Alison V wrote: ↑Tue Jun 22, 2021 12:12 pm
I just noticed in sent emails from the board that the email headers contain the origin server IP and sender's IP. This is not something you want to have when you sit behind something like CloudFlare or have your user's IP exposed. So I'm asking, what code do I need to strip out to prevent this?
Thanks.

For the user IP see functions messenger (there may be other files also):
Code:
$this->headers('X-AntiAbuse: User IP - ' . $user->ip);
My mistake, I'll move this to custom coding.
As to the server's IP, surely that shouldn't worry you.

If you are trying to protect your site from a DDoS attack it's a very big deal. Cloudflare only protects the domain; it cannot protect the origin IP. Anything that will expose that needs to be eliminated. There are a lot of sources to identify it, including outgoing email. Specifically in phpBB, the upload avatar from URL and the image dimension check for offsite images can expose it.
Code:
/**
 * Adds X-AntiAbuse headers
 *
 * @param \phpbb\config\config $config Config object
 * @param \phpbb\user $user User object
 * @return void
 */
function anti_abuse_headers($config, $user)
{
    $this->headers('X-AntiAbuse: Board servername - ' . mail_encode($config['server_name']));
    $this->headers('X-AntiAbuse: User_id - ' . $user->data['user_id']);
    $this->headers('X-AntiAbuse: Username - ' . mail_encode($user->data['username']));
    $this->headers('X-AntiAbuse: User IP - ' . $user->ip);
}
Code:
/**
 * Send the email
 *
 * @param \messenger $messenger
 * @param string $contact
 * @return null
 */
public function send(\messenger $messenger, $contact)
{
    if (!count($this->recipients))
    {
        return;
    }
    foreach ($this->recipients as $recipient)
    {
        $messenger->template($this->template, $recipient['lang']);
        $messenger->replyto($this->sender_address);
        $messenger->to($recipient['address'], $recipient['name']);
        $messenger->im($recipient['jabber'], $recipient['username']);
        $messenger->headers('X-AntiAbuse: Board servername - ' . $this->server_name);
        $messenger->headers('X-AntiAbuse: User IP - ' . $this->sender_ip);
        if ($this->sender_id)
        {
            $messenger->headers('X-AntiAbuse: User_id - ' . $this->sender_id);
        }
        if ($this->sender_username)
        {
            $messenger->headers('X-AntiAbuse: Username - ' . $this->sender_username);
        }
        // ... remainder of the loop and of the method not included in the post
    }
}
$this->headers('X-AntiAbuse: Board servername - ' . mail_encode($config['server_name']));
$this->headers('X-AntiAbuse: User IP - ' . $user->ip);
$messenger->headers('X-AntiAbuse: User IP - ' . $this->sender_ip);
thecoalman wrote:
Specifically in phpBB the upload avatar from URL and image dimension check for offsite images can expose it.

Remote avatars and Gravatars have been disabled since I knew that would be a cause for concern. Remote images are something I have been wondering about. I think the server that hosts them will just show the CloudFlare IP address from my website. Can you explain the image dimension check functionality? I'm not sure what this entangles in an effort to keep an origin IP address hidden.
$config['some_thing'] can be looked up in the config table in the database. To reiterate, you will not be able to hide the IP other than by using a different IP to send/receive email. Even if that were the IP, it would only be a concern if you had taken steps to send/receive email on a different IP.

Don't delete, comment it out.
Code:
//My Mod - Removed for privacy
//$this->headers('X-AntiAbuse: User IP - ' . $user->ip);
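One way to verify the edit did what you wanted, as an added example that is not from this thread or from phpBB: save a raw copy of a message the board sends (for instance from the receiving mailbox's "view source") and list every header that carries an IPv4 address, before and after the line is commented out. The sample message below is constructed, the addresses are documentation ranges standing in for the origin and user IPs, and the Received: line is the kind a receiving MTA adds on its own; it is there to show thecoalman's point that the sending server's IP is still visible after the X-AntiAbuse line is gone.

```shell
#!/bin/sh
# Added example for this thread, not phpBB code: audit a saved copy of a
# message the board sent and print every header line that carries an IPv4
# address. Run it before and after commenting out the X-AntiAbuse User IP
# line to confirm the user's IP is gone, and to see what still remains.

# Constructed sample (not a real message): headers of the kind phpBB's
# messenger adds, plus a Received: line of the kind the receiving MTA adds.
# 198.51.100.10 stands in for the board's origin IP, 203.0.113.7 for the
# posting user's IP; both are documentation ranges, not real hosts.
SAMPLE_MSG='Received: from forum.example.org (forum.example.org [198.51.100.10])
    by mx.example.net with ESMTP id constructed123
From: board@forum.example.org
To: member@example.net
Subject: New private message
X-AntiAbuse: Board servername - forum.example.org
X-AntiAbuse: User_id - 42
X-AntiAbuse: Username - alison
X-AntiAbuse: User IP - 203.0.113.7
Message-ID: <constructed@forum.example.org>

Hello member, the body is ignored even when it mentions 203.0.113.99.'

# ip_headers MESSAGE
# Prints each header (folded continuation lines joined) that contains a
# dotted-quad IPv4 address. Only the header block is examined; the first
# empty line ends it.
ip_headers() {
    printf '%s\n' "$1" | awk '
        function check(h) {
            if (h ~ /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) print h
        }
        /^$/     { exit }                        # end of header block
        /^[ \t]/ { cur = cur " " $0; next }      # folded line: append to current header
                 { if (cur != "") check(cur); cur = $0 }
        END      { if (cur != "") check(cur) }
    '
}

# ip_header_count MESSAGE -> number of header lines that carry an IPv4 address
ip_header_count() {
    ip_headers "$1" | awk 'END { print NR }'
}

# without_user_ip MESSAGE -> the same message minus the X-AntiAbuse User IP
# header, i.e. what the board sends once that line is commented out.
without_user_ip() {
    printf '%s\n' "$1" | grep -v '^X-AntiAbuse: User IP'
}

# Demonstration when run directly:
echo "Before the edit:"; ip_headers "$SAMPLE_MSG"
echo "After the edit:";  ip_headers "$(without_user_ip "$SAMPLE_MSG")"
```

On the sample, the first run lists two headers (the Received: line and the X-AntiAbuse User IP line) and the second lists only the Received: line. That remaining line is the MTA's, not phpBB's, so commenting out the header removes the user's IP from notifications but does not hide the server the mail was sent from.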
Can you explain the image dimension check functionality?

Under post settings there is an option to limit the size of images in posts; phpBB checks the size of the image by making a request for it. As long as you have it set to 0, it's not a problem.
If you have access to the firewall, close all unnecessary ports for the origin IP and whitelist Cloudflare IPs for ports 80 and 443; drop all other traffic to them. That assumes every domain on that IP is proxied through CF. Presumably you are alluding to someone using custom DNS and running a bot across the host's range. If they run a bot across the range they get "server not found" for all blocked ports.
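A way to put that firewall advice into a reviewable ruleset, as an added example that is not from this thread or from thecoalman: the script takes a list of Cloudflare IPv4 ranges, one per line, and generates an nftables ruleset that accepts 80/443 only from those ranges, keeps one admin range for SSH, and drops everything else. The list below is constructed from documentation ranges and is not Cloudflare's; feed it the published list from https://www.cloudflare.com/ips-v4 instead. ADMIN_CIDR, the table name cf_only and the set name cf_v4 are assumptions of the example, not anything phpBB or Cloudflare define.

```shell
#!/bin/sh
# Added example for this thread, not something thecoalman posted: turn a list
# of Cloudflare CIDR ranges (one per line) into an nftables ruleset that
# accepts 80/443 only from those ranges, keeps an admin range for SSH, and
# drops the rest. Generation only; review the output before loading it.

# ADMIN_CIDR is an assumption: the range you administer the box from. The
# default is a documentation address; replace it before use.
ADMIN_CIDR="${ADMIN_CIDR:-192.0.2.10/32}"

# gen_cf_ruleset < cidr-list -> nftables ruleset on stdout.
# Blank lines and comment lines in the input are ignored.
gen_cf_ruleset() {
    printf 'table inet cf_only {\n'
    printf '  set cf_v4 {\n'
    printf '    type ipv4_addr\n'
    printf '    flags interval\n'
    printf '    elements = { '
    # join the CIDRs with ", " so they fit on one elements line
    awk 'NF && $0 !~ /^#/ { printf "%s%s", (n++ ? ", " : ""), $1 }'
    printf ' }\n'
    printf '  }\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n'
    printf '    tcp dport { 80, 443 } ip saddr @cf_v4 accept\n'
    printf '    tcp dport 22 ip saddr %s accept\n' "$ADMIN_CIDR"
    printf '  }\n'
    printf '}\n'
}

# Constructed sample list standing in for the published one; these are
# documentation ranges, NOT Cloudflare's.
SAMPLE_CF_LIST='# constructed sample list
198.51.100.0/24
203.0.113.0/24'

# cf_element_count RULESET -> how many ranges ended up in the cf_v4 set
# (every CIDR carries exactly one slash, so counting slashes on the
# elements line counts the ranges)
cf_element_count() {
    printf '%s\n' "$1" | awk '/elements =/ { print gsub(/\//, "/") }'
}

# Demonstration when run directly:
printf '%s\n' "$SAMPLE_CF_LIST" | gen_cf_ruleset
```

Load the result with `nft -f` once you have read it and confirmed the admin range is right, since the policy is drop and a typo locks you out. The set is IPv4 only; if the origin also has AAAA records you need a second set of type ipv6_addr built from the v6 list. Mail ports are not proxied by Cloudflare, so if the same host sends mail they need their own rules, which is also why the server IP still shows up in the Received: headers of outgoing email.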
Alison V wrote: ↑Sat Jul 10, 2021 8:00 pm
I realize some people may be of the opinion that it may not be something to worry about. But when you go through so much effort trying to stay hidden behind a reverse proxy (CloudFlare in this case) and they are your WAF provider you pay for, you kinda wanna cover all bases and stay ahead of the possible hack potential. It could be as simple as not liking your content or retribution, etc.

You are preaching to the choir as far as I go. It's been a few years, but my site was hit twice. The first one was sustained for a week with requests coming in at two thousand per second. I was completely unprepared for that; the second one was about a week later when I was behind CF. Unfortunately I wasn't prepared enough, as they did exactly what you alluded to above and identified the origin by scanning my host's IP range.
You usually get 2 dedicated IPs with a VPS; managed packages start around $40 per month. Additional IPs are a few bucks. A VPS gives you all the flexibility of a dedicated server with less resources. It can host as many domains as you want within the allotted resources. You can actually host other people if you wanted, and they get their own control panel etc. There are other benefits like root access, install whatever you want, configure things how you want.