PaulDotCom mailing list archives

Re: Not scanning production


From: Nick Drage <nickd () funkyjesus org>
Date: Wed, 31 Oct 2012 21:02:48 +0000

On Wed, Oct 31, 2012 at 11:20:18AM -0600, Jason Wood wrote:
> To keep it simple, I'd add an entry in my hosts file for the prod site
> and point it to the dev server IP.

Seconded, not only is a mass search and replace on a site time
intensive, but you might just change something you shouldn't.

Bear in mind not all software will refer to the hosts file (depending
on what platform you're on, the software in question, the phase of the
moon, and so forth) so you might want to run a local DNS server
instead, set it up so it thinks it's authoritative for the domain in
question.

> To be really certain scanning traffic never hits the prod site, you
> could add a static route for the IP of the prod site to an invalid
> gateway so that traffic to the site can't leave your network.
>
> For example:
> Prod site IP - 10.10.10.3
> Default Gateway IP - 192.168.1.1
>
> route add -host 10.10.10.3/32 gw 192.168.1.<unassigned IP> dev eth0

Agreed, although in my experience specifically blocking the IP to be
avoided using IPTables is better, and then watching the logs - that way
you'll spot any weirdness rather than just having the packets hit the
floor.

If you're going to route traffic to the prod IP then it's best to "null
route" it (http://en.wikipedia.org/wiki/Null_route), otherwise your
testing box will suffer a minor performance hit as the OS arps for a box
that isn't there when it tries to contact the genuine prod IP.

-- 
"The song is characterized by its strongly addictive beats and lyrics,
 and is thus certain to penetrate the foundations of modern philosophy."
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
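The "block it with iptables and watch the logs, and null-route rather than point at a dead gateway" approach from the reply above, written out as a small guard script. This is an added example, not code from the thread: the production IP 10.10.10.3 is taken from the quoted message, while the dev IP 10.10.10.4, the hostname www.example.com and the "PRODGUARD:" log prefix are assumed. It assumes a Linux scanning box with iptables, iproute2 and glibc's getent; the pre-flight check deliberately asks the system resolver what the site name maps to, because a hosts-file override only helps if the scanner actually honours it.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Fence off the production
# IP on the scanning box and confirm the scan target no longer resolves to it.
PROD_IP="${PROD_IP:-10.10.10.3}"      # production host to protect (from the thread)
DEV_IP="${DEV_IP:-10.10.10.4}"        # dev host the scan should hit (assumed)
SITE="${SITE:-www.example.com}"       # hostname the scanner is pointed at (assumed)

# Emit the iptables and routing commands that isolate one IP. The LOG rule goes
# first so every attempt shows up in the kernel log; DROP follows so nothing
# leaves; the blackhole route means the OS never ARPs for a bogus gateway.
guard_commands() {
    prod="$1"
    cat <<EOF
iptables -I OUTPUT 1 -d ${prod}/32 -j LOG --log-prefix "PRODGUARD: " --log-level 4
iptables -I OUTPUT 2 -d ${prod}/32 -j DROP
ip route add blackhole ${prod}/32
EOF
}

# Enforce only when explicitly asked and running as root; otherwise dry-run.
apply_guard() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        guard_commands "$1" | sh -e
    else
        echo "# dry run (set APPLY=1 and run as root to enforce):"
        guard_commands "$1"
    fi
}

# Resolve a name through NSS (hosts file, then DNS, per nsswitch.conf) and
# print the IPv4 addresses, one per line. Tools with their own resolver
# (as the reply warns) may answer differently; that is exactly why we check.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# Return 0 if the address list is non-empty and contains no production IP,
# 1 otherwise. Kept separate from resolution so it can be tested offline.
check_addrs() {
    addrs="$1"; prod="$2"
    [ -n "$addrs" ] || { echo "no address resolved; refusing to scan" >&2; return 1; }
    for a in $addrs; do
        [ "$a" != "$prod" ] || { echo "$a is the PRODUCTION IP; fix hosts/DNS first" >&2; return 1; }
    done
    echo "resolved to: $(echo $addrs)"
    return 0
}

main() {
    apply_guard "$PROD_IP"
    check_addrs "$(resolve_ipv4 "$SITE")" "$PROD_IP"
}

if main; then
    echo "pre-flight OK: $SITE does not resolve to $PROD_IP (expected dev: $DEV_IP)"
else
    echo "pre-flight FAILED: do not start the scan" >&2
fi
```

Run it once as a dry run to eyeball the rules, then `APPLY=1` as root before starting the scanner; afterwards `grep PRODGUARD /var/log/kern.log` (or `journalctl -k`) shows anything that tried to reach production despite the hosts/DNS override, which is the "weirdness" the reply says you want to see rather than silently lose.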