5 Replies Latest reply on Aug 12, 2012 11:30 AM by jbertram

Are the IP addresses of clients to a HornetQ server safe from unauthorised discovery?

johnr Aug 12, 2012 12:48 AM

Assuming that a VPS and HornetQ server are properly set up, what is the likely risk that a client IP address could become known to an outside party? I.e. is it possible for a user to modify a client application, or for an intruder to view logs, or query the server, or in some other way obtain information about the IP addresses of any past or present clients of the HornetQ server?

I realise that no computer system is perfectly safe and there are many factors involved, I'm just asking for some indication of the likely risks. Thanks.

1. Re: Are the IP addresses of clients to a HornetQ server safe from unauthorised discovery?

ataylor Aug 10, 2012 5:07 AM (in response to johnr)

HornetQ discovery just uses UDP for discovery so this is really a question for your network administrator
Actions
2. Re: Are the IP addresses of clients to a HornetQ server safe from unauthorised discovery?

johnr Aug 12, 2012 1:06 AM (in response to ataylor)

Thanks for your reply!

Are you certain that this is the only way that HornetQ interacts with client IP addresses?

For instance, this feature request https://issues.jboss.org/browse/HORNETQ-18 is asking for the logging of client IP addresses by HornetQ and it is marked as 'done'. So has this feature been removed or disabled? If not, how does one disable it? And could threre be other such 'features' that may present a security leak?
Actions
3. Re: Are the IP addresses of clients to a HornetQ server safe from unauthorised discovery?

ataylor Aug 12, 2012 3:44 AM (in response to johnr)

yes of course the server has access to the client IP addresses and yes in some cases they will be logged, but if an intruder has access to the server or the machine then obviously this info will be available, i dont see how this is different to any other piece of sofyware, its yor responsibilty to configure security on HornetQ and the network itself as to not allow this.
Actions
4. Re: Are the IP addresses of clients to a HornetQ server safe from unauthorised discovery?

johnr Aug 12, 2012 4:40 AM (in response to ataylor)

I'm sorry that I seem to have annoyed you - but thank you for finally answering it.

So your first answer was wrong.

The correct answer is that the HornetQ server may in some instances log the IP address of clients.

BTW yes I do realise that there are many other ways that an intruder could learn the IP addresses (which I am considering and dealing with in turn). I wasn't asking about the security of the WHOLE setup, but ONLY about the HornetQ related aspects. Of course the rest is my responsibility - I wasn't asking about that - only about HornetQ! Thank you for your answer...
Actions
5. Re: Are the IP addresses of clients to a HornetQ server safe from unauthorised discovery?

jbertram Aug 12, 2012 11:30 AM (in response to johnr)

I believe it is also possible to get the IP addresses of current clients via the various management interfaces (e.g. JMX, core API, etc.) so you'll certainly want to secure those appropriately.

To be fair to Andy, I don't believe his answer was wrong. He was just answering your question from the perspective of client discovery. I think that perhaps signals got crossed because you both used discovery in different contexts.

Also, it's important to note that we haven't performed any kind of audit against this kind of attack vector.
1 of 1 people found this helpful
Actions

Go to original post