Filter X-Forwarded-For Apache

The X-Forwarded-For (XFF) HTTP header can be used to obtain the remote IP when an HTTP server sits behind a reverse proxy. If the proxy does not sanitize the XFF header, you can't trust it. Worse, this field can be used to inject code into your website.

I've seen such an issue in a security plugin logging and not filtering the remote IP field. As this one came from XFF, it was possible to inject JavaScript into the database remotely and execute that JS when displaying the dashboard of the “security” plugin.

One option to solve this is to clean the XFF field (or reject the request when the XFF is not clean). This can be done with a simple configuration in the HTTP config file (or .htaccess):

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-For} !^$
RewriteCond %{HTTP:X-Forwarded-For} !^[0123456789.\ ,]{7,36}$
RewriteRule ^ - [L,R=404]

Here, the first condition lets requests with no XFF header through untouched; a non-empty XFF that contains anything other than digits, dots, spaces and commas, or that is shorter than 7 or longer than 36 characters, is rejected with a 404 ([L] makes this the last rule evaluated).
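To make the effect of that whitelist concrete, the following Python script is an added example (not part of the original post and not Apache code) that mirrors the RewriteCond logic in a function and puts a stricter parser beside it, one that validates every comma-separated element with the standard library's ipaddress module. The sample header values are constructed for the demonstration. It shows two things the regex alone does not: a character whitelist still accepts strings like "1.1.1.1........" that are not addresses at all, and it rejects any IPv6 client because of the colons and hex digits, so the Apache rule as written is IPv4-only.

```python
import ipaddress
import re

# Same character whitelist and length bounds as the post's mod_rewrite rule:
# digits, dots, spaces and commas, between 7 and 36 characters in total.
APACHE_XFF_RE = re.compile(r"[0-9. ,]{7,36}")


def apache_rule_accepts(xff):
    """Mirror the two RewriteCond lines: a missing or empty header is not
    rewritten (the rule only fires on non-empty values); a non-empty header
    is accepted only when it matches the whitelist in full."""
    if xff is None or xff == "":
        return True
    return APACHE_XFF_RE.fullmatch(xff) is not None


def parse_xff(xff):
    """Stricter check: split on commas and require each element to be a
    syntactically valid IPv4 or IPv6 address. Returns the list of parsed
    addresses, or None if any element is not an address."""
    if xff is None or xff == "":
        return []
    addresses = []
    for element in xff.split(","):
        element = element.strip()
        try:
            addresses.append(ipaddress.ip_address(element))
        except ValueError:
            # Anything that is not an IP literal (script tags, dotted garbage,
            # truncated addresses) fails here even if it passes the whitelist.
            return None
    return addresses


def evaluate(xff):
    """Run both checks on one header value and report the verdicts."""
    parsed = parse_xff(xff)
    return {
        "apache_rule": apache_rule_accepts(xff),
        "strict_parse": parsed is not None,
        "addresses": [str(a) for a in parsed] if parsed is not None else None,
    }


# Constructed sample header values, not captured traffic.
SAMPLES = {
    "clean_ipv4_chain": "203.0.113.7, 10.0.0.1",
    "script_injection": "<script>alert(1)</script>",
    "dotted_garbage": "1.1.1.1........",
    "ipv6_client": "2001:db8::1",
    "too_short": "1.2.3",
    "absent": "",
}


def evaluate_all():
    """Verdicts for every sample, keyed by the sample name."""
    return {name: evaluate(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:18} apache_rule={verdict['apache_rule']!s:5} "
              f"strict_parse={verdict['strict_parse']!s:5} "
              f"addresses={verdict['addresses']}")
```

The point of keeping both functions is to see where they disagree: the "dotted_garbage" sample passes the Apache rule and fails the parser, while the "ipv6_client" sample fails the Apache rule and passes the parser. Neither check replaces output encoding; a value that reaches a dashboard still has to be HTML-escaped when rendered, regardless of how it was filtered on the way in.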

Install GateOne – an HTML5 ssh client

With the growing firewall constraints, accessing a server over SSH is not always a pleasant journey; I've read a Korben post on GateOne, an HTML5 server-side SSH client, and I just got an opportunity to deploy it for a test. This post will detail how to install it and secure it a little bit.
