From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Organization: Infracaninophile
Date: Wed, 19 May 2010 10:26:55 +0100
To: Aiza
Cc: questions@freebsd.org
Subject: Re: Apache web server being attacked
Message-ID: <4BF3AEDF.3030904@infracaninophile.co.uk>
In-Reply-To: <4BF3612E.9050406@comclark.com>
List-Id: freebsd-questions (User questions)
On 19/05/2010 04:55:26, Aiza wrote:
> I take a totally different approach to this problem for my production
> web sites. This is the result of people running scripts that roll
> through a large block of IP addresses scanning each IP address for open
> [STANDARD] ports, and when they find port 80 open, they then attack the
> web server. The simple solution is not to have your web server use the
> standard port 80. Your web site is not known by its IP address but by
> its URL (ie; www.domain-name.com.). My domain name registrar has an option
> to associate my "www.domain-name.com" with any port number I want to use
> at the specified IP address. This way my web site has total access by
> anyone who knows its URL; the URL is scanned by the Yahoo and Google
> indexing bots and becomes known to the public. Nobody knows or cares that
> the web site is not using port 80. I then close inbound port 80 in my
> firewall, thus locking out all the script kiddies who run the port scan
> on standard ports. This method has worked for me the last 10 years
> without ever having my production web servers attacked. Sure, some
> naysayers will counter by saying all the scanners have to do is scan all
> the ports. Yah sure, that can be done, but in 10 years it has never
> occurred.

If the URL for your site is http://www.domain-name.com/ then any client
that attempts to access it will try to connect to port 80. That's the
point of having well known ports. Now, you can explicitly state a
different port in the URL:

    http://www.domain-name.com:8080/

but this is generally only useful amongst a closed group of users: the
general public will on the whole just get confused, so it's not often
encountered on general access websites.

Your domain registrar can't control anything to do with port numbers.
For some unknown reason this is a common misconception, particularly
among management types. The DNS only associates hostnames with IP
numbers and vice versa[*].

Now, it may be the case that your server is behind some sort of NAT/PAT
gateway or HTTP reverse proxy, and that locally you are running apache
bound to some arbitrary port numbers. Which is fine, but unless you are
specifically telling people to use a different port in your URLs, then
the world at large is accessing your site through port 80. Which means
that port scanners can certainly find it and attempt to attack it.
Guess what? Because the attacks are in the form of valid HTTP queries,
they'd go straight through any sort of port address translation just
like your normal traffic.

What I think you're actually doing is that all your web sites use name
based virtual hosts. So a query to the IP number of your server gets
directed to a different bit of the apache config (and probably rejected)
compared to a query to a site by name. That's actually a pretty good
design, and if you combine it with a reverse proxy which knows about
what hosts and URLs should be behind it, you can filter out a lot of bad
traffic very effectively before it gets anywhere near your real web
server.

	Cheers,

	Matthew

[*] I speak loosely. That's the way it works for the HTTP(S) protocol
used by websites. For some more recently specified protocols like XMPP
the situation is different.

- -- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
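The name-based virtual host layout Matthew describes, written out as an added example (this is not configuration from the thread or from either poster). It uses Apache 2.4 syntax; on the Apache 2.2 of the era "Require all denied" / "Require all granted" would be "Order deny,allow" + "Deny from all" / "Allow from all". The hostnames are the thread's placeholders; the DocumentRoot paths, the /app/ prefix and the backend at 127.0.0.1:8080 are assumptions for illustration, and the file assumes no other Listen 80 directive is already present.

```apache
# Added example, not from the original message.
# Design: the FIRST <VirtualHost> on a given address:port is Apache's
# default and receives every request whose Host header matches none of
# the named sites. A port scanner that connects to the bare IP address
# sends no matching Host header, so it lands here and is refused, while
# requests for the real names are served normally.

Listen 80

# 1. Default (catch-all) vhost. Nothing legitimate should arrive here,
#    so it gets its own logs, which are worth reviewing for scan traffic.
<VirtualHost *:80>
    ServerName   default.invalid
    DocumentRoot "/usr/local/www/empty"          # assumed path; keep it empty
    ErrorLog     "/var/log/httpd-default-error.log"
    CustomLog    "/var/log/httpd-default-access.log" combined
    <Location "/">
        Require all denied                       # 403 for every request
    </Location>
</VirtualHost>

# 2. A real site served directly by this host.
<VirtualHost *:80>
    ServerName   www.domain-name.com
    ServerAlias  domain-name.com
    DocumentRoot "/usr/local/www/domain-name.com" # assumed path
    <Directory "/usr/local/www/domain-name.com">
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>

# 3. A site fronted by this Apache as a reverse proxy. Only the named
#    host AND the listed URL prefix are forwarded; anything else sent to
#    this name is refused here and never reaches the backend.
<VirtualHost *:80>
    ServerName        app.domain-name.com
    ProxyRequests     Off        # reverse proxy only; never a forward proxy
    ProxyPreserveHost On         # backend sees the original Host header
    <Location "/">
        Require all denied       # default: refuse
    </Location>
    <Location "/app/">
        Require all granted      # later <Location> overrides the one above
        ProxyPass        "http://127.0.0.1:8080/app/"   # assumed backend
        ProxyPassReverse "http://127.0.0.1:8080/app/"
    </Location>
</VirtualHost>
```

To check the behaviour from another host, compare `curl -sI http://<server-ip>/` (no matching Host header, expect 403 from the default vhost) with `curl -sI -H 'Host: www.domain-name.com' http://<server-ip>/` (expect the real site). Note that this only decides which vhost answers: a scanner that learns the name, for example from DNS or from certificate transparency logs, still reaches the real site, so it complements rather than replaces keeping the web application itself patched.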