How are dynamic dns entries discovered by hackers and what tools are they using to glean this information?
A few days ago I signed up at no-ip.org for a free dns entry in order to open up my e-commerce site to a third party that needs to make calls to it in my development environment. Within a day I saw ip addresses coming to my site that are NOT from this third party. I’m wondering how this brand new dns entry was discovered and so quickly. At least one of these persons was attempting to hack the site and knew exactly the base product I was working with, an open source e-commerce system, and attempted to gain access to the admin area which has got me curious on how exactly these hackers are able to pull this information so quickly and know exactly the product I’m working with.
For now I’ve white-listed the ip addresses from this third party but I’d like to use the same logic these hackers are to look at my site from a security standpoint and better protect against it when we go to production.
To be alerted to new IPs listed in a nameserver requires privileged access to the zone files on the server, regardless of whether those IPs are entered through manual edits to the zone files or through an automated process like DDNS. A quick check shows that those rights aren't enabled by default through the standard mechanism at no-ip.
> server nf5.no-ip.com
Default Server: nf5.no-ip.com
Address: 83.222.240.75
> ls no-ip.com
[nf5.no-ip.com]
*** Can't list domain no-ip.com: Server failed
The DNS server refused to transfer the zone no-ip.com to your computer. If this
is incorrect, check the zone transfer security settings for no-ip.com on the DNS
server at IP address 83.222.240.75.
They do enable zone-transfers by-request, and I suppose that would be a nice thing for a hacker monitor. Fresh servers have the easiest vulnerabilities.
But honestly, it's just as likely that it was a random IP hit, as Marc suggested. To get your product info also isn't hard. After cataloging the server as a new device, it's typically easy to identify the service platform. Just establishing a TCP/IP connection to the server will typically reveal the operating system it runs through subtle tells in number sequences in IP packets and other tidbits of information. It can look deceptively like someone knew all about your server upon first connection.
Related
Guys I really want to know how to hide my IP Address. And know why is it necessary to hide it?
I tried using anonymox, but I want to hide it without using any third party software.
You could try the methods listed here : https://pc4u.org/windows-10-how-to-connect-to-a-free-vpn-without-going-through-third-party-software/ if you don't want to use a third party software to hide your IP Address. You need to setup a VPN in your computer to achieve that. This will tunnel your network connection.
Source: pc4u.org
The only way to accomplish this without 3rd party software would be to use an online proxy and configure your browser to use said proxy. This will only change your IP as it appears to sites you visit through the browser and not other services you may be using on your computer.
The "best" way to "hide" or change your IP is to use a VPN (which you'll need software for). You can purchase a VPN service from one of Many providers. Some of the providers have their own apps that you can use, or, you can manually configure your own OpenVPN client. There are also many great scripts out there, AWS one-click servers, and cheap VPS providers that make it easier than ever to create your own VPN server. This might be over the "average" users head though...
The benefit of using a VPN is that it not only changes your IP, also encrypt your traffic.
It should be noted that VPN's are not 100% fool-proof. If not configured properly, you will expose your real IP. In addition, many VPN providers are not reputable.
The best recommendation I can make on this and every other topic on online privacy is this site here:
https://privacytools.io
This is (IMO) the best, most comprehensive source of information about protecting your privacy online. They will guide you in the right direction regarding VPN's, proxies, securing your browser, and much, much more. Check it out. Seriously...
OpenVPN has builds for all operating systems. https://openvpn.net
Like i said though, you'll have to purchase access (or if you're brave, find a free 'solution') from a provider and then configure OpenVPN to use your purchased credentials. This is usually about 5$ a month (for the solid / no logs / unlimited bandwidth ones ). There are many, many posts about setting up OpenVPN here on stackoverflow.
Finally, as far as the proxies go, again, you can purchase access to some of the reputable ones or search for a free one - though, in my experience the free proxies are very touch and go.
The scenario is - I need to send push notification to Apple push server hosted at gateway.sandbox.push.apple.com. This Apple server is load balanced and the destination IP address can be anything in 17.x.x.x block.
Now my server which will be requesting Apple server is in secure environment and is behind firewalls. I have got the IP range 17.x.x.x unblocked, but DNS resolving is not possible on that server. That server also doesn't have Internet access on it.
