sjordi

Securing RAD Server


Anyone here with RADServer setup experience?
I'd like to find some advice or resources on how to secure the Server besides the SSL certificates and usual Apache/NGinx stuff.

It would be more on how to avoid anyone being able to hack into the server and change/get data just by using the URL.

 

Using DataSource parameters is a good way to avoid escaping all URL characters and avoiding SQL injection.

Found that: https://blogs.embarcadero.com/tech-tip-how-do-i-secure-rad-server-for-production-deployment/

 

But besides that? It seems to me, without practicing, that passing everything via the URL is a wide open door to guess what could be other URL keywords, variables, etc...

I want to make sure that calls are, in a way, logged in with credentials before accessing anything and get answers from the server.

That kind of thing. I read David I's hands-on RadServer document, but it's more focused on how to use it for REST than on actually securing it.
Thanks for any help and lights on RadServer deployment.

My Delphi web servers have an IP blocked list which hackers get automatically added to based on several criteria: any path with filters .php, .pl, /,,, ;echo, mysql, etc., since there is no CGI or Perl or MySQL on the site, and also if they access pages by IP address instead of the correct domain name using SSL. I also block Tor exit nodes, to try and stop IP-blocked users using alternate access.

 

Blocked IP addresses are cleared from the list 24 hours after their last access, and any accesses have a response delayed by one minute, to try and slow down the avalanche of requests hackers make, often hundreds a minute. Currently 179 IP addresses are blocked on my main site.

 

Angus

 

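The blocklist behaviour Angus describes (auto-listing on suspicious paths or IP-literal Host headers, a Tor exit-node set, expiry 24 hours after the last access, and a one-minute response delay for listed clients) can be sketched as follows. This is an added illustration, not Angus's Delphi code; the path patterns, the hostname check, the `Blocklist` class and the Tor set are assumptions, and how the exit-node list is obtained is out of scope.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

BLOCK_TTL = 24 * 3600   # entries expire 24 h after the client's last access
BLOCKED_DELAY = 60      # seconds to hold the response for a listed client

# Constructed path criteria: a site with no CGI, Perl or MySQL has no reason
# to receive these, so they are treated as scanner traffic (assumed list).
SUSPICIOUS_PATH = re.compile(r"(\.php\b|\.pl\b|;echo|mysql)", re.IGNORECASE)
# Host header that is a bare IPv4 literal instead of the site's domain name.
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")


@dataclass
class Blocklist:
    # ip -> timestamp of the client's most recent access
    last_seen: Dict[str, float] = field(default_factory=dict)

    @staticmethod
    def suspicious(host: str, path: str) -> Optional[str]:
        if SUSPICIOUS_PATH.search(path):
            return "path"
        if IP_HOST.match(host):
            return "host"
        return None

    def check(self, ip: str, host: str, path: str, now: float,
              tor_exits: FrozenSet[str] = frozenset()) -> Tuple[bool, int, Optional[str]]:
        """Return (blocked, delay_seconds, reason) for one request."""
        # Drop entries whose last access is older than the TTL.
        for stale in [k for k, t in self.last_seen.items() if now - t > BLOCK_TTL]:
            del self.last_seen[stale]

        if ip in tor_exits:
            reason: Optional[str] = "tor"
        elif ip in self.last_seen:
            reason = "listed"
        else:
            reason = self.suspicious(host, path)

        if reason is None:
            return False, 0, None
        # Refresh the timestamp so the 24 h clock restarts on every access.
        self.last_seen[ip] = now
        return True, BLOCKED_DELAY, reason
```

The caller is expected to sleep for the returned delay before answering, so the slow-down does not block the checking logic itself.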
Thanks, that sounds like a beefed-up fail2ban feature.
I'll see what I can do with filtering and the good idea of the IP address instead of the name.
2 hours ago, Angus Robertson said:

My Delphi web servers have an IP blocked list which hackers get automatically added to based on several criteria: any path with filters .php, .pl, /,,, ;echo, mysql, etc., since there is no CGI or Perl or MySQL on the site, and also if they access pages by IP address instead of the correct domain name using SSL. I also block Tor exit nodes, to try and stop IP-blocked users using alternate access.

 

Blocked IP addresses are cleared from the list 24 hours after their last access, and any accesses have a response delayed by one minute, to try and slow down the avalanche of requests hackers make, often hundreds a minute. Currently 179 IP addresses are blocked on my main site.

 

Angus

 

How do you tell it is a Tor client?

13 hours ago, Angus Robertson said:

I also block Tor exit nodes

Those who use it to break through blocks on their side will say many "thanks".

This particular web site is aimed at the UK market and has little interest for those outside the UK, it contains information about UK telephone and broadband networks. Some information is free but limited, businesses pay for access. 

 

But some users try multiple IP addresses to get around my counting accesses against IP addresses, and Tor is easy for them (I assume). I just went through the 50,000 accesses sequentially in my database to find Tor exit nodes.

 

I did accidentally block access to British Telecom at the same time, got a phone call from their network people asking why their staff could no longer access my site (for free)...

 

Angus
