Networking Safety

Len Padson
Ranch Hand

Joined: Nov 21, 2011
Posts: 40
Hi guys! Okay, I'm fairly new to networking, and I just found out that I can open certain ports of my computer to the internet (I have a 2WIRE router, if that's significant). Anyways, I have heard that there are safety concerns about opening a port of the computer. My question is, should I be worried about opening a port or two? Does safety depend on the program I make to run on that port? For example, I know if I made a web server capable of displaying files on my system, it would give hackers access. But what if I made sure in my code that this wasn't a possibility? Is just having the port open dangerous?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41087
> But what if I made sure in my code that this wasn't a possibility?

That's the problem - making software attack-proof is hard. Quite hard. Witness the repeated security issues even with servers like Apache httpd and IIS, which have been hardened for years by a number of very experienced folks, and still new holes are being found. So, yes, any open port constitutes a possible attack vector.

Whether you think that your personal computer makes for a compelling and visible enough target to be attacked either by the usual malware or by a determined attacker is a question that only you can answer. I generally keep all ports closed on my machine except for those where I have server processes running that for some reason need to be visible elsewhere.
Len Padson
Ranch Hand

Joined: Nov 21, 2011
Posts: 40
Hmm, okay, here's my idea. I know most servers are meant to transmit files from the computer to a browser, but what if I made it so my server created the file it was going to send each time? For example, if my server created a text file saying "Hello" and sent that. That way, hackers couldn't request a file, they could just send requests, and my server would respond accordingly.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41087
> I know most servers are meant to transmit files from the computer to a browser

I'd disagree with that, but it's not germane to the question.

> That way, hackers couldn't request a file, they could just send requests, and my server would respond accordingly.

Limiting what a client can send is good, but assuming that you can foresee all the ways in which your code would respond to random input is dangerous. There may be buffer overflows or other bugs in the underlying software as well (in Tomcat or any other server you build upon, in the JVM, in the OS).

Implementing a non-standard protocol (i.e., one that is not widely known such as FTP, SMTP, HTTP etc.) on a non-standard server (i.e., yours) helps, because the known attacks would not work against it.
Len Padson
Ranch Hand

Joined: Nov 21, 2011
Posts: 40
I see. Thank you, by the way, for all your replies. Would it be unsafe, for example, to make a web server that gets the HTTP request and processes it, and then uses whatever was typed after the IP address and responds accordingly? For example: "http://123.123.123.123/COMMAND" could cause the web to read in "COMMAND" and maybe use a switch or something to process that command. Maybe "COMMAND" causes the web server to put the current date and time in a text file and send that text file. Who knows? But I'm not seeing the danger here. If the web server is not configured or programmed to send files over the network, except maybe for ones that it creates on the spot, is there any danger at all of hackers doing anything? I really don't understand how there could be any danger. Thanks again for your help.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41087
> If the web server is not configured or programmed to send files over the network, except maybe for ones that it creates on the spot, is there any danger at all of hackers doing anything?

Yes, there is. Unless you're an accomplished hacker or security professional you should never assume that you can foresee how people might use or abuse your systems, and even then someone might come up with a new form of attack.

Check the security updates for Apache httpd, IIS, Tomcat, PHP/mod_php etc. over the last 15 years to see what people have put into URLs that was not processed correctly and led to security breaches. I'm not trying to discourage you, by the way, I'm just trying to build awareness that you should never feel safe, no matter how much you've done to make sure that your code is correct. The interplay of all involved components can still lead to unforeseen consequences. Obviously that does not -and should not- stop anyone from running servers that accept requests from the internet at large. But it should give you pause to make sure you're following the usual best practices for security precautions.
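
An added example, not part of the original thread or any poster's code: the command-style server Len describes, restricted to a fixed table of exact-match commands, GET only, a capped path length and a loopback-only listener. The class name, the /TIME and /HELLO commands, port 8080 and the 32-character limit are assumptions made for illustration; the server itself is the JDK's built-in com.sun.net.httpserver.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.time.LocalDateTime;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

public class CommandServer {
    // Hypothetical command table: the only request paths the server acts on.
    private static final Map<String, Supplier<String>> COMMANDS = Map.of(
        "/TIME", () -> LocalDateTime.now().toString(),
        "/HELLO", () -> "Hello");
    private static final int MAX_PATH = 32; // assumed cap, longer paths are refused

    // Returns the response body, or null when the request must be refused.
    static String dispatch(String method, String rawPath) {
        if (!"GET".equals(method)) return null;
        if (rawPath == null || rawPath.length() > MAX_PATH) return null;
        // Exact match on the raw path: nothing is decoded, concatenated,
        // or used to build a file name or a command line.
        Supplier<String> cmd = COMMANDS.get(rawPath);
        return cmd == null ? null : cmd.get();
    }

    private static void handle(HttpExchange ex) throws IOException {
        try {
            String body = dispatch(ex.getRequestMethod(), ex.getRequestURI().getRawPath());
            byte[] out = (body == null ? "not found" : body).getBytes(StandardCharsets.UTF_8);
            ex.getResponseHeaders().set("Content-Type", "text/plain; charset=utf-8");
            ex.sendResponseHeaders(body == null ? 404 : 200, out.length);
            try (OutputStream os = ex.getResponseBody()) { os.write(out); }
        } finally {
            ex.close(); // always release the connection, even on error
        }
    }

    public static void main(String[] args) throws IOException {
        // Loopback only: reachable from this machine, not from the router's forwarded port.
        HttpServer server = HttpServer.create(
            new InetSocketAddress(InetAddress.getLoopbackAddress(), 8080), 16);
        server.setExecutor(Executors.newFixedThreadPool(4)); // bounded worker threads
        server.createContext("/", CommandServer::handle);
        server.start();
    }
}
```

This narrows what a client can make the program do; it does not remove the exposure discussed in the thread, since the HTTP library, the JVM and the OS still parse whatever arrives on the port.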
Len Padson
Ranch Hand

Joined: Nov 21, 2011
Posts: 40
I feel like it does mean that... if I create a server, then my computer becomes vulnerable, right? I'm sorry. Maybe I am too novice to be trying this but I am really excited at the prospect of making a server. Let's say for example all my program ever did was send an HTML page with the date and time or something. The program would NEVER access a file on my computer. Shouldn't this imply that no hacker could do anything to gain access, since my server has absolutely no way of getting access? I realize that such a server would be quite limited, but just using it as a hypothetical, wouldn't that be perfectly safe, since it never accesses my computer?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41087
You're way too focused on files - security is a much broader topic than that. If you read the thousands of CERT security alerts - for all of them the server developers didn't think of the way in which their servers were vulnerable. Sometimes the consequence was to give the attacker root access - which can then be used to get at the files, even though the server would never hand out files directly.

It's quite possible that a simple server that doesn't do fancy stuff is secure from an attack. It's also quite possible that even if a successful attack were theoretically possible, nobody would ever bother with the server because it's low-value or little-known. But you should never assume that it is "perfectly safe".

And yes, the prospect of building and running a server is exciting. I shudder when I think of the first server code I've written, though - full of concurrency issues and security holes. But there's no better way to learn than educating yourself about it and doing it.