Somebody tried to get access to my TYPO3 backend. I already have the IP adress of the attacker and want to block it from the backend.
I already tried to block ip with .htaccess but this doensn't work. I think the rules are overwritten by something else in the .htaccess file which I couldn't figure out yet.
Captcha is at the moment not a suitable solution.
Are there any good extensions for blocking IP adresses or is there another way to avoid these brute-force attacks?
If you are really concerned about somebody to be able to successfully get access to the system I suggest to go the "white list" path instead of blacklisting single IPs.
TYPO3 has a built in feature to block backand access for ALL IPs except some white listed ones.
To do this just add the following into AdditionalConfiguration.php putting your own IP and the IPs (or subnets) of other users too.
$GLOBALS["TYPO3_CONF_VARS"]['BE']['IPmaskList'] = 'x.x.x.x,y.y.y.*,z.z.*.*';
Other than that, just make sure you take the basic steps to make your backend more secure:
1) Force SSL for the backend:
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = 2;
2) Implement a secure password policy for the backend users by using e.g. EXT:be_secure_pw
3) Secure session cookies to have ssl_only and http_only attributes:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieHttpOnly']=1;
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure']=1;
4) And last but not least: make sure you are using the most recent version of your TYPO3 version line, ideally a maintained LTS version.
You should block requests before PHP/MySql is in use in the best case. So .htaccess is the correct way in my eyes. If it does not work, you should ask your hoster.
It sounds like you want to block the IP of the attacker and put measures in place to block known bad ip's. One of the main issues with blocking the IP of the attacker is that it's fairly easy for an attacker to setup a new IP address and launch a new attack.
There are services that provide lists of known bad ip's if you wanted to implement your own firewall.
Alternatively you can look to place your URL behind a solution such as Cloudflare that have the ability to block IP's or countries. I know of business's that block traffic from China and Russia since they identified that most of their attacks came from these countries.
Related
I would like to know what is the best way to redirect everything from marketing-address.com to real-address.com.
best means
as less effort as possible,
as cheap as possible,
as secure as possible.
In detail:
Less effort: If possible without the need of creating a website oder some code like javascript
Secure: https://marketing-address.com should be accpeted by the browsers - no warning.
Cheap: if possible without buying a certificate (I don't think that this is possible) and without having a second webserver running
So in theory, the communication would be like this:
Making the address targeting the same IP address
Making the existing IIS listen to that address to
Let IIS tell the caller "yes, you're totally right here, but I neither I have a website nor do I have a certificate, but you don't need anything of that since you get redirected anyway..."
Is there a chance to accomplish that? If no, I would need to buy a certificate. What would be the solution then?
There are 2 restrictions:
We are using an Azure App Service for hosting an asp.net core site, which seems to be very restricted in configuration possibilities
The browser should definetly show the real-address.com in the URL, not the marketing-address.com.
Have you tried to use an Application Gateway before the IIS/Webapp at the backend?
I believe the AppGW will solve these issues, the AppGW can redirect the hostname to another web address, as many you want to.
https://learn.microsoft.com/en-us/azure/application-gateway/ssl-overview#tls-termination
I am using AMP (McMyAdmin3) as control panel for my minecraft and the servers are located at a secret address, except my bungeecord (proxy so multiple minecraft servers can be connected) ofcourse. Now I am trying to have a control panel for my admins, but I want them not to see the IP.
I was thinking of an SRV record, but I am not sure if this even CAN work or HOW it even works.
(Well I have an idea of how it works but I don't know if I am correct)
So I have pointed my domain 'manage.mydomain.com' to the IP I want, I put cloudflare protection on it, so if they resolve the IP, they cannot see the real IP. However, with this done they cannot type in the URL bar 'manage.mydomain.com:[port]' because cloudflare does not allow you to do that, because of the protection. So I tried setting up an SRV record like this:
_mcmyadmin._tcp.manage POINTS TO SRV 0 0 [port] manage.mydomain.com
I waited for 2 days now, and it still did not work, so I am sure that is not the case.
