Discourse Performance Reports

Hello,

I installed Discourse yesterday on a fresh DigitalOcean droplet, enabled site performance reports and just got the first report a short while ago. I’m a bit confused about it, hence the post.

The image above shows the end of my logs and what looks like a request for a perfectionchocolates domain and other wordpress files. Thing is, Discourse is the only thing I installed on the droplet and since the community is new, all posts are mine and have nothing to do with the listed items. I also can’t find any indication that someone or a bot has posted anything.

Has my server/droplet been compromised?

You can check the web server’s access and error logs and compare them to those requests to see if it has a user-agent; without more monitoring that is the closest you are gonna get to discovering if it was a bot, and maybe not even then.

However, there are lots of reasons those could be requested. Anyone can send a GET request to any server. Because those are for specific products (as opposed to WooCommerce-specific files), they probably just had that IP address prior to you, or something similar.

Milk Chocolate Pretzel Spiders do look delicious, ne?

I would take this opportunity to review security practices, and DigitalOcean has a bunch of tutorials about it:

2 Likes

Don’t worry, this happens a lot on a new server. The IP address has previously been used by this perfectionchocolates domain, and the hostname is still pointing to your box. Compare this to getting a new phone number and getting calls for the previous owner of that number.

No security issue, nothing to worry about.

BTW, just make sure your server only responds to your own host name, otherwise your forum could end up in Google under that other domain as well, and that could have some SEO consequences if you’re unlucky.

6 Likes

Thanks @maiki and @michaeld

Mind at ease. First server. Good to know I didn’t do something wrong :relieved:

I’ll definitely read up on those.

Sooner or later you’re gonna notice some more strange URLs in your report and web server logs. This is very common on a public server, as there are so many crackers/hackers scanning websites all day to try to find a vulnerable one.

I do recommend you get a CloudFlare free plan and turn on protection, although that requires you to move your DNS to CF too.

2 Likes

All those security scanners and hackers will approach your server directly anyway, so that is only useful if you combine it with firewall rules that only allow access for Cloudflare. Otherwise it’s just a false sense of security. It’s less complicated to just focus on protecting your server in the first place.

3 Likes

Nope. If you turn on protection (the cloud icon in DNS setup), your server is behind CF proxies and the DNS record for your server is pointed to CF servers instead of yours. Unless your real server IP got leaked in some other way (there are discussions about that and workarounds, both on meta and elsewhere), the hackers won’t be able to know what your real server IP is, so they won’t be able to approach your server directly.

And CF also helps filter out some well-known hacking behaviors, which is not quite easy for a normal website operator to set up.

I don’t agree. Finding out the real IP is trivial, and getting your server right in the first place is important. Cloudflare adds variables of its own.

1 Like

I didn’t say setting up the server right in the first place is not important, nor did CF say so, I believe. It’s just another extra protection that is easy and free to get.

As long as the setup is done correctly, the real IP can be hidden well. If the setup is done incorrectly, the real IP can be leaked easily. That is the same as setting up the server: done correctly, safe; not done correctly, at risk. So they both are the same in some way: no perfect setup that prevents absolutely all hacks exists, all we can do is just try to minimize the risk as much as possible.

One key point in security is to minimize attack surface. Introducing CF adds extra variables, but it minimizes the attack surface on your own server as it is less exposed. The extra variables could cause extra problems, but that is gonna happen on CF’s servers, not yours.

Not without cost of its own, in terms of complexity, and centralized risk. Cloudflare was leaking https data all over the place for months.

2 Likes

Yes, that one is a serious problem and a no-go for many people. But to me, I trust it as much (or as little) as other cloud service providers, so jumping into one is just like anything: a trade-off.

You are making one huge mistake in the way you are thinking.

Because it’s not. Your regular visitors will go there. But hackers are not targeting your hostname, they’re just scanning IP blocks. They don’t go through the DNS and (thus) they don’t go through CF proxies.

To extend on the metaphor I mentioned previously, getting an unlisted phone number will not prevent people from calling you up when they’re dialing a random number.

6 Likes

Your metaphor indeed proves that what you said is wrong. Yes, an unlisted phone number still cannot prevent people from calling you if they just dial randomly. But you still won’t publish your number everywhere. Because you know publishing the number everywhere gets you trouble in the next minute. If you get it unlisted you may only get such calls occasionally.

Let me give another metaphor. Someone is going to a battlefield and he has a bullet-proof vest. Since the vest can only cover his body but not arms, legs, etc., he thought, OK, I’m going to die anyway if I get shot, so I just don’t need the vest. A veteran probably will choose to do so to save weight for other stuff. But a newbie or normal soldier still wants to put it on for a free protection.

The world is full of real hackers, regular crackers, and script kiddies. We have a fundamental diversity here:

I believe if a method is easy to implement, I still should put it on. Even if it could only stop some script kiddie type of attack. It can screen out those troubles with low cost. ( = You don’t get spam calls the next minute).

You believe that since a method is not 100% perfect, it cannot stop real hackers, so then it should not be used. This is what I learned from your words. Correct me if you didn’t mean so.

Maybe from your hosting business perspective it is appropriate to do so to minimize variables, as you have your own team to worry about all this and may do better than CF in terms of fitting into your own business situation. But from a regular website operator’s perspective, which probably is the situation of the majority of the visitors here, I believe my approach is more practical.

Don’t over-interpret what I said here and in the above posts. I never said one should not set his server up right in the first place because there is CF protection. I just said he can use CF as another protection if it does not cost $1000/mo or need a week to set up.

I’d rather appreciate it if you shared some more about how to make the server setup right, if CF is not helpful in your opinion.

An illustration I drew some time ago.

I believe:

  • Block 1 should be implemented for everyone unless there is some strong reason against it.

  • Block 2 should be implemented for everyone if he can learn some basic Linux/networking/security knowledge.

  • Block 3 is better to be implemented if one can afford the cost.

  • Block 4 is good for large organizations that can afford the continuing cost and effort, both money and manpower.

I see Michael meant block 1 is not necessary if we have 2/3/4. But most people won’t be able to get 4, they can hardly get to 3, and only some of them can get 2. So why let 1 go out of choice?

Every metaphor has its flaws and this is indeed where the comparison goes wrong.

You are talking about a directed attack to your server, where people do a DNS lookup to find out your IP address and then attempt to hack it.

But reality is different. Most hackers will not be targeting your specific site. They just want access to a certain amount of servers to use the capacity for a botnet or sending spam.

So if you want to have access to 1000 servers, maybe you need to try to hack a few million.

You said it yourself: they’re scanning websites all day. Now how are people doing that?

a) by making a list of host names (how?) and looking them all up
b) by iterating through the totally sequential and public range of all IP addresses

Indeed, option b is one thousand times easier and that is what people are doing. And option b totally circumvents your CF protection.

Now if you want to mitigate that, you have to set up your firewall in such a way that it will only allow CF to access your server.
But

  • if you know how to do that, you can also use your time and knowledge to implement the same protection as CF does.

  • CloudFlare will only protect http and https, you still have to go directly to your server for SSH, SMTP etcetera.

Now your point is that adding CF does not hurt and it’s free (free as in there is no money to be paid)
But:

  • People will have a false sense of security. And this is where this discussion started: you were recommending this to someone in a way that made him think that this would be the difference between being unable to sleep at night and being totally protected.
  • It does (can) hurt. CF adds complexity and complexity will result in new vulnerabilities. For the CF incident that CodingHorror mentioned, a lot of people got off WORSE with CloudFlare than they would have without.
6 Likes
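As an added illustration of two points raised in this thread (checking the access log for requests that arrived under a hostname that is not the forum’s own, and checking whether requests really came in through the proxy rather than straight at the server’s IP), here is a small triage script; it is not code from the thread or from Discourse, and the log format, the forum hostname, the proxy networks and the log lines are all assumed or constructed.

```python
import ipaddress
import re

# Assumed log format: nginx "combined" with "$host" appended as a final field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)
OUR_HOSTS = {"forum.example.org"}  # placeholder for the real forum hostname
# Placeholder proxy egress networks (Cloudflare publishes its real list at https://www.cloudflare.com/ips/)
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8::/32")]

# Constructed sample: a stale-DNS request for the previous tenant's domain, a raw-IP
# probe for a WordPress file, one request via the proxy, and one direct request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2017:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; scanner)" perfectionchocolates.example
203.0.113.7 - - [10/Aug/2017:12:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162 "-" "-" 192.0.2.10
198.51.100.9 - - [10/Aug/2017:12:00:03 +0000] "GET /latest HTTP/1.1" 200 5120 "-" "Mozilla/5.0" forum.example.org
192.0.2.44 - - [10/Aug/2017:12:00:04 +0000] "GET /t/hello/1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0" forum.example.org
"""

def parse_line(line):
    """Split one log line into fields; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split()
    rec["path"] = parts[1] if len(parts) > 1 else rec["req"]  # "-" or junk kept as-is
    return rec

def is_proxy_source(ip):
    """True if the client address lies inside one of the proxy's networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)

def triage(lines, our_hosts=OUR_HOSTS, behind_proxy=True):
    """Tag each line 'foreign_host', 'direct_to_origin', 'ok' or 'unparsed'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append({"reason": "unparsed", "line": line.strip()})
        elif rec["host"] not in our_hosts:   # stale DNS or raw-IP scan: not our name
            findings.append({"reason": "foreign_host", **rec})
        elif behind_proxy and not is_proxy_source(rec["ip"]):  # bypassed the proxy
            findings.append({"reason": "direct_to_origin", **rec})
        else:
            findings.append({"reason": "ok", **rec})
    return findings
```

Requests tagged `foreign_host` are what a default server block that answers only your own name should refuse, and `direct_to_origin` hits are the ones a proxy-only firewall rule would have dropped; run with `behind_proxy=False` when no proxy is in front of the server.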

I kept saying that CF is not the silver bullet, while you keep talking in a way that suggests you think I said so. I’d appreciate it if you quoted my original words on that.

If someone gets a bulletproof vest and thought he could stand on high ground as a free target, whose fault is it, the vest supplier’s or the-man-who-wears-the-vest’s?

I never said CF can protect 100% cases and I even have a picture for that in case you don’t get the point. I guess you can’t get any point you don’t agree.

Whether you use CF or not, chances are high that your own setup still couldn’t be flawless either. Did I ask you to give up doing that? No. Even highly trusted and widely used pieces of code have flaws: OpenSSL, the Linux kernel, routers, too many to list. The key is we need to put many things together to get good enough protection at a reasonable cost. If you see a historical problem in a software/service and you stop using it forever, you won’t have anything to use. You won’t even have a computer, as it was not designed to be secure from the beginning.

I’ve said it a few times and this is going to be the last time I repeat it: there are many kinds of risks one can face on the internet, and no single solution can solve them all. CF is one solution among many others, not perfect, not 100% bullet-proof, but it can provide some protection at a very low cost. Some people or hosting providers can do better than that for their own business, and they begin to remove CF from their list of options, which is perfectly fine. But that does not mean using CF is as bad as they claimed.

Not true. CF provides more than just banning certain IPs. It is not as easy as you said: “if you know how to do that, you can also use your time and knowledge to implement the same protection as CF does”.

Read that in reverse: you have SSH/SMTP/HTTP/HTTPS, and now CF protects two of them. It lowers the risk, exactly as one would expect.

You interpreted my words that way; I did not say it that way. I’ve clarified my words, and you keep interpreting them in your own way.

As mentioned above, probably all software/services have had such an issue once or more. Name that list and act the same way as you did with CF, and you end up with nothing to use.

I tire of this argument. Recommending CloudFlare as step zero is wrong, and if you do that you are a bad person and you should feel bad.