Date:      Thu, 20 May 2010 07:36:17 +0800
From:      Aiza <aiza21@comclark.com>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        "questions@freebsd.org" <questions@freebsd.org>
Subject:   Re: Apache web server being attacked
Message-ID:  <4BF475F1.9060902@comclark.com>
In-Reply-To: <4BF3AEDF.3030904@infracaninophile.co.uk>
References:  <4BF26530.3080501@comclark.com>	<4BF26F3B.6000203@infracaninophile.co.uk>	<4BF3612E.9050406@comclark.com> <4BF3AEDF.3030904@infracaninophile.co.uk>

Matthew Seaman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 19/05/2010 04:55:26, Aiza wrote:
>> I take a totally different approach to this problem for my production
>> web sites. This is the result of people running scripts that roll
>> through a large block of ip addresses, scanning each ip address for open
>> [STANDARD] ports, and when they find port 80 open, they then attack the
>> web server. The simple solution is not to have your web server use the
>> standard port 80. Your web site is not known by its ip address but by
>> its url (ie; www.domain-name.com.). My domain name registrar has an option
>> to associate my "www.domain-name.com" with any port number I want to use
>> at the specified ip address. This way my web site has total access by
>> anyone who knows its URL; the URL is scanned by the yahoo and google
>> indexing bots and becomes known to the public. Nobody knows or cares that
>> the web site is not using port 80. I then close inbound port 80 in my
>> firewall, thus locking out all the script kiddies who run the port scan
>> on standard ports. This method has worked for me for the last 10 years
>> without ever having my production web servers attacked. Sure, some nay
>> sayers will counter by saying all the scanners have to do is scan all
>> the ports. Yah sure, that can be done, but in 10 years it has never
>> occurred.
> 
> If the URL for your site is http://www.domain-name.com/ then any client
> that attempts to access it will try to connect to port 80.  That's the
> point of having well known ports.  Now, you can explicitly state a
> different port in the URL:  http://www.domain-name.com:8080/ but this is
> generally only useful amongst a closed group of users: the general
> public will on the whole just get confused, so it's not often
> encountered on general access websites.
> 
> Your domain registrar can't control anything to do with port numbers.
> For some unknown reason this is a common misconception, particularly
> among management types.  The DNS only associates hostnames with ip
> numbers and vice versa[*].  Now, it may be the case that your server is
> behind some sort of NAT/PAT gateway or HTTP reverse proxy, and that
> locally you are running apache bound to some arbitrary port numbers.
> Which is fine, but unless you are specifically telling people to use a
> different port in your URLs, then the world at large is accessing your
> site through port 80.  Which means that port scanners can certainly find
> it and attempt to attack it.  Guess what?  Because the attacks are in
> the form of valid HTTP queries, they'd go straight through any sort of
> port address translation just like your normal traffic.
> 
> What I think you're actually doing is that all your web sites use name
> based virtual hosts.  So a query to the IP number of your server gets
> directed to a different bit of the apache config (and probably rejected)
> compared to a query to a site by name.  That's actually a pretty good
> design, and if you combine it with a reverse proxy which knows about
> what hosts and URLs should be behind it, you can filter out a lot of bad
> traffic very effectively before it gets anywhere near your real web server.
> 
> 	Cheers,
> 
> 	Matthew
> 
Matthew
Nothing is worse than someone insinuating the original poster doesn't know
what they are talking about. I find your remarks totally unnecessary.
You're telling the poster they don't know what they're doing when it's you
who doesn't know what options are offered by their registrar. How can you
say something is not available when you are not the one using or
providing the registrar service? For your information, port forwarding is a
common function when the domain name is specified to a dynamic ip
address. Check out http://www.zoneedit.com/
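The design Matthew describes above (name-based virtual hosts with a catch-all default that refuses requests arriving by bare IP or unknown hostname, fronted by a reverse proxy that only forwards the hosts it knows about) as an added example configuration. It is not from either poster and is not part of the original thread. It assumes Apache httpd 2.4 syntax (mod_authz_core `Require`, mod_proxy and mod_proxy_http loaded), FreeBSD-style paths under /usr/local, a backend httpd on 127.0.0.1:8080 (a constructed port for this example), and the placeholder name www.domain-name.com used in the thread.

```apache
# Hypothetical include file: /usr/local/etc/apache24/Includes/vhosts.conf
# Front-end Apache httpd 2.4 listening on port 80.

# 1. Default virtual host. In httpd 2.4 the first <VirtualHost> for an
#    address is the default: a request arriving with no Host: header, with a
#    bare IP address, or with a name matching no ServerName/ServerAlias
#    below is routed here. Scanners walking IP ranges land in this block
#    and get a 403; nothing is forwarded to the real backend.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /usr/local/www/empty
    <Directory /usr/local/www/empty>
        Require all denied
    </Directory>
    # Keep this traffic in its own logs so scanner noise is easy to review
    # separately from genuine site traffic.
    CustomLog /var/log/httpd-default-access.log combined
    ErrorLog  /var/log/httpd-default-error.log
</VirtualHost>

# 2. The real site. Only requests whose Host: header names the site match
#    this block and are forwarded to the backend httpd, which listens on an
#    arbitrary local port and is not reachable from the Internet directly.
<VirtualHost *:80>
    ServerName  www.domain-name.com
    ServerAlias domain-name.com

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host: header through so the backend's own
    # name-based virtual hosts still select the right site.
    ProxyPreserveHost On

    # Paths the site does not serve can be excluded from forwarding with
    # "ProxyPass /path !" lines placed before the catch-all below, so the
    # front end answers them itself instead of the backend.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    CustomLog /var/log/httpd-domain-name-access.log combined
    ErrorLog  /var/log/httpd-domain-name-error.log
</VirtualHost>
```

To check the behaviour after `apachectl configtest` and a restart: `apachectl -S` lists the virtual hosts and marks which one is the default for *:80; `curl -sI http://SERVER-IP/` (bare IP, no matching Host:) should return 403 from the default block and appear only in httpd-default-access.log, while `curl -sI -H 'Host: www.domain-name.com' http://SERVER-IP/` should be answered by the backend. The backend port 8080 should also be blocked at the firewall for inbound traffic from anything other than the front end, since the filtering only helps if requests cannot bypass it.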