#1
Member
Posts: 12
Karma: 10
Join Date: Apr 2018
Device: nook 3
Calibre Content Server Security?
Howdy folks. I'm getting a lot of bad actors accessing my calibre content server via Telnet. I shut off all incoming IPs from China via the Windows 10 firewall, which cut out about 85% of the problem, but I am still getting regular (up to 20 a day) hits from US IPs and a few other countries. I think some of these jackwagons are trying to use the calibre server as a proxy to hide their activity, with an access log entry as follows:
61.82.154.150 port-10168 - 20/Apr/2018:01:05:43 -0400 "GET http://m.search.yahoo.com/ HTTP/1.1" 200 1612563
I already use the username and password protections on the calibre content server, but it doesn't appear to be doing anything to stop the telnet sessions like the one above. Anyone have any suggestions on how to keep these bad actors out?
#2
creator of calibre
Posts: 45,351
Karma: 27182818
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
There is no security implication to that. If you try it yourself, you will see that all it returns is the root server page, which is public anyway. It does not actually proxy out. The only issue is perhaps that it wastes your server's bandwidth. I suppose I could add some code to the server to reject GET requests that don't start with /
#3
creator of calibre
Posts: 45,351
Karma: 27182818
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
I looked up the spec and apparently absolute URIs in request lines are perfectly valid, so I cannot change the server to reject them. But, as I said, there is no security implication from the server's point of view:
GET http://whatever.com/some/path is exactly the same as GET /some/path
This is so because the server has no way to know its own domain name, if any, so it cannot tell if whatever.com is actually a valid host name for itself.
#4
Member
Posts: 12
Karma: 10
Join Date: Apr 2018
Device: nook 3
Thanks for the quick reply. While I have your expertise, can you decipher what these unwanted folks may be trying to do in the following access log lines:
31.184.193.154 port-62586 - 20/Apr/2018:07:29:19 -0400 "GET / HTTP/1.0" 200 1612538
192.251.231.111 port-65535 - 20/Apr/2018:07:35:53 -0400 "POST / HTTP/1.0" 405 132
89.248.174.164 port-2505 - 20/Apr/2018:11:53:40 -0400 " /*à Cookie: mstshash=Administr" 400 148
189.63.253.55 port-48408 - 20/Apr/2018:13:49:59 -0400 "GET /cgi/common.cgi HTTP/1.1" 404 123
189.63.253.55 port-48423 - 20/Apr/2018:13:50:02 -0400 "GET /stssys.htm HTTP/1.1" 404 123
189.63.253.55 port-48433 - 20/Apr/2018:13:50:05 -0400 "GET / HTTP/1.1" 200 1612563
189.63.253.55 port-48451 - 20/Apr/2018:13:50:08 -0400 "POST /command.php HTTP/1.1" 404 123
I think the "400" series reply (i.e. 400, 404, 405) from the Calibre server at the end of these commands means the server returned a negative response to the request - is that correct? Also, do you think if I changed the 8080 Calibre server port to something else (say port 1714 or something similar) it would knock out some of this unwanted traffic?
PS... Thanks for all you have done and continue to do regarding Calibre. Absolutely the best e-book library/cataloging software in the world!
Last edited by Chilipops; 04-20-2018 at 03:41 PM.
#5
creator of calibre
Posts: 45,351
Karma: 27182818
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
They are scanning for vulnerabilities found in common HTTP servers. You can change the port if you like; it might cut down some traffic. Although unless your server is extremely bandwidth constrained, I wouldn't worry about it. This kind of scanning does not typically generate a lot of traffic, because it is symmetric, in that the attacker has to use as much bandwidth as the responder, so attackers don't have a lot of incentive to generate a large number of requests.
And yes, an HTTP code other than 200 means the server replied with some kind of error message. You can see what they mean by looking up the list of HTTP codes on Wikipedia.
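The two points made in posts #3 and #5, that an absolute-form request target is served exactly like its path-only form and that any status other than 200 is the server refusing the request, can be checked against the access log itself. The following is an added example written for this thread; it is not calibre code and not something either poster provided. It assumes the log line layout seen in the quoted entries (client IP, "port-N", "-", timestamp with offset, quoted request line, status, byte count); the regular expressions, the function names and the sample log (the lines quoted above, embedded as a constructed string) are this example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the access-log lines quoted in this thread, plus the
# absolute-URI request from the first post. The fourth line is the non-HTTP
# request that the server answered with 400 (the page shows the byte as "à").
SAMPLE_LOG = (
    '61.82.154.150 port-10168 - 20/Apr/2018:01:05:43 -0400 "GET http://m.search.yahoo.com/ HTTP/1.1" 200 1612563\n'
    '31.184.193.154 port-62586 - 20/Apr/2018:07:29:19 -0400 "GET / HTTP/1.0" 200 1612538\n'
    '192.251.231.111 port-65535 - 20/Apr/2018:07:35:53 -0400 "POST / HTTP/1.0" 405 132\n'
    '89.248.174.164 port-2505 - 20/Apr/2018:11:53:40 -0400 " /*\xe0 Cookie: mstshash=Administr" 400 148\n'
    '189.63.253.55 port-48408 - 20/Apr/2018:13:49:59 -0400 "GET /cgi/common.cgi HTTP/1.1" 404 123\n'
    '189.63.253.55 port-48423 - 20/Apr/2018:13:50:02 -0400 "GET /stssys.htm HTTP/1.1" 404 123\n'
    '189.63.253.55 port-48433 - 20/Apr/2018:13:50:05 -0400 "GET / HTTP/1.1" 200 1612563\n'
    '189.63.253.55 port-48451 - 20/Apr/2018:13:50:08 -0400 "POST /command.php HTTP/1.1" 404 123\n'
)

# Layout assumed from the quoted lines (not an official calibre log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) port-(?P<port>\d+) - (?P<ts>\S+ [+-]\d{4}) '
    r'"(?P<req>.*)" (?P<status>\d{3}) (?P<size>\d+)$'
)
# A well-formed HTTP/1.x request line: METHOD SP target SP HTTP/x.y
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$')


def normalize_target(target: str) -> str:
    """Reduce an absolute-form request target to its origin-form path.

    "GET http://whatever.com/some/path" is handled as "GET /some/path": the
    scheme and host are discarded, which is why such requests fetch the
    server's own page rather than proxying to the named host.
    """
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    return target


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = int(entry["size"])
    r = REQ_RE.match(entry["req"])
    if r:
        entry["method"] = r["method"]
        entry["target"] = normalize_target(r["target"])
        entry["malformed"] = False
    else:
        # Not an HTTP request line at all; the server rejected it with 400.
        entry["method"] = None
        entry["target"] = None
        entry["malformed"] = True
    return entry


def summarize(log_text: str) -> dict:
    """Per-client counts: requests, error responses (status >= 400),
    non-HTTP request lines, and the distinct paths that were tried."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "malformed": 0, "targets": []})
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        s = stats[e["ip"]]
        s["requests"] += 1
        if e["status"] >= 400:
            s["errors"] += 1
        if e["malformed"]:
            s["malformed"] += 1
        elif e["target"] not in s["targets"]:
            s["targets"].append(e["target"])
    return dict(stats)


def probable_scanners(stats: dict) -> list:
    """Clients that drew any error response or sent a non-HTTP request line;
    these are the candidates for a firewall block rule."""
    return sorted(ip for ip, s in stats.items() if s["errors"] or s["malformed"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in probable_scanners(summary):
        s = summary[ip]
        print(f"{ip}: {s['requests']} requests, {s['errors']} errors, "
              f"{s['malformed']} malformed, tried {s['targets']}")
```

Run against the sample, the yahoo.com request normalizes to "/", so it is indistinguishable from the plain "GET /" hits and is correctly left off the scanner list, while the client probing /cgi/common.cgi, /stssys.htm and /command.php is flagged by its three 404s. Pointing the same parser at the real log (for example by reading the file instead of SAMPLE_LOG) gives a concrete list to feed into the Windows firewall rules mentioned in the first post.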
#6
Member
Posts: 12
Karma: 10
Join Date: Apr 2018
Device: nook 3
Just as a follow-up to this thread for those that are interested. I went ahead and changed the default Calibre content server port from 8080 to a rather non-standard port number. After running 24 hours on the new port number, I have not had a single hit from these nefarious actors (I was getting several an hour prior to the change). Hopefully this will keep these annoying hackers away from the content server for a while.