Protecting my domain from scanners


#1

Hello everyone,
I just noticed that anyone can see my origin server IP by using a tool like censys.

How can I fix this? Because now cloudflare is just useless :frowning:

(i’m french, sorry if my english isn’t perfect)


#2

Is it showing current or historical information? Without seeing the report we are really just guessing, as the situation will vary from one environment to the next.


#3

Current information. I paid attention to directly use Cloudflare when I registered my domain.


#4

You can only contact that service and ask for your information to be removed. The best approach would be however to change IP address.


#5

They will scan my domain again, or another similar website will do so. :confused:


#6

Assuming your configuration does not leak the data any longer they will only find Cloudflare.


#7

My configuration isn’t leaking any data, all the subdomains are under cloudflare, everything is secured. The censys tool is just bypassing the cloudflare security to reveal the origin server. Just take a look here https://censys.io/ with any cloudflare domain.

Also some Cloudflare domains seem protected from this, but IDK how they did it.


#8

Well, I am not quite sure what I should respond. You are suggesting Cloudflare leaked your address and - while not impossible - that is quite improbable. The more realistic explanation is you had at some point some misconfiguration and leaked your address yourself (maybe via MX).


#9

Seeing the actual report would be useful as it could easily provide some clues as to where/how they’re finding the data displayed.

It could be an error message that causes the server to disclose an IP, an MX or other unrelated-to-Cloudflare record, or it could be memory of a historical configuration mistake.

I’m not familiar with this particular tool, but it could be that it tries to get your server to make outbound connections. E.g. an attempt to post a blog comment could trigger a callback, a post to a discussion group might check if URLs are valid and/or try to retrieve a Content-Type.


#10

I double checked historical data and there’s no misconfiguration :confused:
Here’s what censys is saying about Cloudflare:
"If you are a Cloudflare user and do not want your origin web server to be accessible to the public, there is information available here on how to set up your firewall."

I know how to set it up, but I’m pretty sure I’m missing a step in protecting my website from this tool.


#11

No offence, but we can believe this now or not and there have been way too many people already who were absolutely convinced about their setup.

What’s your domain to begin with?


#12

sparksmc.fr


#13

If there is no misconfiguration then they would not be able to detect your IP. Since it is far more likely that you have made a mistake than Cloudflare, the only remaining step is to see what you are seeing.

Let me comment that I don’t think Cloudflare is perfect, but the reality is that they have teams of expert developers, but also hundreds of thousands of customers and an internet full of people who would love to find a generalized way to bypass Cloudflare and get to customers’ servers directly. The likelihood of Cloudflare, every single Cloudflare customer and every single malicious actor going after a Cloudflare customer all having missed something (but some random scanner site knows about it and you stumbled across it?) just isn’t likely.

The information is posted publicly now, post the details and a curious individual here will give a stab at figuring it out or don’t, but without more information we’re left to guess and based on my previous paragraph, my guess is that it isn’t Cloudflare.


#14

Thanks. I’m not familiar with Censys, are you scanning your IP? Or do they scan domain names in some fashion that isn’t obvious from their front page?

EDIT: Disregard, my web browser was filtering the drop down.


#15

I guess that OVH IP is yours, right?

Your server is publicly accessible and my assumption would be they simply crawled your IP address, found your site, and hence the association with your site. Cloudflare didn’t need to leak anything for that. It was not even involved. You needed to lock down your server.

I am afraid I have to quote myself

At this point, lock down your server so that it responds only to Cloudflare and have your IP changed as I suggested earlier.


#16

Do you have any guides / tutorial about doing this?


#17

Any search engine will be your friend in this regard. I would even recommend to get a book about system administration from your favourite book shop. System administration is not a five minute thing.

Though locking it down itself would involve closing the web server on a network level to all IPs except Cloudflare’s -> https://www.cloudflare.com/ips/
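As an added example of the lock-down described above (this is not a script from the thread or from Cloudflare), the shell below turns the published edge ranges into an nftables ruleset that lets only those prefixes reach ports 80 and 443 on the origin. It assumes nftables and curl on the origin server and the list URLs https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; ruleset generation is kept separate from loading so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): restrict the origin's HTTP/HTTPS ports to
# Cloudflare's published edge ranges with nftables. Assumes nftables and curl.
set -eu

# cf_ruleset <v4-list-file> <v6-list-file>
# Prints an nft ruleset (pure text, no network access): 80/443 are accepted
# only from the listed prefixes and dropped from everywhere else; all other
# ports keep whatever policy the host already has. Refuses to emit a ruleset
# from an empty list so a failed download can never produce an open or
# unreachable server.
cf_ruleset() {
  v4=$(grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$' "$1" | paste -s -d ',' -)
  v6=$(grep -E '^[0-9a-fA-F:]+/[0-9]+$' "$2" | paste -s -d ',' -)
  if [ -z "$v4" ] || [ -z "$v6" ]; then
    echo "empty Cloudflare list, refusing to generate a ruleset" >&2
    return 1
  fi
  cat <<EOF
table inet cf_only {
  set cf_v4 { type ipv4_addr; flags interval; elements = { $v4 } }
  set cf_v6 { type ipv6_addr; flags interval; elements = { $v6 } }
  chain input {
    type filter hook input priority 0; policy accept;
    ct state established,related accept
    iif lo accept
    ip  saddr @cf_v4 tcp dport { 80, 443 } accept
    ip6 saddr @cf_v6 tcp dport { 80, 443 } accept
    tcp dport { 80, 443 } drop
  }
}
EOF
}

# cf_apply: fetch the current lists, generate, syntax-check (nft -c), then load.
# Re-run it periodically (e.g. from cron) because the published ranges change.
cf_apply() {
  tmp=$(mktemp -d)
  curl -fsS https://www.cloudflare.com/ips-v4 -o "$tmp/v4"
  curl -fsS https://www.cloudflare.com/ips-v6 -o "$tmp/v6"
  cf_ruleset "$tmp/v4" "$tmp/v6" > "$tmp/cf.nft"
  nft -c -f "$tmp/cf.nft"   # dry run: a malformed ruleset is rejected here
  nft -f "$tmp/cf.nft"
  rm -rf "$tmp"
}

# Only load rules when explicitly asked: CF_APPLY=1 sh cf_only.sh (as root).
if [ "${CF_APPLY:-0}" = "1" ]; then
  cf_apply
fi
```

Test the generated text with `cf_ruleset v4.txt v6.txt | nft -c -f -` before trusting it, and make sure management access (SSH) is reachable some other way, since the ruleset above deliberately touches only ports 80 and 443.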

