Make socket accept requests only from specific clients

Question

I've got a server that handles requests from a client to a sql database. The server accepts requests and gives responses in json. I have written the code for the server and the client, and everything is working. While this is for an internal tool only, I have concerns that some people may try to bypass the client and send their own json messages to the server to potentially manipulate data on the sql database.

I'm not a security guru, so here's my question. What would be the proper method to go about ensuring that the server only accepts requests from the client I wrote, regardless of the machine or IP it's running on?

My initial thought is that I should be encrypting messages between the server and client, so if someone tries to spoof the connection with an unauthorized client they won't have the proper encryption. I also realize I should put authentication on the server side, but that means passing around credentials so the messages should be encrypted anyway. If there is a more accepted way of doing this, I would love to know. If not, links to tutorials would be appreciated.

As the tags state, this is on linux in c++. While I'm sure there's probably some open source library out there that does exactly what I want in all things, I'm pretty restricted as to what libraries I can actually use.

Thanks!

Answer 1

The de-facto standard for securing network communication is TLS (transport-layer security). It both encrypts and signs a TCP stream without actually exchanging private keys over the network. This prevents MITM and replay attacks and makes it possible to verify authenticity of the server and/or the client by either checking that their certificate is signed by a trusted party (CA) or simply by storing the hash of it (fingerprint) beforehand. Alternatively, TLS can be used only to encrypt traffic, and a plain password to authenticate clients.

There aremany open-source libraries that implement TLS. One popular one is OpenSSL .

Answer 2

I present you some filtering and protection measures of lower level which will complement other software measures (TLS, SSL, ...)
As the server is local, access will only be possible by local clients. This allows you to apply filtering by:

• IP adress
  when a client connects (on the accept() function of your server) you have a structure indicating your client's IP address . You can reject it ip address is not in the list of authorized IP adresses.

• Hostname
  If a DHCP is activated, you can use nslookup command to get hostname (name of the machine). You can reject connections that come from a hostname that does not belong to your trusted list.

 nslookup xxx.yyy.zzz.www // Give you the hosname of adresse

• Mac address
  With the arp , you can get the MAC address (physical) of the Client's network card. You can reject it if its MAC address does not belong to your trusted list.

 arp -a

Remarques

• This requires you to manage explicitly trust lists of: IP addresses, MAC, Hostname, ...
• I remind that these measures can be applied only on a local network and can be applied as a complement to other softwar security protocols