Programming Forums
Jan 11th, 2007, 1:38 PM   #1
BinarySurfer
Java Server

I'm thinking about making a Java server for a series of clients to connect to. All that it is supposed to do is relay the incoming strings to the other clients. It was brought to my attention that it can be hacked and who knows what else can happen afterwards. Is running this server a hacker's dream or an overstatement?
Jan 11th, 2007, 1:51 PM   #2
Arevos
Um... It depends entirely how you go about implementing it.

The only things I can think of that would make this insecure is whether you need to keep track of who is sending which string, and whether you care that the strings could be intercepted.

Both of these problems can be solved relatively easily.
Jan 12th, 2007, 12:09 PM   #3
BinarySurfer
I don't intend to keep track of anything and the strings aren't sensitive, it just allows connection with the proper password, and sends whatever other strings come its way to the other clients.
It was also brought to my attention that allowing the server through the firewall leaves my computer vulnerable through the port it uses because it's exposed/open. Is that true?
Jan 12th, 2007, 2:18 PM   #4
Arevos
Quote:
Originally Posted by BinarySurfer
I don't intend to keep track of anything and the strings aren't sensitive, it just allows connection with the proper password, and sends whatever other strings come its way to the other clients.
If it has a password, and you don't want unauthorised people to access it, then you'll need some encryption. There are a number of Java libraries out there that provide good crypto, and quite a bit of functionality in the standard Java libraries. If you look around, you may even find a system that does most of the work for you - encrypting network data streams is a very common problem.

Quote:
Originally Posted by BinarySurfer
It was also brought to my attention that allowing the server through the firewall leaves my computer vulnerable through the port it uses because it's exposed/open. Is that true?
I don't know who you're talking to, but at best, we're only talking about potential vulnerabilities. Opening a port and running a server off it doesn't magically make your system vulnerable. You need to first screw something up, and your program seems simple enough that this would be relatively difficult.

I'll give you an example of a potential vulnerability that a program could have, just so you have some idea of what makes a system vulnerable to attack. Let's say you've made a file server, which people can use to download files off you. You probably don't want to give them access to your entire hard drive, so you limit them to a single directory, like so:

String filenameUserRequested = getFilenameFromUser();

String filenameOnDisk = "C:\\My Shared Folder\\" + filenameUserRequested;

At first glance, this may look okay. But what if someone requests a file called "..\\My Private Folder\\My_bank_account_password.txt". The ".." at the beginning will cause the operating system to skip up a folder, so:
C:\My Shared Folder\..\My Private Folder\My_bank_account_password.txt
Is the same as:
C:\My Private Folder\My_bank_account_password.txt
Oops! The user has escaped the shared folder, and is now loose on your filesystem. He can now read any file you have on your hard drive, which from a security point of view, is a disaster.

But there's nothing magical about how the attacker broke in. All the attacker can do is to try and trick your server with strange inputs. A key rule of computer security is to always check your user's data thoroughly. This may sound simple, but it's one of the prime causes of computer vulnerabilities. Again, I should emphasise that hackers aren't magicians; they break into servers by capitalizing on your mistakes.

However, your system is simple, and you don't appear to need to let the users access files on the hard drives or anything like that. This vastly reduces the points at which a malicious user might gain entry. The more features a server has, the more points where mistakes can be made, and more points where vulnerabilities could potentially show. However, assuming you also use some encryption to guard your, it's safe to say that it shouldn't be too hard to make your server more-or-less utterly impregnable.
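An added example, not part of the thread or of any poster's code: the concatenation pattern from post #4 beside a hardened resolver that normalises the requested name and rejects anything that ends up outside the shared folder. The class name, the method names and the "shared-folder" root are hypothetical, and the sample requests are constructed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SharedFolderResolver {
    // Hypothetical share root standing in for the post's "C:\My Shared Folder".
    static final Path SHARE_ROOT = Paths.get("shared-folder").toAbsolutePath().normalize();

    // The pattern from the post: concatenate and trust the result.
    static Path resolveUnchecked(String requested) {
        return Paths.get(SHARE_ROOT + File.separator + requested).normalize();
    }

    // Hardened form: normalise first, then require the result to stay under the root.
    static Path resolveChecked(String requested) throws IOException {
        Path candidate;
        try {
            // resolve() returns 'requested' itself when it is absolute; the check below rejects that too.
            candidate = SHARE_ROOT.resolve(requested).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("malformed file name", e);
        }
        // Path.startsWith compares whole path elements, so "shared-folder-2" does not pass as a prefix.
        if (!candidate.startsWith(SHARE_ROOT)) {
            throw new IOException("request escapes the shared folder");
        }
        // normalize() is purely lexical; if the share may contain symlinks, also compare toRealPath().
        return candidate;
    }

    public static void main(String[] args) {
        String sep = File.separator;
        String[] requests = {   // constructed sample requests
            "notes.txt",
            ".." + sep + "My Private Folder" + sep + "My_bank_account_password.txt",
            "docs" + sep + ".." + sep + ".." + sep + "shared-folder-2" + sep + "x.txt",
        };
        for (String r : requests) {
            System.out.println("request:   " + r);
            System.out.println("unchecked: " + resolveUnchecked(r));
            try {
                System.out.println("checked:   " + resolveChecked(r));
            } catch (IOException e) {
                System.out.println("checked:   rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first request passes the checked resolver; the other two are rejected because their normalised paths no longer start with the share root.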
Jan 12th, 2007, 3:24 PM   #5
BinarySurfer
Ah, I see. Thank you! That definitely cleared up a lot of confusion.
DaniWeb IT Discussion Community