durusmail: qp: Re: http get kills durus
Re: http get kills durus
Michael Watkins
2005-11-28
* mario ruggier wrote [2005-11-27 16:18:09 +0100]:
> On Nov 26, 2005, at 4:29 AM, David Binger wrote:

> >It is okay to run the server on a different machine, but it should be on
> >an interface that is not exposed to any non-trusted process.  You might
> >want to do this for a high-traffic site, running server machine with
> >private connections to other machines running the clients.

This is what I do - my Durus (or Postgres or whatever) databases only expose
ports or sockets accessible to either localhost or a private network. But,
perhaps not all users will be so lucky.

> My (a null network administrator) little source of worry would be that
> with a durus db on a separate across-the-net machine, you still need to
> expose at least the one port... and so sustain the additional pain of
> ensuring that only the client machines can physically send messages to
> this port.


Someone running QP/Durus on equipment provided by a hosting service provider
may well have one or more accounts and one or more machines, all on a common
subnet accessible by hundreds of other users and machines. Once your
application has to span more than just localhost, it's going to be an issue.

If you've got full control (physical control or $$ to spend on something
equivalent) then you can set up a host to host network and avoid exposing the
address to other potentially malicious users on the hosting provider's
network.

I have experienced a couple of times denial of service or other random,
malicious, attacks originating from my service provider's network - it's not
unknown; but on the other hand, such attacks don't tend to last long until
the plug is pulled ;-).

At any rate, a firewall rule would go a long way to avoiding this as an issue
- if you allow only traffic to the Durus port from a known machine, you've
got pretty reasonable protection.

Probably this will surface as an issue sometime, but until it does, is best
ignored in favor of other things?

On another note I've been swamped with other stuff but have been slowly
inching forward a port of Dulcinea to QP, at least the core stuff I
personally use all the time. Coming soon.
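The firewall rule suggested in the message above, as an added example that is not part of the original post: a shell function that prints iptables-restore rules admitting one known client to the Durus port and dropping all other traffic to it. The function name `durus_rules` is hypothetical, and the port and client address are assumptions supplied by the caller.

```shell
#!/bin/sh
# Emit iptables-restore rules that let only one known client reach the
# Durus storage server port. Nothing is applied here; review the output,
# then load it as root with: iptables-restore --noflush < durus.rules
# Rules are appended, so a broader ACCEPT earlier in INPUT still wins.

# durus_rules PORT CLIENT_IP
#   PORT      - TCP port the Durus server listens on (caller-supplied)
#   CLIENT_IP - the single trusted IPv4 client address (caller-supplied)
durus_rules() {
    port=$1
    client=$2

    # Port must be an integer in 1..65535.
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi

    # Client must be one dotted-quad host address: a range or 0.0.0.0
    # would defeat the point of naming a known machine.
    case $client in
        */*|0.0.0.0) echo "refusing non-host source: $client" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$client" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "bad client address: $client" >&2; return 1
    fi
    for octet in $(printf '%s' "$client" | tr . ' '); do
        [ "$octet" -le 255 ] || { echo "bad client address: $client" >&2; return 1; }
    done

    # Order matters: both ACCEPT rules must precede the DROP.
    cat <<EOF
*filter
-A INPUT -i lo -p tcp --dport $port -j ACCEPT
-A INPUT -p tcp -s $client --dport $port -j ACCEPT
-A INPUT -p tcp --dport $port -j DROP
COMMIT
EOF
}
```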