Proxy port 8000 security issue

[Yvonne Garcia]

Hello Everyone,

I have a client configuration running Webstar with Web Server Connect one one iMac, FMPro Server on one iMac, and FMPro 5.5 Unlimited on two other iMacs. All iMacs are running OS 9.x.

Recently, I was informed that the Webstar server constitutes a security breach for my client because it has an open proxy on port 8000. I reconfigured Webstar (and restarted it) to limit to and from access on the proxy to only the IPs used by the four iMacs. However, the proxy is still coming up as open to the public on the security tests and so we are having to shut down Webstar and go back to using a single iMac as our web server.

I can't find any other way to limit the proxy and don't understand why setting allow privileges did not work.

Any input as to what to try next would be greatly appreciated.

Thanks,

Yvonne

[Steve T.]

Hi, Yvonne! I'm out of my depth on this one since I know very little about proxy servers, load balancing, FMP Server, or the mythical Web Server Connector, but if you decide to go to Mac OS X Server, it runs Apache and comes with a firewall. (I thought you needed MacOSX for the WSC... didn't know you could use it with OS9.) Web Companion has a configuration to restrict db access to specific IP addresses, though, if that helps any.

Sorry, this one's out of my league. Maybe one of the pro's will chime in, though... --ST

[Yvonne Garcia]

Steve, thanks for the reply. You can run WSC on OS9, no problem. We are running it using the OS9 version of WebStar. It's been working great until this pesky proxy port problem was discovered. I can't restrict db access to specific IP addresses since it is a public website. For now, I've had to disable the Webstar server and go back to serving up the website using just one iMac.

Still looking for a solution... Will post it if I find one.

- Yvonne

[Anatoli]

Yvonne, how do you protect the WebCompanion/FM against unauthorized hacking?

[Yvonne Garcia]

Anatoli,

I've followed the procedures outlines in FileMaker's "Web Publishing Security Guidelines", from where not to store the databases to limiting which databases get shared via the web to using the security databases for password protected access to more sensitive information.

Your question has me worried that I've missed something, however?

- Yvonne

[Anatoli]

Check http://www.fmforums.com/threads/showflat.php?Cat=&Board=UBB21&Number=19032&page=&view=&sb=&o=&vc=1

[Jeff Spall]

Hi, if you're worried about the Webstar proxy server, I guess there's two actions to minimise any problems:

- just remove the webstar proxy extensions from the plug-ins folder and restart the server - no proxy server!

- or, keep proxy server active and:

In the Webstar admin, set all the proxy values (connections and cache size etc) to zero and make a "*" deny entry in the incoming and outcoming connections allow/deny tables.

The proxy server is still active so you'll still be able to check the log to see any hack attempts. The server would still show a proxy server on the port, but any attempt to connect will return an error. On a Webstar server we have, this has been solid since 1999.

regards, jeff

ps: proxy server's disappeared from Webstar 5, so I guess it was regarded as a security problem

[Jeff Spall]

Hi, if you're worried about the Webstar proxy server, I guess there's two actions to minimise any problems:

- just remove the webstar proxy extensions from the plug-ins folder and restart the server - no proxy server!

- or, keep proxy server active and:

In the Webstar admin, set all the proxy values (connections and cache size etc) to zero and make a "*" deny entry in the incoming and outcoming connections allow/deny tables.

The proxy server is still active so you'll still be able to check the log to see any hack attempts. The server would still show a proxy server on the port, but any attempt to connect will return an error. On a Webstar server we have, this has been solid since 1999.

regards, jeff

[Yvonne Garcia]

Sorry for the late reply. Thanks, Jeff. That worked perfectly. Now I can get my RAIC back online.

- Yvonne