Are there any DDOS mitigation services that are free or at least cheap that can protect port 25565? - server

I'm running a Minecraft server on one of my old computers. I'm planning on opening it to the public but I want to first secure everything. I bought a domain for the server and tried to use Cloudflare but apparently Cloudflare only protects ports 80 and 443 https://i.stack.imgur.com/mxQOw.png. I haven't been able to find a free or at least cheap proxy that could protect port 25565 which is the port that the server runs on.

I don't believe there are any free services for that. The closest is Cloudflare, but that's only for HTTP traffic like you said.
However, just quite recently they've released Spectrum, which allows you to proxy any TCP/UDP port, which means you can proxy your game server ports through it (source). It's not cheap though. Spectrum is only available for paid plans, and it's charged on a usage basis.

There is a Cloudflare product but I think there are also other cheaper alternatives you can find by Googling.

Related

Pingfederate SSO on port 9031

Why do SSO providers like Ping Federate run on ports that aren't well-known, like 9031? Does this enhance security? It seems like it just increases connectivity issues in organizations with strict firewall rules.
That's just a default semi-random port so that it doesn't clash with existing services on the same machine and is a high port so that the server can run under a non-privileged user account.
For production usage one would typically change it to 443 and/or run a reverse-proxy/loadbalancer in front of the SSO server (on port 443).
Generally security is managed at the perimeter of a network. For deployments I have been involved in, port 443 is predominately used for SSO (e.g. PingFederate) at the perimeter. For the internal network, I have seen two models, mainly (i) change the HTTPS port in PingFederate to 443, or (ii) utilize load balancer port forwarding from 443 to 9031. I usually see item (i) for Windows deployments and item (ii) for Linux deployments where reserved ports are avoided. There really isn't a true security enhancement for either pattern.
As Hans points out, PingFederate utilizes 9031 as a default so that conflicts with other processes on a server are avoided when first deploying the technology. As the SSO capability matures into an environment, the proper port for the service can be managed. The default port avoids issues when first installing that can be frustrating to folks new to the technology.

socketio4net-problems with proxy

I have been asked to take over a project where the previous developer had used socketio4net,
hence I learnt of the socketio4 project only now.
The problem my employer is facing is clients having proxy servers.
We have installed our product (client side), which uses socketio4net and WebSocket, at clinics.
They all connect to our main Azure server for sending data. In clinics without a proxy, we are not facing any issues, but in those with a proxy server, our service is not even starting.
If we have to implement the SSL process, it will be a big overhead for us.
How do we achieve SSL and proxy settings for sockets in general? Does socketio4net provide any other options?
Do I have to change to HTTP classes like WebClient?
In my experience with proxies, and schools in particular, the vast majority turned out to be a firewall-based issue.
What port are you using, 80, 443 or something else? If that is the issue, the clinics would need to either whitelist your server ip, or allow the ip:port combo you've set.
For a quick test at the clinics that have issues - I would try these two sites (probably others sites you can find too):
http://websocketstest.com/ - tests for ports 80, 8080, 443 with and without ssl - do all or only some work?
(this site is also great for an end user at the site to run for you, as you can get a results link - double bonus points!)
http://www.websocket.org/echo.html
Are both of the sites above able to connect?
Hope that helps...

Security level after enabling Telnet

After enabling the telnet service in Windows XP Pro SP2, how is the security level of the system affected?
Will it be easier to get infected by a virus or worm attack?
First and foremost if you need remote access you should always consider SSH over telnet in almost every situation. If you can't because of automated robots connecting over telnet only then you have to live with that, but other than that you should always use SSH.
By enabling telnet service you've provided yet another vector of attack for outside attackers. Telnet has to known weakness because of the way it's architected, but there could be implementation defects specific to the windows service that could allow attackers to gain access. You'll need to do some research to figure out what vulns exist on the telnet service for windows.
SP2 is pretty old so you'll want to apply all security patches so you're up to the latest. Not doing so could allow an attacker thru another vector whether you're running telnet service or not. In the big picture this question only makes sense to ask after you've upgraded your machine to the latest security patches. Does turning on telnet service expose you to any known vulnerabilities for which a patch doesn't exist? That would have to be researched.
Now there are some concerns you should have about using telnet. One, telnet doesn't encrypt passwords, so if someone were to get behind your firewall they could potentially sniff the traffic going to that machine and get the root password because telnet sends passwords in the clear. That could mean any computer on your network could see admin passwords. Telnet should not be accessible to the internet because of this. You should also be very careful about wifi access as well. Make sure you are using WPA or some sort of protection from random people connecting into your network. Otherwise anyone could see your passwords in the clear just by driving by. So I'll assume telnet is turned on and is behind a firewall or VPN, not accessible to a public wifi. If that's the case the potential threats are much lower since telnet can't be reached but by someone with access to your internal network. At this point you've lowered your exposure to just the people who have access to that network. That means how well does your VPN/firewall protect you? If your telnet port is open on the firewall then you're not protected. But, if it's safely behind one or both of those you could get away with running it. But bear in mind that your security is hinging on the security of your firewall/VPN in that case.

