Saturday, January 8, 2011
FA Technical Exposé
2011-01-13: Updated, based mostly on information provided by net-cat.
Here's a quick technical summary of FA's network layout, along with some reasons why I think it's fucked. Unqualified hostnames should be assumed to be under .furaffinity.net. Some of this information was derived from the WikiFur page, the rest of it is educated guesses from NMAP results.
Observations: It's really bad practice to expose half of these things to the world. There are very few situations where the RPC portmapper, NFS daemon, SQL server, or SNMP agent need to be open from some guy's home DSL line, let alone the whole world. And Webmin/Usermin should never be exposed to anyone who hasn't already authenticated. Those things have a long history of being insecure.
A lot of these seem like they could be consolidated. I don't see why FA:U, the Wiki, their ad server, an IRC server, and the URL shortener each need an individual IP address — even SSL doesn't strictly require this any more. Not that they're serving SSL anyway...
WikiFur says that Trogdor is their "primary data server", Novastorm is their "primary database server", and "Neo Bahamut" is their "primary backup server". Leaving aside the fact that a "primary backup server" is somewhat of a contradiction in terms, they shouldn't be calling their only data/database server the "primary". Over in the real world, that's termed "standalone".
The /admin results on the IRC server state that they're run by "Dax", who is apparently a donator. Dax's email address is dax@furaffinity.net. People who volunteer for administrative positions, on the other hand, are using their Hotmail/Gmail/ISP accounts.
*.facdn.net always resolves to 70.33.186.221. I've said before that FA doesn't have a content distribution network, so much as a content distribution node.
They own their own router, in addition to their hosting provider's boxes. Dragoneer claims that it's for "Internally managed VLANs, packet smoothing, custom ACLs and port control for third party servers". They are doing EXACTLY none of this:
- Internal VLANs would keep their RAC/ILO from hanging out in public.
- Packet smoothing is a buzzword that seems relegated to the IPTV industry. If he meant packet shaping, I could see that as being relevant and useful, but it would be putting the cart before the horse.
- If they had any ACLs at all on their network equipment, this writeup would be about 1/10th the length...
- Port control. Third party servers. Again, cart before the horse.
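The exposure argument above (portmapper, NFS, SQL, SNMP and Webmin/Usermin facing the world, and the missing ACLs in the list) reduces to one check an operator can run against scan output of the hosts they administer. The following is an added example, not code from the original post or anything FA runs: it parses nmap's grepable (`-oG`) output, lists open ports that a policy table says belong behind a management VLAN or VPN, and subtracts an allowlist of exposures someone has actually signed off on. The port policy, the hostnames and the scan text are constructed for the example (RFC 5737 documentation addresses), and nothing in it performs a scan.

```python
"""Exposure audit over nmap grepable (-oG) output.

Added example, not code from the original post. It reads scan output for hosts
you administer and flags services that should never be reachable from the whole
Internet; nothing here performs a scan. The sample input below is constructed
with RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict

# Services the post singles out as having no business facing the Internet:
# reachable only from a management VLAN, VPN or jump host, never from 0.0.0.0/0.
# Keys are IANA default ports; values are (policy name, finding text).
RESTRICTED_PORTS = {
    23:    ("telnet",        "cleartext device management"),
    111:   ("rpcbind",       "RPC portmapper advertises internal RPC services"),
    161:   ("snmp",          "SNMP agent, frequently left on default communities"),
    2049:  ("nfs",           "NFS exports reachable from the Internet"),
    3306:  ("mysql",         "database port should sit behind the application tier"),
    4786:  ("smart-install", "Cisco Smart Install has no authentication"),
    5900:  ("vnc",           "remote console on the public side"),
    10000: ("webmin",        "Webmin reachable before any authentication"),
    20000: ("usermin",       "Usermin reachable before any authentication"),
}

# One -oG port entry: port/state/proto/owner/service/rpcinfo/version/
# (nmap rewrites any "/" inside a field as "|", so fields never contain "/").
_PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
_HOST_RE = re.compile(r"^Host:\s+(\S+)")

def parse_grepable(text):
    """Map each IP to a list of (port, state, proto, service, version) tuples."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("\t")              # -oG separates sections with tabs
        m = _HOST_RE.match(fields[0])
        ports = [f for f in fields[1:] if f.startswith("Ports:")]
        if not m or not ports:
            continue                           # comment lines, "Status: Up" lines
        ip = m.group(1)
        for port, state, proto, _owner, service, _rpc, version in _PORT_RE.findall(ports[0]):
            hosts[ip].append((int(port), state, proto, service, version))
    return dict(hosts)

def audit_exposure(hosts, allowlist=None):
    """Return sorted (ip, port, policy_name, reason) for open restricted ports.

    allowlist maps ip -> set of ports whose exposure is known and accepted,
    so the report only shows what nobody has signed off on.
    """
    allowlist = allowlist or {}
    findings = []
    for ip, entries in hosts.items():
        for port, state, _proto, _service, _version in entries:
            if state != "open":                # ignore closed and filtered ports
                continue
            if port in RESTRICTED_PORTS and port not in allowlist.get(ip, set()):
                name, reason = RESTRICTED_PORTS[port]
                findings.append((ip, port, name, reason))
    return sorted(findings)

def format_report(findings):
    """Render findings one per line, for a ticket or the console."""
    return [f"{ip}:{port} {name} - {reason}" for ip, port, name, reason in findings]

# Constructed sample in nmap -oG format (documentation addresses, not real hosts).
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample) as: nmap -sV -sU -oG - 192.0.2.0/28\n"
    "Host: 192.0.2.10 (web.example.net)\tStatus: Up\n"
    "Host: 192.0.2.10 (web.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 5.1p1/, "
    "80/open/tcp//http//Apache httpd/, 443/open/tcp//http//Apache httpd/, "
    "161/open/udp//snmp///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 (mail.example.net)\tPorts: 22/open/tcp//ssh///, "
    "25/open/tcp//smtp//Postfix smtpd/, 3306/open/tcp//mysql//MySQL 5.0.51a/, "
    "10000/open/tcp//http//MiniServ 1.500 (Webmin httpd)/, "
    "20000/open/tcp//http//MiniServ 1.430 (Usermin httpd)/\tIgnored State: closed (995)\n"
    "Host: 192.0.2.12 (storage.example.net)\tPorts: 111/open/tcp//rpcbind///, "
    "2049/open/tcp//nfs///, 5900/filtered/tcp//vnc///\tIgnored State: closed (997)\n"
)

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    for line in format_report(audit_exposure(scan, allowlist={"192.0.2.11": {3306}})):
        print(line)
```

Feed it the output of `nmap -sV -oG scan.txt` run against your own address ranges and diff the report between runs: a new line is either an undocumented change or an ACL that quietly went missing, and the allowlist is where the accepted exceptions get written down instead of living in someone's head.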
As I mentioned in the thread, they have two virtual machines (on the same physical host) running DNS, but those boxes aren't actually pointed to by the real DNS.
IP | Names, both official and DNS | Exposed services | Observed purpose |
---|---|---|---|
66.231.180.81 | — | — | Switch1 |
66.231.180.82 | cr1.iad2.inforelay.net | — | Router1 |
66.231.180.83 | — | — | Switch1 |
66.231.180.84, 70.33.186.193 | routezilla | SSH, Telnet, HTTP, HTTPS | Router2 |
66.231.180.85, 70.33.186.206 | switchthulu | SSH, Telnet, HTTP, HTTPS, TCP 4786 | Switch |
66.231.180.86 | — | SSH, HTTP, HTTPS, VNC | Dell Remote Administration Console |
66.231.180.87 | — | SSH, HTTP, HTTPS, Unknown TCP 8890, 9000 | Sun embedded Lights Out Manager |
70.33.186.194 | localhost.localdomain | SSH, CentOS HTTP, HTTPS | Bandwidth graphing server ("Cacti") |
70.33.186.196 | Trogdor, www | FTP, FreeBSD SSH, HTTP, SNMP-MUX, HTTPS | Web server |
70.33.186.200 | Bahamut | Debian 5.0 SSH | Officially, "Primary backup server". Appears to do |
70.33.186.202 | Novastorm | FreeBSD SSH | "Primary database server" |
70.33.186.204 | Figment | SSH | WikiFur claims it is "an application server". Net-cat informed me that this is their VM host. IPs .210 through .220 are all virtualized on this. |
70.33.186.210 | mail, mail-beta, irc3 | Debian SSH, Postfix SMTP (25, 465, 567), BIND DNS, Dovecot IMAP, POP, Roundcube Webmail, Unreal IRCD (6667, 6697, 8067, 12227), Webmin, Usermin, unknown on TCP 10010 | Sure seems to host mail! No HTTPS, but thank god the IRCD and webmin/usermin servers speak SSL! |
70.33.186.211 | — | SSH, CentOS Apache | ??? (only serves CentOS test page) |
70.33.186.212 | pss.ms | Debian SSH, HTTP | "A URL-shortening service for furries." |
70.33.186.213 | irc1 | Debian SSH, IRC (6667, 6697, 8067, 12227), Webmin | The head node for a network consisting of 3 servers, 9 users, 6 of whom are operators. |
70.33.186.214 | tf2 | SSH, HTTP, 27015, 27016, 27018, 27019 | vidy'a games! |
70.33.186.215 | ox | SSH, HTTP, HTTPS | "OpenX Ad Server" |
70.33.186.216 | — | SSH, BIND DNS, HTTP (80, 8080), MySQL | "ASKCOW - project management tool" |
70.33.186.217 | — | SSH, identd | ??? |
70.33.186.218 | faunited.org | SSH, HTTP, MySQL | FA:United has its own IP, and shows off its database port! |
70.33.186.219 | wiki.furaffinity.net | SSH, HTTP | The wiki burns a public IP address too! |
70.33.186.220 | ferrox | SSH, HTTP | "403 Forbidden" |
70.33.186.221 | Trogdor's secondary IP, a.furaffinity.net, d.furaffinity.net, *.facdn.net | SSH, HTTP, SNMP-MUX | "CDN" |
70.33.186.222 | Sirkain, sparkz, www.sirkain.net | SSH, Oracle Virtual Service Agent (8002), Paster WSGI Server (8081), Unknowns on 6900, 6901, 8006 | Virtualization; the Paster returns "Welcome to ConVirt 2.0". Not FA's box, but it's sitting in their rack. |
208.115.128.10 | irc2, kevindproductions.com, mail.kevindproductions.com, default-208-115-128-10.nsihosting.net | FTP, Debian SSH, Postfix SMTP, HTTP, Various Sun RPC services, "3Ware 3DM2 Serial RAID" (888), Dovecot POP, IMAP, and SSL variants, MySQL, IceCast (8000, 8001), Webmin, usermin, 27041, 27042 | IRC, storage administration, and video games. Wow. Not FA's box, but is in some kind of trust relationship with the IRC servers. |
Hostnames listed in italic are what the machine seems to think its own name is, when I could figure that out (like when a Cisco device signs its own certificates). Reverse DNS entries, when they exist, are in bold. Any other names came from service banners or SSL CommonNames for the certs that are signed by known authorities.
If you're the kind of kid who likes saying "Too long, didn't read", allow me to give you an executive summary: Out of all of these boxes, the only ones that do anything directly related to the site's stated purpose of serving furry artporn are likely to be arranged somewhat like this: