Vesta Control Panel - Forum


Open proxy warning from DigitalOcean (Topic is solved)


Post by SCelik » Wed Apr 23, 2014 10:33 pm

Hi,

I've recently had a warning from DigitalOcean about my Vesta server.

> Hi there,
>
> During a recent review of our IP Space, we detected what appears to be a potentially open proxy on one or more IPs in use by your account. Open proxies are often used by malicious entities to SPAM, commit fraud, and engage in other illegal activities while attempting to mask their original location.
>
> Here's the IP address in question:
>
> x.x.x.x
>
> To replicate our tests and check to see if your server is currently a potentially open proxy, see:
> https://www.digitalocean.com/community/ ... open-proxy

Do I have to block port 8080?

While waiting for the firewall module, do you suggest iptables rules as a quick fix for this issue?

Thanks...

Post by SCelik » Wed Apr 23, 2014 11:05 pm

Is it ok with this rule?
iptables -A INPUT -p tcp --dport 8080 -j DROP
Does this rule break anything?

Edit: It breaks everything. :(

Post by demlasjr » Thu Apr 24, 2014 5:44 pm

SCelik wrote:
> Is it ok with this rule?
> iptables -A INPUT -p tcp --dport 8080 -j DROP
> Does this rule break anything?
>
> Edit: It breaks everything. :(

You can try something like:

iptables -A INPUT ! -s 127.0.0.1 -p tcp -m tcp --dport 8080 -j DROP

This will block 8080 from external access, but will leave it open for localhost (nginx needs to read from that port; if you close it, nginx will have no access).

Post by imperio » Thu Apr 24, 2014 5:59 pm

8080: this port is for Apache (backend).

Post by SCelik » Thu Apr 24, 2014 10:15 pm

Thank you demlasjr,

But it didn't work because of Vesta's Apache config.

Vesta configures Apache with the external IP. So I changed 127.0.0.1 to the server's IP and I think it's OK now.

Is it a good idea for Vesta to listen on 127.0.0.1 on Apache?

Post by demlasjr » Fri Apr 25, 2014 7:47 am

SCelik wrote:
> Thank you demlasjr,
>
> But it didn't work because of Vesta's Apache config.
>
> Vesta configures Apache with the external IP. So I changed 127.0.0.1 to the server's IP and I think it's OK now.
>
> Is it a good idea for Vesta to listen on 127.0.0.1 on Apache?

I forgot that Apache is configured with the external IP. I'm using CSF as a firewall and it blocked that port automatically.

What do you mean by "vesta listening 127.0.0.1 on apache"? If you are referring to listening on the external IP or directly on localhost, there is no difference. Of course... normally the firewall doesn't affect localhost (you can't block a localhost port from localhost). Otherwise you need to always use the firewall and take care not to block the ports you need.

Post by SCelik » Fri Apr 25, 2014 9:54 am

Normally in Nginx + Apache configurations, nginx listens on port 80 on the external IP and Apache listens on port 8080 on localhost.

So you don't need to block any connection on port 8080 because it listens only on 127.0.0.1.

For example: https://www.digitalocean.com/community/ ... for-apache

On Vesta, Apache and nginx are both configured to listen on the external IP. So the connection from nginx to Apache does not go over the loopback interface, as you can see from the logs.

I changed your rule from 127.0.0.1 to my server's external IP and it worked (because the source IP for the nginx -> Apache connection is not on the loopback interface).

And as a feature request, I suggest that in the next releases the Apache configs be set to listen on 127.0.0.1.

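A check for the situation described in this thread, as an added example that is not part of any post: it reads `ss -ltnH` output, lists listeners on the backend port that are bound to a non-loopback address, and prints (without applying) the DROP rule in the form the thread arrived at. The function names and the sample listener lines (with the documentation address 203.0.113.10) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Live use:  ss -ltnH | audit_backend 8080

# exposed_listeners PORT: read `ss -ltnH` lines on stdin and print the
# local address of each listener on PORT that is not bound to loopback.
# Wildcard binds (0.0.0.0, *, ::) are reported as exposed.
exposed_listeners() {
    awk -v port="$1" '
    {
        la = $4                            # column 4: Local Address:Port
        n = match(la, /:[0-9]+$/)          # last colon, so IPv6 is safe
        if (n == 0) next
        addr = substr(la, 1, n - 1)
        if (substr(la, n + 1) != port) next
        gsub(/^\[|\]$/, "", addr)          # strip IPv6 brackets
        if (addr ~ /^(::ffff:)?127\./ || addr == "::1") next
        print addr
    }'
}

# drop_rule PORT SERVER_IP: print the rule from the thread with the
# server's own address as the only permitted source (nginx -> Apache).
drop_rule() {
    printf 'iptables -A INPUT ! -s %s -p tcp -m tcp --dport %s -j DROP\n' "$2" "$1"
}

# audit_backend PORT: report each exposed listener; for a concrete IPv4
# bind address also print the matching rule. Nothing is applied.
audit_backend() {
    exposed_listeners "$1" | while read -r addr; do
        echo "exposed: $addr port $1"
        case "$addr" in
            *:*|'*'|0.0.0.0) ;;            # IPv6 or wildcard: no single source to exempt
            *) drop_rule "$1" "$addr" ;;
        esac
    done
}

# Constructed sample of `ss -ltnH` output: Apache on the external IP.
SAMPLE='LISTEN 0 128 203.0.113.10:80 0.0.0.0:*
LISTEN 0 128 203.0.113.10:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | audit_backend 8080
```

If Apache were bound only to 127.0.0.1:8080, as in the conventional setup described above, the audit would print nothing for that port.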

Post by demlasjr » Fri Apr 25, 2014 4:12 pm

I don't know if you can't access domain.com:8080. There are servers which let you access the website bypassing nginx by adding 8080 to the link. I haven't tried with VestaCP, because I had already set up the firewall before.