Don't let your SSL certificate expose your origin IP

Misc

Plenty of webmasters (myself included) put a CDN in front of their site, and I suspect that more than the speed-up, what most of them want is to keep their fragile, pitiful, tiny, helpless origin IP from being discovered. Unfortunately quite a few platforms, https://search.censys.io/ for example, take advantage of an nginx "feature": they mass-scan https://<ip> and read the SSL certificate to map each IP to the site it hosts.

The principle is roughly this: on a server running nginx, if you haven't bound a default site to your IP, visiting https://<your ip> reaches the most recently added site on that server. Even if you return a status code such as 405 the way Baidu does, looking at the SSL certificate still tells you which website that IP belongs to.

Don't ask how they learned your IP without knowing your domain: the answer is bulk scanning, and once the scan hits you, the mapping is a simple lookup.
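To see exactly what such a scanner sees, here is an added shell example (not from the original post) that runs the same check against your own server: it connects to https://<ip> with no SNI, the way a scanner that only knows the IP does, lists the hostnames in the certificate nginx hands back, and reports whether any of them belong to a domain you are hiding behind the CDN. It assumes the openssl command-line tool (1.1.1 or newer, for the -ext option) is installed; the IP and domain in the usage comments are placeholders, and the openssl output parsed by the helper is the normal `-subject` / `-ext subjectAltName` text.

```shell
#!/bin/sh
# Added example, not from the original post. Audits what certificate a bare
# https://<ip> handshake returns, the same view a scanner such as Censys gets.
# Assumes: openssl CLI >= 1.1.1. IPs/domains in the comments are placeholders.

# Fetch the leaf certificate presented when connecting by IP with no SNI.
# Usage: fetch_cert 203.0.113.10 [443]
fetch_cert() {
  port="${2:-443}"
  # -servername is deliberately omitted: the scanner knows only the IP,
  # so nginx answers with the certificate of its default server.
  openssl s_client -connect "$1:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# Extract hostnames from `openssl x509 -subject -ext subjectAltName` text on
# stdin: the subject CN (new "CN = x" and old "/CN=x" formats) plus every
# DNS: entry of the SAN. Prints one lowercased name per line, deduplicated.
cert_names() {
  tr ',' '\n' \
    | sed -n -e 's/.*CN *= *\([^,/]*\).*/\1/p' -e 's/^ *DNS:\(.*\)$/\1/p' \
    | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# Read names from stdin; exit 0 if any of them is the given domain, a
# subdomain of it, or a wildcard for it (case-insensitive).
# Usage: printf '%s\n' "$names" | leaks_domain example.com
leaks_domain() {
  d=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr '[:upper:]' '[:lower:]' | awk -v d="$d" '
    { n = $0; sub(/^\*\./, "", n)
      if (n == d || substr(n, length(n) - length(d)) == "." d) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Full audit: returns 1 (and prints the offending names) when the certificate
# served for a bare IP names one of your CDN-protected domains.
# Usage: audit_ip 203.0.113.10 example.com
audit_ip() {
  names=$(fetch_cert "$1" 443 | cert_names)
  if [ -z "$names" ]; then
    echo "$1: no readable certificate served without SNI (handshake refused, or port closed)"
    return 0
  fi
  if printf '%s\n' "$names" | leaks_domain "$2"; then
    echo "$1: LEAK - certificate names: $(printf '%s' "$names" | tr '\n' ' ')"
    return 1
  fi
  echo "$1: certificate does not reveal $2 - names: $(printf '%s' "$names" | tr '\n' ' ')"
  return 0
}
```

Run `audit_ip <your origin ip> <your domain>` from a machine outside your CDN; a clean result is either "no readable certificate" (the handshake was refused) or a certificate whose names have nothing to do with your real domain, which is exactly what the fix below produces.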

image-1.png
image-3.png
image.png

From this certificate you can see that [220.181.38.148] corresponds to baidu.cn, so conversely one of baidu.cn's origin IPs is 220.181.38.148.

So yes, I got hit (currently deleting the database and running away).

image-4.png

And Baidu goes without saying.

image-5-1536x711.png

The fix is simple too (if you haven't been hit yet); I'll walk through it here with the BT (宝塔) panel (if you have already been hit, change your IP right away).

First, add a new site on your server.

image-6.png

Once it's added, bind your IP's default site to the site you just created.

image-8.png

Next, go to https://myssl.com/create_test_cert.html to make a custom SSL certificate. I've put the one I made below; take it if you need it.

Private key (KEY)

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA3JC1fwAf2pFCZsRHBoxNUq2WCZzofhrctHok7c2JXawWOQa9
kvYIKkEnWOIfHfmiF+6CGDr4yCgv17qs6ms2i3iIVS5uxarMp7TWQSRReRq5YH4L
r0sIHo5tWhQ5TDUmcVDKVwQIVZF16mP3a5gdKTf9O9TIGst9TB5teVGfwXCbyBZf
vKa6dW4cq0nLnbc85jI+b9DRq21w/UfrwAbMjF5CwArTlW8WnkUkKiFXEyMz2mr4
A7OiiPuhFcY3tiwkZS1/RpbJcNplLcR//SWELe/fKurAVinaZsR0NsfLM3ADoAZV
2FnYqFP0SlmjopLcrr0dCyBy775jszSzkkdF8QIDAQABAoIBAQCKUM0gaWmQXQtw
+qE3wAA1Wtn+CUHa4umI3BgQcJY2AdalyE5VvKf+J4GPQa4V1BgMPeujWkfs7Raj
iFMrZjR8XgfQsx+QIb3ZZZP+odHdyh56HlEhikH7N4HnvUr5OVN0OB/LVaIMVv3F
EQ91j5yp3oyVWqhp9TYL6ADq1X8DhHqE5RcPP92bDG0vc84oS+SPPcARWvlbs78t
lyh+JVnLbdoZQ4knQNiPQA7OL0PLWmhemn8RxbpcKhnr5+rgeuSvUrFsvE4a257M
i4ufbkVs3dmB4G+QQqrDRKnfkqYjeXyXXGMbTzrM7Wyp0Qi2t0IOxoptdsZ+k+SM
ZWpnLczpAoGBAO4ApaT2Mu7z2TgZZuOkUtRwWwU4olS0SWqKeRX85n6JTnY3IOoL
i4x3w9bxLCwKeb5KvryDJt0R4sHnexp++dQckIdWHXTzXxAs5t2alDjeiGab7SC2
totE0DP0kKjAROwNCVXIRc5tISAZtfqwg6dtgsacLzcKTehlKGvTzWJvAoGBAO0+
gQ/2CUYDQcvdyXTy1selISQqxFQvoYjJ2Z+GOElsLBtGakCT9HV0/9AEjwy+mQQv
1xo///hLbcwx239upg3LNuuPRAEjgviQVIuOS7+GJjalFENkSStw14c0pTP6QMf2
TC44wGvG0HNL0xjIZmJtaauvAadmjU1x8JTBgI2fAoGAKYURYKLWpdsCdQfxbBsZ
nBfxuQp1P0OoXx7DGvPgngiEGJlrc4kKEjo+fvvZ0eEN9gWCGs7ic8SQA3XHgwrN
uJQ3HnUGdIWUevTqXZR+8SDZONVQ29kkJU2e6MFsjxPjsi5gB4gFrYpaMghqN86d
WRMAsndCwV5Z0wX6tDzh4p8CgYAz8nG0Gv1g1Sm9B+0qrFmXEXM2Rh8DCALovrnm
Ei+U9BicSEjPpxXp+hphY/4mnj1HC2qgFs9ngKyj/26+cm3tq0d1QMN1NF9jKcc5
X4j6gNcxM+hB8V2MI4Mt2bsqrGsu3aFEpayMbNYLyNiKHqc8ehSfQQytqOjbwk0Z
ZV1OpQKBgGtVyv7IC27BM+fcst6kP0RXzRfdvg1dOFl9DpMK12eyjOG2BUzRQY1A
TYF70H58arJ167onabe2E5wi0veN3GiMGaTGeDCUcsIST9cFrwuOx0Di9M/wNveb
7N7dGUUJ/XYxbuFeZTy92F6ShF5DWk12/W1adWeR+3rkeKW938pm
-----END RSA PRIVATE KEY-----

Certificate (PEM format)

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----

Then bind the generated certificate to the newly created site.

image-10.png

Now you can visit https://<your ip> to see the certificate in effect (the image below shows the certificate above in action).

image-12.png

Of course, if you'd rather be a civilised, law-abiding citizen, you can use the certificate below instead.

Private key (KEY)

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Certificate (PEM format)

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----

This certificate looks like the image below: it's an empty certificate.

image-13.png

At this point your fragile, pitiful, tiny, helpless origin IP is safe, for now (maybe).
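For readers who are not on the BT panel, here is the same fix done in plain nginx, as an added example (not from the original post): a catch-all default_server bound to the bare IP that serves a self-signed throwaway certificate naming only localhost and closes the connection with nginx's 444 status, so a scanner connecting by IP learns nothing. The file paths and the IP in the comments are assumptions; it assumes the openssl CLI is installed and that none of your real server blocks carry default_server themselves.

```shell
#!/bin/sh
# Added example, not from the original post: the plain-nginx equivalent of
# "add a site, bind it as the IP's default site, give it a meaningless cert".
# Assumed paths: /etc/nginx/catchall for the dummy cert, /etc/nginx/conf.d
# for the server block. Adjust for your layout.

# Generate a throwaway self-signed certificate whose only name is "localhost".
# Usage: make_dummy_cert /etc/nginx/catchall
make_dummy_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=localhost" \
    -keyout "$1/dummy.key" -out "$1/dummy.crt" 2>/dev/null
  chmod 600 "$1/dummy.key"
}

# Write the catch-all server block. It must be the ONLY default_server on
# each listen address; nginx uses it for every request whose Host/SNI matches
# no other server_name, including requests sent to the bare IP.
# Usage: write_catchall_conf /etc/nginx/conf.d/00-catchall.conf /etc/nginx/catchall
write_catchall_conf() {
  conf="$1"; certdir="$2"
  cat > "$conf" <<EOF
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Throwaway certificate: it names nothing real, so the scanner's
    # IP -> certificate -> domain trick yields only "localhost".
    ssl_certificate     $certdir/dummy.crt;
    ssl_certificate_key $certdir/dummy.key;

    # Alternative on nginx >= 1.19.4: refuse the TLS handshake outright
    # (then the two ssl_certificate lines above can be dropped).
    # ssl_reject_handshake on;

    # 444 closes the connection without sending any response at all.
    return 444;
}
EOF
}

# Typical use (as root):
#   make_dummy_cert /etc/nginx/catchall
#   write_catchall_conf /etc/nginx/conf.d/00-catchall.conf /etc/nginx/catchall
#   nginx -t && nginx -s reload
# Then, from outside, check what the bare IP now serves (203.0.113.10 is a
# placeholder); the subject should read CN = localhost:
#   openssl s_client -connect 203.0.113.10:443 </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject
```

nginx chooses its default server per listen address, so every port and address family on which real sites are served needs the catch-all, and the throwaway certificate must never be reused for a real site. This only stops new leaks: a scanner that already recorded the old IP-to-domain mapping still has it, which is why the post says to change IP if you were already hit.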

Of course, you can also customise the page served by the IP's default site, for example:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <title>404 Not Found</title>
  </head>
  <body>
    <center>
      <h1>别扫了,劳资的网站也是你能扫得到的?</h1>
    </center>
    <hr>
    <center>https://search.censys.io/</center>
  </body>
</html>

image-14.png

Now that you've all learned this, please don't go out of your way to find my origin and attack it, I beg you (if you must attack someone, attack Pighead 🐷's).
