We recently received feedback from a customer: their website had taken care to keep the origin server IP confidential on several fronts, yet after moving behind a high-defense CDN the origin server still suffered repeated DDoS attacks. After investigating from several angles, we determined that the origin IP had most likely been leaked through the site's SSL certificate.

Many scanning tools and crawlers on the market probe IP addresses around the clock. Such services make indiscriminate HTTP/HTTPS requests to every IP, record which website each IP responds with, and publish the mapping, so an attacker can simply look up a site's origin IP there. When setting up a website you must therefore make sure this exposure is blocked.

To check whether you are affected: open https://<your origin IP> in a browser. If the page loads and the lock icon in the address bar shows your domain's SSL certificate, your origin IP is at risk of being leaked. (A browser given a bare IP sends no SNI, so what you see is the certificate the server presents by default, which is exactly what the scanners above see.)

Fixing origin server IP leakage caused by the SSL certificate

Solution

Users of the Baota (BT) panel can add an arbitrary site such as 1.1.1.1 (any domain or IP will do), delete all the default files the panel generates for it, and then configure an invalid certificate for this site (one is provided at the bottom of this article). Once the certificate is in place, go to [Website] - [Default Site] in the panel and select this newly added site as the default site.

Certificate (PEM format)

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Private key (KEY)

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

The certificate above is a randomly generated SSL certificate for a bogus domain; it can be used to guard against the IP-leak risk described here. It can still be used after it expires, since expiry does not affect its purpose (readers who are comfortable doing so can also generate their own certificate).
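As an added example (not part of the original article or of the Baota panel), the following Python script performs the check described above programmatically, and can be rerun after the default site is configured to confirm the fix. It connects to the origin by IP without sending SNI, which is what mass scanners and a browser given a bare IP do, and reports whether the certificate the server presents by default is publicly trusted and names your real domain. The IP 203.0.113.10 and the domains in the usage line are constructed placeholders.

```python
"""Probe an origin server the way an IP scanner would (no SNI) and report
whether its default TLS certificate names a real domain.

Added example for this article; not part of the original post or of the
Baota panel. IPs and hostnames below are constructed placeholders.
"""
import socket
import ssl
import sys
from typing import Dict, List


def names_from_cert(cert: dict) -> List[str]:
    """Collect every DNS name in a certificate dict as returned by
    ssl.SSLSocket.getpeercert(): subjectAltName DNS entries first, then the
    subject commonName. Order is preserved and duplicates are dropped."""
    names: List[str] = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and value not in names:
                names.append(value)
    return names


def matches_any(name: str, real_domains: List[str]) -> bool:
    """True if a certificate name (possibly a wildcard) covers one of our domains."""
    for domain in real_domains:
        if name == domain:
            return True
        # "*.example.com" covers "www.example.com" but not the bare "example.com"
        if name.startswith("*.") and domain.endswith(name[1:]):
            return True
    return False


def classify(trusted: bool, names: List[str], real_domains: List[str]) -> str:
    """Turn a probe result into a verdict for the site owner.

    trusted      -- the default certificate chained to a public CA
    names        -- DNS names found in that certificate
    real_domains -- the domains the origin actually serves
    """
    exposed = [n for n in names if matches_any(n, real_domains)]
    if trusted and exposed:
        return "EXPOSED: default certificate is publicly trusted and names " + ", ".join(exposed)
    if trusted:
        return "trusted certificate for unrelated names " + ", ".join(names)
    return "not exposed: default certificate is not publicly trusted (browsers will warn)"


def probe_origin(ip: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect by IP with no SNI, so the server must present its *default*
    certificate. Verification stays on: when the chain is trusted,
    getpeercert() returns the parsed certificate; a verification failure
    is itself the answer (the default cert is one browsers would reject)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # no hostname to check against; verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=None) as tls:
                return {"reachable": True, "trusted": True, "names": names_from_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError:
        return {"reachable": True, "trusted": False, "names": []}
    except (OSError, ssl.SSLError):  # refused, timed out, or handshake rejected outright
        return {"reachable": False, "trusted": False, "names": []}


if __name__ == "__main__":
    if len(sys.argv) < 3:
        # constructed placeholder values in the usage line
        print("usage: probe_origin.py <origin-ip> <domain> [<domain> ...]  e.g. 203.0.113.10 example.com")
        sys.exit(2)
    result = probe_origin(sys.argv[1])
    if not result["reachable"]:
        print(f"{sys.argv[1]}:443 refused the connection or the TLS handshake; nothing to read")
    else:
        print(classify(bool(result["trusted"]), list(result["names"]), sys.argv[2:]))
```

Run it against your origin IP and your real domain names: an "EXPOSED" verdict means an IP scanner gets the same answer and can tie the IP to your site; after the dummy default site from this article is in place, the probe should report that the default certificate is not publicly trusted.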
