Self-Built Proxy Server Security Protection Guide (Firewall/Log Monitoring)

Hands-on teaching you to wear bulletproof vests for your own proxy server

What is the biggest fear of proxy servers? The hard work of the server was taken as a public toilet randomly on. Today we will nag how to lock their own servers, focusing on fire prevention and log monitoring of the two major guards.

Fire prevention isn't a fence. It's got to recognize people.

Many people think that if they turn on a firewall, everything will be fine, but in fact, it's almost the same as leaving the gate unlocked. Take the Linux system, for example.You can't just open a port. You have to play with the black and white list.. It is recommended to change common ports like 22 and 80 to cold numbers, such as changing the SSH port from 22 to a random number like 52488.

 Example of whitelisting with iptables
iptables -A INPUT -p tcp --dport 52488 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 52488 -j DROP

Here's a pitfall to watch out for:Never use the death combination of default port+passwordI've seen people set the proxy port to 8080 with a weak password. I've seen people set the proxy port to 8080 with a weak password, and it was breached in three days.

Logging is like checking security footage.

Logs are not used to occupy the hard disk, you have to look at it every day. It is recommended to use a tool like GoAccess to analyze it in real time, focusing on these signals:

I've seen the most extreme case: a company's operation and maintenance found that at 3:00 a.m. there was a Vietnamese IP login, check the monitoring and found that it was a competitor crawling data.

Proxy IP should be invisible like a chameleon.

Self-built proxy is the most headache IP blocked, here we recommend using theDynamic residential IP for ipipgoI'm not sure if I'm going to be able to do that. Their IP pool is automatically changed every day, and it has been tested to be used continuously for a week without triggering a blockade. It's easy to configure:

 Python using ipipgo proxy example
import requests

proxies = {
    'http': 'http://user:pass@gateway.ipipgo.io:9021',
    'https': 'http://user:pass@gateway.ipipgo.io:9021'
}

response = requests.get('https://api.example.com', proxies=proxies)

The key is toSetting the automatic switching periodIt is recommended to change a batch of IPs every 5 minutes for large business. ipipgo background can be set up to intelligently switch the strategy, which is much more hassle-free than manually switching.

Practical QA

Q: What if the fire rules are set up or not insured?
A: on the double protection, the cloud platform comes with a security group and system fire set up separately, the rules do not repeat. For example, in the AliCloud security group open 8000-9000 port range, the system fire and then refined to specific ports.

Q: How do I see that the log file is too large?
A: use logrotate automatically split logs, with ELK three-piece suite. Emergency direct grep to catch keywords: "Failed password" to find the blast, "GET /wp-admin" to prevent crawlers.

Q: What if ipipgo's IP is blocked by mistake?
A: They have a black technology function, in the user center point "emergency whitewash", within 30 seconds will refresh the entire IP pool. Last time we had a project triggered the platform wind control, with this trick immediately full blood resurrection.

This guarding thing is like having an electronic pet that you have to watch and feed every day. Remember.There's no such thing as an unbreakable shield, only an unworkable master.. Configure it well as described above to at least defend against 90% normal attacks. Leave the rest of 10% to the pros like ipipgo to pocket.