General website security guidelines

dewberryevent (Security)

2 Nov 2013 (3 years and 10 months ago)


The following website security guidelines are appropriate for all CloudFlare customers, at any plan level.
• Do not rate-limit or throttle requests from CloudFlare IP addresses.
• Make sure you are seeing original visitor IP addresses in your logs.
• Remove all DNS records you are not using.
• Run email on separate server/service.
• Customize the challenge page.
• After moving site to CloudFlare, change server IP address(es).
• Review Threat Control settings.
Do not rate-limit or throttle requests from CloudFlare IP addresses
CloudFlare acts as a reverse proxy, so all connections come from one of our IPs. It is important to ensure that your server accepts connections from CloudFlare at all times. CloudFlare IP ranges are listed at http://www.cloudflare.com/ips and that page includes links to simple text files intended for machine parsing. CloudFlare will add any new ranges to the public list at least one month before the new range is used, and will use many methods to publicize any new ranges.
Make sure you are seeing original visitor IP addresses in your logs
CloudFlare operates as a reverse proxy, so requests to your server(s) are made from our global network. The requests will therefore come from CloudFlare IP addresses (see above), but CloudFlare always includes the original visitor IP address in the request, as an HTTP header.
CloudFlare offers several tools, such as mod_cloudflare for Apache web servers, for pulling the original visitor IP address from the header. See the full list here:
https://support.cloudflare.com/entries/22055137-why-do-my-server-logs-show-cloudflare-s-ips-using-cloudflare
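The two guidelines above fit together: per-client throttling must exempt the proxy's addresses, and the forwarded header should be trusted only when the TCP peer actually is one of those addresses (any other client could set the header itself). The following is an added example, not CloudFlare's or mod_cloudflare's code. It assumes the header name CF-Connecting-IP (the one mod_cloudflare reads; it is not named on this page) and uses constructed documentation CIDRs in place of the real list from http://www.cloudflare.com/ips.

```python
# Added example (not CloudFlare's code): pick the address to log and rate-limit on.
# Assumptions: the header name CF-Connecting-IP, and the CIDR list below, which is a
# constructed stand-in for the machine-readable files linked from cloudflare.com/ips.
import ipaddress
from typing import Iterable, List, Mapping

# Constructed sample of an ips-v4/ips-v6 style file: one CIDR per line.
SAMPLE_IP_LIST = """\
198.51.100.0/24
203.0.113.0/24
2001:db8:abcd::/48
"""

def parse_ip_list(text: str) -> List:
    """Parse a one-CIDR-per-line file; blank lines and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_proxy_ip(peer_ip: str, proxy_nets: Iterable) -> bool:
    """True when the TCP peer address falls inside one of the proxy ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in proxy_nets)

def visitor_ip(peer_ip: str, headers: Mapping[str, str], proxy_nets: Iterable) -> str:
    """Return the address to record for this request.

    The forwarded header is honoured only when the peer is a proxy address; otherwise
    the peer address itself is used, so a direct client cannot write an arbitrary
    address into the logs. A malformed header value also falls back to the peer."""
    if is_proxy_ip(peer_ip, proxy_nets):
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        value = lowered.get("cf-connecting-ip", "").strip()
        if value:
            try:
                return str(ipaddress.ip_address(value))
            except ValueError:
                pass  # not a valid address: ignore the header
    return peer_ip

def should_rate_limit(peer_ip: str, proxy_nets: Iterable) -> bool:
    """Per-peer throttling must never apply to the proxy: every visitor shares those addresses."""
    return not is_proxy_ip(peer_ip, proxy_nets)

if __name__ == "__main__":
    nets = parse_ip_list(SAMPLE_IP_LIST)
    print(visitor_ip("198.51.100.7", {"CF-Connecting-IP": "192.0.2.44"}, nets))  # proxied: 192.0.2.44
    print(visitor_ip("192.0.2.1", {"CF-Connecting-IP": "192.0.2.44"}, nets))     # direct: 192.0.2.1
    print(should_rate_limit("203.0.113.9", nets))                                 # False
```

In a real deployment, `SAMPLE_IP_LIST` would be replaced by the contents of the published text files, refreshed on a schedule, since new ranges are announced at least a month ahead; the rest of the logic stays the same.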
Remove all DNS records you are not using
CloudFlare provides authoritative DNS service to its direct customers. If you've enabled CloudFlare via a hosting partner or CNAME, then your DNS is controlled elsewhere, and this only applies to those records delegated to CloudFlare.
Within the CloudFlare DNS Settings, you have a choice of enabling CloudFlare security and acceleration and other services on a per-record basis. Security is ON when the cloud is orange. Some services will add default records whether you use them or not, such as webmail, FTP or wildcards.
Review your DNS records and: (1) remove any records that are not in use and (2) enable CloudFlare security (orange cloud) on the web records you use.
When you signed up for CloudFlare, we automatically added a 'direct' subdomain record. This record has a gray cloud and is meant to perform tasks such as FTP and SSH. While 'direct' is simple to remember, it is also a vector that can be used by potential attackers. Rename the subdomain to something more secure.
If there is no cloud, the record cannot be proxied, but that means it's pointing to another service, so it should not be a concern.
[Screenshot callouts: Edit the 'direct' subdomain to something more secure. If you are not using the wildcard subdomain, you can remove it.]
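The review above (remove unused records, orange-cloud the web records, rename 'direct', drop an unused wildcard) can be turned into a repeatable audit of a zone export. This is an added example, not CloudFlare's code or a CloudFlare export format: the records, hostnames and IPs are constructed, and the `proxied` field models the orange (True) versus gray (False) cloud.

```python
# Added example, not CloudFlare's own code: audit a zone for records that expose the
# origin. The records below are constructed; "proxied" models the orange cloud (True)
# versus the gray cloud (False) in the CloudFlare DNS settings.
from collections import namedtuple

Record = namedtuple("Record", "name type content proxied")

# Constructed zone: 203.0.113.10 is the origin web server behind the orange cloud.
ZONE = [
    Record("example.com",         "A",     "203.0.113.10",          True),
    Record("www.example.com",     "A",     "203.0.113.10",          True),
    Record("direct.example.com",  "A",     "203.0.113.10",          False),  # default 'direct' record
    Record("*.example.com",       "A",     "203.0.113.10",          False),  # wildcard added by a host
    Record("ftp.example.com",     "A",     "203.0.113.10",          False),  # default record, unused
    Record("webmail.example.com", "CNAME", "mail.example-host.net", False),  # default record, unused
    Record("example.com",         "MX",    "mail.example-host.net", False),  # mail on a separate service
]

# Labels that hosting panels add by default whether or not they are used.
DEFAULT_LABELS = {"ftp", "webmail"}

def origin_ips(zone):
    """Addresses behind orange-cloud A/AAAA records: the ones CloudFlare is meant to hide."""
    return {r.content for r in zone if r.proxied and r.type in ("A", "AAAA")}

def audit_zone(zone):
    """Return (record name, reason) pairs for records worth removing, renaming or proxying."""
    hidden = origin_ips(zone)
    findings = []
    for r in zone:
        label = r.name.split(".")[0]
        # A gray-cloud address record that resolves to a proxied origin IP defeats the proxy.
        if r.type in ("A", "AAAA") and not r.proxied and r.content in hidden:
            findings.append((r.name, "gray-cloud record exposes a proxied origin IP: "
                                     "remove it or enable the orange cloud"))
        if label == "direct":
            findings.append((r.name, "default 'direct' subdomain: rename it to something harder to guess"))
        if label == "*":
            findings.append((r.name, "wildcard record: remove it if unused"))
        if label in DEFAULT_LABELS:
            findings.append((r.name, "default record added by the host: remove it if not in use"))
    return findings

def flagged_names(zone):
    """Distinct record names that appeared in the audit, sorted, for a quick summary."""
    return sorted({name for name, _ in audit_zone(zone)})

if __name__ == "__main__":
    for name, reason in audit_zone(ZONE):
        print(f"{name}: {reason}")
```

Records with no cloud at all (the MX and the CNAME to an outside mail host here) are only reported when they match a default label, in line with the note above that such records point elsewhere and are not in themselves a concern.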
Run email on separate server/service
If you are running your mail on the same server as your website, then the attacker can always find your origin server IP. To close this possible security gap, you can use an email service on a separate server from your website, whether through your hosting provider or an outside service (e.g., Google Apps).
For Mac users:
You can run this command in Terminal to see what IP is being reported with your MX records:
dig +short $(dig mx +short WEBSITE)
For example, if I was concerned about example.com, I would enter:
dig +short $(dig mx +short example.com)
The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different from the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.
For PC users:
You can run this command in command prompt to see what IP is being reported with your MX records:
nslookup -q=mx WEBSITE
For example, if I was concerned about example.com, I would enter:
nslookup -q=mx example.com
The output will be an IP address. This is the IP address that an attacker can always find. You want to make sure this IP address is different from the IP address for your web server. Otherwise, no matter how many times you change your web server, if your email is also on the same server, then the attacker can always find the new IP.
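The dig and nslookup commands above check one MX host by hand; a domain with several MX records, or with none (mail then goes to the domain's own A/AAAA record), needs every mail address compared against the web server's. The following added example, not CloudFlare's code, automates that comparison. It assumes a resolver callable `resolve(name, rrtype)` returning record strings, and supplies a stand-in backed by constructed answers so it runs offline; in practice the stand-in would be replaced by a real resolver such as dnspython's `dns.resolver.resolve`.

```python
# Added example, not CloudFlare's own code: automate the MX-versus-web-IP check for
# every mail host. `resolve(name, rrtype)` is an assumed resolver interface; the
# answers in FAKE_DNS are constructed so the example runs offline.

def mail_hosts(domain, resolve):
    """MX targets for a domain, lowest preference first. Answers look like '10 mail.example.com.'."""
    entries = []
    for rr in resolve(domain, "MX"):
        pref, host = rr.split(None, 1)
        entries.append((int(pref), host.strip().rstrip(".").lower()))
    return [host for _, host in sorted(entries)]

def mail_ips(domain, resolve):
    """Every address that receives mail for the domain (IPv4 and IPv6).
    With no MX record, mail is delivered to the domain's own A/AAAA records (RFC 5321 implicit MX)."""
    hosts = mail_hosts(domain, resolve) or [domain]
    ips = set()
    for host in hosts:
        ips.update(resolve(host, "A"))
        ips.update(resolve(host, "AAAA"))
    return ips

def shared_mail_and_web_ips(domain, web_ips, resolve):
    """Addresses that serve both mail and the website: these stay discoverable through MX
    no matter how often the web server's IP is changed. Empty set means mail is separate."""
    return mail_ips(domain, resolve) & set(web_ips)

# Constructed answers: example.com runs mail on its web server, example.org uses a
# separate mail service, example.net has no MX record at all.
FAKE_DNS = {
    ("example.com", "MX"): ["20 backup.example-host.net.", "10 mail.example.com."],
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("backup.example-host.net", "A"): ["198.51.100.25"],
    ("example.org", "MX"): ["10 mx.example-mail.net."],
    ("mx.example-mail.net", "A"): ["198.51.100.30"],
    ("mx.example-mail.net", "AAAA"): ["2001:db8::30"],
    ("example.net", "A"): ["203.0.113.40"],
}

def fake_resolve(name, rrtype):
    """Stand-in resolver returning the constructed answers (empty list when there is none)."""
    return list(FAKE_DNS.get((name, rrtype), []))

if __name__ == "__main__":
    checks = (("example.com", ["203.0.113.10"]),
              ("example.org", ["203.0.113.20"]),
              ("example.net", ["203.0.113.40"]))
    for domain, web in checks:
        shared = shared_mail_and_web_ips(domain, web, fake_resolve)
        status = "mail shares the web server IP" if shared else "mail is on a separate server"
        print(f"{domain}: {status} {sorted(shared)}")
```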
Customize the challenge page
Free customers can modify the language on the challenge page, which is shown to potentially suspicious visitors who meet the CloudFlare Basic Security threshold you set.
All paid customers can fully modify the entire HTML page, using the Custom Errors feature within their CloudFlare Settings.
While the security works whether the page is customized or not, it's useful to make that page reflect your brand and site language.
After moving site to CloudFlare, change server IP address(es)
Once you've enabled CloudFlare for all web records, CloudFlare helps mask the server IP address(es), especially if you've followed the steps above about removing unused records and keeping email on a separate server.
As an extra security measure, you may contact your hosting provider and ask them to change your web server IP address to something new. Note: this task is rarely automatic, and may incur a charge, so discuss it with your hosting provider, based on the risk of attack on your site.
Review Threat Control settings
CloudFlare's Threat Control lets you block IP addresses and set entire countries to be challenged. The beauty of the Internet is that your site is available to all, but you may choose to increase the friction for visitors from certain countries, based on your audience characteristics.
Threat Control is an easy place to act pre-emptively, as well as during an attack, so it's smart to take a look before a crisis.
www.cloudflare.com
info@cloudflare.com