To summarize: - No SQL server needs to be accessible over the network except in the event of a 'special case' (e.g., an externally-hosted web front end). - No other ports but 8002 in a standard or default ROBUST configuration need be accessible to the viewer-based end user. - The keys were removed by consensus because they provided *no* security.
Joshua: Use the similar settings in the OpenSim.ini file, the one's in the Region.ini file should be removed. Cheers James/Hiro http://SimHost.com On Mon, Oct 8, 2012 at 3:01 AM, Joshua Rubeck <[email protected]> wrote: > Thanks for the info guys, that was very helpful. One of the other things > we were having issues with is the MaxPrims setting in the region INI files. > Clearly this setting is available, however it does not appear to work. I am > sure on my grids this is not an issue after all OpenSimulator is usually > used to eliminate many of the restrictions SL has. However for us we are > trying to follow the same style of region and prims counts as SL for the > sole reason that it appears to be more cost effective in terms of > resources. I mean we can have more regions on Server A if each region is > limited to 15k prim, where as Server B can only host a few safely without > thos limitations. Any idea how to make sure the software enforces the max > prim limitations? > > > On Sun, Oct 7, 2012 at 10:12 PM, Tom Haines <[email protected]> wrote: > >> Blocking port 8003 on the firewall to block unauthorized regions doesn't >> work if you have an external organization that hosts a region server that >> connects to your grid and has OpenSim users both NATing to the same IP >> address. And situations like this tend to pop up for political, and not >> technical reasons, which means there is little recourse for the grid >> operator. >> >> I've considered SSH tunneling for the 8003 connection, but have not had a >> chance to experiment. >> >> And to confirm, there is no communication directly between viewer and SQL >> server. The database will, and should be run unexposed to the end user. >> >> >> On Sunday, October 7, 2012, wrote: >> >>> Further to this i understand there should be no reason for a normal >>> viewer >>> to talk directly to the SQL server. It is all done via the simulator. >>> >>> As such it would be feasible to set your SQL server to only allow your >>> OpenSim users to authenticate from servers you run (usually by IP or >>> FQDN). There should always be a focus on security but I would imagine all >>> these factors would make it at least very difficult for someone to >>> casually connect a simulator to your grid even without additional >>> authentication in OpenSim. >>> >>> >>> >>> > unless there have been profound recent changes in the OS services >>> > connectors structure that i've failed to notice (which is QUITE >>> > possible), all end-user accessibility is handled by port 8002 and the >>> > rest (connection services) is governed by port 8003 (in a standard >>> > ROBUST based grid setup). therefore, placing :8003 behind your >>> firewall >>> > (thus preventing 'unauthorized' outside users from attaching to your >>> > grid services) should not interfere with public/open access via viewers >>> > on :8002 which would remain outside the firewall. afaik, this is the >>> > only reliable and in my experience completely effective solution to the >>> > problem. >>> > >>> > i also believe the security key function was removed by concensus as it >>> > didn't provide any hardcore security. >>> > >>> > hope this helps and is remotely correct in it's technical assumptions - >>> > or at least follows the path your concerns and argument were headed... >>> > >>> > - core >>> > >>> > On 10/7/2012 11:50 AM, Tom Haines wrote: >>> >> I disagree that this should not be considered a concern. Under this >>> >> security model, anyone with the information to connect to the grid as >>> >> a user has enough information to connect a region to the grid. >>> >> >>> >> I am concerned with this as an operator of an educational grid. We >>> >> offer our services to students and educators with the understanding >>> >> that we can limit the objectionable content they would be exposed to >>> >> in SL or other public OpenSim grids. Obviously if anyone can connect >>> >> their own regions without authorization from the grid operators, our >>> >> ability to offer this service is compromised. >>> >> >>> >> I know there were pass keys used in the past to authenticate regions, >>> >> but I believe this functionality has been removed. I haven't seen >>> >> anything on the website regarding this. I've read before that >>> >> firewalls are the best defense, but this is untenable, since our usage >>> >> requirements demand controlled access by region operators, but open >>> >> access to end users from heterogeneous network environments. >>> >> >>> >> Could someone weigh in with the official line on this? >>> >> >>> >> On Sunday, October 7, 2012, Fleep Tuque wrote: >>> >> >>> >> Hi Josh, >>> >> >>> >> As far as I know, in order to connect a region to your grid, >>> >> someone would need to know all the connection details and unless >>> >> you provide that information, I'm not sure how anyone would know >>> >> how to or be able to connect to your grid. FleepGrid has been >>> >> running for nearly 2 years and I've never seen any attempts to >>> >> connect a rogue region as far as I know, so I'm not sure it's much >>> >> of a concern. >>> >> >>> >> I'll let someone with more knowledge of the possible configuration >>> >> options address any .ini settings that you might be able to use to >>> >> disable region connections, but if this is a security issue or >>> >> problem, it's the first I've heard of it. >>> >> >>> >> Sincerely, >>> >> >>> >> - Chris/Fleep >>> >> >>> >> Chris M. Collins (SL/OS: Fleep Tuque) >>> >> Center for Simulations & Virtual Environments Research (UCSIM) >>> >> UCIT Instructional & Research Computing >>> >> University of Cincinnati >>> >> 406A Zimmer Hall >>> >> 315 College Drive >>> >> PO BOX 210088 >>> >> Cincinnati, OH 45221-0088 >>> >> [email protected] <javascript:_e({}, 'cvml', >>> >> '[email protected]');> >>> >> (513) 556-3018 >>> >> >>> >> http://ucsim.uc.edu >>> >> >>> >> On Sun, Oct 7, 2012 at 9:52 AM, Joshua Rubeck >>> >> <[email protected] <javascript:_e({}, 'cvml', >>> >> '[email protected]');>> wrote: >>> >> >>> >> Okay so here is a question for everyone. Myself and a few >>> >> others are setting up a grid for public use, but we do not >>> >> want other people to be able to connect their regions on a >>> >> home based computer to our grid. One of my friends remembers >>> >> that there used to be a setting that would prevent an >>> >> opensimulator instance from connectiong to robust without >>> >> authentication but I cannot find that in the configuration >>> >> files. Is there a configuration that allows us to run a public >>> >> grid without other people being able to connect their regions >>> >> to our gird. >>> >> _______________________________________________ >>> >> Opensim-users mailing list >>> >> [email protected] <javascript:_e({}, 'cvml', >>> >> '[email protected]');> >>> >> https://lists.berlios.de/mailman/listinfo/opensim-users >>> >> >>> >> >>> >> >>> >> >>> >> _______________________________________________ >>> >> Opensim-users mailing list >>> >> [email protected] >>> >> https://lists.berlios.de/mailman/listinfo/opensim-users >>> > >>> > _______________________________________________ >>> > Opensim-users mailing list >>> > [email protected] >>> > https://lists.berlios.de/mailman/listinfo/opensim-users >>> >>> >>> _______________________________________________ >>> Opensim-users mailing list >>> [email protected] >>> https://lists.berlios.de/mailman/listinfo/opensim-users >>> >> >> _______________________________________________ >> Opensim-users mailing list >> [email protected] >> https://lists.berlios.de/mailman/listinfo/opensim-users >> > > > _______________________________________________ > Opensim-users mailing list > [email protected] > https://lists.berlios.de/mailman/listinfo/opensim-users > -- =================================== http://simhost.com http://twitter.com/jstallings2 http://www.linkedin.com/pub/5/770/a49
_______________________________________________ Opensim-users mailing list [email protected] https://lists.berlios.de/mailman/listinfo/opensim-users
