重新验证 IP 地址 [英] Recaptcha IP addresses

问题描述

好的，所以我们在生产中实施了 Recaptcha.我们收到错误，因为它无法访问使用服务所需的 IP 地址.我们为 IP 地址打开一个端口以访问 Google.没问题.我们这样做并明确配置该 IP 地址以使其正常工作.它工作得很好.然后，第二天，我们又开始收到错误消息，因为 Recaptcha 使用了不同的 IP 地址.我也可以允许来自该 IP 地址的请求，但现在我很不安.这些地址来自哪里?我如何配置它才能可靠地工作?

Okay, so we implement Recaptcha in production. We get errors because it can't reach the IP address it needs to use the service. We open a port for the IP address to reach Google. No problem. We do that and configure that IP address explicitly to work. It works great. Then, the next day, we start getting errors again because Recaptcha is using a different IP address. I can allow requests from that IP address, too, but now I'm unsettled. Where are these addresses coming from? How do I configure this to work reliably?

推荐答案

Recatpcha from Google 可以使用任何 Google IP 地址，而且有很多.

Recatpcha from Google can use any Google IP address and there are lots of them.

从 Windows 运行:

Ran this from Windows:

_netblocks.google.com 文本 =nslookup -type=TXT _netblocks.google.com"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/18 ip4:209.85.128.0/10.16.16/16.04/160.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 全部"

_netblocks.google.com text = nslookup -type=TXT _netblocks.google.com "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"

这就是 Google 当前使用的所有网络.这些可能会发生变化，因此请经常检查.

That's all the network Google uses currently. These can change so check them often.

Google 建议允许所有 IP 出站使用端口 80，这非常不安全.他们建议通过代理服务器，但如果您的 Web 服务器是 DMZ，这也是非常不安全的.代理感知木马确实存在.所需要做的就是利用漏洞执行任意代码，您可以通过代理服务器在端口 80 上创建反向连接以下载有效负载.然后提升权限并拥有盒子就很简单了.我的意思不只是 Windows 服务器，还有 Linux.我已经在实验室环境中完成了安全性.这真的很容易做到.

Google suggest allowing port 80 to all IPs outbound, this highly insecure. They recommend going through a proxy server but again that is highly insecure if your web server is an DMZ. Proxy aware trojans do exist. All that need to be done is exploit a vulnerability to execute arbitrary code and you can create reverse connection on port 80 through a proxy server to download the payload. Then it is trivial to escalate privileges and own the box. I don't mean just Windows servers but Linux as well. I've done it in lab environment on security was on. It's really easy to do.

这是我从 Google 网站获得的:

This is the Google website I got this from:

http://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha

这篇关于重新验证 IP 地址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！