ACL for OpenStack dashboard security - security

I am trying to find a way to secure the OpenStack dashboard from a DoS attack using ACLs. If there is a way, how do I do it?

ACLs are for controlling access to files in a file system, not network access. So, basically, ACLs will not help you here.
What you need is a firewall or packet filter in front of your Horizon instance.

Related

How to Prevent External Service Interaction (DNS)

What is the meaning of remediation of vulnerabilities, and how do I implement it? Please advise. Thank you.
(1) It is recommended to implement a whitelist of permitted services and hosts, and block any interactions that do not appear on this whitelist.
(2) It is recommended to block network access from the application server to other internal systems, and harden the application server itself to remove any services available on the local loopback adapter.
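One way to apply recommendations (1) and (2) at the point where the application makes an outbound request, as an added example that is not part of the original post. The allowlist entries, function names and the injected `resolve` callback are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of (host, port) pairs the application may contact.
ALLOWED = {("api.partner.example", 443), ("updates.vendor.example", 443)}

# Loopback, RFC 1918, link-local and IPv6 local ranges the server must not reach.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so a mapped address cannot bypass the IPv4 ranges.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED)

def check_outbound(url, resolve, allowed=ALLOWED):
    """Return (ok, reason). resolve(host) -> list of IP strings (injected)."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme not permitted"
    host = (parts.hostname or "").lower().rstrip(".")
    # Allowlist check comes first: no DNS query is made for unlisted names.
    if (host, port) not in allowed:
        return False, "destination not on allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if is_internal(addr):
            return False, "resolves to internal address " + addr
    return True, "ok"

def sample_resolver(host):
    # Constructed DNS answers so the example runs offline.
    return {"api.partner.example": ["203.0.113.10"],
            "updates.vendor.example": ["10.0.0.5"]}.get(host, [])

if __name__ == "__main__":
    for u in ("https://api.partner.example/v1", "https://unlisted.example/x",
              "https://updates.vendor.example/", "https://api.partner.example@127.0.0.1/"):
        print(u, check_outbound(u, sample_resolver))
```

The same policy should also be enforced by egress firewall rules on the application server, since a check in application code only covers requests that pass through it.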

Set a password for an Azure public-IP

I would like to add security (e.g. a login with a password) for the public IP of my Azure VM. Otherwise everybody could, e.g., deploy smart contracts via the cakeshop links or turn the Ethereum nodes off and on.
Does anybody know how to do it?
It seems that you cannot set a password for the public IP. But you can set the password for the VM. For the security of the VM, you can use the Azure Network Security Group to filter the traffic. For more details, see Filter network traffic with a network security group.
For more security to the VM, you can try the Identity of Azure AD. Take a look at this Configure managed identities for Azure resources on a VM. Hope this will help you.
There is no such thing as a password for a public IP; a public IP is just a resource assigning IPs to a network interface, nothing more.
If you are hosting an application in Azure it is up to you to make sure this is secure. Ideally, this would be done through authentication at the application layer, to prevent users from being able to do anything in the application without authenticating. If your application does not provide this then you may want to take a closer look at your application and whether it is fit for purpose.
If application level authentication is not possible then you could look at adding authentication at the application server level, be this Apache, IIS, Tomcat etc. You would need to look at the appropriate documentation for your application server.

Minimum Network Accessibility for IIS Web Server

I work in a very large, bureaucratic organization and I'm trying to pitch a simple (local) web interface to my team. Given extensive firewall and domain security, I am wondering if this is even possible.
My question is: From a network security perspective, what might prevent IIS from allowing connections from other users on my network?
I believe IIS uses port 80 for default traffic, but it isn't listed as "Listening" when I run netstat -a through command prompt. I do have other ports listening but my fear is they are strictly monitored. Our organization also restricts connectivity between users to shared directories, so I'm wondering if that impacts anything like Windows Authentication in IIS.
I have very little network security experience so thank you in advance to anyone who can shed some light on this!
what might prevent IIS from allowing connections from other users on my network?
local firewall (GPO)
more GPOs regarding IIS or services in general
switch ACLs
switch port privacy
firewall rules
If your company has a network service policy you shouldn't try to circumvent it. It might put your job in danger.

Securing a Solr cloud?

I have to prove my SolrCloud is secure.
From my understanding of what I am reading, I can secure the Solr instances talking to each other via basic authentication and SSL, which is great: it's secure, it works.
However, I can't see anything that will allow me to secure Zookeeper - or am I mistaken? Is there anything in an open Zookeeper that will allow a malicious user on my internal network to "hack" my SolrCloud, or is it the case that Zookeeper doesn't have anything that needs to be hidden?
Regarding securing ZooKeeper, you may want to check ZooKeeper access control using ACLs link.
At Measured Search, for our customers who are using our Solr-as-a-Service platform, we allow them to restrict access to Zookeeper with IP filtering. They can either specify a specific IP address or a CIDR (range) that can have access to Zookeeper.
http://docs.measuredsearch.com/security/
That way, they can secure their Solr instances independently of Zookeeper.

AWS Virtual Private Cloud Security Groups based on MAC address

We currently have an Amazon VPC containing several instances, all using the same security group.
Unfortunately, we have off-site staff who connect to our network via VPN. These users have an elastic IP address, meaning we're finding it tough to give them reliable access via the security group.
Does anyone know of a way of giving access via MAC address? It's the only solution I can think of other than arranging for them to have static IPs. Any ideas? Haven't been able to find a thing elsewhere online!
Cheers,
Per the security group documentation, only IP addresses/networks in CIDR notation and security group IDs are permitted as rules. You cannot use DNS, nor is there a straightforward way to allow access from a dynamic IP address such as in the case of your off-site staff.
You could set up a jump/bastion host in your VPC, harden it properly, allow access from everywhere to that jump host, and then allow that jump host to access your other instances in the VPC.
Alternatively, Dome9 offers a nifty service that adds an extension to users' browsers to permit temporary access. Basically you authorize Dome9 to make changes to your security group. The user clicks the browser extension, Dome9 changes the security group to allow access from that user's IP address for some amount of time, and removes the rule when the time is up.
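The time-limited rule pattern described in the answer above can be sketched as follows; this is an added example, not part of the original answer and not Dome9's code. It assumes the expiry is stored in the rule description under a `temp-until=` prefix (a convention invented here) and only builds the `IpPermissions` structures that would be passed to the EC2 `authorize_security_group_ingress` and `revoke_security_group_ingress` calls.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

TAG = "temp-until="            # assumed convention for marking temporary rules
FMT = "%Y-%m-%dT%H:%M:%SZ"

def grant(ip, port, now, minutes=60):
    """Build IpPermissions that admit one IPv4 host on one TCP port."""
    addr = ipaddress.IPv4Address(ip)   # raises ValueError on hostnames and CIDR ranges
    until = (now.astimezone(timezone.utc) + timedelta(minutes=minutes)).strftime(FMT)
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": f"{addr}/32", "Description": TAG + until}]}]

def expired(group, now):
    """Build IpPermissions to revoke: tagged ranges whose expiry has passed."""
    revoke = []
    for perm in group.get("IpPermissions", []):
        stale = []
        for rng in perm.get("IpRanges", []):
            desc = rng.get("Description", "")
            if not desc.startswith(TAG):
                continue               # permanent rule: never touched
            until = datetime.strptime(desc[len(TAG):], FMT).replace(tzinfo=timezone.utc)
            if until <= now:
                stale.append({"CidrIp": rng["CidrIp"]})
        if stale:
            entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            entry["IpRanges"] = stale
            revoke.append(entry)
    return revoke

# Constructed sample in the shape of one describe_security_groups entry.
SAMPLE_GROUP = {"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [
        {"CidrIp": "10.0.0.0/16", "Description": "office VPN"},
        {"CidrIp": "198.51.100.7/32", "Description": TAG + "2024-01-01T11:00:00Z"},
        {"CidrIp": "203.0.113.9/32", "Description": TAG + "2024-01-01T13:00:00Z"}]}]}

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(grant("198.51.100.20", 22, now, minutes=30))
    print(expired(SAMPLE_GROUP, now))
```

Running the cleanup on a schedule, and restricting the identity that runs it to this one security group, keeps a forgotten temporary rule from becoming a permanent opening.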
