PullMeOut
Posted: Wed Nov 05, 2008 9:00 am Post subject: IP Level Blocking
Novice
Joined: 03 Apr 2007 Posts: 11 Location: India
Hi All,
My queue manager should not take any messages coming from a particular IP address. I would like to block that IP address.
How can we achieve this?
Please come out with your ideas.

Vitor
Posted: Wed Nov 05, 2008 9:16 am Post subject: Re: IP Level Blocking
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
PullMeOut wrote:
My queue manager should not take any messages coming from a particular IP address. I would like to block that IP address
Queue managers don't take messages from anything. They accept connections, either from applications or other queue managers.
I'm assuming you want to prevent connections from a given IP address or address range. You might want to consider something like BlockIP or a similar security strategy to control access.
If you want to prevent a connection from another queue manager at that address, secure the channel!
_________________
Honesty is the best policy.
Insanity is the best defence.

mqjeff
Posted: Wed Nov 05, 2008 9:49 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
This is what firewalls are for.
MQ Security of any kind starts with the basics of computer security: network firewalls and proper OS user management.
After you have secured both the network layer and the OS layer, then you should look at security in the MQ layer.

rajn27
Posted: Thu Nov 06, 2008 8:45 am Post subject:
Newbie
Joined: 28 Oct 2008 Posts: 7
You can use the BlockIP2 software; it is pretty good for allowing/denying based on the IP of the machines, user ID and tons of other stuff.

hopsala
Posted: Sat Nov 08, 2008 4:25 am Post subject:
Guardian
Joined: 24 Sep 2004 Posts: 960
It may be worth noting that IPs are very easily forged, and as such blocking IPs is a very poor way of protecting yourself from break-ins.
If you want to secure your servers, you need to use OAM and SSL channels with certificates. There's no other way.

JosephGramig
Posted: Sun Nov 09, 2008 6:49 am Post subject:
Grand Master
Joined: 09 Feb 2006 Posts: 1244 Location: Gold Coast of Florida, USA
And SSL will only restrict the group of folks that can hack at your QMGR unless you cleverly use Peer Filtering. You need to secure every inbound channel whether you think it is being used or not.
QMGRs by default are open to anonymous administration and it is up to the MQ administrator to implement security measures.
IMHO, self-signed certificates with SSL are better than nothing.
Search on the topic and you will get an idea of what you need to do. Here is one: http://www.mqseries.net/phpBB2/viewtopic.php?t=44542&highlight=ssl

jeeth_m
Posted: Tue Nov 11, 2008 3:26 am Post subject:
Voyager
Joined: 21 Jan 2002 Posts: 93
Can't a channel security exit be used for this purpose? I remember using it in my previous project but do not know the exact detail.
It used to be a C program which refers to a hash file which has the list of allowed IPs and its Qmanager. We used it to secure cluster channels rcvr channels. This had to be put on both queue managers for it to communicate to each other.
Jeeth

Vitor
Posted: Tue Nov 11, 2008 4:04 am Post subject:
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
If you're going to use a channel exit, you'd be better off using SSL. Easier to maintain and use.
_________________
Honesty is the best policy.
Insanity is the best defence.

jeeth_m
Posted: Tue Nov 11, 2008 8:13 am Post subject:
Voyager
Joined: 21 Jan 2002 Posts: 93
I agree with you. It used to be a pain.
|
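
Added example, not posted by any participant in the thread: MQSC definitions illustrating the advice above about SSL channels with certificates, peer filtering, and securing every inbound channel. The channel name, Distinguished Name, CipherSpec (which must be one your MQ version supports and must match on both ends) and the 'nobody' user ID are assumptions made for illustration.

```mqsc
* Added example; every name and value below is constructed.
* Scenario: QM2 receives messages from QM1 on channel QM1.TO.QM2.

* Weak: any host that can reach the listener and knows the channel
* name can start this receiver. No encryption, no partner check.
DEFINE CHANNEL('QM1.TO.QM2') CHLTYPE(RCVR) TRPTYPE(TCP) REPLACE

* Hardened: SSLCIPH turns on SSL/TLS, SSLCAUTH(REQUIRED) makes the
* partner present a certificate, and SSLPEER (peer filtering) accepts
* only a certificate whose Distinguished Name matches the pattern.
* Without SSLPEER, any certificate the key repository trusts gets in.
DEFINE CHANNEL('QM1.TO.QM2') CHLTYPE(RCVR) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=QM1,OU=Messaging,O=ExampleCorp') +
       REPLACE

* Inbound channels that are not used still accept connections.
* Give the default ones an MCAUSER with no MQ authority ('nobody'
* is assumed here to be such an ID on this host).
ALTER CHANNEL('SYSTEM.DEF.SVRCONN')   CHLTYPE(SVRCONN) MCAUSER('nobody')
ALTER CHANNEL('SYSTEM.AUTO.SVRCONN')  CHLTYPE(SVRCONN) MCAUSER('nobody')
ALTER CHANNEL('SYSTEM.DEF.RECEIVER')  CHLTYPE(RCVR)    MCAUSER('nobody')
ALTER CHANNEL('SYSTEM.AUTO.RECEIVER') CHLTYPE(RCVR)    MCAUSER('nobody')
ALTER CHANNEL('SYSTEM.DEF.REQUESTER') CHLTYPE(RQSTR)   MCAUSER('nobody')

* Check the result.
DISPLAY CHANNEL('QM1.TO.QM2') SSLCIPH SSLCAUTH SSLPEER
DISPLAY CHANNEL('SYSTEM.*') CHLTYPE MCAUSER
```

The sending side needs the same SSLCIPH on its end of QM1.TO.QM2 and a certificate whose DN matches the SSLPEER pattern, issued by a CA that QM2's key repository trusts.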