Hi Stephan,
Thanks. Well, I have moved the WEB-INF folders outside the webroots via the
setting in the Tomcat web.xml like this:
lucee-web-directory: {web-root-directory}/../WEB-INF/lucee/
(Lucee Web Directory, for website-specific configurations, settings, and libraries)
Also, I have disabled access to the Lucee Admin server-wide via the
built-in option in the BonCode connector.
If I understand this properly, this could provide a similar level of
security to the approach you are suggesting?
My main trouble at the moment is that I can see a lot of requests in the
logs banging the server and trying to access various random (mostly
non-existent) files which could possibly be exploited, like those in the
log I am attaching.
Yesterday I installed Dynamic IP Restrictions in IIS, which could help
to block concurrent or highly repetitive requests.
But I am not sure if this is effective, as the troublesome requests are
neither concurrent nor repeated (occurring just every couple of minutes).
Also, I am not sure if these requests are actually harmful, because they
usually end up as 404. It is just funny to see that someone or something is
constantly testing it.
Well, I have checked some IPs and they come from China or other countries
completely unrelated to the content of my server.
I am toying with the idea of blocking IP ranges of certain countries, or
an even more draconian one: allowing only countries which are related to my
sites.
But from what I have seen so far, this might be quite difficult to
implement in practice. It looks like I would have to input dozens of ranges.
Regards
Ivan

On Tuesday, July 28, 2015 at 3:13:35 AM UTC+2, Stephan wrote:
Hi Ivan,
It looks like the Lucee site doesn't have any info on its wiki page
about locking down for IIS, at least not here:
https://bitbucket.org/lucee/lucee/wiki/Securing%20IIS
Basic security would be to restrict public access to the /WEB-INF/ and
/railo-context/ or /lucee/ folders (to protect the admin).
We do this in our main IIS applicationHost.config file so that it applies
to all our sites automatically.
In the file's section add a rewrite map with the IPs you want to
allow, and then add a global rule below like this:
This will block access to WEB-INF entirely, and restrict the railo admin
to only authorized ip addresses.
If your server is patched (OS and any web apps like WordPress) and doesn't
have known security vulnerabilities, then the next thing to check is
user-uploaded content.
Never trust user-uploaded content; make sure it is
not in a folder that has any handler mappings enabled.
Also look into maybe moving your sites behind a WAF, using Cloudflare or
Sucuri for example.
There are a lot of other things to check for, probably, but at least this should cover
the basics for Lucee/Railo on IIS.
Hope that helps…
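The rewrite map and global rule Stephan refers to did not survive extraction (the post reads "like this:" with nothing after it). The fragment below is an added example, not Stephan's configuration: an applicationHost.config excerpt for the IIS URL Rewrite module that blocks /WEB-INF/ outright and limits the admin paths to a list of allowed client IPs. The IP addresses are constructed placeholders; the admin path /lucee/admin/ (and the older /railo-context/admin/) is assumed from Lucee's defaults, and widening the match to the whole /lucee/ folder, as Stephan suggests, is a one-line change to the `match` pattern. Note that once a site sits behind Cloudflare or another WAF, REMOTE_ADDR carries the proxy's address, so an allow list keyed on it would then have to use the forwarded client address instead.

```xml
<!-- Added example, not the original poster's config. Goes inside <system.webServer>
     in applicationHost.config; requires the IIS URL Rewrite module.
     IP addresses below are constructed placeholders. -->
<rewrite>
  <rewriteMaps>
    <!-- Client IPs allowed to reach the Lucee/Railo administrator. Missing keys
         resolve to an empty string, so anything not listed fails the check below. -->
    <rewriteMap name="AdminAllowedIPs">
      <add key="203.0.113.10" value="1" />
      <add key="198.51.100.25" value="1" />
    </rewriteMap>
  </rewriteMaps>
  <globalRules>
    <!-- Rule 1: nothing under /WEB-INF/ is ever served (config, libraries, mappings).
         Answering 404 rather than 403 does not reveal that the path exists. -->
    <rule name="Block WEB-INF" stopProcessing="true">
      <match url="(^|/)WEB-INF(/|$)" ignoreCase="true" />
      <action type="CustomResponse" statusCode="404"
              statusReason="Not Found" statusDescription="Not Found" />
    </rule>
    <!-- Rule 2: admin paths (assumed /lucee/admin/ or /railo-context/admin/) are
         allowed only when the client IP is present in the map; everyone else gets 403.
         Change the pattern to ^(lucee|railo-context)/ to fence off the whole folder. -->
    <rule name="Restrict Lucee admin by client IP" stopProcessing="true">
      <match url="^(lucee|railo-context)/admin/" ignoreCase="true" />
      <conditions>
        <add input="{AdminAllowedIPs:{REMOTE_ADDR}}" pattern="1" negate="true" />
      </conditions>
      <action type="CustomResponse" statusCode="403"
              statusReason="Forbidden" statusDescription="Admin access is restricted by client IP" />
    </rule>
  </globalRules>
</rewrite>
```

Because these are global rules, they are evaluated before any site-level rule and before the request reaches the BonCode handler, so the CFML engine never sees the blocked request. After editing applicationHost.config, confirm the rules with a request to /WEB-INF/web.xml and to the admin URL from an address outside the map.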
On Monday, July 27, 2015 at 4:30:43 PM UTC-4, Ivan Rotrekl wrote:
Thanks. I appreciate the advice and will probably have to follow it.
Currently I am running Lucee on the same machine and IIS install where I
used to run CF8 for several years and then Railo, so it might be a really
good time to start fresh from scratch.
But I suspect that truly locking down the new server would involve a bit
more than removing the handlers. Is there some sort of "lock down guide"
for a Lucee server available which I could follow step by step to do it
properly?
Regards
Ivan
u_ex150728.log (35.5 KB)
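The attached u_ex150728.log is not reproduced on this page. As an added example (not code from the thread), the script below parses IIS W3C extended log lines in that format, counts 404/403 responses per client IP together with the number of distinct paths each IP probed, and flags addresses whose probes arrive minutes apart, the pattern Ivan describes and one that a concurrency or rate throttle such as Dynamic IP Restrictions will not catch. The log lines, hostnames and addresses are constructed.

```python
"""Added example, not from the thread: summarise 404/403 probing per client IP in an
IIS W3C extended log (the u_ex*.log format). Sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, FrozenSet, List

# Constructed sample. The #Fields directive is used to name the columns, exactly as
# IIS emits it, so the parser does not depend on one fixed field order.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2015-07-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2015-07-28 00:01:10 10.0.0.5 GET /index.cfm - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2015-07-28 00:03:41 10.0.0.5 GET /phpmyadmin/index.php - 80 - 203.0.113.9 Mozilla/4.0 - 404 0 2 0
2015-07-28 00:09:02 10.0.0.5 GET /wp-login.php - 80 - 203.0.113.9 Mozilla/4.0 - 404 0 2 0
2015-07-28 00:14:55 10.0.0.5 GET /admin/config.php - 80 - 203.0.113.9 Mozilla/4.0 - 404 0 2 0
2015-07-28 00:20:17 10.0.0.5 GET /lucee/admin/server.cfm - 80 - 203.0.113.9 Mozilla/4.0 - 403 0 0 0
2015-07-28 00:22:30 10.0.0.5 GET /images/logo.png - 80 - 198.51.100.7 Mozilla/5.0 http://example.test/ 404 0 2 0
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into one dict per request, keyed by the #Fields names.
    IIS may re-emit #Fields mid-file (e.g. after a settings change), so the most
    recent header always wins."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        values = line.split(" ")  # W3C format is space-delimited; spaces in values are '+'
        if not fields or len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def probe_summary(records: List[Dict[str, str]],
                  error_codes: FrozenSet[str] = frozenset({"403", "404"})) -> Dict[str, dict]:
    """Per client IP: number of error responses, distinct URL stems probed, first/last
    timestamp, and the average gap between those requests in seconds (IIS logs in UTC)."""
    per_ip = defaultdict(lambda: {"hits": 0, "paths": set(), "times": []})
    for r in records:
        if r.get("sc-status") not in error_codes:
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        entry = per_ip[r["c-ip"]]
        entry["hits"] += 1
        entry["paths"].add(r["cs-uri-stem"].lower())
        entry["times"].append(ts)
    summary: Dict[str, dict] = {}
    for ip, e in per_ip.items():
        times = sorted(e["times"])
        span = (times[-1] - times[0]).total_seconds()
        avg = span / (len(times) - 1) if len(times) > 1 else 0.0
        summary[ip] = {"hits": e["hits"], "distinct_paths": len(e["paths"]),
                       "first": times[0], "last": times[-1], "avg_interval_s": avg}
    return summary


def flag_low_rate_scanners(summary: Dict[str, dict], min_distinct_paths: int = 3,
                           min_interval_s: float = 60.0) -> List[str]:
    """IPs that touch several different missing/forbidden paths but slowly enough that a
    burst-based throttle never fires. A single 404 (a broken image link) is not flagged."""
    return sorted(ip for ip, s in summary.items()
                  if s["distinct_paths"] >= min_distinct_paths
                  and s["avg_interval_s"] >= min_interval_s)


if __name__ == "__main__":
    summary = probe_summary(parse_iis_log(SAMPLE_LOG))
    for ip, s in summary.items():
        print(f"{ip}: {s['hits']} error hits, {s['distinct_paths']} distinct paths, "
              f"avg {s['avg_interval_s']:.0f}s apart ({s['first']} .. {s['last']})")
    print("low-rate scanners:", flag_low_rate_scanners(summary))
```

Run it against a real u_ex*.log by replacing SAMPLE_LOG with the file contents; the thresholds are deliberately conservative so that ordinary visitors hitting one missing asset are not listed. The flagged addresses are candidates for a static IP or range block rather than for the rate-based Dynamic IP Restrictions feature.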