LDAP address book with password entry - linux

I installed OpenLDAP on my Ubuntu server and realized that the address book is publicly accessible without a password. That is, anyone who knows the values ou=,dc=,dc= can connect to it and get the data of all employees (email addresses, phones, etc.).
Task
Put the address book behind some kind of authentication (for example, by password). Employees use mail clients such as Mozilla Thunderbird, BAT!, and Outlook.
Setting up a firewall and restricting access by IP address is not an option, because employees must be able to connect to it from any IP address.
Are there any options to protect and hide access to the employees' address book?
P.S. I have heard that Kerberos provides some kind of authentication, but I am not familiar with it and could not find information on this either.
Thank you in advance.
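The usual way to close this hole on an OpenLDAP server is in slapd's own access control rather than in the firewall: keep the `userPassword` attribute reachable for the bind operation so employees can log in, make every other attribute readable by authenticated users only, and refuse anonymous binds altogether. The LDIF below is an added example, not part of the question or of OpenLDAP's documentation. It assumes a cn=config deployment (the default on Ubuntu) with the address book in `olcDatabase={1}mdb`; older releases name the same entry `olcDatabase={1}hdb`, and each employee is assumed to have an entry with a `userPassword` attribute that they bind with.

```ldif
# Added example, not from the original post. Assumes cn=config and an mdb
# backend at olcDatabase={1}mdb (use {1}hdb on older Ubuntu releases).
# Apply as the local root with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif

# 1. Database ACL, evaluated in order.
#    Rule {0}: the password attributes may be changed by their owner and used
#    by anonymous clients only to authenticate ("auth"), never read.
#    Rule {1}: everything else is readable by authenticated users only.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by users read
  by * none

# 2. Global settings: reject anonymous binds and require an authenticated
#    session before any directory operation (bind itself stays allowed).
dn: cn=config
changetype: modify
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcRequires
olcRequires: authc
```

After applying it, an unauthenticated `ldapsearch -x -b dc=example,dc=com` (base DN assumed here) should be refused instead of listing entries, while the same search with `-D uid=alice,ou=people,dc=example,dc=com -W` (an assumed employee DN) returns the address book. Thunderbird, Outlook and similar clients then need the employee's own DN and password entered as the bind credentials for the LDAP address book. Note that a simple bind sends the password in the clear unless the client uses STARTTLS or ldaps://, so once a server certificate is in place, adding `olcSecurity: simple_bind=128` to `cn=config` makes slapd refuse password binds over unencrypted connections.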

Related

"Remember me" feature based on ip address

I'm new to user authentication and related digital security issues, so I would like to know if the way I'm doing things is ok. Currently the way my server "remembers" users is based solely on the IP address they have logged in from. If they check the remember me option, I store that IP in the database and from then on, every time that machine enters the website, I check if that IP is associated with one of my users. If so, I log them in.
What is good or bad on that approach?

fallback for limiting web application access to certain ip addresses

We develop a web application.
There is a user login and a user area for the customers of a certain company.
And there is an agent/office login and area for some employees of the company who manage user account handling and so on.
The office agent has to login with his username and password.
But additionally, for security reasons, we will limit the agent/office login and area for specific IP addresses (as seen in other applications).
But we would like to have a "fallback" for certain situations where, for example, a web developer of the application needs access to the office area and does not have one of the special IP addresses.
So far we have not had many ideas.
We thought of providing access when there is a very special user-agent string with a hash value.
Has anybody implemented such security mechanisms and can tell me about it?
Thanks a lot in advance

How to log in to my website from specific IP address?

I've just started using MVC5 and I want to make my website available just for a specific IP address, so I check the client IP address using the following:
Request.UserHostAddress;
I have two users who access my website, and each one has to access it from a specific IP address, so I need your help on how to do this. Note that I use the default user authentication from MVC.
Every single support word is appreciated.

Can I restrict website access to specific computers?

I realize that mac addresses or machine ids aren't transferred over the internet, however, I would like to lock down our subscription-based website security so that only specific computers can register and have access to its resources.
Large organizations will subscribe to our service and will undoubtedly have more than one ip for their organization. As well, we'd like to give the ability for their qualified employees to access the website on devices outside of their physical organization (for road-trip presentations, etc.).
Is there a sure-fire way to achieve this end (beyond the username/password assigned to each account)? If not, what would be the most effective approach?
Instead of restricting access via IP, you want to use something that's actually secure.
Username and password over an HTTPS connection should at least be unsniffable, but you might want to look into client SSL certificates. They can be configured in Apache or other web server software. If username/password authentication is not enough, this is the next (and perhaps final) step up.
UPDATE:
That said, what many application providers will do is provide a method for subscribers to implement an ACL for their accounts. You can even force people to consider their ACL before allowing them to access your services. Think of it this way:
An account is set up in your system allowing login from anywhere. Upon creation, the ACL is UNSET.
User logs in and is immediately directed to an ACL setup page, where they must provide either an IP address or range or subnet associated with their account. You can be clever and pre-populate things with their existing IP address or subnet, perhaps even looking things up at ARIN to see if their IP is in a network assigned to the company name on their account.
Once the ACL is set (or they have, despite your warnings, confirmed that they want to keep their ACL open), they can access your services.
If they try to log in from elsewhere, they (and you) are notified via email (or SMS or whatever) of an attempted breach.
If they no longer have access to their ACL-listed IPs (i.e. IP renumbering due to a new upstream Internet provider and bad planning), they can call your phone support who will validate them by other means. FAX confirmation perhaps, because that's SO secure...
A user-managed ACL is not a "sure-fire" way, but it may be sufficiently effective for your needs, and it will certainly instill a sense in your customers that you have their best interests at heart.
There is no sure-fire way. That's in the nature of networks. You accept data from a remote machine and you have to trust it at least to some extent.
Take the simple username/password approach. If the username and the password match, you have to trust that they were entered by the person that the username and password were intended for. This does not fundamentally change if you require more data to be sent by the client.

Website login Security system double-check: ip-based whitelisting, via already-in-system email addresses

I've had to secure a website administrative login system recently, and wanted to get some second opinions on the method that I'm using, since security tends to benefit from second opinions.
Implementation details: Linux, Debian, MySQL, PHP
IP whitelisting system
Parts:
in-database: username, password, email, IP address, IP whitelist
provided by user: username, password
provided by client: current IP address
In addition to requiring a correct username and password, the IP of the system that you are connecting from has to be whitelisted to allow login. Thus the logic of the system cascades like this:
if IP not whitelisted: you cannot log in, you must verify that IP.
Verify your current IP: Go to a page, put in a username, you get a "We will verify that username [someUsername] if it exists and you will receive an automated email for that account directly." A verification email is emailed to the email on file for that account, if it exists and is active. Otherwise it will just display the message and do nothing.
Verification email: simply has a link with a private key that matches the key in the verification database, links to the site, and the linked page verifies the IP for that record in the database.
if IP whitelisted: once whitelisted, correct username/password combinations are accepted for login as normal, incorrect ones are rejected.
That is the system. It seems slightly similar to the method that banks use to verify devices, though not identical, so perhaps it needs refactoring. Any advice?
My only suggestion would be to use Golden Questions versus Emails. Emails are easily compromised.
If you aren't familiar with Golden Questions it is where you get the user to import X amount of Questions and Answers. The first time they log on you randomly get them to answer some subset of them, if they do it correctly you can white-list. The process repeats each time they log on using a new IP.
Some added benefits are a faster user experience and less interruption (they don't have to wait for an email before being allowed access).