I need to set up a secure website to transfer data between 5 computers located in different states. The data is sensitive.
I am planning to use Drupal. However, I read many articles about Drupal 7 getting hacked. So I want to restrict website access using web.config. As far as I understand, nobody can even try to hack the website because it will not be accessible from any IP not listed in the web.config. Does this guarantee 100% protection?
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false"> <!-- this line blocks everybody, except those listed below -->
        <clear/> <!-- removes all upstream restrictions -->
        <add ipAddress="127.0.0.1" allowed="true"/> <!-- allow requests from the local machine -->
        <add ipAddress="83.xxx.xx.53" allowed="true"/> <!-- allow the specific IP of 83.116.19.53 -->
        <add ipAddress="83.xxx.xx.0" subnetMask="255.255.255.0" allowed="true"/> <!-- allow network 83.116.119.0 to 83.116.119.255 -->
        <add ipAddress="83.xxx.0.0" subnetMask="255.255.0.0" allowed="true"/> <!-- allow network 83.116.0.0 to 83.116.255.255 -->
        <add ipAddress="83.xxxx.0.0" subnetMask="255.0.0.0" allowed="true"/> <!-- allow entire /8 network of 83.0.0.0 to 83.xxx.255.255 -->
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
As long as your web server is exposed to the Internet, it is vulnerable to hacking attempts. There could be a flaw, current or future, that allows the hacker to bypass application level IP restrictions.
You should explicitly deny access for most IP addresses to the web server (typically Port 80 for HTTP, and Port 443 for HTTPS... which I'm sure you are using as your website deals with secure data). Explicitly allow access only for the IPs you have listed.
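To see concretely what the ipSecurity allowlist above decides for a given client address, here is an added example (not code from the question or the answer) that evaluates a web.config offline. The web.config text is constructed for the demo, with the question's redacted 83.xxx addresses replaced by documentation ranges; the modeled semantics (clear drops inherited entries, each add matches a host or an address/subnetMask range, first matching entry decides, unmatched addresses get the allowUnlisted verdict) are an assumption stated in the code. Note that the module only ever sees the TCP peer address, so it judges whatever is directly in front of IIS, not a client behind a reverse proxy.

```python
"""Evaluate an IIS ipSecurity allowlist offline (added example, not from the
original post). SAMPLE_WEB_CONFIG is constructed; 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges standing in for the redacted
83.xxx addresses. Modeled semantics (assumption): <clear/> drops inherited
entries, each <add> matches one host or an address/subnetMask range, the
first matching entry decides, and an address matching no entry gets the
allowUnlisted verdict."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="127.0.0.1" allowed="true"/>
        <add ipAddress="203.0.113.53" allowed="true"/>
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>"""


def load_rules(web_config_xml):
    """Return (allow_unlisted, [(network, allowed), ...]) from a web.config string."""
    root = ET.fromstring(web_config_xml)
    ipsec = next(root.iter("ipSecurity"), None)
    if ipsec is None:
        raise ValueError("web.config has no ipSecurity element")
    allow_unlisted = ipsec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for child in ipsec:
        if child.tag == "clear":
            rules.clear()  # entries inherited from parent configs would be dropped here
        elif child.tag == "add":
            mask = child.get("subnetMask", "255.255.255.255")  # no mask = single host
            network = ipaddress.ip_network(f"{child.get('ipAddress')}/{mask}", strict=False)
            rules.append((network, child.get("allowed", "true").lower() == "true"))
    return allow_unlisted, rules


def is_allowed(client_ip, allow_unlisted, rules):
    """Verdict for the peer address as IIS sees it (a reverse proxy in front
    of IIS makes every request appear to come from the proxy's address)."""
    ip = ipaddress.ip_address(client_ip)
    for network, allowed in rules:
        if ip in network:
            return allowed  # first matching entry decides (modeling assumption)
    return allow_unlisted


def audit(web_config_xml, candidate_ips):
    """Map each candidate address to True (served) or False (rejected by the module)."""
    allow_unlisted, rules = load_rules(web_config_xml)
    return {ip: is_allowed(ip, allow_unlisted, rules) for ip in candidate_ips}


if __name__ == "__main__":
    probes = ["127.0.0.1", "203.0.113.53", "203.0.113.54", "198.51.100.200", "10.0.0.5"]
    for ip, ok in audit(SAMPLE_WEB_CONFIG, probes).items():
        print(f"{ip:>16}  {'allowed' if ok else 'denied'}")
```

Running the script lists the verdict for each probe address; feeding it the real web.config and the public addresses of the five sites is a quick way to confirm that nothing unintended (a neighbouring /24, a whole /8) slipped into the allowlist.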
Is there a way to configure Snowflake's connection pooling in WebSphere Application Server?
I tried the config below inside the server.xml file, but it is not working.
<dataSource id="SnowflakeDataSource" jndiName="jdbc/BM_SF" type="javax.sql.DataSource">
  <properties db="abcd" schema="_TARGET" URL="jdbc:snowflake://adpdc_cdl.us-east-1.privatelink.snowflakecomputing.com" user="****" password="****" />
  <jdbcDriver libraryRef="DatacloudLibs" javax.sql.DataSource="net.snowflake.client.jdbc.SnowflakeBasicDataSource"/>
</dataSource>
To clarify, the configuration that you have configures WebSphere Application Server Liberty's connection pooling for a Snowflake data source, rather than Snowflake's connection pooling.
The configuration that you have looks mostly pretty good.
When I looked up the SnowflakeBasicDataSource class that you are using, I can see that it has a property called "databaseName", not "db", so you'll need to switch that in your configuration.
You will also need to configure one of the jdbc-4.x features in Liberty if you haven't already, and if you plan to look it up in JNDI (vs inject it), you'll need the jndi-1.0 feature.
Here is an example with some corrections:
<featureManager>
  <feature>jdbc-4.2</feature>
  <feature>jndi-1.0</feature>
  <!-- ... your other features here -->
</featureManager>
<dataSource id="SnowflakeDataSource" jndiName="jdbc/BM_SF" type="javax.sql.DataSource">
  <properties databaseName="abcd" schema="_TARGET" URL="jdbc:snowflake://adpdc_cdl.us-east-1.privatelink.snowflakecomputing.com" user="****" password="****" />
  <jdbcDriver libraryRef="DatacloudLibs" javax.sql.DataSource="net.snowflake.client.jdbc.SnowflakeBasicDataSource"/>
</dataSource>
If this still doesn't work, look into your definition of the DatacloudLibs library to ensure that it is properly pointing at the Snowflake JDBC driver, and if it still doesn't work, post the error message that you see in case it helps to determine the cause.
I was able to work with dbus as a client, but if I compile https://github.com/bratsche/glib/blob/master/gio/tests/gdbus-example-server.c
the on_name_acquired callback is called and immediately after that the on_name_lost callback is called.
The only change that I made is that I use G_BUS_TYPE_SYSTEM instead of G_BUS_TYPE_SESSION.
I can only guess that this is some authentication issue.
Unlike the session bus, the system bus has a security policy which prevents arbitrary processes from claiming arbitrary well-known names on the bus. You need to install a configuration file for the system bus to allow your service to own a name:
Rules with the own or own_prefix attribute are checked when a connection attempts to own a well-known bus name. As a special case, own="*" matches any well-known bus name. The well-known session bus normally allows any connection to own any name, while the well-known system bus normally does not allow any connection to own any name, except where allowed by further configuration. System services that will own a name must install configuration that allows them to do so, usually via rules of the form <policy user="some-system-user"><allow own="…"/></policy>.
This means installing a configuration file like the following in /usr/share/dbus-1/system.d/org.mydomain.MyService1.conf:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE busconfig PUBLIC
  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Only my-service-user can own the service -->
  <policy user="my-service-user">
    <allow own="org.mydomain.MyService1"/>
  </policy>
  <!-- Anyone can send messages to the service -->
  <policy context="default">
    <allow send_destination="org.mydomain.MyService1"/>
  </policy>
</busconfig>
You must then run your service’s process as the my-service-user user.
The D-Bus API design tutorial section on security policies is relevant reading.
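To check which users a set of policy files actually lets own which names, here is an added example (not code from the answer or from the D-Bus project) that evaluates the own and own_prefix rules of busconfig files. The policy files in it are constructed: one mirrors the org.mydomain.MyService1.conf above, the other is a made-up agent-user service using own_prefix. The evaluation order (context="default" policies, then the connecting user's policies, then context="mandatory", last matching rule wins, nothing matched means denied) is the dbus-daemon(1) behaviour as modeled here; group policies and the send/receive rule families are deliberately left out.

```python
"""Who may own a well-known name on the system bus, given busconfig policy
files (added example, not from the original answer or the D-Bus project).
Modeled from dbus-daemon(1): context="default" policies apply first, then
policies for the connecting user, then context="mandatory"; the last matching
rule decides, and a name no rule matches is denied, which is the system bus
behaviour quoted above. Group policies and send/receive rules are omitted."""
import xml.etree.ElementTree as ET

# Constructed policy file mirroring the answer's org.mydomain.MyService1.conf.
SERVICE_CONF = """<busconfig>
  <policy user="my-service-user">
    <allow own="org.mydomain.MyService1"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.mydomain.MyService1"/>
  </policy>
</busconfig>"""

# Second constructed file: a made-up agent that may own a whole name tree.
AGENT_CONF = """<busconfig>
  <policy user="agent-user">
    <allow own_prefix="org.mydomain.Agent"/>
  </policy>
</busconfig>"""


def _rule_matches(rule, name):
    """True if an <allow>/<deny> rule with own= or own_prefix= covers `name`."""
    if "own" in rule.attrib:
        return rule.get("own") == "*" or rule.get("own") == name
    if "own_prefix" in rule.attrib:
        prefix = rule.get("own_prefix")
        return name == prefix or name.startswith(prefix + ".")
    return False  # send_*/receive_* rules do not affect name ownership


def _policies(configs, user):
    """Yield <policy> elements in the order dbus-daemon applies them."""
    roots = [ET.fromstring(c) for c in configs]
    for selector in ({"context": "default"}, {"user": user}, {"context": "mandatory"}):
        for root in roots:
            for policy in root.iter("policy"):
                if all(policy.get(k) == v for k, v in selector.items()):
                    yield policy


def can_own(user, name, configs):
    """Return True if a connection authenticated as `user` may own `name`."""
    verdict = False  # nothing matched: the system bus denies ownership
    for policy in _policies(configs, user):
        for rule in policy:
            if rule.tag in ("allow", "deny") and _rule_matches(rule, name):
                verdict = rule.tag == "allow"  # last matching rule wins
    return verdict


if __name__ == "__main__":
    files = [SERVICE_CONF, AGENT_CONF]
    for user, name in [("my-service-user", "org.mydomain.MyService1"),
                       ("nobody", "org.mydomain.MyService1"),
                       ("agent-user", "org.mydomain.Agent.Session1"),
                       ("agent-user", "org.mydomain.AgentX")]:
        state = "allowed" if can_own(user, name, files) else "denied"
        print(f"{user:>16} owning {name:<28} {state}")
```

Pointing the script at the real files under /usr/share/dbus-1/system.d/ shows at a glance whether a service's name is reserved for its own user, which is the property the system bus policy is there to enforce; an own="*" granted in a default context would show up as every user being able to claim every name.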
I have a SOAP/REST service implemented in CXF inside Red Hat JBoss Fuse (in a Fabric).
I need to protect it with Basic Authentication, and credentials must be checked on a LDAP server.
Can this be done without a custom interceptor?
Can I maybe use the container JAAS security (configured with LDAP) to protect the service the same way I can protect the console?
Yes the container JAAS security realm can be used to protect a web service.
An example is here.
The example page doesn't explain the implementation, but a quick look at the blueprint.xml file reveals the following configuration:
<jaxrs:server id="customerService" address="/securecrm">
  <jaxrs:serviceBeans>
    <ref component-id="customerSvc"/>
  </jaxrs:serviceBeans>
  <jaxrs:providers>
    <ref component-id="authenticationFilter"/>
  </jaxrs:providers>
</jaxrs:server>
<bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
  <!-- Name of the JAAS Context -->
  <property name="contextName" value="karaf"/>
</bean>
So it's just a matter of configuring a JAAS authentication filter.
"karaf" is the default JAAS realm for the container: users are defined in etc/users.properties.
To define more realms, info is here.
To have users on LDAP, see here.
The answer above is correct, but please note that for more recent versions of Fuse (past 6.1), the "rank" in the LDAP configuration must be greater than 100 in order to override the default karaf realm.
Also, with current patches applied, in Fuse 6.2.X, connection pooling for the LDAP connections can be enabled:
    <!-- LDAP connection pooling -->
    <!-- http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/pool.html -->
    <!-- http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html -->
    context.com.sun.jndi.ldap.connect.pool=true
  </jaas:module>
</jaas:config>
This is very important for high-volume web services. A connection pool is maintained to the LDAP server, which both avoids connection creation overhead and prevents closed sockets from lingering in the TIME-WAIT state.
We have a silverlight application which interfaces with an RIA service to get a list of contacts to display in a grid, this normally works however we are getting the following error:
load operation failed for query x. the remote server returned an error: notfound
Tracing this through, we have determined it is due to the amount of data that is being passed, as it will work if we pass roughly 3,800 records or less. We need to load at least 15,000 records from the database.
I have searched all over the internet to find a solution and have changed the following settings, but nothing seems to have worked.
Settings changed are:
In IIS7 changed the ASP setting 'Response Buffering Limit' to 67108864
In IIS7 changed the ASP setting 'Maximum Requesting Entity Body Limit' to 2000000
In IIS7 changed the ASP setting 'Client Connection Test Interval' to 00:00:10
In our application web.config changed 'maxItemsInObjectGraph' to 2147483647
In our application web.config binding attributes 'maxReceivedMessageSize', 'maxBufferSize' and 'maxBufferPoolSize' are all set to 200000000
In our application web.config readerQuotas attributes 'maxArrayLength', 'maxStringContentLength', 'maxBytesPerRead', 'maxNameTableCharCount' are all set to 200000000
This is setup on Server 2008 R2 with IIS7 and using .Net 4.
This error also occurs when running in the debugger using the ASP.NET Development Server.
Any help would be appreciated.
Maybe the number of items is too limited in your Web.config. You can also enable detail in your faults like this to get more detail if this isn't the fix.
<services>
  <service name="Service.Class.Full.Name"
           behaviorConfiguration="Service_Behaviour_Name" />
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="Service_Behaviour_Name">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <dataContractSerializer maxItemsInObjectGraph="65536" />
    </behavior>
  </serviceBehaviors>
</behaviors>
Service.Class.Full.Name needs to be your fully qualified service class name.
Service_Behaviour_Name can be anything, but the default looks like the full service class name with - rather than .
I developed a program in a mobile device (Pocket PC 2003) to access a web service, the web service is installed on a Windows XP SP2 PC with IIS, the PC has the IP 192.168.5.2.
The device obtains from the wireless network the IP 192.168.5.118 and the program works OK, it calls the method from the web service and executes the action that is needed. This program is going to be used in various buildings.
Now I have this problem: it turns out that when I try to test it in another building (distances of nearly 100 m or 200 m) connected to the network, the program cannot connect to the web service. At this moment the device gets the IP 192.168.10.25 from an Access Point, and it accesses the same XP machine I stated before (192.168.5.2). I made a mobile aspx page to verify that I can reach the web server over the network, and it loads on the device. I even made a winform that accesses the same web service from a PC in that building, and it also works there, so I don't understand what is going on. I also tried to ping that 192.168.5.2 PC and it responds alive.
After that failure I returned to the original place where I tested the program before, and it works normally there.
The only thing that looks different here is that the third number in the IP is 10 instead of 5; another observation is that I can't ping the mobile device. I feel confused; I don't know what is happening here. What could be the problem?
This is how I call the web service:
//Connect to webservice
svc = new TheWebService();
svc.Credentials = new System.Net.NetworkCredential(Settings.UserName, Settings.Password);
svc.AllowAutoRedirect = false;
svc.UserAgent = Settings.UserAgent;
svc.PreAuthenticate = true;
svc.Url = Settings.Url;
svc.Timeout = System.Threading.Timeout.Infinite;
//Send information to webservice
svc.ExecuteMethod(info);
The content of the app.config on the mobile device is:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="UserName" value="administrator" />
    <add key="Password" value="************" />
    <add key="UserAgent" value="My User Agent" />
    <add key="Url" value="http://192.168.5.2/WebServices/TWUD.asmx" />
  </appSettings>
</configuration>
Does anyone have an idea what is going on?
It was a network issue. We had configured a proxy server and that was the problem; I need to learn more about networking.
This looks like a network issue, unless there's an odd bug in .Net CF that doesn't allow you to traverse subnets in certain situations (I can find no evidence of such a thing from googling).
Can you get any support from the network/IT team? Also, have you tried it from a different subnet? I.e. not the same as the XP machine (192.168.5.x) and not the same as the one that hasn't worked so far (192.168.10.x).
@Shaun Austin - that wouldn't explain why they can get at a regular web page on the XP machine from the different subnet.
Not an expert with this stuff but it looks like the first 3 parts of the address are being masked out. Is it possible that the mobile device is being given a network mask of:
255.255.255.0
As to reach beyond the range of the first 3 parts you need the mask to be:
255.255.0.0
This may be an oversimplification or completely wrong, but that was my gut response to the question.
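To make the subnet-mask reasoning in the last answer checkable, here is an added example (not code from any of the posts) that computes, for the addresses quoted in the question, whether the device considers the XP server on-link under a /24 or a /16 mask, and where its first packet therefore goes. The device and server addresses come from the question; the gateway addresses are made-up assumptions.

```python
"""Reachability of the XP web server from the device under different subnet
masks (added example, not from the original posts). Device and server
addresses are the ones quoted in the question; gateways are assumptions."""
import ipaddress

SERVER = "192.168.5.2"            # XP machine hosting the web service
DEVICE_BUILDING_A = "192.168.5.118"   # where the program worked
DEVICE_BUILDING_B = "192.168.10.25"   # where it failed


def on_link(local_ip, netmask, remote_ip):
    """True if `remote_ip` lies inside the local subnet, so the device will try
    to reach it directly instead of handing the packet to a router."""
    local_net = ipaddress.ip_interface(f"{local_ip}/{netmask}").network
    return ipaddress.ip_address(remote_ip) in local_net


def reachability(local_ip, netmask, remote_ip, gateway=None):
    """Where the first packet goes: 'direct' for an on-link host, 'via <gw>'
    for an off-link host with a default gateway, otherwise unreachable."""
    if on_link(local_ip, netmask, remote_ip):
        return "direct"
    if gateway is None:
        return "unreachable (off-link, no default gateway)"
    return f"via {gateway}"


def mask_report(local_ip, remote_ip, masks, gateway=None):
    """Map each candidate mask to the routing decision it produces."""
    return {mask: reachability(local_ip, mask, remote_ip, gateway) for mask in masks}


if __name__ == "__main__":
    cases = [
        (DEVICE_BUILDING_A, "255.255.255.0", "192.168.5.1"),   # assumed gateway
        (DEVICE_BUILDING_B, "255.255.255.0", "192.168.10.1"),  # assumed gateway
        (DEVICE_BUILDING_B, "255.255.255.0", None),
        (DEVICE_BUILDING_B, "255.255.0.0", None),
    ]
    for device, mask, gw in cases:
        print(f"{device}/{mask} -> {SERVER}: {reachability(device, mask, SERVER, gw)}")
```

The output shows the mechanism behind the answer: with 255.255.255.0 the device in building B sees 192.168.5.2 as off-link and depends entirely on its default gateway (and on anything, such as the proxy the asker later found, that sits on that path), while 255.255.0.0 makes the server appear on-link. Whether the wider mask actually helps depends on the two buildings sharing one layer-2 network, which the thread never establishes.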