I am trying to use DisableAddressSharing registry to disable port sharing between sockets but it's not working.
DisableAddressSharing is set to 1.
socket server1 = bind(INADDR_ANY,Port)
socket server2 = bind("127.0.0.1",Port)
If I use SO_EXCLUSIVEADDRin server1 socket then address sharing is disabled. Is there any reason that registry is not working ?
A reboot is required for this setting to take effect.
As a workaround, Microsoft provides a registry setting that will globally (system-wide) prevent all sockets from reusing any port that is already in use. This is done by setting to 1 the "DisableAddressSharing" value of the "HKLM\System\CurrentControlSet\Services\Afd\Parameters" key. (Reboot required for the setting to take effect).
The administrator should first confirm that disallowing socket reuse globally does not break the functionality/correctness of existing legitimate servers on the system. If it's safe, the setting described above should be used to apply this security measure.
Please refer to Microsoft article on SO_EXCLUSIVEADDRUSE before implementing this feature.
Related
So today I was in my MongoDB and I type in show dbs. Other than my usual dbs there is an additional hacked_by_unistellar. Anyone might know what I can do here? It sounds like I have been hacked unless this is some terrible easter egg I have come across. Please advise. Thank you.
you should close your default mongoDB Port 27017. Got the same problem
I had the same on an old backup server as well.
All I can say is that it is not related to an open, public mongodb port. The mongo server is running on localhost only, but has no access password (under FreeBSD 12).
Obviously, running with a public default port and no password is just what it is, but that's not the answer.
The only ports open on the server is SSH, 80/443 (running Apache 2.4.x) and a node service at port 3xxx, along with Mongo Express (also password protected).
There is also a MySQL server installed with no password, bound to localhost only, but that remained untouched.
It seems more likely that this is a vulnerability somewhere else, that is exploiting a non-protected local connection to mongodb.
Password protecting mongo might protect the database, but does not identify the point of access, which is worrisome.
All of my data is gone!
Well, my only action now is to close any more open connections to my DB instance. My database required a password to access (so, being passwordless was not the issue).
However, I just added a Basic Firewall to bump up the security a bit, at least, now I can assume no remote access can connect directly to my DB instance.
I followed this thread
Jump to Step Seven — Set Up a Basic Firewall part of the post.
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04
Also, you can allow only some IP addresses to your DB instances. By following the instructions at https://www.linode.com/docs/security/firewalls/configure-firewall-with-ufw/#advanced-rules
I use this personally on my main instance where I trust connections would come only from one IP.
Hope this helps someone temporarily till a better fix emerges.
Are your MongoDB password protected? if so, you can access the Database with only an IP address and the port.
If your MongoDB isn`t password protected, please do it asap! your info is exposed to everyone...
Even big companies do this mistake from time to time as well...
I am working on a project need to send periodic alive message to https server.
Because of security issue, we need to use minimal number of ports (blocking unused ports as many as we can).
I am using c++ libcurl easy interface to send https request in linux.
I have tried to use the same curl handler object (CURL object) and set CURLOPT_LOCALPORT to a port number. The first request is ok. But in the second, libcurl verbose mode said address already in use.
However, when I comment out the port set through CURLOPT_LOCALPORT, it works on second connection also, and by setting VERBOSE to 1, I can see "Re-using existing connection" print out, which is missing in version setting up local port.
And I check with linux netstat, find out that it is using the same port.
I cannot figure out why setting up local port will make it failed.
And also, I have tried to close the connection using curl_easy_cleanup, but due to tcp time_wait state, we cannot reuse the port in a while, that's not what I want.
Could anyone provide a solution or suggestion to us? Thanks a lot.
Edit
My reason using one port is not to keep opening and closing connection too much.
Because of the security issue ...
There is no security issue. You need to get over this phobia about using multiple local outbound ports. There is zero security benefit in using fewer, or in constraining them in any way.
I am using the sample of given link for ping the given list of IP
http://www.boost.org/doc/libs/1_40_0/doc/html/boost_asio/example/icmp/ping.cpp
when ever i try ping a IP i am getting this exception at the initialization time itself
Exception open: An attempt was made to access a socket in a way forbidden by its access permissions
What causing this problem?
i am running it on windows 7 64 bit
For security reasons, some systems limit the use of raw sockets to users with administrator permissions. Boost.Asio's ICMP socket implementation uses raw sockets, and thus requires the application to run with administrator permissions. The Windows documentation states:
Raw sockets offer the capability to manipulate the underlying transport, so they can be used for malicious purposes that pose a security threat. Therefore, only members of the Administrators group can create sockets of type SOCK_RAW on Windows 2000 and later.
