful lot of information to digest - but the “gist” of it is that it was registered in the Netherlands, but possibly being used in the UK.

I occasionally, when I can be arsed, check my fail2ban logs - and do a “whois” on the IP addresses of numpties trying to login as root onto my Raspberry Pi - and guess what? Surprise surprise! They’re almost always either in China or Russia…

I see/hear some awful stuff written by non-techies on some TV shows… I LOVED the UK series “Utopia” (both seasons!) - but - there’s one scene (and it’s on the brilliant Christobal Tapia De Veer soundtrack too) where a “hacker” claims to have encrypted his IP address - that is so LAME!

If you encrypt your IP address, then it’s no longer an IP ADDRESS! Try sending an “encrypted” IP address to the next hop router!

You can encrypt your network packets - e.g. using a VPN or something like ToR - but YOU STILL NEED AN IP ADDRESS to talk to stuff on the public cloud (or connect to your VPN provider!).

5 Likes
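The whois session above mixes two formats: ARIN prints `Key:   value` blocks, RIPE prints RPSL objects, and both put comments behind `#` or `%`. Pulling the "gist" out of that by eye is tedious, so here is a small parser for it. This is an added example, not code from the post above or from any whois tool; the embedded sample is cut down from the ARIN and RIPE responses quoted in the post, and the `summarize` helper is a name chosen for this example.

```python
import re
from typing import Dict, List

# Sample whois output, constructed for this example from the ARIN and RIPE
# responses quoted in the post above (trimmed to the lines that matter).
SAMPLE_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       198.105.96.0 - 198.105.127.255
CIDR:           198.105.96.0/19
NetName:        RIPE
NetType:        Early Registrations, Transferred to RIPE NCC
Organization:   RIPE Network Coordination Centre (RIPE)

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
City:           Amsterdam
Country:        NL

ReferralServer:  whois://whois.ripe.net

Found a referral to whois.ripe.net.

% This is the RIPE Database query service.
% Abuse contact for '198.105.111.0 - 198.105.111.255' is 'abuse@syn.one'

inetnum:        198.105.111.0 - 198.105.111.255
netname:        SYN-GB-200
country:        GB
descr:          SYN LTD
status:         ASSIGNED PA
source:         RIPE

route:          198.105.111.0/24
descr:          SYN LTD
origin:         AS64080
source:         RIPE
"""

# One "key: value" attribute line; keys may contain letters, digits, '_' and '-'.
KV_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_whois(text: str) -> List[Dict[str, List[str]]]:
    """Split whois output into objects: blank-line separated blocks of attribute lines.

    Comment lines ('#' or '%') and free text such as 'Found a referral ...' are
    skipped.  Keys are lower-cased so ARIN's 'Country' and RIPE's 'country'
    compare equal; repeated keys (several 'address:' lines) are kept as lists.
    """
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            if current:
                objects.append(current)
                current = {}
            continue
        if stripped[0] in "#%":
            continue
        m = KV_RE.match(stripped)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        current.setdefault(key, []).append(value)
    if current:
        objects.append(current)
    return objects


def countries(objects: List[Dict[str, List[str]]]) -> Dict[str, str]:
    """Map each network or organisation object that states a country to its code."""
    result: Dict[str, str] = {}
    for obj in objects:
        if "country" in obj:
            # Label the object by whichever identifying attribute it carries.
            label = (obj.get("inetnum") or obj.get("netrange") or obj.get("orgname") or ["?"])[0]
            result[label] = obj["country"][0]
    return result


def abuse_contacts(text: str) -> List[str]:
    """RIPE reports the abuse mailbox in a '%' comment, which the object parser
    deliberately drops, so extract it separately."""
    return re.findall(r"% Abuse contact for '[^']*' is '([^']+)'", text)


def summarize(text: str) -> dict:
    objs = parse_whois(text)
    return {"countries": countries(objs), "abuse": abuse_contacts(text), "objects": len(objs)}


if __name__ == "__main__":
    print(summarize(SAMPLE_WHOIS))
```

On the sample this yields one object registered in NL (the RIPE NCC organisation) and one assigned to a GB company, which is exactly the "registered in the Netherlands, possibly used in the UK" reading above. Keep in mind that these are registration records: they tell you who is responsible for the address block and where to send an abuse report, not where the machine using the address physically sits.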

Thanks for the replies.

Must point out I am not worried for myself as I don't do anything considered illegal; it was more about the book story possibilities.

Like others I thought dynamic IP addresses were just offered each time you connect and tomorrow I may have a totally different one to today, somewhere within a range of numbers or submasks. But then I wondered how many an ISP may have. I am with Orange, who took over France Telecom. I suspect they are the biggest provider in France; who chooses how many they have, and would they run out during a period?

I am on holiday, hence the reading; today in Portugal but yesterday in Spain, the day before in France, so I have been through 3 countries and at least 3 ISPs, so different connections each time… hard to trace?

Add to that, now many use phones for internet and as you move around you change connections.

By the way the book was not very good and will not bother with that author again.

3 Likes

It’s just a tale, and better treat it so… :wink:

Books/movies don’t have to stick too tight to real possibilities otherwise they could get boring.

However, I think involving the ISP in the investigation, tracing is partially possible.
Theoretically the ISP knows exactly who had a given IP at a given time in their pool.
(Let’s assume the ISP cooperates with the authorities.)

But that trace is possible only until reaching your router.
Then who could prove that your wifi password was not stolen, and that the naughty guy didn't just hack your wifi in order to do the nasty things in your name? :slight_smile:

So tracing the IP is theoretically possible, catching a real bad guy is a different story.

4 Likes

Things become more interesting when using your phone on the go.

In some countries phone providers are required to keep location data, log phone call metadata, and all internet traffic.

Imagine what an author could do to a hapless protagonist!

2 Likes

I have a “non-fixed” IP address from my ISP. However, it’s been unchanged since (at least) January 1, 2023 when I started checking it.

If you have a personal server you can see who is trying to log in by looking at /var/log/auth.log (that’s the file location in Ubuntu but it may be elsewhere in other versions of Linux).

Since changing the listening SSH port from 22 (the default) to another, randomly chosen port, almost all the hacking attempts have stopped. I guess there are enough folks out there with port 22 open that the hackers don’t bother looking elsewhere. Now it’s just four or five internet security companies (Censys, Palo Alto Networks, and the like) who rattle the doorknob every couple of days.

1 Like
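Reading auth.log by hand is what fail2ban automates (the earlier post mentions checking its logs), so here is the same check written out: count failed SSH logins per source address and flag any address that reaches a number of failures inside a time window, which is fail2ban's maxretry/findtime rule. This is an added example, not the poster's own script or fail2ban's code; the log lines are constructed in the traditional syslog format Ubuntu writes to /var/log/auth.log, with made-up hostnames, users and addresses from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample auth.log lines (one day, syslog format without a year).
# Hosts, users and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 06:12:01 pi sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 06:12:04 pi sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 06:12:09 pi sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 06:12:15 pi sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 06:12:20 pi sshd[1207]: Failed password for invalid user pi from 203.0.113.7 port 51055 ssh2
Mar  3 06:40:00 pi sshd[1300]: Accepted publickey for don from 192.168.1.20 port 40112 ssh2: ED25519 SHA256:xxxx
Mar  3 07:05:31 pi sshd[1402]: Failed password for don from 198.51.100.9 port 60001 ssh2
Mar  3 07:06:02 pi sshd[1404]: Accepted password for don from 198.51.100.9 port 60002 ssh2
"""

# Matches sshd's "Failed password" line for both existing and "invalid user" accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_logins(log_text: str) -> Dict[str, List[dict]]:
    """Group failed password attempts by source IP, keeping timestamp and username."""
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            per_ip[m["ip"]].append({"ts": m["ts"], "user": m["user"]})
    return dict(per_ip)


def offenders(log_text: str, maxretry: int = 5, findtime_s: int = 600) -> Dict[str, int]:
    """Flag an IP when it produces `maxretry` failures within any `findtime_s`-second
    window (fail2ban's rule).  Returns {ip: total failures} for flagged addresses.
    Syslog timestamps carry no year, so this assumes all lines fall in one year."""
    flagged: Dict[str, int] = {}
    for ip, events in failed_logins(log_text).items():
        times = sorted(datetime.strptime(e["ts"], "%b %d %H:%M:%S") for e in events)
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime_s:
                flagged[ip] = len(times)
                break
    return flagged


def usernames_tried(log_text: str, ip: str) -> List[str]:
    """Usernames an address guessed; root plus a few defaults is the usual scanner pattern."""
    return sorted({e["user"] for e in failed_logins(log_text).get(ip, [])})


if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures, tried {usernames_tried(SAMPLE_AUTH_LOG, ip)}")
```

On the sample the scanner address is flagged after five failures in twenty seconds, while the single wrong password from the legitimate user is not, which is the distinction that matters: a lone typo is noise, a burst of guesses for root, admin and pi is a bot. Feed the output into the whois lookup from the earlier post to see who is responsible for the flagged block.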

Changing the port I have read about but never done, as first of all I don't know how, also don't know why I would need to, and finally what effect it would have on my day-to-day operation.

I know when I set up a mail connection using tools like Thunderbird I must know the ports to send and receive, but generally now with Thunderbird and similar they have the configuration details already available so it's just click to accept.

Changing the SSH port from the default to another number will not affect your day-to-day use of the computer. You won’t notice a difference once the change is set up.

To make the change involves a couple of steps.

First, get your server working.

Install OpenSSH
https://ubuntu.com/server/docs/openssh-server

Your server needs to have a fixed internal IP address. That’s where the router will send SSH connection requests. In my ASUS router the assignment of a fixed internal IP address is at LAN > DHCP Server > Manual Assignment > click “Yes” to enable it. You then put in MAC address of your server. You can get the MAC address from the list of clients using your router. In my router this is called the Network Map.

In the router there’s a feature called “port forwarding”. Exactly where this is in the router interface varies with the brand. In my ASUS router it’s at WAN > Virtual Server / Port Forwarding. SSH and SFTP connection requests are forwarded to Port 22. You tell the router to forward Port 22 requests to the fixed internal IP address you just assigned to your server.

At this point you have a working server accepting connections via Port 22, the default setting.

If you want to change to a non-default port number you have to take two steps:

You need to choose a new number. There are 65,535 ports available but some are in use by other services so don’t choose one of those. This article will help you find unused port numbers: Common Ports Cheat Sheet: The Ultimate List

Once you have chosen what port number to use you put the new number in the router’s Port Forwarding setting. You erase “22” and put in the new port number. “22” will no longer be used for anything.

The other necessary step is to edit the sshd_config file (which is etc/ssh/sshd_config.d/sshd_config). Find the lines that say

What ports, IPs and protocols we listen for
Port 22

and change the 22 to your chosen port.

It sounds complicated but it’s just a chain of events. An outside request comes in asking for an SSH connection to port 22. But now no machine is listening to that port. The connection attempt goes nowhere.

But you come in asking for an SSH connection to your chosen port, like this:

ssh -p (your-port-number) (your external IP address)
The -p needs to be a lower case p.

This sends an SSH connection request to your server at the port your server is listening to.

For an SFTP connection the command is similar:

sftp -P (your-port-number) (your-external-IP-address)
You have to use an uppercase -P here. I don’t know why there’s a difference.

In place of “your external IP address” you can use your DNS address.

An optional step (unrelated to changing the port): disable password authentication and use only public-key/private-key authentication. You make this change by editing that ssh_config file. This sets things so that you don’t have to type any password and only computers with pre-shared public keys in your server will be allowed in. Makes you pretty certainly un-hackable. There are lots of articles on the web about this.

4 Likes
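The sshd_config edit in the procedure above is a one-line change, but the stock Ubuntu file ships the default as a commented-out `#Port 22`, and a careless edit can leave two active `Port` lines (sshd then listens on both). The following is an added example, not the poster's own procedure or anything from OpenSSH: it applies the port change to a config file with the checks a practitioner would want, namely rejecting privileged ports and a short, illustrative list of ports other common services use. It assumes the standard file path `/etc/ssh/sshd_config`; `set_ssh_port`, `listening_port` and `RESERVED_ABOVE_1024` are names chosen for this example.

```python
import re
from pathlib import Path

# Ports to stay away from when picking a non-default SSH port: anything below
# 1024 is privileged/well-known, and these few above 1024 are commonly taken
# by other services.  Illustrative list for this example, not exhaustive.
RESERVED_ABOVE_1024 = {1080, 1433, 1521, 3306, 3389, 5432, 5900, 8080, 8443}

# Constructed excerpt in the shape of the stock Ubuntu /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Include /etc/ssh/sshd_config.d/*.conf

# What ports, IPs and protocols we listen for
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
PasswordAuthentication yes
"""

# A Port directive, active or commented out.  sshd keywords are case-insensitive.
PORT_LINE = re.compile(r"^\s*#?\s*Port\s+\d+\s*$", re.IGNORECASE)
ACTIVE_PORT_LINE = re.compile(r"^\s*Port\s+(\d+)\s*$", re.IGNORECASE)


def validate_port(port: int) -> int:
    if not 1024 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1024-65535")
    if port in RESERVED_ABOVE_1024:
        raise ValueError(f"port {port} is commonly used by another service")
    return port


def set_ssh_port(config_text: str, port: int) -> str:
    """Return config_text with exactly one active 'Port <port>' directive.

    The first Port line (even the commented default '#Port 22') is replaced;
    any later Port lines are dropped so sshd does not end up listening on two
    ports.  If the file has no Port line at all, one is appended."""
    validate_port(port)
    out, done = [], False
    for line in config_text.splitlines():
        if PORT_LINE.match(line):
            if not done:
                out.append(f"Port {port}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"Port {port}")
    return "\n".join(out) + "\n"


def listening_port(config_text: str) -> int:
    """The port sshd will use: the first active Port line, or 22 if none is set."""
    for line in config_text.splitlines():
        m = ACTIVE_PORT_LINE.match(line)
        if m:
            return int(m.group(1))
    return 22


def change_port_in_file(path: Path, port: int) -> int:
    """Rewrite the config file in place and return the port now configured."""
    path.write_text(set_ssh_port(path.read_text(), port))
    return listening_port(path.read_text())


if __name__ == "__main__":
    print(set_ssh_port(SAMPLE_SSHD_CONFIG, 48022))
```

After writing the file, run `sudo sshd -t` to syntax-check it before restarting the service, and keep your existing session open until a second connection on the new port succeeds, otherwise a typo locks you out. On Ubuntu releases that start sshd through systemd socket activation (22.10 and later), the port comes from the `ssh.socket` unit rather than sshd_config, so the file edit alone will not move the listener there. On the `-p` versus `-P` question in the post: sftp already uses lowercase `-p` to mean "preserve file timestamps", so its port option had to be the uppercase letter.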

I don’t change my port on the actual host - I just forward a different non-standard port from my router to port 22…

I reckon I should change that from time to time… i.e. a different port…

The initial one I used was one that one of my colleagues said was allowed out from the office - that’s no longer relevant as I no longer work in the office - and even when I do, there have been several different iterations of network topology at the office - since that time (pre-Covid)…

4 Likes

Thanks for the very detailed answer don.

I am away for a few weeks on holiday so will look further on my return

Essentially, when you connect to a website, that site gets your IP address from your web browser, and can roughly determine where in the world you’re located from that address, usually with the whois information indicating your ISP, and the country it’s located in. For example, when I search for my own IPv4 address, I get back ATT as my ISP, located in Redmond, WA, USA. Since I live in Ohio, USA, that information’s not very informative, but it will allow a website to determine whether I can view their content, assuming it’s based on DRM (digital rights management).

If someone commits a crime using a computer, law enforcement can get a warrant for the address of the IP address. With that warrant, and information, the police can then go to the IP owner’s address and confiscate any computers on the premises to determine which one was used to commit the crime, and which user was logged in, identifying who committed the crime. For example, if a perpetrator, named for example Sue, sends a threatening message from her home computer, or any computer she had to log into, that message can be used to identify the IP address it came from, and ultimately, the logged in user when the message was sent. While there’s more to it than the simple scenario I describe here, yes, it is possible for law enforcement to identify, and perhaps prosecute you if you commit a serious enough crime.

Ernie

1 Like

Thanks Ernie for the more detailed information. Interesting.
I notice you wrote IPv4, not upgraded to IPv6 yet?
Ours changed a while back although I have both configured.

Only if you use your own computer.
I think that is behind a lot of attempts to gain illegal entry to computers open to the internet. If you commit a crime from someone else’s computer, you are not traceable.

1 Like

So true. Even if your computer gets hacked, and a cyber-criminal uses it remotely to commit crimes, unless you can prove your innocence (proving you were not at home when the crime was committed, etc.), or that your computer was hacked (perhaps with evidence from the logs, etc.), you could be charged/prosecuted for a crime you did not commit. The sad part is that law enforcement will not usually go beyond proving that your computer was used to commit the crime they’re investigating, so if you’re innocent, you have to prove it yourself, or pay some cyber-technician to find the proof for you.

One thing I do to protect myself (since I don’t run any Internet connected servers here) is to make sure that my router/gateway device is set up to ignore incoming connection requests on all ports, a configuration better known as putting my ports in stealth mode, and I annually check my configuration at Steve Gibson’s Shields Up website, where I can have my ports scanned to determine their configuration for free.

Another thing I do is adopt a serious level of skepticism about anything that comes from the Internet, and I avoid clicking on any Internet hyperlinks before I check where they’ll take me. When I hover my mouse over a link, Firefox displays the destination URL on the status line at the bottom of its window, and so does Thunderbird. If the destination doesn’t correspond with the text on the link’s label, I don’t click. In fact, if I have any doubts about any link at all, I don’t click. My theory is that my computer can only be as secure as the user at the keyboard lets it be.

My2Cents,

Ernie

3 Likes

So, “I must have been hacked” is not a let-out. You have to prove it.

1 Like

I recently received a fine for parking my car, but it was not me, in a place I have never visited and had to look on a map to find it.

Luckily I was with a member of our local council and the president of our association that same day.

But it took letters from them both to prove I was not there, but the police said parking does not always involve the owner if the car is used by my wife etc…

In the end it was a parking ticket collector's error in the noting of the plate, but it went on for months over a 10 euro fine. It would have been easier on my part just to pay.

Proving you were not using your computer or phone would be even harder.

1 Like

Of course. Law enforcement will stop investigating when they have enough evidence for a conviction. They usually have too many cases to spend time trying to find out if this time, the suspect’s claim of innocence is true, especially when the norm is that the computer owner is usually the guilty party, sad, but true.

Ernie

3 Likes