
Information on this thread:
Forum:
WinDev Forum
Posts in this thread:
8
First post:
1 year, 5 months ago
Last post:
1 year, 5 months ago
Participating authors:
KenKnight, Piet van Zanten, ccc2, GuenterP, Michael Drechsel, iso

Opening a Port

Original post by iso on 02.06.2016 07:03

Hello,

Probably more of an IT question, but I thought I would get your take on it.

I get asked all the time by clients what are the dangers of opening a port to allow external access to the HyperFileSQL Server.

Is it safe? Anything I should be doing to increase security if I do this?

Thanks

ISO

Replies:

Hi Iso,

The risk of opening a port depends on the safety of the listening program.
I'm assuming that the fact that HFSQL is not as commonly used as other database systems makes it less interesting to hackers to find a hack, but it's not impossible.
Read this Help section about security
Can anyone give some tips to properly minimize the rights of the HFSQL service in IIS, so that in case of a hack the damage can be limited?

Best regards,
Piet

by Piet van Zanten - on 02.06.2016 11:08
Hi Piet,

> Can anyone give some tips to properly minimize the rights of the HFSQL service in IIS, so that in case of a hack the damage can be limited?

HFSQL is pure TCP and has nothing to do with IIS, or do you mean the webservice?

by Michael Drechsel - on 02.06.2016 12:29
Hi all,

Here's my personal opinion:

First, if you only have known external IPs needing to connect to your HFSQL server, then by all means, lock it down through firewall rules that only allow those IPs to see it.

If, however, you need any random IP to connect then you have a couple of options ranking from simple to difficult:
1) Just open it up and let anybody connect. If you do this, make sure and use strong passwords.

2) Force VPN connections either through hardware or software.

3) Use something like a BitVise SSH server and client to create an SSH tunnel into your network at which point your HFSQL is secure in much the same way as a VPN.

I personally just make sure strong passwords are used, along with ensuring users are assigned an appropriate level and not granted rights to everything.

Also, Piet, you mention "HFSQL in IIS". In this case, if the only thing that is connecting to your HFSQL is apps written with WebDev AND those apps are running on a server that is on the same network as your HFSQL server, then you really don't need to open up any external ports for that, since all the HFSQL connectivity is happening on the server side.

Best regards,
Ken

by KenKnight - on 02.06.2016 12:49
Hi guys,

I mistakenly mentioned IIS where I meant Windows Server 2008.
If an attacker succeeds in using e.g. a stack buffer overflow exploit on port 4900 he will have the rights of the HFSQL service.
I'm not saying that HFSQL is vulnerable for that, but we don't know for sure, do we?
So if a hack occurs it's best to minimize the rights of the HFSQL service, because the hacker will have those rights then.
Hence my question on how to limit these rights safely without crippling HFSQL.
Ken, I use an external connection for myself to the server for maintenance only, limited to my own IP on port 4900.

Best regards,
Piet

by Piet van Zanten - on 02.06.2016 16:52
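Piet's question above is how to reduce what an attacker would inherit if the listening process were compromised. The usual answer on Windows Server is to run the service under a dedicated local account with rights only on its own data directory, instead of LocalSystem. The following PowerShell is an added example written for this thread, not code from PC Soft or from any poster; the HFSQL service name and data directory are placeholders because the thread does not name them, and it assumes the built-in `sc.exe` and `icacls` tools plus the `Win32_Service` WMI class, all of which exist on Windows Server 2008.

```powershell
# Added example, not from the thread. Placeholders: the real HFSQL service
# name and data directory are not given on the page; look the service up with
#   Get-Service | Where-Object { $_.DisplayName -like '*HFSQL*' }
$ServiceName = 'HFSQL_SERVICE_NAME_PLACEHOLDER'
$DataDir     = 'D:\HFSQL_DATA_DIR_PLACEHOLDER'
$LocalUser   = 'svc_hfsql'            # dedicated, non-admin local account (assumed name)

function Get-ServiceLogonAccount {
    param([string]$Name)
    # StartName is the identity the process runs as; 'LocalSystem' means an
    # exploit of the listener would inherit full control of the machine.
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if ($svc -eq $null) { throw "Service '$Name' not found" }
    return $svc.StartName
}

function Set-ServiceLeastPrivilege {
    param([string]$Name, [string]$User, [string]$Password, [string]$Dir)
    # 1. Create the account if needed. It is a plain user: no Administrators
    #    membership. It still needs the "Log on as a service" user right,
    #    which sc.exe does not grant; assign it once in Local Security Policy.
    if (-not (net user $User 2>$null)) {
        net user $User $Password /add /passwordchg:no /expires:never | Out-Null
    }
    # 2. Point the service at that account. sc.exe needs the space after
    #    'obj=' and 'password='; a local account is written as .\name.
    & sc.exe config "$Name" obj= ".\$User" password= "$Password" | Out-Null
    # 3. Grant Modify (not Full Control) on the data directory only, inherited
    #    by sub-folders (CI) and files (OI). Nothing else on the disk is touched.
    & icacls "$Dir" /grant "${User}:(OI)(CI)M" | Out-Null
    # 4. Restart so the process picks up the new identity.
    Restart-Service -Name $Name
}

# Report before and after; verify the server still serves its databases
# afterwards before relying on the change in production.
"Before: " + (Get-ServiceLogonAccount -Name $ServiceName)
Set-ServiceLeastPrivilege -Name $ServiceName -User $LocalUser `
    -Password 'PLACEHOLDER_STRONG_PASSWORD' -Dir $DataDir
"After:  " + (Get-ServiceLogonAccount -Name $ServiceName)
```

If the service fails to start after the change, the usual causes are the missing "Log on as a service" right or a log, temp or configuration directory outside `$DataDir` that the account cannot write; add Modify on that directory rather than widening the account's rights.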
Hi Piet,

Based on your last comments, I would take a 2 pronged approach:

1) IP-based restrictions so that you can access it easily from those IPs you know are static.

2) VPN connection for everything else.

That's about the only true safe way that I know of.

Cheers!
ken

by KenKnight - on 03.06.2016 13:57
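Both of Ken's posts recommend the same first step: let only known static addresses reach the HFSQL port and keep the inbound default at block. The following PowerShell is an added example for this thread, not code from any poster or from PC Soft. It uses `netsh advfirewall`, which is present on Windows Server 2008, takes port 4900 from Piet's post, and uses constructed documentation addresses for the allow list. The audit function assumes English-language `netsh` output; the field labels are localized on other system languages.

```powershell
# Added example, not from the thread. Allow list values are constructed
# samples (RFC 5737 documentation addresses); replace with your real static IPs.
$Port             = 4900
$AllowedRemoteIPs = @('203.0.113.10', '198.51.100.0/24')

function Set-HfsqlPortAllowList {
    param([int]$Port, [string[]]$AllowedRemoteIPs)
    $ruleName = "HFSQL $Port - allow known IPs only"
    # Delete any earlier copy so the script can be re-run safely.
    netsh advfirewall firewall delete rule name="$ruleName" | Out-Null
    $list = $AllowedRemoteIPs -join ','
    # One allow rule scoped to the listed remote addresses. No explicit block
    # rule is added: in Windows Firewall a block rule outranks an allow rule,
    # so a "block everyone" rule on the port would cut off the allowed IPs too.
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
        protocol=TCP localport=$Port remoteip=$list | Out-Null
    # The scoping only matters if unsolicited inbound traffic is blocked by
    # default on every profile.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
}

function Get-WideOpenRulesForPort {
    param([int]$Port)
    # Returns the names of enabled inbound allow rules that expose $Port to
    # any remote address; an earlier "just open it" rule would show up here.
    # Assumes English netsh output (labels such as "Rule Name:", "RemoteIP:").
    $text   = (netsh advfirewall firewall show rule name=all dir=in) -join "`n"
    $blocks = $text -split '(?m)^Rule Name:'
    $findings = @()
    foreach ($b in $blocks) {
        if ($b -match '(?m)^\s*Enabled:\s+Yes' -and
            $b -match '(?m)^\s*Action:\s+Allow' -and
            $b -match '(?m)^\s*RemoteIP:\s+Any' -and
            $b -match "(?m)^\s*LocalPort:\s+(Any|.*\b$Port\b)") {
            # First line of the block is the remainder of the "Rule Name:" line.
            $findings += ($b -split "`n")[0].Trim()
        }
    }
    return $findings
}

Set-HfsqlPortAllowList -Port $Port -AllowedRemoteIPs $AllowedRemoteIPs
$open = Get-WideOpenRulesForPort -Port $Port
if ($open.Count -gt 0) {
    "Rules still exposing port $Port to any address (review and remove):"
    $open
} else {
    "Port $Port is reachable only from: $($AllowedRemoteIPs -join ', ')"
}
```

Run the audit function on its own after any firewall change; a rule with `LocalPort: Any` and `RemoteIP: Any` created by another product quietly undoes the scoping. Addresses that are not static are exactly the case Ken's second point covers, and belong on the VPN rather than in this list.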
Sometimes even just a user ID/password and not using the common port number is enough.

I have a friend who did that for his customer's SQL Server, which is on a dedicated hosting server.

by ccc2 - on 04.06.2016 01:39
Hi,
PC Soft says that a "buffer overflow", one of the most used ways to move alien code into a computer and let it execute afterwards, is impossible with Manta. Obviously they used WINDEV and fixed-length strings to build Manta.

First, this is an unknown environment for hackers, who generally believe that C++ with all of its weaknesses is used, and second, a fixed-length string simply will cut any extraneous characters submitted to it. Of course, one can always add some protective measures to this simple but powerful concept. As they say, only the paranoids survive ... however, we have dozens of servers running with no other security measures than port 49xx plus Manta. We never ever had a problem with that.

Problems concentrate around well-known configurations and server setups. In most cases open ports are there for FTP, e-Mail, http, MySQL, SQL Server - hackers can test a certain setup of these components on their kitchen table and find out how to break into such a configuration. They will not take the effort to set up an HFSQL C/S database while there are millions of standard configurations out there open for an attack. In fact, 99 out of 100 hackers are waiting for the publication of a certain weakness and are searching for not timely updated configurations on the web after that.

If some bad boys really want to get at the data in a certain HFSQL C/S database, the most simple way is "social engineering" to get at user names, passwords, encryption keys. Often, a few simple phone calls are enough to get that. Or they intrude the building at night with the cleaning brigade and look under the blotter on each desk ... somewhere they will find what they need. None of the mentioned measures is able to protect against that. Physical access is another danger for specific data. USB ports are open on most servers ...

by GuenterP - on 04.06.2016 06:24