
Network Topology & httpd Configuration to Prevent direct access on your ip without netfilter rule


by: ev1lut10n

Well, this is a trick that I use for jasaplus.com.

Here's an example of a network topology that prevents direct access to your IP:
=======================

[your server]
|
|
|
[cloud computing network]
(servers that port-forward port 80 to your server)
(DNS: your domain resolves to one of the servers inside the cloud network; that server port-forwards port 80 to your server)
|
|
|
|
[internet]
=====================


[How can your server process HTTP requests that arrive from the forwarder?]

Below is a sample HTTP request from a browser, captured with netcat:
====
root@ev1lut10n-Vostro1310:/home/ev1lut10n# nc -l 80 -vvv
Connection from 127.0.0.1 port 80 [tcp/www] accepted
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/31137
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
=================

From the above request, note this line:
============
Host: localhost
============

This header is what most httpds use to pick the correct virtual host configuration. A typical user whose browser requests your domain will always send:
==========
Host: yourdomain.com
==========

Your httpd reads this line to decide which virtual host configuration should handle the request.


The above topology still has a weakness: suppose someone on the internet still obtains your real IP address. You could play with some netfilter tricks, but that's not our game here. For extra protection, if you use the nginx httpd, here's a sample nginx configuration that will trick the attacker:

===========
server {
    listen       80;
    # requests whose Host header is the bare IP address land in this block
    server_name  your_server_ip_address_here;
    server_tokens off;
    # an absolute URL as the replacement makes nginx answer with a 302 redirect
    rewrite ^(.*) http://127.0.0.1;
}
===============

This redirects every attacker who tries to access your server's IP directly to http://127.0.0.1.

However, the above trick can be bypassed. Suppose the attacker knows one of your virtual host names; then he may add this entry to his /etc/hosts file:
====
 yourserver_ip  your_virtual_host
====

since the HTTP request will then include:
Host: your_virtual_host

so your httpd processes it normally, based on that virtual host's configuration.
How to cover this? Use netfilter, or add configuration that checks whether the HTTP request is coming from your forwarder server or is a direct hit from the internet. The most extreme way is to modify your httpd source code.
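As an added illustration (not part of the original post), the following Python models the two decisions described above: the Host-header lookup that picks a virtual host, and the source-address check that rejects a direct hit that did not come through the forwarder. The forwarder range, the virtual host names, their document roots and the sample request are constructed placeholders.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholders for this example: the cloud forwarders' address range
# (documentation range 203.0.113.0/24) and the virtual hosts the httpd serves.
FORWARDERS = [ip_network("203.0.113.0/24")]
VHOSTS = {
    "yourdomain.com": "/srv/www/yourdomain",
    "blog.yourdomain.com": "/srv/www/blog",
}

# Constructed sample request, shaped like the netcat capture above.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: yourdomain.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def parse_host(raw: bytes) -> Optional[str]:
    """Return the Host header value (lowercased, port stripped) or None if absent.

    Accepts CRLF and bare LF line endings and tolerates whitespace before the
    colon, as in a hand-typed request. IPv6 literals are not handled.
    """
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    for line in head.split(b"\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            return host.split(":", 1)[0]        # drop an explicit :port
    return None


def dispatch(client_ip: str, raw: bytes, require_forwarder: bool = True) -> str:
    """Decide how the httpd handles a request.

    Returns "deny" when the TCP peer is not a forwarder (only if that check is
    enabled), the document root of the matching virtual host, or "redirect"
    when the Host header is missing, the bare IP, or unknown (the rewrite trick).
    """
    peer = ip_address(client_ip)
    if require_forwarder and not any(peer in net for net in FORWARDERS):
        return "deny"       # direct hit from the internet, whatever Host says
    host = parse_host(raw)
    return VHOSTS.get(host, "redirect")
```

With `require_forwarder=False` the /etc/hosts bypass succeeds, because only the Host header is consulted; with it enabled the same request from a non-forwarder address is denied. In nginx this source check corresponds to allow/deny directives in the server block; in Apache 2.4, to Require ip.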