We have just finished developing a new website for my company using the .NET MVC framework. The sql server supporting our application holds some critical data such as the profiles of other web users and we would like to make sure this data is never leaked due to a reputational risk to the company.
We have a number of ideas on things to do to secure our website but I would like to get the stackoverflow take on them. We will be using SSL for login screens and we prevent against basic attach methods such as sql injection, cross site scripting attacks.
However we are worried about the physical machine being taken over using some exploit. We will be running the webserver (Windows Server 2008 SP2 with IIS7) in a DMZ with only port 80 and 443 open to the internet. Currently the sql server sits on the webserver machine but we are considering if this is a security risk. Would hosting the sql server in a machine in a second DMZ help in security?
We also considered using an Ubuntu box running Apache with mod_proxy in one DMZ that will be "redirecting" the 80 or 443 requests to separate windows machine in a second DMZ that will do the web serving and sql server hosting.
Some other suggestions we are getting is to use a product such as WatchGuard that can apparently filter the http packets for standards compliance thus blocking dodgy packets from reaching the webserver.
What other things should we be looking to secure?
Thanks
Allowing only 80 and 443 is a very good idea. DMZ stands for Demilitarized Zone, this is to define a machine on a NAT that is accessible by all traffic and this should be avoided. Allowing SQL Server and port 445 will get you hacked, after all you are running windows and its only a matter of time before yet another RPC vulnerability comes out.
The most important thing you must do is TEST YOUR SECURITY. Its not enough to say that you are preventing xss and sql injection. All secuirty systems must be proven that they can stop attacks.
How do you test your system? I like Acunetix but it is over priced, however there is a free xss tester. For SQL Injection and other vulnerabilities i recommend using Wapiti which is free. I recommend using OpenVAS which is the new open source version of Nessus which is now a commercial product. OpenVAS will tell you if your server is misconfigured or if you are running old software. You should do a full port scan of the system to test your firewall, this command will work nmap -sT -p 1-65535 domain.com, this can also be done form OpenVas.
After testing your system. Then install a Web Application Firewall, mod_secuirty is a good choice for Apache, you can use a reverse proxy to get mod_security to work with IIS. Aqtronix is an open source WAF built for IIS, but i haven't used it.
1- Critical data must be encrypted in your tables.
2- Take care from all types of SQL Injections.
3- encrypt the connection string in web.config file
Related
I created the 3 necessary containers for NuoDB using the NuoDB instructions.
My Docker environment runs on a virtual Ubuntu Linux environment (VMware).
Afterwards I tried to access the database using a console application (C# .Net Framework 4.8) and the Ado.Net technology. For this I used the Nuget "NuoDb.Data.Client" from Nuget.org.
Unfortunately the connection does not work.
If I choose port 8888, my thread disappears to infinity when I open the connection.
For this reason I tried to open the port 48004 to get to the admin container.
On this way I get an error message.
"System.IO.IOException: A connection attempt failed because the remote peer did not respond properly after a certain period of time, or the established connection was faulty because the connected host did not respond 172.18.0.4:48006, 172.18.0.4"
Interestingly, if I specify a wrong database name, it throws an error:
No suitable transaction engine found for database.
This tells me that it connects to the admin container.
Does anyone have any idea what I am doing wrong?
The connection works when I establish a connection with the tool "dbvisualizer".
This tool accesses the transaction engine directly. For this reason I have opened the port 48006 in the corresponding container.
But even with these settings it does not work with my console application.
Thanks in advance.
Port 8888 is the REST port that you would use from the administration tool such as nuocmd: it allows you to start/stop engines and perform other administrative commands. You would not use this port for SQL clients (as you discovered). The correct port to use for SQL clients is 48004.
Port 48004 allows a SQL client to connect to a "load balancer" facility that will redirect it to one of the running TEs. It's not the case that the SQL traffic is routed through this load balancer: instead, the load balancer replies to the client with the address/port of one of the TEs then the client will disconnect from the load balancer and re-connect directly to the TE at that address/port. For this reason, all the ports that TEs are listening on must also be open to the client, not just 48004.
You did suggest you opened these ports but it's not clear from your post whether you followed all the instructions on the doc page you listed. In particular, were you able to connect to the database using the nuosql command line tool as described here? I strongly recommend that you ensure that simple access like this works correctly, before you attempt to try more sophisticated client access such as using Ado.Net.
I am in the process of evaluating moving a very large Azure Cloud Service (Web Role) microservice architecture to AKS and have been working through the necessary code and build changes to support it.
