Hi. As is becoming more common, one of our customers recently had a security audit.
Vulnerability: Sybase Adaptive Server Anywhere (ASA) Ping The remote Sybase SQL Anywhere / Adaptive Server Anywhere database is configured to listen for client connection broadcasts, which allows and attacker to see the name and port that the Sybase SQL Anywhere / Adaptive Server Anywhere server is running on. Service: - CVSSv2: AV:N/AC:L/Au:N/C:P/I:N/A:N (Base Score:5.00)
Remediation Action: Switch off broadcast listening via the ‘-sb’ switch when starting Sybase.
What is the downside (if any) of using the -sb switch?
Should I recommend another switch, or include the -sb in a group of other switches?
asked 25 Feb '12, 10:51
What version are you using?
I can't give any security recommendations - just tell about the "downside" in terms of changes needed for client apps:
AFAIK, when using -sb 0 ("stealth mode"), clients connecting over TCP/IP must specify the TCP/IP address in the connection string (or SQL CONNECT information) in order to be able to connect to the server.
In case the server is not using the default port (2638), you will also have to add the port number to the HOST connection parameter or add the PORT protocoll option.
In contrast, using "-sb 1" won't affect client connection logic but prevent the server from react to dblocate. However, I haven't checked whether it will stop reacting on port scans.
Just to add: Using NETSTAT -a, the UDP port is still visible locally - independent of the -sb setting - tested with 220.127.116.1154...