closing ports on Leopard


closing ports on Leopard

beaniite
My Merchant Account provider wants me to close port TCP/3306 which is  
MySQL. I have no problem with this since MySQL is only accessed  
internally.

I am running MacOS10.5.6 client and have found a software solution  
called NoobProof which is a cocoa frontend for the MacOSX firewall.

Is there any downside to this solution?
Is there another way?

Gordon



--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/



Re: closing ports on Leopard

Marc Pope
You don't really need an app to do it:
http://davidtse916.wordpress.com/2008/01/01/setting-up-the-firewall-in-mac-os-x-105-leopard/

-Marc


On Feb 23, 2009, at 11:26 AM, Gordon Nord wrote:

> My Merchant Account provider wants me to close port TCP/3306 which  
> is MySQL. I have no problem with this since MySQL is only accessed  
> internally.
>
> I am running MacOS10.5.6 client and have found a software solution  
> called NoobProof which is a cocoa frontend for the MacOSX firewall.
>
> Is there any downside to this solution?
> Is there another way?
>
> Gordon




Re: closing ports on Leopard

stevepiercy
In reply to this post by beaniite
There are lots of other ways.  You could use a cheap hardware firewall between your computer and the Internet, which is usually the best way to go.  Then you could shut off port 3306 to the outside world, while your Mac chats away over 3306 on localhost.

But other than that general suggestion, could you provide more information about your current network architecture and a budget limit?

--steve


On Monday, February 23, 2009, [hidden email] (Gordon Nord) pronounced:

>My Merchant Account provider wants me to close port TCP/3306 which is  
>MySQL. I have no problem with this since MySQL is only accessed  
>internally.
>
>I am running MacOS10.5.6 client and have found a software solution  
>called NoobProof which is a cocoa frontend for the MacOSX firewall.
>
>Is there any downside to this solution?
>Is there another way?
>
>Gordon
>
>
>

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>



Re: closing ports on Leopard

Mark Palmer
In reply to this post by beaniite
Is MySQL running locally or remotely in a data-centre somewhere?

If it's remote you'll need to consider how you're going to administer
it, unless you set your firewall up so that port 3306 is only allowed
from your local IP range.

I've not had many dealings with merchant account providers but I would
be a little prickly with them telling me how they want my hardware set
up.

Presumably payment is being passed off to a payment gateway, and you
aren't storing credit card details in MySQL.


On 23 Feb 2009, at 16:26, Gordon Nord wrote:

> My Merchant Account provider wants me to close port TCP/3306 which  
> is MySQL. I have no problem with this since MySQL is only accessed  
> internally.
>
> I am running MacOS10.5.6 client and have found a software solution  
> called NoobProof which is a cocoa frontend for the MacOSX firewall.
>
> Is there any downside to this solution?
> Is there another way?
>
> Gordon
>
>
>



Regards

Mark Palmer
E: [hidden email]
T: 01902 620500
W: www.pageworks.co.uk




Re: closing ports on Leopard

Jim VH-2
Navicat has a nice option to connect remotely to MySQL through SSH.  
That way you can close 3306 to the world while still getting in as  
long as you leave the SSH port open.

---
Jim Van Heule
Heunox Corporation



On Feb 23, 2009, at 11:48 AM, Mark Palmer wrote:

> Is MySQL running locally or remotely in a data-centre somewhere?
>
> If it's remote you'll need to consider how you're going to
> administer it, unless you set your firewall up so that port 3306 is
> only allowed from your local IP range.
>
> I've not had many dealings with merchant account providers but I
> would be a little prickly with them telling me how they want my
> hardware set up.
>
> Presumably payment is being passed off to a payment gateway, and you
> aren't storing credit card details in MySQL.
>
>
> On 23 Feb 2009, at 16:26, Gordon Nord wrote:
>
>> My Merchant Account provider wants me to close port TCP/3306 which  
>> is MySQL. I have no problem with this since MySQL is only accessed  
>> internally.
>>
>> I am running MacOS10.5.6 client and have found a software solution  
>> called NoobProof which is a cocoa frontend for the MacOSX firewall.
>>
>> Is there any downside to this solution?
>> Is there another way?
>>
>> Gordon
>>
>>
>>
>
>
>
> Regards
>
> Mark Palmer
> E: [hidden email]
> T: 01902 620500
> W: www.pageworks.co.uk
>
>
>




Re: closing ports on Leopard

Brad Lindsay-2
In reply to this post by beaniite
You can tell MySQL to start up without listening for any TCP/IP
connections with the --skip-networking option (or, if you put it in
the my.cnf, the skip_networking option):
http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_skip-networking

This will, however, create problems if local programs such as Lasso  
want to access it via a network connection.  Other than that,  
NoobProof and WaterRoof work well.

-Brad

Brad Lindsay
Programmer / Analyst
North Carolina Hospital Association
P.O. Box 4449
Cary, NC 27519-4449
919-677-4148 (phone)
919-677-4200 (fax)
[hidden email]
http://www.ncha.org


On Feb 23, 2009, at 11:26 AM, Gordon Nord wrote:

> My Merchant Account provider wants me to close port TCP/3306 which  
> is MySQL. I have no problem with this since MySQL is only accessed  
> internally.
>
> I am running MacOS10.5.6 client and have found a software solution  
> called NoobProof which is a cocoa frontend for the MacOSX firewall.
>
> Is there any downside to this solution?
> Is there another way?
>
> Gordon
>
>
>




Re: closing ports on Leopard

beaniite
In reply to this post by beaniite
Wow, thanks for the quick responses.

We are stuck with our current provider which interfaces with our  
bank. However they now require we follow the PCI Security Standards.  
I am all for security and they scan my IP once a month for  
compliance. Evidently this is being driven by the credit card  
companies or it is just another way to generate income.

Having MySQL port 3306 open is High Severity on the PCI score;
although they couldn't connect to it, they could see it.

Initially I thought the Firewall interface in Leopard was only for
applications accessible in the Applications folder. But after
selecting "Set access for specific services and applications",
shutting down and restarting, I was asked if I wanted MySQL to have
access to the network, to which I answered no. Then mysql appeared as
blocked in the firewall window, along with only the webserver, lasso8
and timbuktu having access. Also it appears that one can toggle the
ports in this window.

Another problem that arose is Apache Username Probing. This allows an
attacker to probe a system for user names via requests for user home
pages such as (http://host/~username). They suggest disabling the
userdir in apache. My question is, will this disrupt the user lasso, or
is it independent from the user directive? I think lasso is
independent from the userdir.

Gordon




Re: closing ports on Leopard

Steve Upton
In reply to this post by beaniite
At 11:26 AM -0500 2/23/09, Gordon Nord wrote:
>My Merchant Account provider wants me to close port TCP/3306 which is MySQL. I have no problem with this since MySQL is only accessed internally.
>
>I am running MacOS10.5.6 client and have found a software solution called NoobProof which is a cocoa frontend for the MacOSX firewall.
>
>Is there any downside to this solution?
>Is there another way?

Indeed.

The only reason that port 3306 is "open" is because MySQL is there answering the call.

Alter MySQL to reside on a different port and nothing will be there to respond. It will be as closed as all the other ports on that machine that don't have any services attached to them.

Most SQL clients allow the specification of an alternate port for just this purpose. If not, I have found that including the port in the URL can also work. Something like 123.345.456.567:12345

The -port nn option when launching, or port=nn in MySQL's my.cnf file, should take care of it.

regards,

Steve
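
Brad's skip-networking option and Steve's port= option both live in the [mysqld] section of my.cnf, and which one is chosen decides what an outside scan like Gordon's monthly PCI check will find. The audit script below is an added example, not code from this thread, from MySQL or from Lasso: it parses a my.cnf and classifies the server as having no TCP listener (skip-networking), a loopback-only listener (bind-address, a real mysqld option that keeps local TCP clients such as Lasso working while giving remote hosts nothing to connect to), or an exposed listener. The four configurations at the bottom are constructed samples.

```python
"""Audit a my.cnf for MySQL TCP exposure.

Added example for this thread; it is not code from the thread, from
MySQL or from Lasso. It reads the real mysqld options skip-networking,
bind-address and port and reports whether the configured server would
answer TCP connections from other hosts. The sample configurations at
the bottom are constructed.
"""
from typing import Dict, Optional

DEFAULT_PORT = 3306
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# A boolean option written as a bare name ("skip-networking") is on; these
# spellings of an explicit value are treated as on too.
ON_VALUES = {"", "1", "on", "true", "yes"}


def parse_mycnf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like my.cnf syntax into {section: {option: value}}.

    mysqld accepts '-' and '_' interchangeably in option names, so names
    are normalised to lower case with underscores. Comment lines start
    with '#' or ';' and a '#' comment may follow an option on the same
    line. !include / !includedir directives are skipped, so this audit
    only sees the one file it is given.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith(";") or stripped.startswith("!"):
            continue
        line = stripped.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # an option before any [section] header is not valid
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        sections[current][key] = value.strip().strip("\"'")
    return sections


def audit_mycnf(text: str) -> Dict[str, object]:
    """Classify the [mysqld] section as no-listener, loopback-only or exposed."""
    opts = parse_mycnf(text).get("mysqld", {})
    port = int(opts.get("port", DEFAULT_PORT))
    skip = opts.get("skip_networking")
    if skip is not None and skip.lower() in ON_VALUES:
        return {"listens_tcp": False, "exposed": False, "port": port,
                "bind_address": None,
                "finding": "skip-networking is on: mysqld opens no TCP socket, "
                           "so local TCP clients (e.g. Lasso) must use the Unix socket"}
    # Without bind-address, mysqld listens on every interface.
    bind = opts.get("bind_address", "0.0.0.0")
    if bind in LOOPBACK:
        return {"listens_tcp": True, "exposed": False, "port": port,
                "bind_address": bind,
                "finding": f"TCP/{port} bound to {bind}: local clients work, "
                           "remote hosts get no listener"}
    return {"listens_tcp": True, "exposed": True, "port": port,
            "bind_address": bind,
            "finding": f"TCP/{port} reachable on {bind}: an external scan will "
                       "see the listener whatever port number is used"}


# Constructed sample configurations, not taken from any real machine.
WEAK_CNF = """\
[mysqld]
datadir = /usr/local/mysql/data
port = 3306          # default; nothing limits which interface answers
"""

MOVED_PORT_CNF = """\
[mysqld]
port = 12345         # relocated, but still a listener on every interface
"""

SKIP_NETWORKING_CNF = """\
[mysqld]
datadir = /usr/local/mysql/data
skip-networking      # no TCP socket at all: Unix socket only
"""

LOOPBACK_CNF = """\
[mysqld]
bind-address = 127.0.0.1   # TCP stays up for localhost clients only
port = 3306
"""

if __name__ == "__main__":
    for name, cnf in [("weak", WEAK_CNF), ("moved-port", MOVED_PORT_CNF),
                      ("skip-networking", SKIP_NETWORKING_CNF),
                      ("loopback", LOOPBACK_CNF)]:
        verdict = audit_mycnf(cnf)
        print(f"{name:16s} exposed={verdict['exposed']!s:5s} {verdict['finding']}")
```

Run with no arguments to print the four verdicts. The moved-port sample is there to show that a relocated listener is still a listener: a scan finds it on 12345 instead of 3306, whereas skip-networking or a loopback bind-address leaves nothing for it to find. The audit reads only the file it is handed, so anything pulled in through !includedir is not checked.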



Re: closing ports on Leopard

Wade Maxfield
In reply to this post by beaniite
On 24/2/09 7:42 AM, Gordon Nord wrote:

>
> Another problem that arose is Apache Username Probing. This allows an
> attacker to probe a system for user names via requests for user home
> pages such as (http://host/~username). They suggest disabling the
> userdir in apache. My question is will this disrupt the user lasso or is
> it independent from the user directive. I think lasso is independent
> from the userdir.
>
> Gordon
>

You'll need to make some changes to your httpd.conf for this.  First
make sure the userdir_module is commented out (somewhere near line 111
on a stock install)

#LoadModule userdir_module libexec/apache2/mod_userdir.so

Then comment out (near line 459)

#Include /private/etc/apache2/extra/httpd-userdir.conf

and lastly add

Include /private/etc/apache2/users/*.conf

at the end of the file, if it isn't already there.

That should disable the ~username while keeping lasso going.

  - Wade
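
Wade's three edits are easy to get half-done by hand (one line commented, the other missed), and a UserDir directive left active after the module is unloaded stops httpd from starting. The script below is an added example, not code from this thread or from Apache: it checks an httpd.conf text for the state Wade describes and can apply the three edits itself, treating directive names case-insensitively as Apache does. It only reads the text it is given, so directives living in included files are not seen. The sample httpd.conf is a constructed abbreviation of the stock Leopard layout; only the userdir lines mirror Wade's post.

```python
"""Check and apply the httpd.conf changes that turn off mod_userdir.

Added example for this thread; not code from the thread or from Apache.
It works on the three lines Wade quotes for a stock Leopard httpd.conf.
The sample httpd.conf below is constructed.
"""
import re
from typing import Dict, List

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+userdir_module\s", re.I)
USERDIR_INCLUDE_RE = re.compile(r"^\s*Include\s+\S*httpd-userdir\.conf\s*$", re.I)
USERS_INCLUDE_RE = re.compile(r"^\s*Include\s+/private/etc/apache2/users/\*\.conf\s*$", re.I)
USERDIR_DIRECTIVE_RE = re.compile(r"^\s*UserDir\s", re.I)
USERS_INCLUDE_LINE = "Include /private/etc/apache2/users/*.conf"


def is_comment(line: str) -> bool:
    return line.lstrip().startswith("#")


def active_lines(conf: str) -> List[str]:
    return [l for l in conf.splitlines() if not is_comment(l)]


def audit_userdir(conf: str) -> Dict[str, bool]:
    """Report whether ~username lookups are still enabled by this file."""
    lines = active_lines(conf)
    module_loaded = any(LOADMODULE_RE.match(l) for l in lines)
    userdir_conf = any(USERDIR_INCLUDE_RE.match(l) for l in lines)
    users_conf = any(USERS_INCLUDE_RE.match(l) for l in lines)
    userdir_directive = any(USERDIR_DIRECTIVE_RE.match(l) for l in lines)
    return {
        "userdir_module_loaded": module_loaded,
        "userdir_conf_included": userdir_conf,
        "users_conf_included": users_conf,
        "userdir_disabled": not module_loaded and not userdir_conf,
        # A bare UserDir directive with the module gone is an unknown
        # directive, and httpd refuses to start on it.
        "userdir_directive_without_module": userdir_directive and not module_loaded,
    }


def disable_userdir(conf: str) -> str:
    """Apply Wade's three edits; running it a second time changes nothing."""
    out: List[str] = []
    for line in conf.splitlines():
        if not is_comment(line) and (LOADMODULE_RE.match(line)
                                     or USERDIR_INCLUDE_RE.match(line)):
            out.append("#" + line)
        else:
            out.append(line)
    if not any(USERS_INCLUDE_RE.match(l) for l in out if not is_comment(l)):
        out.append(USERS_INCLUDE_LINE)
    return "\n".join(out) + "\n"


# Constructed abbreviation of a stock Leopard httpd.conf; the other
# modules are placeholders, only the userdir lines mirror Wade's post.
STOCK_HTTPD_CONF = """\
Listen 80
LoadModule authz_host_module libexec/apache2/mod_authz_host.so
LoadModule userdir_module libexec/apache2/mod_userdir.so
LoadModule php5_module libexec/apache2/libphp5.so

# User home directories
Include /private/etc/apache2/extra/httpd-userdir.conf
Include /private/etc/apache2/other/*.conf
"""

if __name__ == "__main__":
    print("before:", audit_userdir(STOCK_HTTPD_CONF))
    fixed = disable_userdir(STOCK_HTTPD_CONF)
    print("after: ", audit_userdir(fixed))
    print(fixed)
```

The per-user files under /private/etc/apache2/users/ hold Directory blocks rather than UserDir directives, which is why Wade's last step can keep including them after the module is gone; the userdir_directive_without_module flag is for the case where someone has added a UserDir line elsewhere in the main file.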