Is there any way to make this work? Or is not even possible with domain stuff :p
Or is there another way to fix this?
Kind regards,
Runefist
DNS is the public phone book of the internet. Its purpose is to take a domain name and map it to an IP Address. It is simply not possible to put anything in DNS and keep it secret.
When you put an address into your browser the first thing it does is find out the IP address associated with it.
In order to use a SRV record the application that uses it needs to be written to use them. Unless you are writing the frontend yourself, there are very few applications that will use SRV records. You can't just put data in there and expect it to be used.
If your intention here is to provide extra security to your servers, this isn't going to do you a lot of good. If you look at your server logs you are already being probed just by being online. The addition of a domain name won't do much change that.
You will be far better off understanding and hardening the security of your server than hiding it and hoping that nobody finds it, because it is almost guaranteed that they will if they have the inclination to do so.
Minecraft SRV records are _minecraft._tcp, you can't change the service name or the client won't be able to resolve it.
That being said, Michael B is right, what you're doing is implementing security by obscurity (which, as we all know, is no security). Instead, you should be using iptables to block all IPs except for the bungee from being able to reach the backend.
I am familiar with denying access based on an IP, block of IPs, browser, URL etc... but my problem here is, let me state, how to deny access if it came from some IP address, at least 3 times a second for long period of time. Here, you don't know the IP address unless you look at the access file. By the time you found out the IP address it's already drawn too much of the bandwidth.
You can't use htaccess for doing this. The out-of-box apache directives can't handle browsing sessions. You'll need to install some sort of log parser, maybe something like fail2ban? Or you can probably cook up a set of iptables rules for blocking lots of connections from one IP: https://askubuntu.com/questions/437059/linux-command-to-prevent-dos-attack-by-using-netstat-and-iptables
I'm trying to put online a staging area for an upcoming website... I'd usually rather use an htaccess rule to enable only me and my client to see the website...i think is safer and you dont need to rememebr passwords and so...
but my client this time has an internet provider who doesnt give him a static ip, aparently everyday or so, his ip chamges...so i have to change my htaccess!
there is any solution for that?
First of all, dynamic IPs are very common, a lot of providers disconnect the client in intervals of 12 or 24 hours, which usually means they get a new IP assigned.
Second, just giving out a username / password combination not only seems safer, but also more hassle-free. You are about to invest time into a solution that's probably not worth it. I also don't see how you would obtain the valid IP address of the client to update your .htaccess file, apart from having the client install a service that updates a dynamic DNS entry mayb - more of a hassle than remembering a login, if you ask me.
You could have him use a dynamic DNS service like dyndns.com or no-ip.com. That way he can setup a domain name like someguy.dyndns.com which would always resolve to his ip (he'll probably need to install a small daemon/service/program to automatically update the IP though). Then you can add a rule into your .htaccess like allow from someguy.dyndns.com.
Is it possible for crook to redirect website site/landing to your domain to elsewhere? Say, a visitor's intended website is, knowledgenotebook.com, but the crook redirected the user to google.com or yahoo.com or anything else? And doing so randomly, so, it can try to avoid detection.
I believe you can do that with DNS cache poisoning or XSS.
With DNS poisoning it would still say knowledgenotebook.com in the URL. With XSS i think it would have to have the new URL.
What do you mean by randomly? As in user X will get redirected but users Y and Z will not? If that is what you mean then they could probably randomize it with XSS. I don't think it could be randomized using DNS poisoning...
Yes it is possible. He can use several techniques to achieve that like DNS hijacking, IP spoofing, ARP poisoning, edition of hostfile etc. Hakin9 is a very good magazine for beginners (but not only) interested in security matter
Yes, he can do it by modifying the hostsfile
Yes, it is possible. The best way for your users to ensure that they are actually getting your site is to use an SSL certificate. The HTTPS protocol requires browsers to verify that the domain name it is trying to get matches the domain name of the certificate (otherwise you'll get a security warning in your browser).
There's not really any way to prevent all the possible ways that someone can do this, as it can happen anywhere between your server and the user. DNSSEC is supposed to help with some of these issues, like cache poisoning.