Vesta Control Panel - Forum

Critical. Vesta serves first uploaded domain to all unauthorized domains

Questions regarding the DNS Server
BIND
krzysztofek
Posts: 19
Joined: Fri Jan 09, 2015 2:29 pm

Critical. Vesta serves first uploaded domain to all unauthorized domains

Post by krzysztofek » Thu Nov 30, 2017 8:17 am

Hello,

I have a problem with DNS and am looking for a solution. I found this topic, which shows the problem but does not solve it: viewtopic.php?t=7011

This has been an issue in all versions from the last 3 years. Tested on 5 servers with VestaCP on Debian 7 and 8, the same issue.

Using the zones created by default by VestaCP, default configuration.

For example: for mail.mydomain.com it shows my first uploaded domain, and the same for other non-www subdomains. Also the default page is shown for my bare IP address. That is not as big a problem as this: my "default" website was found on unauthorized, unconfigured domains... The server gives the default (first uploaded) domain for all domains which point to my DNS... They are not added in the DNS configuration, but someone can use their own domains to point to my server... How to solve this?

Thank you, Christopher.

UPDATE:
VestaCP serves, for all non-www and not configured websites, the website from the top virtual host record in /home/admin/conf/web/apache2.conf
What to do with this?

UPDATE2:
I added a "404" entry to the top of the virtual hosts and now it serves a Not Found page. Also in sapache2 for https. Is this a correct solution? VestaCP should automatically add a default to the top of the virtual hosts... It's not safe, and Google can find your website on hackers' bad-reputation addresses...

Code:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        //listen-v6 { ::1; };
        //listen { 127.0.0.1; };
        allow-recursion { 127.0.0.1; ::1; };
        version "Microsoft DNS 6.0.6100";
        allow-transfer {my-second-dns;};

}

krzysztofek
Posts: 19
Joined: Fri Jan 09, 2015 2:29 pm

Re: Critical. Vesta serves first uploaded domain to all unauthorized domains

Post by krzysztofek » Thu Nov 30, 2017 9:36 am

Is it an nginx configuration failure? I have Debian + default Apache2 + nginx, so everything starts from nginx. There is a default nginx record which points to the IP address, which serves the default apache2 page... I found this in /etc/nginx/conf.d/111.111.111.111.conf:

Code:

server {
    listen       111.111.111.111:80 default;
    server_name  _;
    #access_log  /var/log/nginx/111.111.111.111.log main;
    location / {
        # catch-all: any Host header nginx does not know is handed to Apache on :8080
        proxy_pass  http://111.111.111.111:8080;
    }
}
The code above passes everything not configured for my IP to my IP address, so I removed the "location" section and added "return 444;". Everything seems to work ok. For HTTPS I needed to create a new file in /etc/nginx/conf.d/: https-default.conf (it is included automatically in the nginx config).

Code:

server {
    # default_server for :443; "ssl" on the listen line replaces the deprecated "ssl on;"
    listen       111.111.111.111:443 ssl default_server;
    server_name  _;
    #access_log  /var/log/nginx/111.111.111.111.log main;

    # any valid certificate: the TLS handshake must complete before the request can be refused
    ssl_certificate      /path/to/any/cert;
    ssl_certificate_key  /path/to/any/cert;

    # same refusal as the HTTP catch-all: close the connection without sending a response
    return 444;
}
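The behaviour described in the two posts above (nginx, and Apache behind it, handing every unknown Host header to whichever virtual host comes first unless a default server is declared) as an added example that is not part of this thread and not VestaCP's or nginx's own code. It models nginx's server selection, including the wildcard server_name forms the thread does not discuss, and audits a configuration for listen sockets whose catch-all still serves content instead of returning 444. The IP address, domain names and certificate paths in the embedded configurations are constructed placeholders mirroring the thread.

```python
# Added example (not VestaCP's or nginx's code): how nginx picks a server block for
# a Host header it does not know, plus an audit reporting, per listen socket, which
# server catches unknown hosts and whether it refuses them. Configs are constructed.
import re

def server_blocks(conf):
    """Body of each `server { ... }`, brace-matched so a nested location {} block
    does not end the server early."""
    i = 0
    while (m := re.search(r'\bserver\s*\{', conf[i:])):
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[j], 0)
            j += 1
        yield conf[start:j - 1]
        i = j

def top_level_statements(body):
    """Directives at brace depth 0 only: a `return 444` inside `location /`
    is deliberately not counted as a server-level refusal."""
    out, depth, cur = [], 0, ''
    for ch in body:
        if ch == '{':
            if depth == 0:
                cur = ''          # drop the `location /` prefix of the nested block
            depth += 1
        elif ch == '}':
            depth -= 1
        elif ch == ';' and depth == 0:
            out.append(cur.strip())
            cur = ''
        elif depth == 0:
            cur += ch
    return [s for s in out if s]

def parse_servers(conf):
    """Each server as {'listens': [(addr:port, is_default)], 'names': [...], 'refuses': bool}."""
    servers = []
    for body in server_blocks(re.sub(r'#[^\n]*', '', conf)):      # comments stripped
        srv = {'listens': [], 'names': [], 'refuses': False}
        for stmt in top_level_statements(body):
            tok = stmt.split()
            if tok[0] == 'listen':     # `default` is the old spelling of `default_server`
                srv['listens'].append((tok[1], any(t in ('default', 'default_server') for t in tok[2:])))
            elif tok[0] == 'server_name':
                srv['names'] += [n.lower() for n in tok[1:]]
            elif tok[:2] == ['return', '444']:
                srv['refuses'] = True
        servers.append(srv)
    return servers

def select_server(servers, sock, host):
    """nginx's choice for a request on `sock` with this Host: exact name, longest
    `*.suffix`, longest `prefix.*` (regex names omitted), else the socket's default
    server: the one marked default_server or, failing that, the FIRST server
    defined for that socket. That last fallback is what leaked the first domain."""
    cands = [s for s in servers if any(l == sock for l, _ in s['listens'])]
    if not cands:
        return None
    host = host.lower().rstrip('.')

    def rank(name):                                  # higher tuple wins, as in nginx
        if name == host:
            return (3, 0)
        if name.startswith('*.') and host.endswith(name[1:]):
            return (2, len(name))
        if name.endswith('.*') and host.startswith(name[:-1]):
            return (1, len(name))
        return (0, 0)

    scored = max(((rank(n), s) for s in cands for n in s['names']),
                 key=lambda t: t[0], default=((0, 0), None))
    if scored[0][0]:
        return scored[1]
    return next((s for s in cands if any(l == sock and d for l, d in s['listens'])), cands[0])

def audit_catch_all(conf):
    """Per listen socket -> (first server_name of the server answering an unknown
    Host, whether it refuses). Any entry ending in False is the thread's exposure."""
    servers = parse_servers(conf)
    report = {}
    for sock in sorted({l for s in servers for l, _ in s['listens']}):
        catcher = select_server(servers, sock, 'not-configured.invalid')
        report[sock] = (catcher['names'][0], catcher['refuses'])
    return report

# Constructed "first uploaded domain" vhosts on :80 and :443 (one server per line).
SITES = """
server { listen 111.111.111.111:80;      server_name first-uploaded.example www.first-uploaded.example; location / { proxy_pass http://111.111.111.111:8080; } }
server { listen 111.111.111.111:443 ssl; server_name first-uploaded.example www.first-uploaded.example; location / { proxy_pass https://111.111.111.111:8443; } }
"""
# Vesta's generated catch-all on :80 hands every unknown Host to Apache (which then
# serves ITS first vhost); :443 has no default server, so its first vhost answers.
VESTA_BEFORE = 'server { listen 111.111.111.111:80 default; server_name _; location / { proxy_pass http://111.111.111.111:8080; } }' + SITES
# The fix from the thread: a refusing default_server on each socket (any valid
# certificate on :443, because TLS must complete before the request can be dropped).
VESTA_FIXED = ('server { listen 111.111.111.111:80 default_server; server_name _; return 444; }\n'
               'server { listen 111.111.111.111:443 ssl default_server; server_name _; '
               'ssl_certificate /etc/ssl/certs/any.pem; ssl_certificate_key /etc/ssl/private/any.key; return 444; }') + SITES
```

`audit_catch_all(VESTA_BEFORE)` reports the :80 catch-all proxying (not refusing) and the first-uploaded site answering for :443, while `audit_catch_all(VESTA_FIXED)` reports the `_` server refusing on both. The audit is a static approximation: it ignores regex server_names and treats `listen 80` and `listen 111.111.111.111:80` as different sockets, so confirm on the live server with curl using a Host header for a name you never configured, against both port 80 and port 443 (with `-k`, since the catch-all's certificate will not match); with the fix in place nginx closes the connection without a response, which curl reports as an empty reply. `return 444` is nginx-specific and is the reason the catch-all produces no page that a crawler or a scam domain could index.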

skurudo
VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm

Re: Critical. Vesta serves first uploaded domain to all unauthorized domains

Post by skurudo » Thu Nov 30, 2017 11:26 am

You can use something like this for unauthorized domains:
viewtopic.php?t=10188#p44251

krzysztofek
Posts: 19
Joined: Fri Jan 09, 2015 2:29 pm

Re: Critical. Vesta serves first uploaded domain to all unauthorized domains

Post by krzysztofek » Mon Dec 04, 2017 7:32 am

Thank you for your reply. My solution worked perfectly also for SSL. I read a lot of documentation and forums, and found that the above solution is one of the best solutions.
It's good to think about changing the default nginx configuration in future releases, because some Russian (bot?) used my top nginx file website to show it on past download-scam RU websites... It was indexed in Google also... So it's very bad for the reputation of the websites.
After returning 444, his websites changed DNS configuration after a few minutes, so it may be a bot. It's bad for Vesta, I think.
All times are UTC
Powered by phpBB® Forum Software © phpBB Limited