In order to replicate the production environment locally for the developers, we run nginx on the host with SSL offloading and DNS (hosted in Azure) A records pointing to 127.0.0.1. When running in the Azure Emulator, the net affect is the ability for both the developer to visit the various web front ends in their browser (i.e. https://myapp.mydomain.dev) as well as hit the various API's in the solution (Web API 2) in Postman/cURL, etc.
Additionally due to how the networking of the Azure Emulator works, the apps themselves can resolve each other through nginx on the host (i.e. MVC app at https://myapp.mydomain.dev can obtain a token from the IdP web API at https://identity.mydomain.dev and then use that token at the API at https://api.mydomain.dev). This is the critical piece and the source of my question.
All attempts at getting the containers themselves to resolve each other the same way the host OS can (browser/Postman, SSL offloading via nginx) have failed. Many of the instructions out there are understandably for linux containers but having adapted the various networking docker-compose settings for the windows container equivalent have not yet yielded an success. In order to keep the development environments aligned with the real work systems, which are tenantized and make sure of the default mapping in nginx to catch all incoming traffic and route it to a specific user facing app/container, it is not as simple as determining a "static" method of addressing these on startup and why the effort was put in to produce the development environments we have today.
Right now when one service (container) attempts to communication with another, it ultimately results in a resolution error as all requests resolve to https://127.0.0.1 due to the DNS A records hosted in Azure for the domain. Since this migration will be a longer term project, the environments need to co-exist so changing the way that DNS is resolved (real DNS A records pointing to 127.0.0.1), host running nginx and handling SSL offloading to the various webroles normally running in the Azure Emulator is not an option.
Is there a way (with Windows containers) to either:
Allow the container to utilize nginx on the host OS transparently (app must still call the API at https://api.mydomain.dev), which will cause the traffic to be routed properly to the correct container/port defined in the docker-compose file?
OR
Run nginx on each container, allowing each container to then resolve and route appropriately without knowing the IP of the other container, possibly through an alias which could be added to the containers nginx.conf before the service starts?
The platform utilizes OAuth2/OIDC and it is critical to maintain the full URL to the other services from the applications perspective. Beyond mirroring production and sandbox environments, this URL's are utilized for redirect URL and post logout redirect URL validation among other things so using "https://myContainerNameForOtherContainerAlias" is not a workable solution.
Will I have the same problem when setting up the AKS environment as well?
I am running standalone neo4j database server at localhost:7474 on a linode instance.
Is there any way to view this in the browser?
If you have SSH access to the Linode instance then you can run ssh -L 7474:localhost:7474 youruser#123.123.123.123 which will tunnel the remote port 7474 to localhost 7474. In your browser you can now use http://localhost:7474 to see the remote server without opening anything to the world.
You want what's called a "reverse proxy". Outside of your box, you can't talk about localhost:7474 as a hostname. So you want an external facing web server that "proxies" requests and sends them to localhost:7474.
One such option is Apache mod_proxy used as a reverse proxy. Examples on how to use it are behind the link. In general it's going to boil down to a configuration directive that looks something like:
ProxyPassReverse /neo4j http://localhost:7474
You also really want to read the documentation on securing the neo4j server.
WARNING - neo4j's web interface will let you do just about anything without authentication, including delete all of your data, change it, put new data in, and so on. It is a very bad idea to expose that functionality to the entire internet. So if you use a reverse proxy as suggested above, make sure you add some authentication layer (again you can do this with apache and mod_proxy) to permit just any random person from connecting to your instance and optionally deciding to trash it.
Chicago Boss is a great Erlang Framework. It ships with many dependecies including mochiweb, yaws, and misultin. After installation, Chicago Boss runs a development server very well.I need to know which of the web servers it ships with, does it use by default ? and how can i change from one web server to another without compromising my Chicago Boss project ?
From CB Wiki:
All configuration takes place in boss.config in your project directory....
Webserver
port - The port to run the server on. Defaults to 8001.
server - The HTTP server to use. Valid values are:
mochiweb - The Mochiweb Web Server
misultin - The Misultin Web Server
So check in boss.config for which web server you use.
Hope this helps!
Is it feasible to have a Ruby on Rails app, which is:
a) deployed on Heroku, and
b) working with a remote SQL Server database?
I take it that I'll need unixODBC installed on Heroku, but I cannot find a way to do so. Is this possible?
Or, is there any other way (without ODBC?) to accomplish this?
Thank you very much for any guidance or tip.
Updated:
Some info on the subject:
1) Heroku pre-installs both unixODBC and FreeTDS by default, so you already have them.
