[nycphp-talk] Secure (XML-RPC) connection

Faber Fedor faber at linuxnj.com
Wed Mar 24 10:48:23 EST 2004


On Wed, Mar 24, 2004 at 10:03:10AM -0500, Mitch Pirtle wrote:
> Faber Fedor wrote:
> 
> >The client insists that this be done in real-time, so I can't have a
> >copy of the database on the web server.
> >
> >Any ideas?
> 
> I am a unix guy, so I don't know how to implement this in the Windows 
> world - keep that in mind.

What do I care about Windows?  I'm a Linux guy and all the servers
involved are Linux. :-)

> One approach I took in the past was to use ssh and port forwarding (e.g. 
> forwarding port 9876 on the webserver to 80 on the production machine). 
>  Then set tcpwrappers to only allow localhost access to port 9876. 
> That way your xml-rpc calls can go to localhost:9876...
> 
> You are now talking on a ssh-encrypted tunnel to the production machine.
> 
> Does that fit the bill?

Sounds good, but how does that stop crackers?

See, my main concern is that to make this work I have to open a hole in
the firewall via port forwarding.  Okay, so it's only for port 80, but
now that that port is open, the production server is exposed.  What's
stopping a cracker from emulating the Web Server? Putting tcpwrappers or
iptables on the Prodn Server isn't going to work, since all packets will
look like they're coming from the firewall (192.168.1.1) and I know of
no way to differentiate the packets once they've been NATed.


-- 

Regards,

Faber

Linux New Jersey: Open Source Solutions for New Jersey
http://www.linuxnj.com
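An added illustration of the restriction Mitch describes (only local callers may reach the forwarded port), written for this page and not code from either poster. With `ssh -L 9876:localhost:80 prodhost` run on the web server, the XML-RPC client talks to 127.0.0.1:9876 locally and the request leaves the tunnel on the production box's own loopback interface, so a loopback-only rule on the production service is what tcpwrappers would enforce there. The snippet below stands in for that production-side service: a small XML-RPC server that, in the spirit of a `hosts.allow` rule, accepts connections only from loopback peers. The method name `lookup_order`, the `peer_allowed` rule and the use of an ephemeral port are all constructed for the demo.

```python
import threading
from ipaddress import ip_address
from xmlrpc.client import ServerProxy
from xmlrpc.server import SimpleXMLRPCServer

# Constructed for this example: stand-in for the production-side XML-RPC
# service that the ssh tunnel forwards to.  Port 0 lets the OS pick a free
# port so the demo runs anywhere; a real service would sit on a fixed port.
LISTEN_ADDR = ("127.0.0.1", 0)


def peer_allowed(client_ip: str) -> bool:
    """tcpwrappers-style rule: only loopback peers may talk to the service.

    Anything arriving from another address (e.g. the firewall's 192.168.1.1
    after NAT) is refused before the request is parsed.
    """
    return ip_address(client_ip).is_loopback


class LoopbackOnlyXMLRPCServer(SimpleXMLRPCServer):
    """XML-RPC server that drops connections from non-loopback addresses."""

    def verify_request(self, request, client_address):
        # socketserver calls this hook before handling each connection;
        # returning False closes the socket without dispatching the call.
        return peer_allowed(client_address[0])


def lookup_order(order_id: int) -> dict:
    # Hypothetical real-time query against the production database.
    return {"order_id": order_id, "status": "shipped"}


def start_server() -> LoopbackOnlyXMLRPCServer:
    """Start the loopback-only service in a background thread and return it."""
    server = LoopbackOnlyXMLRPCServer(LISTEN_ADDR, logRequests=False, allow_none=True)
    server.register_function(lookup_order)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def query_over_tunnel(port: int, order_id: int) -> dict:
    """What the web-server side does: call the local end of the tunnel."""
    with ServerProxy(f"http://127.0.0.1:{port}/") as proxy:
        return proxy.lookup_order(order_id)


if __name__ == "__main__":
    srv = start_server()
    try:
        print(query_over_tunnel(srv.server_address[1], 42))
    finally:
        srv.shutdown()
        srv.server_close()
```

The point of `verify_request` is that the address check happens at the same layer tcpwrappers works at (per connection, before any application data is read), so a caller that is not on loopback never reaches the RPC dispatcher at all.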