1. Change Your IP Address
Attackers often dig around for a historical record of your origin server IP address, which is likely to exist on one of the many websites that harvest and store domain information and IP history.
In order to make this information irrelevant, we strongly suggest that you relocate your origin to a new IP right after you finish the onboarding process*. That will render any archived IP records obsolete, as new searches will only display Incapsula's IP address. Note that this doesn’t mean that you have to change hosting providers, as you are very likely to have an option to relocate to a different IP address on the same hosting service.
*Please note that Incapsula will not automatically detect your new IP address; you'll need to go to Settings -> Origin Servers -> Server IPs and update it to the new origin server IP address.
2. Set IP Restriction Rules
When using Incapsula as a proxy for all incoming HTTP/HTTPs traffic, there should be absolutely no reason to accept traffic from anywhere but our network. Therefore we strongly suggest setting IP restriction rules - using your firewall or iptables - that will block all traffic from non-Incapsula IP addresses.
These restriction rules will block attempts to circumvent the Incapsula WAF. On top of that, with IP restrictions in place, your origin will also be immune to scanners that may try looking for IP data in SSL certificates stored on your server.
For a full list of Incapsula IP addresses and directions for setting IP restriction rules, please visit here.
3. Avoid Generic Subdomain Names
Subdomains not protected by Incapsula reveal your true origin server IP address and are therefore a target for scanners. Knowing that, if you are using a subdomain to establish FTP connections with your origin server, you should avoid the obvious choice of ftp.mydomain.com; instead, go with something more secure and unique like 4exampleftp.mydomain.com.
4. Don’t Leave a Trace in DNS Records
Onboarding cloud-based security services requires you to change your A and CNAME records, but not your MX record or any other record that you have set to point to your main server. Any of these can be resolved to uncover origin IPs. Our suggestion is to review your DNS records and remove the ones that are not in use.
You might also consider migrating some of your services; In the case of the MX records, for example, if origin exposure is your main concern then the secure thing to do is to migrate your email service to a different server.
5. Lock Down Sensitive Data
Various systems and server logs (phpinfo, for example) might be publicly accessible and used to expose sensitive information, including your origin IP. It should go without saying that files like these should never be made public and not only for concerns of direct-to-origin attacks.
6. Disable Visitor-Triggered Outbound Connections
If your site is running on WordPress using XMLRPC, your origin IP might be exposed by a third party using a pingback request. We recommend disabling pingback – either using server configuration or WAF rules - unless you’re absolutely depending on its functionality.
This can also occur as a result of using a referrer validation mechanisms, which inspect the URLs used in the request’s referrer header. If your web application relies on referrer validations, we strongly suggest having them run on a different server.