Topic: Is it possible to Hack a Server with all incoming ports closed? (Read 2862 times)

cp1
hero member
Activity: 616
Merit: 500
Stop using branwallets
If you're securing more than $1000 you should get a real security person, not rely on free advice from the off-topic forum.
hero member
Activity: 518
Merit: 500
Trust me!
I guess it depends on what you want to achieve and what is actually running on that server. If it turns out that the server runs something that allows you to execute Turing complete stuff, preferably as root... Well, then you've hacked it I guess.
legendary
Activity: 1120
Merit: 1000
1 - Hire the impossible mission squad to get physical access to your server. Or just an ISP guy that appears to solve a malfunction in your internet connection.

2 - Go below the network layer.
legendary
Activity: 882
Merit: 1000
It's possible to hack any server. Even servers without internet access. Jumping the air gap has been done before and will be done again.
newbie
Activity: 32
Merit: 0
Quote
Hey Guys, can anyone tell me if it's possible to hack a server with all incoming ports closed?

Keep in mind that there is more in the world of networks besides TCP+UDP, for example ARP, ICMP, DHCP, ...
They don't run over IP, so they don't care about your IP-port-related settings.

In addition: Your machine IS talking to the outside. And you say that you are relying on SSL to provide confidentiality, integrity and authenticity.
Is your SSL-library bullet-proof? Can you trust your domain name resolution? Are you validating SSL certificates at all? How secure is your certificate verification mechanism? When did you update that system and fetch the latest certificates, and do you know that they really were not tampered with?
And what about physical access to the machine? Is it a virtual machine? How secure is the host? Is it hosted by a different company? What about their access-restrictions for administration purposes?
And don't limit the meaning of "hacking". Think of an attack that can crash your whole system, or block it due to DoS-attacks. Everything that makes your business lose money "hurts".

...

legendary
Activity: 1330
Merit: 1001
Allow bitcoind only to one ip address.
full member
Activity: 168
Merit: 100
neha,

What you can do is have a forward facing server, that is connected to the outside for the port you need to receive the blockchain.

Then you have your second server connected via VPN on a non-public IP, 10.0.0.1, then route connections through the outside server.

This is one way to reduce risk.

Yes, that's a possibility, but I guess we are not that worried about the blockchain connections as they don't pose any risk and moreover it's better that our node connects to multiple different nodes. But thanks for your input.
member
Activity: 101
Merit: 10
neha,

What you can do is have a forward facing server, that is connected to the outside for the port you need to receive the blockchain.

Then you have your second server connected via VPN on a non-public IP, 10.0.0.1, then route connections through the outside server.

This is one way to reduce risk.
full member
Activity: 168
Merit: 100
Yeah... that's what I was thinking, but all the traffic is SSL routed other than the Bitcoin blockchains. Moreover, I don't even think people using the service in future will even be able to determine the IP address of the main server, but again, we want to be sure. Anyway, please let me know if anyone can think of anything.

We will be announcing the service soon now after we get the result of pen testing and will open it to a few testers. Thanks everyone.
sr. member
Activity: 518
Merit: 250
That's the point. As we have all the ports closed, we really can't figure out what else to do. You specify rules when you have some incoming ports open, but with all the ports closed, we would like some sort of advice. We will be getting a pen testing done next week but we wanted to do whatever we can by then to ensure we can pass. Any advice would be appreciated. We are running jboss, bitcoind, armory and mysql on the server with no requirement for any incoming port.

Thanks.

With all ports closed, there's not much attacking the machine - it has to be connected to the network or at least a router.
An attacker could potentially get access to the router and do some packet sniffing, i.e. a MITM attack - not sure if they'd get anything from that in this case though.
full member
Activity: 168
Merit: 100
That's the point. As we have all the ports closed, we really can't figure out what else to do. You specify rules when you have some incoming ports open, but with all the ports closed, we would like some sort of advice. We will be getting a pen testing done next week but we wanted to do whatever we can by then to ensure we can pass. Any advice would be appreciated. We are running jboss, bitcoind, armory and mysql on the server with no requirement for any incoming port.

Thanks.
sr. member
Activity: 518
Merit: 250
So that's what I am asking, other than closing ALL the incoming ports, what else can be done to prevent hacking? Anything?

Look for which software stack you are running, look for exploits for your system, if there are updates - install them.
Install a firewall, iptables or something along those lines - monitor every request to your system, FreeBSD style :)
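
Alongside the firewall advice in the post above, a useful host-side check is to confirm which of the services named in this thread (jboss, bitcoind, mysql) are bound to non-loopback addresses, since those become reachable if a firewall rule is ever lost. This is an added example, not part of any post; the `ss` output is a constructed sample and the port-to-service mapping is an assumption based on common defaults.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not taken from the thread).
# Assumed default ports: 3306 mysql, 8080 jboss, 8332 bitcoind RPC,
# 8333 bitcoind P2P, 68 DHCP client, 9990 jboss management.
SAMPLE_SS = """\
tcp   LISTEN 0      151        127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:8332       0.0.0.0:*
tcp   LISTEN 0      128             [::]:8333          [::]:*
udp   UNCONN 0      0       10.0.0.5%eth0:68        0.0.0.0:*
tcp   LISTEN 0      128            [::1]:9990          [::]:*
"""

def split_endpoint(endpoint):
    """Split ss 'addr:port' into (address, port); handles [v6] and %iface."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)

def exposed_listeners(ss_output):
    """Return (proto, address, port) for sockets not bound to loopback only."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # skip headers, blank lines and other socket families
        addr, port = split_endpoint(fields[4])  # column 5 is Local Address:Port
        if addr == "*":
            addr = "0.0.0.0"  # some ss versions print '*' for a wildcard bind
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            exposed.append((fields[0], addr, port))  # unparseable: report it
            continue
        if not ip.is_loopback:
            exposed.append((fields[0], addr, port))
    return exposed

if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE_SS):
        print(f"{proto} {addr}:{port} is protected only by the firewall")
```

On a live host, feed the function the output of `ss -H -tuln` instead of the sample; anything it reports should either be rebound to 127.0.0.1 or be a listener you can justify.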
full member
Activity: 168
Merit: 100
So that's what I am asking, other than closing ALL the incoming ports, what else can be done to prevent hacking? Anything?
sr. member
Activity: 333
Merit: 250
Commander of the Hodl Legions
What is the rest of your stack? Do you have app servers? Web servers?

The best thing you can do is put your bitcoind server in an AWS VPC or similar...

As for "hackable", everything is hackable... you can put smart barriers so the "thieves" desist tho. But definitely there's nothing like a 100% secure system.
full member
Activity: 168
Merit: 100
We have all the incoming ports closed and the bitcoind is still working and we are able to transmit transactions (in testnet). Thus, we want to be sure if we do keep the incoming ports closed, then will it create any problems?

Also, for our application we don't require any ports open. Please advise.
full member
Activity: 210
Merit: 100
bitcoind requires port 8333 (by default) to be open for connecting to other nodes, so outgoing TCP connections will need to be allowed for syncing with the blockchain. Other than that, I believe you can close down all the other ports if you're not planning on using bitcoin-json-rpc at all.

Only granting exclusive access to a database of whitelisted IP-addresses is always a great way to lock things down. 
full member
Activity: 168
Merit: 100
Hey Guys, can anyone tell me if it's possible to hack a server with all incoming ports closed?

Also, does bitcoind require any incoming ports to be open?

Thanks.