DNS is the DNA of the Internet, and while many organizations secure their domain names with HTTPS, they wrongly assume this protects every path to their servers. A common oversight is that the same servers can also be reached directly by IP address.
TLS certificates are normally issued for domain names rather than IP addresses (a public CA can include an IP in a certificate only for a public, routable address, never for a private one), so accessing a server via `https://
Organizations relying solely on domain-level security may unknowingly expose their infrastructure. To mitigate this, businesses should:
– Restrict direct IP access
– Enforce domain-only connections
– Consider internal PKI if secure IP-based access is essential
True security demands more than just a padlock icon: it requires complete endpoint awareness, security for every Internet-connected asset, and DNS security controls.
You Should Know:
1. Restricting Direct IP Access
Configure your web server so that a request whose Host header is a bare IP address is rejected. Name-based virtual hosting selects the vhost by Host header, and a request whose Host matches no configured name falls through to the first (default) vhost for that port, so the rejection rule must live in that default vhost; with a single vhost per port, as below, it is the only candidate.
For Apache:
<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    # Plain HTTP, whatever the Host header, is sent to the canonical HTTPS name
    Redirect permanent / https://yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem

    # Deny IP-based access: refuse (403) any request whose Host header is a bare IPv4
    # literal. Host may carry a port (192.168.1.1:443), so allow an optional :port.
    # Dots must be escaped or they match any character. Requires mod_rewrite.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$
    RewriteRule ^ - [F,L]
</VirtualHost>
For Nginx:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate     /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # $host is the Host header lowercased with any :port already removed.
    # Dots are escaped so the pattern only matches a real dotted quad; extend it
    # for bracketed IPv6 literals if the server listens on IPv6. This server is the
    # only (hence default) one on 443, so every unmatched Host lands here.
    if ($host ~ "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$") {
        return 403;
    }
}
2. Enforcing Domain-Only Connections with Firewalls
Packet filters work on addresses and ports, not on the HTTP Host header, so on their own they cannot tell a domain-based request from an IP-based one; what they can do is limit who may reach ports 80/443 at all (for example, only the load balancer or CDN in front of the origin). The rules below show where the limits are:
Linux (iptables):
# Payload string matching only works on plaintext HTTP (port 80). On port 443 the Host header is inside the
# TLS record, so a string match can never see it and the web server or reverse proxy must enforce the rule.
# Even on port 80 this is a weak control: --icase is needed because header names are case-insensitive, a Host
# value with a :port suffix or an IPv6 literal will not match, and a header split across TCP segments is missed.
iptables -A INPUT -p tcp --dport 80 -m string --string "Host: 192.168.1.1" --algo bm --icase -j DROP
Windows (PowerShell):
# Windows Firewall also filters on addresses and ports only. This rule blocks ALL inbound HTTP/HTTPS to the
# host, not just requests that carry an IP in the Host header, so use it only on interfaces that should never
# serve web traffic, or pair it with -RemoteAddress allow rules for the load balancer/CDN that should reach the origin.
New-NetFirewallRule -DisplayName "Block Direct IP Access" -Direction Inbound -LocalPort 80,443 -Action Block -Protocol TCP
3. Monitoring & Detecting IP-Based Attacks
Use tcpdump to spot plaintext HTTP requests whose Host header is an IP address. This only works on port 80: on port 443 the header is encrypted on the wire, so for HTTPS check the web server's access log (with the host field included in the log format) after TLS termination instead.
# -A prints the payload as ASCII (without it only packet headers are shown), -s 0 captures full
# packets, -l line-buffers stdout so grep sees matches immediately; dots are escaped in the pattern.
tcpdump -i eth0 -l -A -s 0 'tcp port 80' | grep -E 'Host: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+'
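As an added example that is not code from the original post, the following POSIX shell script performs the Host-header check that the vhost configurations above intend, but also covers a `:port` suffix and bracketed IPv6 literals that a plain "digits and dots" pattern misses, shows the stricter allowlist check a server should really make, and runs the same classifier over constructed access-log lines, which is where IP-host requests over HTTPS can be seen once TLS is terminated (tcpdump only shows the Host header for plaintext HTTP). The hostnames `yourdomain.com`/`www.yourdomain.com`, the addresses (documentation ranges) and the log layout `<client> <host> "<request>" <status>` are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Classifies Host header values the way
# the vhost rules above intend to, but also handles a :port suffix and bracketed IPv6
# literals, then runs the same check over constructed access-log lines.
# Hostnames, addresses and the log layout below are assumptions for this demo.

# Names the server is configured to answer for (assumed).
ALLOWED_HOSTS="yourdomain.com www.yourdomain.com"

# is_ip_host HOST: succeed if HOST is an IP literal. A plain "digits and dots" pattern
# misses 192.168.1.1:8443 and [2001:db8::1]; both forms are covered here.
is_ip_host() {
    h=$1
    case "$h" in
        \[*\]|\[*\]:[0-9]*) return 0 ;;      # [IPv6] or [IPv6]:port
    esac
    h=${h%:*}                                # drop an optional :port (no-op without ':')
    printf '%s\n' "$h" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# is_allowed_host HOST: the stricter check a server should make. Rather than deny-listing
# IP syntaxes, accept only configured names (case-insensitively, ignoring any :port).
is_allowed_host() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    h=${h%:*}
    for a in $ALLOWED_HOSTS; do
        [ "$a" = "$h" ] && return 0
    done
    return 1
}

# find_ip_host_requests: read log lines from stdin and print those whose Host field is an
# IP literal. Assumed (constructed) layout: <client_ip> <host_header> "<request>" <status>
find_ip_host_requests() {
    while read -r client host rest; do
        if is_ip_host "$host"; then
            printf '%s %s %s\n' "$client" "$host" "$rest"
        fi
    done
}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG='203.0.113.7 yourdomain.com "GET / HTTP/1.1" 200
198.51.100.9 192.0.2.10 "GET /admin HTTP/1.1" 403
198.51.100.9 192.0.2.10:443 "GET /admin HTTP/1.1" 403
203.0.113.7 WWW.yourdomain.com "GET /login HTTP/1.1" 200
2001:db8::5 [2001:db8::1]:443 "GET / HTTP/1.1" 200'

# count_ip_host_requests: how many sample lines reached the server by IP literal
count_ip_host_requests() {
    printf '%s\n' "$SAMPLE_LOG" | find_ip_host_requests | wc -l | tr -d ' '
}

echo "Requests that reached the server by IP literal:"
printf '%s\n' "$SAMPLE_LOG" | find_ip_host_requests
```

The allowlist form (`is_allowed_host`) is the safer rule to put in production: a deny pattern has to anticipate every IP syntax, while an allowlist of the names the certificate actually covers rejects everything else, including stray internal hostnames, by default.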
4. Implementing Internal PKI for IP Security
If IP-based access is necessary, deploy an internal Certificate Authority (CA), issue server certificates that carry the IP address in the subjectAltName (SAN) extension, and distribute the CA certificate to every client that must trust it. Modern clients match only the SAN and ignore the Common Name, so a certificate with just CN=192.168.1.1 is not enough; and since public CAs will not issue for private address ranges, an internal CA is the only option for RFC 1918 addresses.
OpenSSL commands to generate an IP SAN certificate (ca.crt and ca.key are the internal CA, created beforehand):
# 1. Server key and CSR; the CN is kept for readability only, clients match on the SAN
openssl req -newkey rsa:2048 -nodes -sha256 -keyout server.key -out server.csr -subj "/CN=192.168.1.1"
# 2. Extensions attached at signing time: the IP SAN plus the server-authentication usage clients check
printf 'subjectAltName = IP:192.168.1.1\nextendedKeyUsage = serverAuth\n' > extfile.cnf
# 3. Sign with the internal CA; -CAcreateserial writes ca.srl next to ca.crt
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -extfile extfile.cnf
What Undercode Say:
Ignoring IP-based security is like locking the front door but leaving the back window open. Attackers exploit overlooked weaknesses, and unsecured IP access is a prime target. By enforcing domain-only connections, restricting IP access, and monitoring traffic, organizations can close this gap.
Key Takeaways:
- Prefer domain names as certificate subjects; put an IP in the SAN only where IP-based HTTPS is unavoidable.
- Use web server configurations to block direct IP access.
- Deploy internal PKI if IP-based HTTPS is unavoidable.
- Monitor logs for unusual IP-based requests.
Security is a layered defense; never assume HTTPS alone is enough.
Expected Output:
A hardened web server configuration that rejects IP-based requests, ensuring all connections are domain-authenticated and encrypted.
Further Reading:
- Mozilla SSL Configuration Generator
- Let's Encrypt Documentation
- Nginx SSL Termination Best Practices
References:
Reported By: Andy Jenkinson – Hackers Feeds