• Welcome, Guest. Please login.
 
October 25, 2021, 08:43:09 PM

News:

Welcome to the SQLitening support forums!


Security

Started by D. Wilson, February 06, 2016, 07:08:09 PM

Previous topic - Next topic

D. Wilson

One question I have and maybe those who have studied the code. Is security. How secure is SQLitening we are not utilizing a User Name/ Password.

Does the server just accept calls from the dll or can other query the port.

Any Insight or suggestions in securing the server would be appreciated.

Bern Ertl

I'm not entirely sure I understood your question, but SQliteningServer will respond to any correctly formed request.  Bad ones are supposedly logged and ignored:

http://www.sqlitening.com/support/index.php?topic=2581.msg12950#msg12950

cj

February 08, 2016, 12:35:17 PM #2 Last Edit: February 08, 2016, 12:37:51 PM by cj
There is no login with SQLitening which is probably the question.
This information will probably be of no benefit to you.
That does not mean SQLitening is not secure.

If somebody has a login dialog it would make a nice addition.

Addresses/ports can be greatly restricted with firewall/router.
SQLitening  just ignores invalid attempts with
LogConnDcon=No in [FACT] to not fill log.

If someone knows SQLitening they need:
IP address, Port, Database location/name, database password if used.


CreateDatabaseAllowed=no               do not allow creating databases
[FACT]
something/something/sample.db3=Goffy   bizare location and set password

Client needs to know how to pass location and password to server.
Packets sent over the internet can be encrypted/compressed using slExeBind
which is a topic in its own.

D. Wilson

That answers most of my questions/concerns. I wanted to know if there was measures to prevent unwanted users to send sql commands to the server.

cj

Suggestions:
Do not compile encryption key into program.
Do not compile open password into program
Modify accepted ip address ranges in firewall/router

Some Select statements with where= will not work with encryption and compression so I am going to add a few
equate statements to enable safe packets between client and server without encrypting database.