Windows provides an IcmpSendEcho() family of functions that can be used to send and handle ICMP echo request/response without requiring administrative permissions, as the raw sockets are not exposed.
I'm developing an application in C++ for Windows 7, that sets up a TFTP server to communicate to an embedded device. The device is supposed to be connected directly to the Ethernet port, and it expects a TFTP server on 192.168.1.19 static address.
To simplify user experience, I want the following scenario:
present a list of all network connections registered in the system to the user (same list as in "Control Panel\Network and Internet\Network Connections")
allow to choose one connection
memorize its IPv4 configuration
set IPv4 configuration to 192.168.1.19 and 255.255.255.0
after TFTP job done, restore original IPv4 configuration
The problem I encountered is a mix of the following:
when no Ethernet cable plugged, neither of GetAdaptersInfo, GetInterfaceInfo, GetAdaptersAddresses list the connection I'm interested in;
even if I get that connection, I'm not sure which API to use to set DHCP on/off, static IP, network mask.
I tried using netsh, and it works fine, but I don't want to run it from my app, because I don't want to deal with non-English characters in the connection names.
Suggestions welcome,
Thanks!
===== edit #1
Tried WMI query "Select * From Win32_NetworkAdapter Where NetConnectionID = 'Local Area Connection'" -- no IP address in the feedback, although I can see it in the Control Panel connection properties.
Queries involving Win32_NetworkConnection don't return anything at all.
I ended up using:
"Select * From Win32_NetworkAdapter Where PhysicalAdapter='True' AND AdapterTypeID=0" query to list adapters/connection names/guid - works pretty good
registry to read configuration via guid
netsh to do configuration via connection name. Yes, I had much fun with locales.
I frankly didn't find a more reliable way to work with disconnected connections. Hope this helps. If anyone has better solutions - I'd be glad to see them!
Is there an existing Linux/POSIX C/C++ library or example code for how to rebind a socket from one physical interface to another?
For example, I have ping transmitting on a socket that is associated with a physical connection A and I want to rebind that socket to physical connection B and have the ping packets continue being sent and received on connection B (after a short delay during switch-over).
I only need this for session-less protocols.
Thank you
Update:
I am trying to provide failover solution for use with PPP and Ethernet devices.
I have a basic script which can accomplish 90% of the functionality through use of iptables, NAT and routing table.
The problem is when the failover occurs, the pings continue being sent on the secondary connection, however, their source IP is from the old connection.
I've spoken with a couple of people who work on commercial routers and their suggestion is to rebind the socket to the secondary interface.
Update 2:
I apologise for not specifying this earlier. This solution will run on a router. I cannot change the ping program because it will run on the clients computer. I used ping as just an example, any connection that is not session-based should be capable of being switched over. I tested this feature on several commercial routers and it does work. Unfortunately, their software is proprietary, however, from various conversations and testing, I found that they are re-binding the sockets on failover.
As of your updated post, the problem is that changing the routing info is not going to change the source address of your ping, it will just force it out the second interface. This answer contains some relevant info.
You'll need to change the ping program. You can use a socket-per-interface approach and somehow inform the program when to fail over. Or you will have to close the socket and then bind to the second interface.
You can get the interface info required a couple of ways including calling ioctl() with the SIOCGIFCONF option and looping through the returned structures to get the interface address info.
I do't think that's quite a well-defined operation. the physical interfaces have different MAC addresses, so unless you have a routing layer mapping them (NAT or the like) then they're going to have different IP addresses.
Ports are identified by a triple of <IP addr, Port number, protocol> so if your IP address changes the port is going to change.
What are you really trying to do here?
I'm not at all sure what you're trying to accomplish, but I have a guess... Are you trying to do some kind of failover? If so, then there are indeed ways to accomplish that, but why not do it in the OS instead of the application?
On one end you can use CARP, and on the other you can use interface trunking/bonding (terminology varies) in failover mode.