Can you suggest ways to choose a localhost port on which I will be able to run my application?

Asked by AnnaBall in SQL Server, Asked on Dec 23, 2021

What are the best practices for choosing a port on localhost and, if that's possible, how can I secure it? On Wikipedia, I read that "In computer networking, localhost is a hostname that refers to the current device used to access it. It is used to access the network services that are running on the host via the loopback network interface. Using the loopback interface bypasses any local network interface hardware."

Answered by Anna Ball

To choose a localhost port, if your server binds to localhost (that's 127.0.0.1 for IPv4, and/or ::1 for IPv6) then only clients running on localhost should be able to access it. If you want to restrict connections to local programs, make sure your server binds to one of those loopback addresses, and definitely not 0.0.0.0 or :: (which denote all interfaces). If someone with unauthorised access can run software which can connect to the localhost loopback device, you might have a much bigger problem. I'm going to assume this isn't a problem, meaning unless you're sharing your computer with others, you're safe to just bind to 127.0.0.1 and/or ::1 and be done with it.

You might be sharing your computer with others, i.e. running a shell service, which means you're giving out access to your system. In this case, the ability of one of your (hopefully trustworthy) users to connect to loopback-bound services should be one of the least of your concerns. When you let other people behind your firewall, and into your userland, you give them the ability to probe your entire network! Your router, your printer and any phones you have connected to your network can also run software, and these devices can be much more difficult to secure than your server.

You should consider sandboxing such users using virtualisation such as KVM, Xen, etc., giving them their own virtual environment (including a virtual network interface) to play in and thus giving you the ability to install a firewall on that virtual network interface.

"What are the best practices for choosing a port on localhost (if that's already a practice not so bad) and, if that's possible, securing it?"

Again, inbound connections from a non-loopback interface should not be able to connect to sockets listening on a loopback interface. If your OS allows such a connection, it's either grossly misconfigured, or it's Windows XP, Service Pack 1a or below (which is itself a separate problem). Your main concern should be preventing untrusted users from running code directly in your userland, so if you're sharing your computer with other people, as the administrator, you should sandbox those other people and maintain a fine-grained approach to what external stuff they can see. Assuming they're sandboxed, they can only communicate with your host via a virtual network interface, so again, they can't connect to 127.0.0.1 or ::1-bound services on the host, but they might be able to scan your network, still…
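The bind-to-loopback advice above, as an added Python example that is not part of the original answer: it lets the OS pick a free port on 127.0.0.1 (port 0) and audits the resulting listener so a wildcard bind (0.0.0.0 or ::) is flagged. The helper names (`listen_on_loopback`, `audit_listener`, `is_loopback_bind`) are hypothetical, written for this illustration.

```python
"""Added example (not from the original answer): choose a free loopback port
and verify the listener is bound to 127.0.0.1 / ::1, not to all interfaces.
All helper names here are hypothetical, written for this illustration."""
import ipaddress
import socket

# Wildcard addresses: a socket bound to one of these accepts connections
# arriving on every interface, which is exactly what the answer warns against.
WILDCARDS = {"0.0.0.0", "::"}


def is_loopback_bind(addr: str) -> bool:
    """True only if addr is a loopback address (127.0.0.0/8 or ::1)."""
    if addr in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def listen_on_loopback(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Open a TCP listener on a loopback address.

    port=0 asks the OS for any free ephemeral port, which sidesteps clashes
    with well-known or registered ports. A non-loopback host is refused so
    the listener can never accidentally become reachable from the network.
    """
    if not is_loopback_bind(host):
        raise ValueError(f"refusing to bind non-loopback address {host!r}")
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    return s


def audit_listener(s: socket.socket) -> dict:
    """Report the address/port a listening socket actually bound to and
    whether it is loopback-only (the check to run on any local service)."""
    bound = s.getsockname()
    addr, port = bound[0], bound[1]
    return {"addr": addr, "port": port, "loopback_only": is_loopback_bind(addr)}


if __name__ == "__main__":
    srv = listen_on_loopback()
    print(audit_listener(srv))
    srv.close()
```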
