Censys.io ip leaking

So I'm using Cloudflare and nginx load balancers, and for some reason censys.io is leaking all the origin IPs behind it. I'm using CentOS and Cloudflare backend certs. Should I set up some kind of firewall rules, or is there some hole which I need to look into?

Comments

  • vovler Member

    Make sure that your VPS/Dedi IP is not redirecting to your website or loading your website's ssl certificate

  • You can also configure your firewall to only accept ports 80 and 443 from Cloudflare IPs.

  • @vovler said:
    Make sure that your VPS/Dedi IP is not redirecting to your website or loading your website's ssl certificate

    Could you please explain this one a bit further. I'm very curious about it.

  • @TheWalkingZ said:

    @vovler said:
    Make sure that your VPS/Dedi IP is not redirecting to your website or loading your website's ssl certificate

    Could you please explain this one a bit further. I'm very curious about it.

    Type in browser: https://your-dedi-IP

    is it redirected to your site?

  • Harambe Member, Host Rep

    Allow these IPs to access the site on 80 & 443, block everything else. https://www.cloudflare.com/ips/

    But your origin has already leaked so you'll want to get that IP swapped for a new one.
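
    Added example, not from this thread: a small Go program that turns a list of proxy ranges into the ipset/iptables commands the allowlist above needs, and lets you check which source addresses the resulting rules would admit before loading them. The function names, the cf4/cf6 set names and sampleRanges are my own; the sample list is a constructed stand-in for the live list at https://www.cloudflare.com/ips/ (ips-v4 and ips-v6), which should be fetched fresh rather than copied from here.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sampleRanges is a constructed stand-in for the published lists at
// https://www.cloudflare.com/ips/ (ips-v4 and ips-v6). Fetch the live lists
// when generating real rules; they change over time.
var sampleRanges = []string{
	"131.0.72.0/22",  // the IPv4 range quoted in the thread
	"2400:cb00::/32", // an IPv6 range; verify against the live list
}

// Allowlist holds the parsed ranges split by address family, because
// iptables/ip6tables and ipset "family inet"/"inet6" are separate.
type Allowlist struct {
	v4 []*net.IPNet
	v6 []*net.IPNet
}

// ParseAllowlist rejects anything that is not a CIDR, so a typo in a copied
// list cannot silently become a rule that matches nothing.
func ParseAllowlist(cidrs []string) (*Allowlist, error) {
	a := &Allowlist{}
	for _, c := range cidrs {
		c = strings.TrimSpace(c)
		if c == "" || strings.HasPrefix(c, "#") {
			continue
		}
		_, ipnet, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad range %q: %w", c, err)
		}
		if ipnet.IP.To4() != nil {
			a.v4 = append(a.v4, ipnet)
		} else {
			a.v6 = append(a.v6, ipnet)
		}
	}
	return a, nil
}

// Allows answers the question the firewall answers per packet: is this
// source address inside one of the proxy's published ranges?
func (a *Allowlist) Allows(addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false
	}
	nets := a.v6
	if ip.To4() != nil {
		nets = a.v4
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Rules renders the commands: one ipset per family, an ACCEPT for 80/443 from
// that set inserted at the top of INPUT, then a DROP for everything else on
// those ports. A set keeps the chain short and can be refreshed later with
// "ipset swap" without touching the iptables rules.
func (a *Allowlist) Rules() []string {
	var out []string
	emit := func(set, family, tool string, nets []*net.IPNet) {
		if len(nets) == 0 {
			return
		}
		out = append(out, fmt.Sprintf("ipset -exist create %s hash:net family %s", set, family))
		for _, n := range nets {
			out = append(out, fmt.Sprintf("ipset -exist add %s %s", set, n.String()))
		}
		out = append(out, fmt.Sprintf("%s -I INPUT -p tcp -m multiport --dports 80,443 -m set --match-set %s src -j ACCEPT", tool, set))
		out = append(out, fmt.Sprintf("%s -A INPUT -p tcp -m multiport --dports 80,443 -j DROP", tool))
	}
	emit("cf4", "inet", "iptables", a.v4)
	emit("cf6", "inet6", "ip6tables", a.v6)
	return out
}

func main() {
	a, err := ParseAllowlist(sampleRanges)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(a.Rules(), "\n"))
}
```

    Review the printed commands before piping them into a shell; the DROP only covers 80 and 443, so management ports are unaffected, and the allowlist must be regenerated whenever the published ranges change or the ACCEPT will start rejecting legitimate proxy traffic.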

  • Get a new IP and block other connections. Allow only CF.

  • TheWalkingZ Member
    edited July 2019

    @rick2610 said:

    @TheWalkingZ said:

    @vovler said:
    Make sure that your VPS/Dedi IP is not redirecting to your website or loading your website's ssl certificate

    Could you please explain this one a bit further. I'm very curious about it.

    Type in browser: https://your-dedi-IP

    is it redirected to your site?

    No.

    This is my configuration for proxy_pass

    Iptables:

    iptables -A INPUT -p tcp --dport http -j DROP
    iptables -A INPUT -p tcp --dport https -j DROP
    # cloudflare ip (one rule per range; -I puts each ACCEPT ahead of the DROPs above)
    iptables -I INPUT -p tcp -m multiport --dports http,https -s "131.0.72.0/22" -j ACCEPT
    ....
    

    Reverse proxy settings:

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name site.com;

        # SSL
        ssl_certificate ssl/site.pem;
        ssl_certificate_key ssl/site.key;
        # Authenticated Origin Pulls: only clients presenting a client certificate
        # signed by the Cloudflare CA in cloudflare.pem get past the handshake
        ssl_client_certificate ssl/cloudflare.pem;
        ssl_verify_client on;

        # reverse proxy
        location / {
            limit_req zone=mylimit burst=5 nodelay;
            proxy_pass https://backend_ip:443;
            # only consulted when proxy_ssl_verify is on (it defaults to off)
            proxy_ssl_trusted_certificate ssl/site.pem;
            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_http_version  1.1;
            proxy_cache_bypass  $http_upgrade;

            proxy_set_header Upgrade            $http_upgrade;
            proxy_set_header Connection         "upgrade";
            proxy_set_header Host               $host;
            proxy_set_header X-Real-IP          $remote_addr;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_set_header X-Forwarded-Host   $host;
            proxy_set_header X-Forwarded-Port   $server_port;
        }
    }
    

    Now on the backend server, I couldn't block 443 because the traffic which comes from a reverse proxy is also blocked.

    So I did it like this

    server {
        listen       80;
        server_name  backend_ip;
        return 444;   # close the connection without sending a response
    }

    server {
        listen       443;
        listen       [::]:443;
        server_name  backend_ip;
        # 444 only acts at the HTTP layer; on 443 the TLS handshake, in which a
        # certificate is presented, has already completed before this runs
        return 444;
    }
    
  • vovler Member

    @TheWalkingZ

    Censys caches their results. If you made any changes that you think should solve the IP leaking, wait a week or so and check their website again.

    Also open https://IP (even if the response is 444) and open the certificate information to see if anything points to your domain
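
    Added example, not part of vovler's post: a Go tool that performs the check just described the way an Internet-wide scanner would (connect to the bare IP on 443 without SNI, accept whatever certificate comes back) and reports whether the presented certificate names your domain. The browser's "invalid certificate" warning is beside the point: a Cloudflare origin certificate is not publicly trusted, but it still carries the domain in its subject or SAN list, and that is what ties the IP to the site. The function names (ProbeIP, CertNames, NameMatches, LeaksDomain) are mine.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// CertNames returns every hostname the certificate claims: the subject CN plus
// all DNS subjectAltNames, lower-cased and de-duplicated.
func CertNames(cert *x509.Certificate) []string {
	seen := map[string]bool{}
	var names []string
	add := func(n string) {
		n = strings.ToLower(strings.TrimSpace(n))
		if n != "" && !seen[n] {
			seen[n] = true
			names = append(names, n)
		}
	}
	add(cert.Subject.CommonName)
	for _, n := range cert.DNSNames {
		add(n)
	}
	return names
}

// NameMatches reports whether a certificate name covers domain, honouring a
// single leading wildcard label: *.example.com covers www.example.com but not
// example.com itself or a.b.example.com.
func NameMatches(certName, domain string) bool {
	certName = strings.ToLower(certName)
	domain = strings.ToLower(domain)
	if certName == domain {
		return true
	}
	if strings.HasPrefix(certName, "*.") {
		suffix := certName[1:] // ".example.com"
		if strings.HasSuffix(domain, suffix) {
			rest := strings.TrimSuffix(domain, suffix)
			return rest != "" && !strings.Contains(rest, ".")
		}
	}
	return false
}

// LeaksDomain reports whether the certificate presented on a bare IP ties that
// IP to domain, which is all a scanner needs to associate the two.
func LeaksDomain(cert *x509.Certificate, domain string) bool {
	for _, n := range CertNames(cert) {
		if NameMatches(n, domain) {
			return true
		}
	}
	return false
}

// ProbeIP connects to ip:443 like a scanner does (no SNI, no verification) and
// returns the leaf certificate the server chose to present.
func ProbeIP(ip string) (*x509.Certificate, error) {
	d := net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(&d, "tcp", net.JoinHostPort(ip, "443"), &tls.Config{
		// We want to inspect whatever is presented, not validate it.
		InsecureSkipVerify: true,
		// ServerName is deliberately left empty: no SNI, as for a bare-IP connection.
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificate presented by %s", ip)
	}
	return certs[0], nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: origincheck <ip> <domain>")
		os.Exit(2)
	}
	cert, err := ProbeIP(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	fmt.Println("names on certificate:", strings.Join(CertNames(cert), ", "))
	if LeaksDomain(cert, os.Args[2]) {
		fmt.Println("LEAK: the bare IP presents a certificate for", os.Args[2])
		os.Exit(1)
	}
	fmt.Println("ok: certificate does not name", os.Args[2])
}
```

    Run it as `go run origincheck.go 203.0.113.10 site.com` (a constructed TEST-NET address and the placeholder domain from the thread). If it reports a leak, a `return 444` on the catch-all server cannot help, because the certificate is sent during the TLS handshake before any HTTP response: the server block that answers for the bare IP has to present a certificate that does not name the domain, or refuse the handshake outright (nginx 1.19.4 and later have `ssl_reject_handshake on;` for exactly this). As vovler notes, re-check after the scanner's cache has expired; and since the old IP is already indexed, swapping to a new one is what makes the fix stick.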

  • Jake4 Member

    It's an SSL cert leak, fix your certificate and swap IPs and it'll be fine.

  • @vovler said:
    @TheWalkingZ

    Censys caches their results. If you made any changes that you think should solve the IP leaking, wait a week or so and check their website again.

    Also open https://IP (even if the response is 444) and open the certificate information to see if anything points to your domain

    Yes, it does point to the domain, with an invalid certificate message. How do I remove it from there?

  • @Jake4 said:
    It's an SSL cert leak, fix your certificate and swap IPs and it'll be fine.

    How do I fix the SSL cert leak, as I'm using the Cloudflare origin cert with the settings posted above?
