Glad that , we finally have a web programming framework developer who really
understands and cares and responds about Security.
I heard some horror stories of RoR , which have a critical security flaw
that have already patched in past 2 beta versions but re-introduced after a
stable release .
On Thu, Oct 16, 2008 at 11:34 AM, morningovermidnight <
[EMAIL PROTECTED]> wrote:
>
> Thanks for the reply. Sounds like I need to take action...I'm working
> on it now!
>
> On Oct 15, 10:39 pm, mdipierro <[EMAIL PROTECTED]> wrote:
> > This is not a web2py issue.
> >
> > There are two weak points.
> >
> > 1) The connection between the web server(s) and the database server.
> > You can secure it by using ssh, but the most common solution is have a
> > local network behind the firewall and create firewall rules only allow
> > traffic from the web server reach the database server. Even better
> > would be to give your web server(s) a second network card that is ONLY
> > connected to the database server.
> >
> > 2) No matter what you do, the web server needs to connect to the
> > database server. If somebody hacks into the web server, they can talk
> > to your database. Nothing protects you for it. You would have the same
> > issue with Java or PHP. All web applications suffer from this issue.
> > The only thing you can do is to make sure your web server is as secure
> > as possible:
> >
> > a) use a secure framework (web2py i very advanced in this respect,
> > even the http accept-language field gets validated, you can check what
> > other frameworks do)
> > b) disable every other service (do not even allow ssh connections from
> > the internet, only from the internal private network)
> > c) do not run multiple apps on the web server so, if the hack into
> > one, they cannot get into the databases of the others.
> > d) Do not run any PHP or ASP app on the same server running web2py.
> > There are many of them and many have known vulnerabilities that
> > vulnerability scanners know how to exploit.
> > e) store the database on a filesystem that has journaling and you can
> > go back to a previous state and backup your database
> > f) have an intrusion detection system that looks for scans and blocks
> > the IP of the scanner before he can get in.
> > g) setup a honeypot so they want to hack, they hack into that first
> > and you can take action.
> >
> > There is no solution to this problem. Only good practice.
> >
> > Massimo
> >
> > On Oct 15, 8:50 pm, morningovermidnight <[EMAIL PROTECTED]>
> > wrote:
> >
> > > Massimo
> >
> > > I too am concerned about the security of my DB password from prying
> > > eyes. I understand that when the database connection url uses
> > > localhost as in -> db=SQLDB('mysql://username:[EMAIL PROTECTED]:
> > > 3306/mydatabase'), when I upload to a shared webhosting server, to
> > > connect to the DB I am using my domain as in -> db=SQLDB('mysql://
> > > username:[EMAIL PROTECTED]:3306/mydatabase'<http://username:[EMAIL
> > > PROTECTED]:3306/mydatabase%27>).
> Is this secure?
> > > It does make me wonder if I am sending this information in the
> > > clear. :-/
> >
> > > On Oct 15, 8:50 pm, mdipierro <[EMAIL PROTECTED]> wrote:
> >
> > > > In a typical production setting you would have a web server exposed
> to
> > > > the internet and a secure local network. The connection with the
> > > > database should go only over the local network. ssh will protect you
> > > > from employees snooping around (and stealing database password) but
> > > > will make the database connection more of a bottleneck. Nor ssh nor
> > > > password will protect you in case somebody hacks into the web server
> > > > and acquires the credentials of the web server. If your web app can
> > > > access the DB, the attacker can too. To some extend one can also
> > > > configure the db engine to accept only connections form certain IPs
> > > > and limit the roles of the user associated to the web app.
> >
> > > > This is why it is very important to try prevent vulnerabilities in
> web
> > > > apps.
> >
> > > > Massimo
> >
> > > > On Oct 15, 5:50 pm, achipa <[EMAIL PROTECTED]> wrote:
> >
> > > > > Depends of why he needs to hide the connection parameters in the
> first
> > > > > place...
> >
> > > > > Yarko: you can always do mysql over ssh. Not for the faint at
> heart,
> > > > > but it IS paswordless and secure.
> >
> > > > > On Oct 15, 9:44 pm, yarko <[EMAIL PROTECTED]> wrote:
> >
> > > > > > I think the issue is: if the db server is on the same box, and
> the
> > > > > > box is secure, then that's a limited issue;
> > > > > > If the db server is accross a network, then nothing web2py (or
> > > > > > anything else connecting) can help, without the support of the db
> -
> > > > > > this practically means you find an alternate way of
> authenticating on
> > > > > > the db .
> >
> > > > > > On Oct 15, 2:05 pm, mdipierro <[EMAIL PROTECTED]> wrote:
> >
> > > > > > > No that I know of.
> >
> > > > > > > On Oct 15, 11:42 am, Pai <[EMAIL PROTECTED]> wrote:
> >
> > > > > > > > Is there a way to hide password in the connection-string?
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"web2py Web Framework" group.
To post to this group, send email to web2py@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/web2py?hl=en
-~----------~----~----~----~------~----~------~--~---
