Subject Re: RES: [ib-support] Where I find a really good security specific IB/FB group?
Author William L. Thomson Jr.
On Tue, 2002-07-16 at 21:38, Edwin Pratomo wrote:
> If you're using Firebird on Linux, you don't need to develop such
> things, just use ipchains/iptables to allow access to port 3050 on the
> machine only from trusted hosts.

That's one way to do it.

> In an article on ibphoenix I read about /etc/gds_hosts.equiv to do
> similar task, but it didn't work when I tried it.

You should have been using hosts.allow and hosts.deny.

I do
in the hosts.deny file on my DB server

And then in the hosts.allow file
ALL: 192.168.0.

Which allows anyone in or an IP starting with 192.168.0 to
access the server.

or for specific IPs

You could be specific on what services, but denying all is the best in
that file, and then in the allow file you could use specific services.

To use specific services use

instead of ALL

Of course you could do both ipchains/iptables, and then dial in
hosts.allow and hosts.deny, if you are really paranoid, but usually one
or the other is good enough.

> We should also worry about a kind of DOS attack which simply opens
> excessive socket connections (and does nothing) until the server hits max
> number of sockets. That's why restricting access and accepting
> connections only from trusted hosts is necessary in several cases, web
> hosting environment as an example.

I could not agree more. I also recommend running a dedicated DB server,
so the machine itself is only used by those who are allowed to, not
the public.

I do not recommend running other public services on a machine that will
also run the DB server, as that is asking for further problems. If there
is an exploit in some other software, then everything else on that
machine is vulnerable as well.

William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
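
The lookup order behind the hosts.allow/hosts.deny setup described in the message above, as an added example that is not part of the original post: a small Python model of how TCP wrappers evaluate the two files (hosts.allow first, then hosts.deny, and no match in either means access is granted). The file contents are constructed samples, the daemon name `gds_inet_server` is an assumption, and hostname patterns and `EXCEPT` are not modelled.

```python
import ipaddress

# Constructed sample files: a default-deny rule plus the allow rule quoted in the message.
HOSTS_ALLOW = """
# daemon_list : client_list
ALL: 192.168.0.
"""
HOSTS_DENY = """
ALL: ALL
"""

def parse(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny style text."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(":")
        if len(parts) < 2:
            continue  # blank line, comment, or malformed rule
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):   # address prefix such as "192.168.0."
        return ip.startswith(pattern)
    if "/" in pattern:          # net/mask such as 192.168.0.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip        # no trailing dot: one exact address, not a prefix

def file_matches(text, daemon, ip):
    return any(
        ("ALL" in daemons or daemon in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in parse(text)
    )

def allowed(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    if file_matches(allow, daemon, ip):
        return True             # a match in hosts.allow wins
    if file_matches(deny, daemon, ip):
        return False            # otherwise a match in hosts.deny refuses
    return True                 # no match in either file: access is granted

if __name__ == "__main__":
    for ip in ("192.168.0.17", "192.168.10.17", "203.0.113.9"):
        print(ip, allowed("gds_inet_server", ip))  # daemon name is assumed
```

The last branch of `allowed` is why the deny-everything rule matters: with an empty hosts.deny, a client that matches nothing in hosts.allow is still let in.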