Page 1 of 1

[TUTORIAL] Disable Direct IP Access.

Posted: Mon Jan 29, 2018 8:44 pm
by ChrisKnez
If you have ever used VestaCP on your server you may have noticed once you set-up a website on it, accessing your server on it's IP at port 80 will show the latest website you have added to it.

This can be very bad for a lot of reasons and here are some.

1. If you are using Cloudflare hackers may find your server's IP using Shodan.io and DDoS it.
2. If you are hosting a TOR website people may find your server's IP and report it to the police. (In case you are hosting something forbidden)

Fortunately, this can be fixed quite easily, just follow these steps.

1. Download this zip and upload the contents to "/etc/nginx/conf.d"
2. cd "/etc/nginx/conf.d"

Now you will see that there some files in the directory but the file we are looking is [YOUR SERVER IP].conf
In my case it is 92.222.36.xxx.conf
We will need to rename it because we will be replacing it,
we will rename it to 92.222.36.xxx.conf.old in case we ever want to undo this process.

3. mv 92.222.36.xxx.conf 92.222.36.xxx.conf.old

4. Now we will edit DirectAccessConfig.conf.

This is how it looks currently
server {
listen [SERVER IP GOES HERE]:80 default;
server_name _;
return 444;
}

server {
listen [SERVER IP GOES HERE]:443 ssl default;
server_name _;
ssl on;
ssl_certificate /etc/nginx/conf.d/dummy.pem;
ssl_certificate_key /etc/nginx/conf.d/dummy.key;
return 444;
}
Just replace [SERVER IP GOES HERE] with your IP, in my case it looks like this
server {
listen 92.222.36.xxx:80 default;
server_name _;
return 444;
}

server {
listen 92.222.36.xxx:443 ssl default;
server_name _;
ssl on;
ssl_certificate /etc/nginx/conf.d/dummy.pem;
ssl_certificate_key /etc/nginx/conf.d/dummy.key;
return 444;
}
DirectAccessConfig.conf is the replacement for 92.222.36.xxx.conf so we will rename it

5. mv DirectAccessConfig.conf 92.222.36.xxx.conf

Now we need to restart NGINX
6. service nginx restart.

And it's done.

If you have any questions please ask!

Re: [TUTORIAL] Disable Direct IP Access.

Posted: Mon Mar 18, 2019 2:14 pm
by lalamax3d
1- thanks for sharing
2- i am going to test this. one question just pops up in mind.
Q- how to access server then? , my assumption is, http:serverip:8083 will remain working.? right

EDIT > (after 10 minutes)

i tried and wasn't able to restart nginx successfully. plus as a result , all websites on server stopped working. any ideas? hope to hear soon, thanks

Re: [TUTORIAL] Disable Direct IP Access.

Posted: Mon Jun 10, 2019 9:36 pm
by adamjedgar
what is the point of this if one is still hosting mail on the same webserver?

wouldnt the following reveal public ip address?

1. mx records (which are publicly viewable unless you also use an external mail provider such as Zoho or gmail etc)
2. SSL certificate,
3. text in html and headers
4. DNS historical search (chances are you didn't change ip at the time of transferring to say Cloudflare)

Not to say this isnt a nobel idea...just that its a bit more involved than "i can just hide my ipaddress"