What I did was - I pinged the Apple server from another system and got the Apple server's IP address for the moment. Then I mapped that IP address with the DNS name in the hosts file of my Windows server. This worked, but now the IP address can change anytime at the Apple end, and this will break things.
What can I do in this scenario?
You can talk to your security people and in cooperation with them come up with a proper, internally supported, way to provide what you need. What you need is to look up an address, and then talk to that address. Currently, you are only provided half of that.
What you're asking us for is a way to circumvent your own organization's security policies (policies that admittedly appear stupid, but that's another matter entirely). Even if someone here can come up with a technical way to do what you ask that works for now, it's likely to break at any time, since you're working at odds with your own workplace. Also, what will your bosses say if they find out that you're violating security policies?
Security very often comes down to tradeoffs. As the saying goes, the only truly secure system is one that has been encased in concrete and sunk to the bottom of the sea. But such a system will also be somewhat difficult to get useful work out of, so usually we accept lesser security in order to get work done. In your case, the tradeoff currently sits in a place that prevents you from doing whatever it is you're working on. So your organization needs to make a choice: change the tradeoff so that your machine can look up names, or keep the current tradeoff and accept that your task will not be done.
I'm sorry that I can't give you a straight up "Sure, do this" kind of answer, but your problem really is not technical.
This is a very generic question that popped up in my mind. The reason has been that I came across a website dev server which leaked sensitive information about a database connection due an error. I was stunned at first and now I wonder why someone puts a development server out in the internet and make it accessible to everyone?
For me there is no reason for doing this.
But it certainly did not happen by accident that a company created a subdomain (dev.example.com) and pushed development code to it. So what could be the reason to ignore the fact of high security risk?
A quick search did not bring up any information about this. I'm interested in any further readings about this specific topic.
Thank you in advance
There is no reason for your dev servers to be accessible by the general public.
As a customer I just had an experience with a private chef site where I spent time interacting with their dev server because it managed to get crawled by Bing. Everything was the same as the live site but I got increasingly frustrated because paying a deposit failed to authorise. The customer support team had no idea I was on the wrong site either. The only difference was the URL. My e-mail address is now in their test system sending me spam every night when they do a test run.
Some options for you to consider, assuming you don't want to change the code on the page:
IP Whitelisting is the bare minimum
Have a separate login page that devs can use that redirects to the dev site with the correct auth token - bonus points for telling stray users that this is a test side and the live site is at https://.....
Use a robots.txt to make sure you don't get indexed
Hide it all behind a VNET - this really isn't an issue anymore with VPNs or services like Bastion.
Also consider the following so your devs/testers don't accidentally use the wrong site:
Have a dev css to make it obvious its a test system (this assumes you do visual testing later in your pipeline)
Use a banner to make it clear this is a dev site
Note that this would be a dev server. If you are using ringed/preview/progressive deployment then these should work just as well as the live site because they are the live site.
It's extremely common for a development environment or any "lower level" environment for that matter to be exposed to the pubic internet. Today, especially with more and more companies working in the public cloud and having remote team members, it's extremely more productive to have your development team or UAT done without having the need to set up a VPN connection or a faster more expensive direct connections to the cloud from your company's on premise network.
It's important to mention that exposing to the public internet does not mean that you shouldn't have some kind of HTTP Authentication in these environments that hides the details of your website. You can also use a firewall with an IP address whitelist. This is still very important so you don't expose your product and lose a possible competitive advantage. It's also important because lower level environments tend to be more error prone and important details about the inner workings of your application may accidentally show up.
I want to check a particular website from various locations. For example, I see a site example.com from the US and it works fine. The colleague in Europe says he cannot see the site (gets a dns eror).
Is there any way I can check that for my self instead of asking him every time?
This is a bit of self promotion, but I built a tool to do just this that you might find useful, called GeoPeeker.
It remotely accesses a site from servers spread around the world, renders the page with webkit and sends back an image. It will also report the IP address and DNS information of the site as it appears from that location.
There are no ads, and it's very stream-lined to serve this one purpose. It's still in development, and feedback is welcome. Here's hoping somebody besides myself finds it useful!
