gigascience / gigadb-website

Source code for running GigaDB
http://gigadb.org
GNU General Public License v3.0

Figure out if production database server is reachable from the BGI network #636

Open rija opened 3 years ago

rija commented 3 years ago

It will help automate the script if we can.

This task is part of Story #617

pli888 commented 3 years ago

After logging into the BGI VPN using GlobalProtect, it is possible to access the production database server from a terminal without having to go through the smoc website:

$ psql -h xxx.xxx.xxx.xx -p xxxx -U username dbname
Password for user username:
psql (9.4.26, server 9.1.17)
Type "help" for help.

dbname=> \conninfo
You are connected to database "dbname" as user "username" on host "xxx.xxx.xxx.xx" at port "xxxx".

Given it's not possible to SSH into the same server without going through the SMOC website, being able to access psql on the production server is surprising, which suggests this is a security hole. It's possible they might close the PostgreSQL port in the future. We should report this security hole too. Perhaps we can request specific access for us to complete story #617.

rija commented 3 years ago

Hi @pli888,

I can understand why they'd block the ssh port.

Maybe they will be more inclined to satisfy a request from us for a specific application port instead.

I also wonder whether the PostgreSQL port being open (I guess it's the default 5432 one) is a security hole or the result of such request being made and the knowledge of which got lost (maybe jesse requested it?)

In any case, it seems the next step is to approach the BGI tech team and enquire about an application port to be opened for PostgreSQL without going through smoc and see what they reply?

pli888 commented 3 years ago

In any case, it seems the next step is to approach the BGI tech team and enquire about an application port to be opened for PostgreSQL without going through smoc and see what they reply?

Ok, I will ask @kencho51 to open an ITSM ticket to inform BGI that port 5432 is open and ask for another application port to be opened to access PostgreSQL without having to go through smoc.

kencho51 commented 3 years ago

Hi @rija and @pli888 ,

For any port or firewall issues, the request should be made in BGI OA systems. When I logged into that system and selected the psql service, port 5432 was selected by default and no customised port number was allowed. So, I think someone has gone through the process and the port 5432 in this issue was then opened.

pli888 commented 3 years ago

I think we can move #636 to the Under Review column now. @kencho51's investigation suggests port 5432 on the production server was opened on purpose and I have shown that this port allows the PostgreSQL server to be reachable from the BGI network.