У меня есть установка с Amazon EC2, на которой запущено мое веб-приложение, а домен размещен в cloudflare. У меня нет какой-либо настройки балансировщика нагрузки в моей инфраструктуре. Тем не менее, когда мы запустили тест безопасности в Qualys, отчет показал нам уязвимость Уровня 1 как "Обнаружено наличие устройства балансировки нагрузки".
В отчете хорошо то, что в нем также упоминается, как решить эту проблему. Следующий фрагмент является частью отчета
THREAT :
The service detected a load-balancing device in front of your Web servers. This information can provide an attacker with additional information about your network.
Different techniques were used to detect the presence of a load-balancing device, including HTTP header analysis and analysis of IP Time-T o-Live (TTL) values, IP Identification (ID) values, and TCP Initial Sequence Numbers (ISN). The actual technique(s) responsible for the detection can be seen in the Result section.
The exact number of Web servers behind a load balancer is difficult to determine, so the number reported here may not be accurate. Furthermore, Netscape Enterprise Server Version 3.6 is known to display an erroneous "Date:" field in the HTTP header when the server receives a lot of requests. This makes it difficult for the service to determine if there is a load-balancing device present by analyzing the HTTP headers. Also, the result given by the analysis of IP ID and TCP ISN values may vary due to different network conditions when the scan was performed.
IMP ACT :
By exploiting this vulnerability, an intruder could use this information in conjunction with other pieces of information to craft sophisticated attacks against your network.
Note also that if the Web servers behind the load balancer are not identical, the scan results for the HTTP vulnerabilities may vary from one scan to another .
SOLUTION:
To prevent the detection of the presence of a load-balancing device based on HTTP header analysis, you should use Network-Time-Protocol (NTP) to synchronize the clocks on all of your hosts (at least those in the DMZ).
To prevent detection by analyzing IP TTL values, IP ID values, and TCP ISN values, you may use hosts with a TCP/IP implementation that generates randomized numbers for these values. However, most operating systems available today do not come with such a TCP/IP implementation.
COMPLIANCE: Not Applicable
EXPLOIT ABILITY :
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
Number of web servers behind load balancer: 100 - based on HTTP headers
Проблема с этим отчетом и решением заключается в том, что у меня нет настройки балансировщика нагрузки, поэтому я не могу синхронизировать часы моего сервера (с чем мне следует синхронизировать их, если нет балансировщика нагрузки / хостов для меня, чтобы настроить NTP в теме)