Wednesday, November 23, 2016

Enforcing IP Access control for cloud-security-protected web applications (Cloudfare, Sucuri)

A lot of cloud-protected services claimed that your web site is safe and secure once you have set up DNS for your web sites pointing to their DNS servers.  This claim is far from truth.

A naive way to bypass is an attacker can find out about your actual IP from various way.   And use the host header and your actual IP to directly attack your web sites without having to worry about the protection.

Assume your IP is blocked by Cloudflare.   You can just do quick test.

Hacker-Mac: yehg$ curl http://your_server_ip --header "host: yehg.net" --header "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
Hey, you have bypassed!



How to allow only Cloudflare IP addresses (for Apache)

  1. Get the list of current Cloudflare IP range (https://www.cloudflare.com/ips-v4 , https://www.cloudflare.com/ips-v6)
  2. Set deny, allow rule in your .htacces file https://gist.githubusercontent.com/yehgdotnet/6353e367cb1178017980d2437417d6a5/raw/f25e88d0fc5899752c296510132b036ceacb9788/gistfile1.txt

Hacker-Mac: yehg$ curl http://your_server_ip --header "host: yehg.net" --header "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
<html><head><title>Error 403 - Forbidden</title><head><body><h1>Error 403 - Forbidden</h1><p>You don't have permission to access the requested resource. Please contact the web site owner for further assistance.</p></body></html>




No comments:

Post a Comment