Cloudflare - why backends are easy to find

[SrsX]

Cloudflare is nice, but even if you try 99% to hide your backend IP address using any service, including Cloudflare - it's a pain in the ass if you don't know what you're doing.

A lot of sites using cloudflare run some-sort of forum, etc. If there is a option for image uploading(avatar usually the best for MyBB/IPB/SMF/etc), then we can just have the server request to a IP logger and it'll log the backend of the persons server.

I suppose the point of this thread is, if you're going to run something and really don't want people finding the backend that easily, disable anything which would make your server send out a request to some site.

Even if you think you set up service like Cloudflare, etc. properly in order to not let people find your backend, it's still possible if they have a way to send out a request from your server, in this case avatar uploads on MyBB.

 

[drmike]

This is so true.  

No real way to hide from such either.   You would have to disable all upload functionality and anything that HTTP GETs things from remote servers.

I am sure true network ninjas could do something to further protect things.  NAT?  Anycast?

Generically, I guess one could setup environment variable for proxy and send outbound via a proxy not on the same network.  Crafty, I know.  You'd think I'd have worked around this before or something.

 

[WebSearchingPro]

Its the low hanging fruit principal. 

 

[Sunshine]

Yeah, a lot of holes like that. Another very common one is outgoing email headers containing the server IP.

And drmike is right, it can be solved as he describe it. I'm doing it

What I do with almost everything, is run nginx with php-fpm for each website in a chroot jail (takes a bit of tinkering to make everything work) and with a different username.

Then you can filter outgoing traffic per username with iptables, example:
 


iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables --new-chain user01
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner user01 -j user01
iptables -A user01 -m tcp -p tcp -d 127.0.0.1 --dport 3306 -j ACCEPT
iptables -A user01 -j REJECT
(Requires the ipt_owner module for iptables. If you're on a OpenVZ VPS, you may have to ask your provider to enable that module for you.)

In this example, "user01" is the username used by php-fpm. Any new outgoing traffic is blocked for everything except port 3306 (MySQL) on localhost.

You could then set up stunnel or GRE tunnel to another server, to retain some functionality for your website avatars, outgoing emails, plugin installing and updating, or whatever. Adjust iptables rules accordingly.

And of course the principle is the same, whether you use nginx, apache, php or whatever. I just like to use nginx + php-fpm.

Anyhow, this prevents your server IP from leaking, but other less-likely things can still happend. Through poor coding, the PHP code could be leaking your server IP or hostname obtained from environment variables, etc. So I scrub all that stuff before it reaches PHP.

Also keep in mind, that the free Cloudflare service will begin routing traffic directly to your server if the attack reaches a certain size (about 2 Gbps, if I'm not mistaken).

BuyVM and SecureDragon has some very affordable DDoS mitigation services.
 

 

[drmike]

^--- super cool!  More posts from Sunshine!

This situation shows the value of DDoS services from BuyVM, SecureDragon, RamNode, etc.   Show the filtered IP....  Heck I eliminate the non filtered IP entirely

 

[nunim]

From what I've seen most people use CloudFlare in an attempt to stop some automated attacks like WP login bots or to speed up page load times. It's not particularly effective at either of those tasks on its own but W3 Total Cache + WordFence + CloudFlare makes a nice combo.


CloudFlare is not really DDOS protection in my books and if someone really wants to DDOS, they'll probably find a way no matter what you're using.

 

[splitice]

GRE / IPIP tunnels and L2TP + IPsec solve these issues (especially if NAT'ed since then only a private IP address is ever leaked in case of mistake / hack attempt).

FYI Cloudflare will also remove their proxying if there is any significant legal pressure.

 

[TruvisT]

Mail servers also don't hide behind CF either. We had to move our mail servers out after they took a dDoS.

It is funny how many people think hiding behind a proxy service makes them safe from legal actions too.

 

[splitice]

And lets not forget the large percentage of people who don't disable the direct.domain.com subdomain or leave the IP in apache error messages.

 

[SrsX]

And lets not forget the large percentage of people who don't disable the direct.domain.com subdomain or leave the IP in apache error messages.

Let's classify those people as ... well nevermind.