I have a database application (or search engine) which is called Solr.

I connect to it via port 8983.

I do this from PHP code, so I add and remove records from it via PHP.

On my server I have a firewall.

I have set this firewall to only allow connections to and from this port (8983) from the IP address of my own server. In other words, only allow the server's IP to access this port.

Is that safe? Or am I thinking all wrong here? Will others be able to "simulate" my IP address and act as the server?

This is because otherwise others may add/remove records as they want from their own IP addresses...

Thanks

+3  A: 

Yes, you are safe as long as no one gains control of your local server.

You can also cause Solr to bind to the "localhost" or "127.0.0.1" adapter as opposed to "0.0.0.0", which would have a similar effect. It never hurts to layer the firewall above that just in case the configuration is messed up.

Yann Ramin
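A way to verify the bind address suggested in the answer above, as an added example that is not part of the original answer: it parses `ss -ltn` output and reports whether each listener on port 8983 is loopback-only or exposed unless the firewall drops the traffic. The sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       50      127.0.0.1:8983      0.0.0.0:*
LISTEN  0       50      [::]:8983           [::]:*
LISTEN  0       50      192.0.2.10:8983     0.0.0.0:*
"""

def split_host_port(local):
    """Split 'addr:port' as printed by ss, including '[v6]:port' and '*:port'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port

def exposure(host):
    """Classify a bind address: loopback, wildcard (all interfaces) or specific."""
    host = host.split("%")[0]  # drop an interface scope such as %eth0
    if host == "*":
        return "wildcard"
    addr = ipaddress.ip_address(host)
    # A dual-stack JVM may report IPv4-mapped addresses like ::ffff:127.0.0.1.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    if addr.is_unspecified:
        return "wildcard"
    return "loopback" if addr.is_loopback else "specific"

def solr_listeners(ss_output, port=8983):
    """Return [(bind_address, exposure)] for every LISTEN socket on `port`."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header and malformed lines
        host, p = split_host_port(fields[3])
        if p == str(port):
            found.append((host, exposure(host)))
    return found

def relies_on_firewall(ss_output, port=8983):
    """True when any listener is reachable from other hosts unless a firewall drops it."""
    return any(kind != "loopback" for _, kind in solr_listeners(ss_output, port))

if __name__ == "__main__":
    for host, kind in solr_listeners(SAMPLE_SS):
        print(f"{host:15} {kind}")
```

On a live host, pass the text printed by `ss -ltn` to `solr_listeners` instead of the sample.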
A: 

You would not be safe if you are worried about tampering from the same network. There are many situations where the real threats are from inside the network, not from some script kiddie a continent away.

I agree with theatrus to use only localhost.

If you are deployed on multiple hosts there are several ways to create a secure tunnel, e.g.

ssh -L 8983:localhost:8983 solr.server

This will create a secure tunnel (although it takes non-trivial CPU when the bandwidth is high). There are also other solutions.

An additional advantage is that for a developer you can use a sample Solr server locally and your code in your IDE, and it will just work with the same config as in production. The less that needs to be changed when deploying, the better.

Peter Tillemans
+3  A: 

It might be a good idea to also block all outgoing traffic from port 8983 on the server to anywhere but your own server's IP address. This, in addition to dropping any packet to that port not from your server, will doubly ensure that, even if someone is somehow able to modify the daemon listening on port 8983 on the server, allowing it to mirror traffic to another host, it would be dropped before it leaves your computer.

amphetamachine
A: 

This is safe. The IP address used in a TCP connection because of the three-way handshake. This is a good firewall rule-set, but you should always test your rulesets with nmap.

What you do have to worry about is running an open proxy server on the server that is executing the PHP.

Rook