Matthew Seaman wrote:

On 19/05/2010 04:55:26, Aiza wrote:
I take a totally different approach to this problem for my production
web sites. This is the result of people running scripts that roll
through a large block of IP addresses scanning each IP address for open
[STANDARD] ports, and when they find port 80 open, they then attack the
web server. The simple solution is not to have your web server use the
standard port 80. Your web site is not known by its IP address but by
its URL (i.e. www.domain-name.com). My domain name register has an option
to associate my "www.domain-name.com" with any port number I want to use
at the specified IP address. This way my web site has total access by
anyone who knows its URL; the URL is scanned by the Yahoo and Google
indexing bots and becomes known to the public. Nobody knows or cares that
the web site is not using port 80. I then close inbound port 80 in my
firewall, thus locking out all the script kiddies who run the port scan
on standard ports. This method has worked for me the last 10 years
without ever having my production web servers attacked. Sure, some
naysayers will counter by saying all the scanners have to do is scan all
the ports. Yah sure, that can be done, but in 10 years it has never
occurred.

If the URL for your site is http://www.domain-name.com/ then any client
that attempts to access it will try to connect to port 80.  That's the
point of having well known ports.  Now, you can explicitly state a
different port in the URL:  http://www.domain-name.com:8080/ but this is
generally only useful amongst a closed group of users: the general
public will on the whole just get confused, so it's not often
encountered on general access websites.

Your domain registrar can't control anything to do with port numbers.
For some unknown reason this is a common misconception, particularly
among management types.  The DNS only associates hostnames with ip
numbers and vice versa[*].  Now, it may be the case that your server is
behind some sort of NAT/PAT gateway or HTTP reverse proxy, and that
locally you are running apache bound to some arbitrary port numbers.
Which is fine, but unless you are specifically telling people to use a
different port in your URLs, then the world at large is accessing your
site through port 80.  Which means that port scanners can certainly find
it and attempt to attack it.  Guess what?  Because the attacks are in
the form of valid HTTP queries, they'd go straight through any sort of
port address translation just like your normal traffic.

What I think you're actually doing is that all your web sites use name
based virtual hosts.  So a query to the IP number of your server gets
directed to a different bit of the apache config (and probably rejected)
compared to a query to a site by name.  That's actually a pretty good
design, and if you combine it with a reverse proxy which knows about
what hosts and URLs should be behind it, you can filter out a lot of bad
traffic very effectively before it gets anywhere near your real web server.

        Cheers,

        Matthew
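The design described in the message above (name-based virtual hosts with a default host that rejects requests made to the bare IP address, ideally in front of the real server) can be modelled in a few lines. The following is an added illustration, not code from anyone in this thread or from the Apache project; the host names, document roots and sample requests are constructed, and the 421 status used for the catch-all is just one reasonable choice.

```python
"""Name-based virtual host dispatch with a rejecting default host.

Added example (not from the freebsd-questions thread): a front-end looks
at the HTTP Host header, routes requests for configured site names to
that site, and sends anything else (no Host, an IP literal, an unknown
name) to a default catch-all that rejects it. Scanners that walk an
address range and hit port 80 by IP never reach a real site.
"""
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

# Constructed vhost table: Host header (without port) -> document root.
VHOSTS: Dict[str, str] = {
    "www.domain-name.com": "/srv/www/domain-name.com",
    "blog.domain-name.com": "/srv/www/blog",
}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_name(headers: Dict[str, str]) -> Optional[str]:
    """Return the Host header with any :port suffix removed, or None."""
    host = headers.get("host")
    if not host:
        return None
    # A bracketed IPv6 literal keeps its brackets; a single trailing
    # ":port" (as in www.domain-name.com:8080) is stripped.
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def is_ip_literal(host: str) -> bool:
    """True when the client addressed the server by IP rather than by name."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dispatch(raw: bytes) -> Tuple[int, str]:
    """Decide where a request goes: (status, document root or reason)."""
    _method, _target, headers = parse_request(raw)
    host = host_name(headers)
    if host is None:
        return 400, "missing Host header"
    if is_ip_literal(host):
        # Default vhost: requests to the address, not a name, are refused.
        return 421, "request addressed to IP literal rejected by default vhost"
    if host not in VHOSTS:
        return 421, "unknown host rejected by default vhost"
    return 200, VHOSTS[host]


if __name__ == "__main__":
    # Constructed sample requests: one by name, one by bare IP.
    for req in (
        b"GET / HTTP/1.1\r\nHost: www.domain-name.com\r\n\r\n",
        b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    ):
        print(dispatch(req))
```

Note that this only works if the catch-all really is the default: in Apache terms, the first VirtualHost for an address is the one that answers requests whose Host header matches nothing, so the rejecting host must be listed first.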

Matthew
Nothing is worse than someone insinuating the original poster doesn't know what they are talking about. I find your remarks totally unnecessary. You're telling the poster they don't know what they're doing when it's you who doesn't know what options are offered by their register. How can you say something is not available when you are not the one using or providing the register service? For your information, port forwarding is a common function when the domain name is specified to a dynamic IP address. Check out http://www.zoneedit.com/

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions