We have an application (written in PHP) that fetches data from several remote Progress databases.
The way it is working now, we ask our clients to open a port in their firewall to our IP, then we're able to run queries using ODBC connection from the PHP code.
The problem is that the data transferred over the internet is unencrypted.
We thought about two solutions but we've issues with both:
Updating Progress DB to use SSL. Problem: this requires our clients to change the way they connect with other vendors to have them all using the SSL.
Creating a VPN connection between us and the clients. Problem: we have many clients and the IPs/subnets may be overlapping.
What else can we do to have the data transferred to us encrypted?
Thanks.
Create an SSH tunnel between your systems - this'll allow them to work as they were, the comms will be encrypted, as long as the client systems support SSH connections.
https://en.wikipedia.org/wiki/Tunneling_protocol
This document looks fairly complete:
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-tunneling-on-a-vps
You can find a windows version of Open SSH here:
http://www.mls-software.com/opensshd.html
Related
There are the following parameters:
I use the FirebirdSql.Data.FirebirdClient library in asp .net
Now, at the test level, I connect to the remote database using the line:
string workbase = "Server="public ip";Port="port";User=sysdba;Password=masterkey;Database=C:/path/db.FDB";
Further are connection methods, requests, transactions, commits, etc.
string sqlcardpin = $"SELECT.....";
var connection = new FbConnection(workbase);
Question: is it safe? Is traffic encrypted? where can I read about it? How should I connect?
From my modest brain efforts, the following goes: I need to have a service in a local network with a database, to which a secure connection goes, and this service has credentials for connecting to the database and performs operations with it, maybe I'm wrong, please correct me.
If 'public ip' is a publicly routed IP address, and port 3050 is open to the whole world, that is not safe. Don't expose your database server to the world, it will create a very wide attack surface to get at your data.
For example, Firebird 2.5 and earlier have a very weak authentication system (max 8 character passwords), and while Firebird 3 introduces a new, more secure authentication mechanism that allows much longer passwords, for various reasons, a lot of servers are still configured with the weak authentication (also) enabled. Also consider bugs that might allow people to circumvent authentication, or that could allow people to remotely crash your database server, etc.
As to encryption, Firebird 2.5 and earlier have no encryption of the connection. This was introduced in Firebird 3, and only for connections authenticating with the new SRP (Secure Remote Password) authentication mechanism, and only if the WireCrypt setting of the server is Required or Enabled and the client actually requests authentication. For C#, this requires Firebird ADO.net provider version 7.0.0.0 or higher. However, the wire protocol encryption offered in Firebird 3 is the relatively insecure RC4 encryption; Firebird 4 will introduce ChaCha-20 as an alternative wire protocol encryption.
So, your database should be on the same network as your application, preferably on an IP address that is not routable over the internet (ie in one of the private ranges), or at least shielded from the internet by a firewall. If for some reason you need to connect to a remote database over the internet, do not expose the database directly to the internet, but use a VPN solution, or maybe something like an SSH-based tunnel.
And as corradolab points out in their answer, don't use masterkey as a password for SYSDBA. In fact, don't use SYSDBA for your application to connect, but create a specific user and assign it the necessary but minimal rights for it to do its work.
You didn't say if the web server and the database server are on same or different site, but, anyhow,
do not expose a database server to the public Internet.
If web and database server are in different sites, consider using a firewall (on the database) to allow connection only from the web server address or a VPN between the two sites.
If they are in the same site, expose only the web server to the Internet (put it in DMZ) and keep the traffic to and from the database server on the private LAN.
BTW Having Firebird on the Internet using sysdba/masterkey is like going around with "kick me" written on your back. Don't be surprised if it hurts. :)
I'd like to install asterisk on a friend's computer but wish to do so without the computer being permanently bombarded with scammers. Locking down all the ports would be the obvious answer but this would mean that the remote client installed on a Android phone would then no longer work.
I do not want to have to use something like OpenVPN I would rather the remote extension reaches the asterisk box without the need for a VPN. Apopse from anything else not having to use a VPN would mean I could continue to benefit from push notification.
Security iptables particularly using something like m string matching - matching on keywords which may include the name of the client I am currently using on my Android and accepting incoming connections on detection of that word maybe one way of doing things blocking all IP addresses outside of the UK maybe another but of course nothing beats a VPN connection...
For an asterisk installation which will only serve one person, what is the ideal way of securing the installation whilst allowing reliable access from a remote extension which will not have a fixed IP but rather a dynamic one issued by the 3G connection it is running from.
You can do via versa:
1) setup iptables open port to provider
2) allow from other ips REGISTER only when UserAgent match your selected android app.
I'm going to be making a fun Python project for myself. This is non concurrent. Only me will use this. I would have a desktop version of the app, with the DB on it. And then my phone would have an app that accesses the information on the DB over network and display the data I want.
For most of the SQLite checklist, seems like a perfect fit for a single user super small project. Except the network part is confusing. Some say no, or yes it's doable but not great. What's the consensus here? If I want to access my DB from my phone from anywhere, is SQLite capable? What problems could I run into with this...
You would have to host your DB somewhere accessible from the internet. By doing this, you open it up for attacks should someone get your server address. You can secure this by setting up a VPN from your phone to the PC, this would allows you to run the SQL server as just a local instance only accessed if you're on the VPN. SQL Lite should work just fine under a VPN setup since it won't require the server to have an open connection out to the internet.
As for problems. If you are somewhere where you cannot establish the VPN connection (firewall, port blocked, etc) you will be cut off from your server.
I have an ASP.NET web application that has been hosted in IIS local Machine.
My Question is :
Is there any free or paid method that allows browsing this web
application from the internet as Host Server ?
Thanks
The easiest way to to publish it directly onto the internet. You do run the risk of attackers then being able to attach your machine, so you will need to brush up on your security skills. It might be worth looking into one of the free hosting options from AWS, Azure or Google Cloud.
To use your local machine as a web server, first, configure it to use a static IP. Its been a while since I've done it on windows, but this looks about right http://www.howtogeek.com/howto/19249/how-to-assign-a-static-ip-address-in-xp-vista-or-windows-7/.
Next you will need to configure port forwarding on your model. You want to send all traffic on port 80 to your machine, using its new fixed IP address. If your using HTTPS as well, configure port 443 to go to your machine. There are too many different modem brands, all of which handle this slightly differently, to consider offering any more help on this. You will need to do some reading up on your particular modem for step-by-step instructions.
If your internet connection is using a fixed IP, then you can stop here.
If not, or if you just want a domain name, then its worth signing up for a dynamic dns service. I use No-ip, its free, it integrates with my modem and I haven't had any problems with it in the last few years. Once this is in place, you will be able to hit your webserver just like a real one. Using something like "http://mypc.no-ip.biz/mydemoapp/
But again, be warned about exposing your machine on the internet. There are nasty people out there who love to hijack other peoples computers.
Update:
This should give you some guidance on port forwarding
http://www.howtogeek.com/66214/how-to-forward-ports-on-your-router/
Try http://www.noip.com I just logged in and it seemed happy. Otherwise, have a click through all the settings in your modem looking for ddns or dynamic DNS. There is usually a drop down of all the providers that it will talk to. And some providers have apps that you run on your PC , which is easier that working with the modem for some. (Or for models that don't support ddns.)
Currently we have a system in place where multiple server backup to a server in house. There are a total of 11 different servers backing up to this one storage server. Without any change(any that we are aware of) one of the servers stopped being able to connect to the storage server. It's weird too because the one that can't connect is actually our DNS server. It can ping the storage server and nslookup returns the appropriate value. However when I tried to browse to the server in windows explore via network I get the following message:
"Check the spelling of the name. Otherwise, there might be a problem with your network. To try to identify and resolve network problems, click Diagnose." - Error Code: 0x800004005 Unspecified error.
If at all possible I would like the solution to not have to restart the server(obviously that's a big request) but we run 24/7 and can't have the DNS server down for the next few weeks.
Thanks in advance!
I am completely guessing here however lets start with this, does it work if you try and connect to the share using IP?
A few things to consider in the mean time? What O.S is it?
-> Is network discovery off?
-> Have any firewalls been accidentally turned on
-> We had a similar sort of problem when the server lost it's trust relationship with AD (required a reboot I am afraid).
Unfortunately this error can relate to a range of problems including network devices, anti-virus, firewalls, shares, user accounts etc etc.