Roaders
Posts: 13
Joined: Sun Mar 20, 2016 8:44 am

Dangers of exposing port 80

Sun May 24, 2020 4:20 am

Hi All

I am just going through the learning process of setting up secure certificates for my raspberry pi.

I've got it all working and I've now got a secure password protected website to control things at home when I am away.

I am using certbot and letsencrypt for the certificate and for this I need to expose port 80: https://letsencrypt.org/docs/allow-port-80/

I don't actually need to serve my site from port 80 (obviously as it's ssl) but certbot needs access.

Previously when I have opened port 80 my poor pi has been flooded with malicious attacks and drowned under the weight of them. Is this still going to be a problem?

99.9% of the time there won't be anything running on port 80. Only when certbot is renewing the certificate so I suppose it'll be ok.

W. H. Heydt
Posts: 12970
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Dangers of exposing port 80

Sun May 24, 2020 5:18 am

It's what botnets do, so, yes, if you open port 80, you're going to get a flood of attacks. What you might consider (along with other defenses) is using your router to redirect some other port to port 80 on your Pi. You'll still get attacks, but not as many of them.

DougieLawson
Posts: 39565
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Dangers of exposing port 80

Sun May 24, 2020 8:26 am

Certbot needs it open for no more than ten minutes as they are checking the public visibility of the site (because their design is that if it ain't visible it doesn't need a cert, a self signed one will do).

Install fail2ban and activate all of the webserver jails for Apache2, Nginx or Lighttpd (whichever you're running) and you'll have enough protection to stop the random scanners.

Renewal doesn't check.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Heater
Posts: 16310
Joined: Tue Jul 17, 2012 3:02 pm

Re: Dangers of exposing port 80

Sun May 24, 2020 8:38 am

DougieLawson wrote:
Sun May 24, 2020 8:26 am
Certbot needs it open for no more than ten minutes as they are checking the public visibility of the site (because their design is that if it ain't visible it doesn't need a cert, a self signed one will do).
Certbot needs port 80 open to verify that you do actually have control of the server at that IP address and that you are not getting a cert for some domain you do not own.

If you have no services, Apache, nginx, whatever running on port 80 then all those attacks cannot do anything. When certbot listens on that port it will not pay attention to anything that is not from letsencrypt.

All in all I don't think this is something you need to worry about.
Last edited by Heater on Sun May 24, 2020 11:10 am, edited 1 time in total.
Memory in C++ is a leaky abstraction.

rpdom
Posts: 17426
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Dangers of exposing port 80

Sun May 24, 2020 10:42 am

DougieLawson wrote:
Sun May 24, 2020 8:26 am
Certbot needs it open for no more than ten minutes as they are checking the public visibility of the site (because their design is that if it ain't visible it doesn't need a cert, a self signed one will do).
I use acme.sh with DNS resolution to renew my letsencrypt certificates. I don't have to have any ports on the webservers publicly visible at all.
Of course it does help that I run my own DNS servers, which isn't too hard to set up, and using powerDNS I just have acme.sh poke a temporary key value into a MySQL database on a Pi and that replicates to the DNS servers in a second or so.
Unreadable squiggle
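Heater's post above says certbot uses port 80 to prove you control the server, and rpdom's says the same proof can be done through DNS instead. The following is an added worked example (not code from this thread, nor from certbot or acme.sh) of what both proofs actually consist of, per RFC 8555 sections 8.3 and 8.4 with the account-key thumbprint from RFC 7638. The token and the account key below are constructed placeholders; the "n" value is not a real RSA modulus, and no network calls are made.

```python
"""Constructed example of how an ACME client answers HTTP-01 and DNS-01 challenges
(RFC 8555 sections 8.3 and 8.4; JWK thumbprint per RFC 7638). Not certbot's or
acme.sh's code. Token and account key are made up, so the outputs are illustrative."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over a JSON object holding only the required public members,
    keys sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """'token.thumbprint': ties the CA's random token to *this* ACME account key, so a
    third party seeing the token on the wire cannot reuse it with their own account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_path(token: str) -> str:
    """The one URL the CA will fetch over plain HTTP on port 80."""
    return f"/.well-known/acme-challenge/{token}"


def http01_respond(request_path: str, token: str, account_jwk: dict):
    """Routing logic of a minimal standalone HTTP-01 responder: the challenge path
    gets 200 and the key authorization; any other path (scanner traffic) gets 404."""
    if request_path == http01_path(token):
        return 200, key_authorization(token, account_jwk)
    return 404, ""


def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT record value is base64url(SHA-256(key authorization)).
    Nothing needs to listen on the web server for this proof."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


# Constructed inputs (assumptions for the example): not a real key, not a real token.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "example-modulus-not-a-real-key"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    status, body = http01_respond(http01_path(TOKEN), TOKEN, ACCOUNT_JWK)
    print("HTTP-01: GET", http01_path(TOKEN), "->", status, body)
    print("HTTP-01: GET /wp-login.php ->", http01_respond("/wp-login.php", TOKEN, ACCOUNT_JWK))
    print("DNS-01:", dns01_record_name("example.com"), "TXT", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

The two proofs differ only in where the key authorization is published: HTTP-01 serves it at a fixed path on port 80, DNS-01 publishes its hash in a TXT record. Either way the value depends on the account key, which is why random traffic arriving on port 80 during a renewal gains nothing from it.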

DougieLawson
Posts: 39565
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Dangers of exposing port 80

Sun May 24, 2020 11:54 am

rpdom wrote:
Sun May 24, 2020 10:42 am
I use acme.sh with DNS resolution to renew my letsencrypt certificates. I don't have to have any ports on the webservers publically visible at all.
I just run a plain open port 80 and port 443 with fail2ban set up to catch the script kiddies.

I run Bind9 with example.bogus for intranet machines (as example.local is owned by Avahi) where my internet domain is example.co.uk (names changed to protect the guilty).

ders
Posts: 2
Joined: Sun May 24, 2020 7:04 pm

Re: Dangers of exposing port 80

Sun May 24, 2020 8:49 pm

With regard to performance concerns when temporarily opening the port occasionally: I don't think you have too much to worry about.

With regard to exposing port 80:

The fail2ban recommendation is good.

For performance (and security?), maybe an NGINX reverse proxy configuration would help by returning error pages at the proxy level for commonly targeted paths such as WordPress resources. This would be especially helpful if your app is heavier.

For larger attack surfaces that have comparatively more potential vulnerabilities (user inputs, databases), a web app firewall (WAF) like ModSecurity could be used for other security concerns.

I found this article about gzip bombs quite fascinating, although if it works it is not robust or even a good solution for the problem.

I have previously used Apache and NGINX on a pi 3 with a port forward from an obscure port number on my router. The request logs looked bad enough of course but I had no performance problems, and I have no basis for comparison since I have never run port 80 on a pi. If you really find this to be an issue (it probably won't be) then w.r.t. pi's I can vouch for the port forward solution.
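Two posts in this thread recommend fail2ban's web-server jails against the scanners that hit port 80. As an added illustration (not fail2ban's code and not from this thread), here is the core of what such a jail does, run over a few constructed nginx access-log lines in the default "combined" format: count offending requests per client IP inside a sliding window (fail2ban's findtime), and ban the IP once it reaches maxretry. The list of probe paths, the thresholds and the log lines are all assumptions made for the example; the ban command shown is one possible firewall action, not fail2ban's default.

```python
"""Constructed example of the detection logic behind a fail2ban web-server jail.
Not fail2ban's own code. Log lines are made up in nginx 'combined' format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx combined: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Paths a personal site never serves but scanners always try (constructed list,
# in the spirit of fail2ban's nginx-botsearch filter).
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/.env", "/phpmyadmin", "/cgi-bin/", "/setup.cgi")


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse
    (binary junk requests are logged by nginx without a method and are skipped here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_offence(path: str, status: int) -> bool:
    """Offence rule: a 4xx answer to one of the commonly probed paths."""
    return 400 <= status < 500 and any(path.startswith(p) for p in PROBE_PATHS)


def scan(lines, maxretry: int = 3, findtime: int = 600) -> dict:
    """Replay the log; return {ip: time_of_ban} for IPs with >= maxretry offences
    within any findtime-second window. Already banned IPs are not re-counted."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _method, path, status = parsed
        if ip in banned or not is_offence(path, status):
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # drop offences older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def ban_command(ip: str) -> str:
    """One possible action (assumption): drop the source with iptables."""
    return f"iptables -I INPUT -s {ip} -j DROP"


# Constructed sample log: a fast scanner, a legitimate visitor, and a slow scanner
# whose probes are 20 minutes apart (outside the 600 s findtime, so not banned).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2020:04:20:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/May/2020:04:20:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/May/2020:04:20:04 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/May/2020:04:20:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/May/2020:04:20:09 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [24/May/2020:04:30:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/7.64"',
    '192.0.2.9 - - [24/May/2020:04:50:00 +0000] "GET /cgi-bin/test HTTP/1.1" 404 153 "-" "curl/7.64"',
    '192.0.2.9 - - [24/May/2020:05:10:00 +0000] "GET /setup.cgi HTTP/1.1" 404 153 "-" "curl/7.64"',
    'junk line that does not parse',
]

if __name__ == "__main__":
    for ip, when in scan(SAMPLE_LOG).items():
        print(f"{when.isoformat()} ban {ip}: {ban_command(ip)}")
```

The legitimate visitor's 404 on /favicon.ico is not counted because it is not on the probe list, and the slow scanner stays under the threshold because each of its hits falls out of the window before the next arrives; tuning maxretry and findtime is exactly the trade-off fail2ban's jail settings expose.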

darkskyseeker
Posts: 50
Joined: Wed Sep 12, 2018 5:21 pm

Re: Dangers of exposing port 80

Tue May 26, 2020 5:34 pm

>> It's what botnets do, so, yes, if you open port 80, you're going to get
>> a flood of attacks. What you might consider (along with other defenses)
>> is using your router to redirect some other port to port 80 on your Pi.
>> You'll still get attacks, but not as many of them.

"Security by obscurity"

Heater
Posts: 16310
Joined: Tue Jul 17, 2012 3:02 pm

Re: Dangers of exposing port 80

Tue May 26, 2020 6:17 pm

None of the above makes any sense in the context of our OP's question.

Let's say you want to run a web server on a publicly facing IP address using HTTPS.

That web server will be listening on port 443 unless you want to be weird. There is little point in being weird.

But none of that will do anything unless you have your certificates.

To get certs from letsencrypt.org you need to open port 80. Which is nothing bad as you have nothing listening on port 80.

The letsencrypt certbot will listen on port 80 for long enough to verify you have control of that server and get the certs. Nothing bad about that either.

When all that is said and done, you have your web server answering to requests over HTTPS on port 443. At that point your problems begin. Now the security of the whole thing is dependent on your web server and whatever code you have it running there.

At which point you need to do some homework and keep an eye on the news for the latest security exploits:
https://webflow.com/blog/website-security-checklist
https://www.upguard.com/blog/the-websit ... -checklist
etc, etc.

rpdom
Posts: 17426
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Dangers of exposing port 80

Tue May 26, 2020 8:32 pm

Heater wrote:
Tue May 26, 2020 6:17 pm
To get certs from letsencrypt.org you need to open port 80.
Unless, like me, you use the DNS option (which also gives you the option of wildcarded certificates, which is cool). I don't have to expose 80 or 443 to the outside world on my servers if I don't want to.
I appreciate not everyone can run their own DNS servers, but the acme.sh script can handle various other DNS options as well as long as your DNS provider has a suitable API.