2) Also, it is possible to run shell commands via Heroku Console in backticks, e.g.:
heroku console
`odbcinst`
(runs "odbcinst" command in Heroku shell and shows the result)
3) You do not have access to filesystem outside of your slice where the packages are installed. If you only need a driver path, Heroku support can provide it (/usr/lib/odbc/libtdsodbc.so in my case).
4) You cannot run sudo commands in Heroku shell.
At the moment, to connect to MS SQL Server you at least need to append ‘freetds.conf’ file. Even when using tinyTDS (there is an open ticket#2 in tinyTDS gitgub issue page). DSN-less connection instructions from "wiki.rubyonrails.org SLASH database-support SLASH ms-sql" didn’t work for me, I guess this connection requires some extra-configuration either.
‘freetds.conf’ cannot be modified without sudo. Therefore, I conclude that currently there is no way to make MS SQL and Heroku work together.
I’ve managed to set up this connection with EngineYard and activerecord-sqlserver-adapter.
I followed these instructions:
https://github.com/rails-sqlserver/activerecord-sqlserver-adapter/wiki/Platform-Installation---Ubuntu
(there are only some filepath differences, e.g. ‘odbc.ini’ is located in ‘/etc/unicodbc’, not in ‘/etc’ - this is easy to work out).
I installed 'unixODBC' and 'freetds' packages using EY Unix Packages feature, and made all configurations manually through SSH. Sudo is available in EY (no password required). There is also Chef Recepes feature to automate those configurations (seems to be pretty easy, I'm going to try it tomorrow).
Hope this is helpful.
It is possible.
Because Heroku copies/symlinks its own config/database.yml over whatever you supply in your repository, you may need to take additional steps (e.g. in config/environments/production.rb or in config/initializers/remote_mssql_from_heroku.rb) to set up your application appropriately.
You will face the challenge, however, that traffic from Heroku to your MSSQL database will traverse the public internet. By default, this traffic will not be encrypted. Potentially everyone in the world will be able to monitor your traffic between your Heroku application and your database, and even alter the traffic in-flight, whether for benign or malicious purpose, without you being able to detect it. MS SQL offers the capability to connect over SSL. This capability requires explicit configuration in the MSSQL server, so you must be able to access and modify that configuration. Additionally, this configuration requires that your client library be up-to-date and capable of talking with MSSQL over SSL. Note that MSSQL server will enforce that your server certificate list a Common Name or Subject Alternative Name exactly matching or wildcard-matching the server's FQDN (at least, the FQDN that the server knows about), and that the client use an FQDN for the server exactly matching or wildcard-matching one of the names on the certificate.
I've successfully used the following article which uses Heroku's newer buildpack feature to use TinyTDS and connect remotely to SQL Server 2008 R2. I'm still investigating how I could encrypt traffic. Hope this helps others!
http://blog.firmhouse.com/connecting-to-sql-server-from-heroku-with-freetds-here-is-how-on-cedar#
We're having a similar problem where we're needing to import old data from a SQL Server database into our new app. The data isn't a straight table import, but needs to undergo some processing and conversions. We've built an import layer for this which lives in a private gem, so as to not pollute the new app with the old data conversion issues. This approach is also designed to permit incremental updates, as we get closer to launch we'll keep syncing records up to the moment of switch-over.
Heroku told us that it's not trivial to connect to SQLServer, in particular as they don't support FreeTDS. Their support staff recommended to run an instance with the import gem from a laptop in our office and configure it to connect to their database (which requires a dedicated DB, not the free shared one). This sounded like the most palatable approach to us.
Secondly, regarding security that was mentioned by #Justice, we discussed configuring SSL for SQLServer with the hosting company and they pointed out the complexities of this. They recommended VPN as an easier solution. As we don't have office-side VPN hardware, the simplest and free solution proved to be an SSH tunnel.
We've set up an SSH tunnel from the laptop to the SQLServer Windows box. That was straightforward. We had CopSSH installed on Windows (which comes with a Linux shell, by the way) and we were able to simply set up a tunnel, having the laptop talk to localhost for its SQLServer connection, i.e.:
ssh -L 1433:localhost:1433 user#windows_server_name
I did not know Heroku has FreeTDS on it? I was told they did not. TinyTDS if used with FreeTDS 0.91 can have a zero freetds.conf dependency and be driving by runtime connection args. We are looking into building an Ubuntu 10.4 native gem that statically links 0.91 with OpenSSL so you can just drop it into Heroku and us it to connect to Azure and/or you own outside DB.