4
« on: June 10, 2020, 04:55:28 AM »
If [error-page] is present, that content will be the response to ban/disconnect/scanner.
Next,
Whether or not the [error-page] section is present, the contents of [overload] will be a response to banned/disconnect/scanner.
This is unintentionally verbose/pingable.
Also, if you do the hide-root thing, Throwback14 is rigged not to leak at /, but if you ask for url/File, the overload section is the response even if you don't have a folder named file. Apparently, /file has a special meaning and always exists.
Here is a patch:
Delete the [error-page] section (if any). Throwback14 doesn't have it.
And also,
The [overload] section should start off with 3 filter macros:
{.if|!%user%|{:{.if|{.%url% = /.}|{:{.disconnect.}:}.}:}.}{.if|!%user%|{:{.if|{.%url% = /file.}|{:{.disconnect.}:}.}:}.}{.if|!%user%|{:{.if|{.%url% = /File.}|{:{.disconnect.}:}.}:}.}
Does: Don't send extra messages to strangers seeking /, /file, or /File.
Pseudocode: If stranger caused overload at / then disconnect; and, if stranger caused overload at /file then disconnect; and, if stranger caused overload at /File then disconnect.
If there are more built-ins, then the filter which starts the [overload] section should be revised to:
{.if|!%user%|{:{.disconnect.}:}.}
Pseudocode: Don't send overload message to strangers.
I updated my home server to that, because I don't know how many built-ins there are (such as /file, which always exists).
The question is:
Should the security update be done at the template or at hfs.exe?
If it was a good idea to put the security update into a template, then I'd need to ask a moderator to unlock the Throwback template thread.
Severity:
Least impact. Almost none. Hideroot-style security effort is not expected to succeed on port 80; and common scanners don't check every uncommon port to see if web servers respond to /file, because it is unfeasible to use a scanner in that way.
In my opinion:
A template could not be fully effective at hideroot security efforts (not a total means of security, but it lasts until a change). A template could give either the least or a more verbose response. Only hfs.exe could give zero response. Perhaps an option could be added to make no response to / or to any folders which don't exist? I'm glad that Throwback and Takeback have better inbuilt security than any other templates; however, I think it would be a bit more effective if the .exe did the job. Again, the security gap reported is least-impact (of least concern). But it could be improved.
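A way to check the patch from the outside, added here as an example (this is not code from the post above, from HFS, or from the Throwback template): it sends an anonymous GET to /, /file, /File and an assumed nonexistent folder, then classifies each reply as "silent" (connection closed with no bytes, which is what the {.disconnect.} filter should give), "empty" (HTTP headers with no body) or "verbose" (a body came back). The fingerprint check assumes an HFS reply can be recognised by "HFS" appearing in the response headers; the probe paths and the marker are assumptions to adjust for your server.

```python
"""Anonymous probe for HFS hide-root leaks (added example, not HFS code)."""
import socket
from typing import Dict, List, Optional

# Paths from the post: / and the built-in /file and /File. The last entry is an
# assumed nonexistent folder, used to compare against the built-ins.
PROBE_PATHS: List[str] = ["/", "/file", "/File", "/no-such-folder-probe"]

# Assumption: an HFS instance can be fingerprinted by "HFS" appearing in the
# response (e.g. a Server: header); another server would need its own marker.
FINGERPRINT_MARKER = b"HFS"


def classify(raw: Optional[bytes]) -> str:
    """Classify the raw bytes returned to an anonymous (no cookie, no auth) request.

    silent  -> peer closed the connection without sending anything
               (what {.disconnect.} in [overload] or a zero-response hfs.exe gives)
    empty   -> HTTP response with an empty body (a 'least verbose' template)
    verbose -> a body came back, enough to confirm a web server is listening
    """
    if not raw:
        return "silent"
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        # Not even a complete HTTP header block: still a fingerprintable banner.
        return "verbose"
    if body.strip() == b"":
        return "empty"
    return "verbose"


def fingerprinted(raw: Optional[bytes]) -> bool:
    """True if the reply names HFS (see the FINGERPRINT_MARKER assumption)."""
    return bool(raw) and FINGERPRINT_MARKER in raw


def probe(host: str, port: int, path: str, timeout: float = 3.0) -> Optional[bytes]:
    """Send a minimal anonymous HTTP/1.0 GET and return whatever the server sends
    before closing. Returns None if the peer closed without sending a byte."""
    request = (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # a hang counts as 'whatever arrived so far'
        except ConnectionResetError:
            pass  # an RST after {.disconnect.} is still a closed connection
    raw = b"".join(chunks)
    return raw or None


def leaks(results: Dict[str, Optional[bytes]]) -> List[str]:
    """Paths whose anonymous reply is anything other than 'silent'."""
    return [path for path, raw in results.items() if classify(raw) != "silent"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    results = {p: probe(host, port, p) for p in PROBE_PATHS}
    for p, raw in results.items():
        print(f"{p:24} {classify(raw):8} fingerprinted={fingerprinted(raw)}")
    print("leaking paths:", leaks(results) or "none")
```

Run it as `python probe.py <host> <port>` against your own server, with no HFS cookie or credentials, from a machine that is not already logged in. With the three-macro filter from the post, /, /file and /File should come back "silent", and the nonexistent folder shows what a stranger sees for everything else; with the single `{.if|!%user%|{:{.disconnect.}:}.}` filter, all four should be "silent".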