How to stop routers blocking traffic within a network?

I have an iPhone app which relies on connecting via the local network to a server running on a user's mac/pc.
The server is running an http service on port 8080
I already add exceptions to the default windows firewall, or the default mac firewall to ensure traffic is allowed to reach my app.
However the most common customer issue is that the iPhone can't communicate with the server.
Normally this is the network router blocking traffic - though sometimes the user is running their own firewall which blocks the traffic.
Is there a protocol which will let me say something to the effect of
'will all the firewalls on this network, please allow communication to <an ip> on <a port> if the traffic originates within this network?'
I have looked into UPnP - but that seems to concentrate on opening a port to the outside world which I don't want to do.
Suggestions?
Thanks in advance.
No, there is no such way or protocol aside from UPnP. And I wouldn't recommend it anyway because in company networks it would cause all sorts of problems and security issues if this were possible.
I'd suggest that you set up a FAQ entry or installation section for your software where you describe this common issue and give details to the customers how they can detect and solve this problem.
In general, higher ports (above 8000 or 16000) are not blocked or firewalled. I would seriously consider allocating a random port in that range.
Also, consider advertising your service with Bonjour. Using Bonjour has the nice side-effect that your iPhone app does not have to know the port number. It can simply browse the network for available servers. If there is just one then connect to that, otherwise present the user with a list to choose.
Is there any way to run the server on port 80? You're likely to encounter fewer issues on a standard port.

EC2: can I host an http server there?

Does anyone have experience deploying GWT apps to EC2?
If I were to install tomcat or apache on a ec2 instance, could I have users connect directly to a url pointing there?
Would that be cost effective, or would java hosting services be best?
Is there any downside to hosting the edge HTTP server on a regular hosting service and have that direct requests to EC2? Performance ever an issue here?
Other answers are correct but I just wanted to share the fact that we are developing a product that is 100% EC2/S3 based and also have a pure GWT front end.
We use maven2 for builds and the excellent gwt-maven plugin. This makes it easy to produce a WAR package of our web application as output. We use Jetty but Tomcat would work just as well.
We have pound (an HTTP accelerator/load balancer) running on the VM listening for http & https, which then forwards requests to lighttpd (static) or jetty (app). This also simplifies SSL certificates because pound handles SSL. I've found Java servers have always been a pain to configure with SSL certs.
Yes, you can host pretty much whatever you want, as you effectively have a dedicated Linux machine at your command.
As I last recall, the basic rate for an EC2 instance, on their "low end box" worked out to around $75/month, so you can use that as a benchmark against other vendors. That also assumed that the machine is up 24x7 (since you pay for it by the hour).
The major downside of an EC2 instance is simply that it can "go away" at any time, and when it does, any data written to your instance will "go away" as well.
That means you need to set it up so that you can readily restart the server, but also you need to offline any data that you generate and wish to keep (either to one of Amazon's other services, like S3, or to some other external service). That will incur some extra costs depending on volume.
Finally, you will also be billed for any traffic to the service.
The thing to compare it against is another "Virtual Server" from some other vendor. There are a lot of interesting things that can be done with EC2, but it may well be easier to go with a dedicated Virtual hosting service if you're just using a single machine.
Others have given good answers. I would have to add that you need to spend programmer time getting to know EC2's quirks and addressing them (e.g. with EBS). It's not completely trivial, and though it is useful knowledge to have and may be worth it for that reason alone, if you want to get up and running quickly with just a few servers, you should probably look at other hosted options.
On the other hand, if you plan to scale up massively enough (eventually hosting many servers on EC2) then I would highly recommend it. You have to architect a few things, but you need to do that anyways. The flexibility of on-demand computing, and the generally low price, makes this a killer platform once you reach a certain scale of operation.
You definitely can host an http server in EC2, but you need to take into consideration the following:
As mentioned before, the cost can be much higher than alternative hosting solutions.
Your instance (the machine you've started in EC2) can go off unexpectedly. There is no guarantee from Amazon for 24x7 availability. This means that the data you've stored in local storage will be lost, and when you start a new instance, it will get a new IP.
To successfully host a server in EC2, you therefore need to employ some other services from Amazon. You need Elastic IP, so that you can circumvent the new IP address problem. You can also use Elastic Block Storage. This is a service that will allow you to mount in your machine a disk, that will not go away when your instance is lost.