Sometimes a website doesn't work on my PC and I want to know if it's the website or a problem local to me(e.g. my ISP, my router, etc).
The simplest way to check a website and avoid using your local network resources(and thus avoid any problems caused by them) is using a web proxy such as Proxy.org.
Well, DNS should be the same worldwide, wouldn't it? Of course it can take up to a day or so until your new DNS record is propagated around the world. So either something is wrong on your colleague's end or the DNS record still takes some time...
I usually use online DNS lookup tools for that, e.g. http://network-tools.com/
It can check your HTTP header as well. Only a proxy located in Europe would be better.
Besides using multiple proxies or proxy-networks, you might want to try the planet-lab. (And probably there are other similar institutions around).
The social solution would be to post a question on some board that you are searching for volunteers that proxy your requests. (They only have to allow for one destination in their proxy config thus the danger of becoming spam-whores is relatively low.) You should prepare credentials that ensure your partners of the authenticity of the claim that the destination is indeed your computer.
DNS info is cached at many places. If you have a server in Europe you may want to try to proxy through it
It depends on wether the locatoin is detected by different DNS resolution from different locations, or by IP address that you are browsing from.
If its by DNS, you could just modify your hosts file to point at the server used in europe. Get your friend to ping the address, to see if its different from the one yours resolves to.
To browse from a different IP address:
You can rent a VPS server. You can use putty / SSH to act as a proxy. I use this from time to time to brows from the US using a VPS server I rent in the US.
Having an account on a remote host may or may not be enough. Sadly, my dreamhost account, even though I have ssh access, does not allow proxying.
The only thing that springs to mind for this is to use a proxy server based in Europe. Either have your colleague set one up [if possible] or find a free proxy. A quick Google search came up with http://www.anonymousinet.com/ as the top result.
I was wondering about the best practices regarding this? I know there are two ways to use IIS and host multiple websites.
The first is to have an IP for every website
The second is to use host headers, and a single IP Address for IIS
I was wondering which was the best practice, and why one should be preferred over the other?
Thanks!
It's easier to implement and manage SSL if each site has its own IP address/domain name. You simply get a cert for that name and install it on that site. Doing SSL with Host Headers requires a wildcard server certificate that is implemented and synchronized across all sites that share the IP. You also don't have the restriction that all the sites be in the same domain.
I personally separate sites based on the relation to each other. For example all of my business sites share a single IP adddress (1 domain currently). All of my personal/community sites share a second IP address.
The differences can come over time when it comes to sending e-mail as I know that IP comes into play in some blacklisting systems, so if one site with a shared IP address causes problems it CAN cause issues for the other sites using that IP.
I am sure there are other items, reasons, and justifications, but those are at least mine...
Personally I find host header configuration makes life very easy for standard web hosting.
I have literally hundreds of sites running of off single IP addresses on a number of servers - both IIS and *nix Apache, all configured as virtual hosts. In a live web hosting environment it makes life easier both in terms of DNS configuration and server configuration.
The only time I used IP based separation is where I want to run sites on different networks and thus serve the traffic of a different network interface.
I've not seen any performance loss with the host header methodology but would like to hear anyone's horror tales - there have to be some out there :-)
Virtual hosting is usually better than separate IP addresses, but your mileage will vary.
This is really a network vs. systems deployment connection. You want to look at the total number of sites and services you will have on a system. You might want them to live on separate network interfaces (hence multiple IP addresses). You might want them to live off bonded physical interfaces.
You might want web applications to run that need to run separately from others because of security reasons.
The other answers above mention other factors, like SSL, organizational boundaries. (Some software does make associations by IP-address, like spam control). There are probably many other factors I have not thought of.
Host headers are prefered because they conserve IPv4 address space. They have been mandatory since HTTP/1.1.
With https things are a little more complex; you need a modern browser that supports the TLS/SSL server_name extension (RFC 4366 and previously RFC 3546). This includes:
Opera 8.0 or later
Firefox 2.0 or later
IE 7 on Vista
Google Chrome
Of course your server has to support it. If you want to support earlier browsers and use SSL/TLS, you need to us an IP address per virtual host; as those browsers become obsolete you'll be about to share IP addresses for TLS/SSL.
Host Headers versus multiple IPs when hosting several websites