I'm looking into using log4net in my VB.NET WinForms applications and ASP.NET websites. I'd like to have log messages sent to a server across the internet to centralize my logs (right now I'm either logging locally for installed WinForms apps, or sending emails...lots of emails). I'd also like to encrypt the message in transit, to be decrypted on the log server.
How can I send encrypted log4net messages to a logging server?
I found this:
https://log4netremotelogging.codeplex.com/
But I'm not sure if this would work across the internet. I also have no idea how I would secure it. Is there an event I can hook into to encrypt the message with a public key?
Thanks!
Nevermind. I actually found code to use log4net with a webservice. This is much better since you can secure the web service with https relatively easily. Here's the code:
http://www.codeproject.com/Articles/16906/LOG4NET-WebServiceAppender
My only complaint is how he relies on his own custom "framework" dll to accomplish this. I'd prefer a bare bones example for clarity.
Related
Let's suppose I have an Android application that needs to make some API call. I want to authenticate the deployed applications to that my API cannot be used by unauthorized clients.
I can put anything inside the application - HTTP headers that sign the requests, complete with nonces. However, if someone decompiles the application he will be able to replicate the method of authentication, like the algorithm for generating the signature and the shared secret. With Java and Android this is not unfeasible.
Is it possible to avoid? Probably not, but I wanted to be sure that cryptography has no solutions for me.
There is no solution to this problem. It is not possible for your server to know that it is talking to "your" client. The only thing you can reasonably authenticate is the user, not the application. It is also possible to reasonably authenticate certain secure hardware devices, but this is very expensive, and still does not ensure that your client is being used; it only demonstrates that the user has access to one of your secure hardware devices.
This has been discussed many times across SO. These posts discuss the issue and link to many more of these discussions:
Best practices for iOS applications security
Secure https encryption for iPhone app to webpage
While the posts above are framed in terms of iOS, the issue is universal.
how can i use logparser to see how many uniqe session are there by every hour in IIS Logs
According to this post it's not as easy as it seems since Log Parser doesn't support COUNT(DISTINCT), but there is a workaround in post #2.
If you're interested in useful queries there's an old post over at https://serverfault.com/questions/45516/recommended-logparser-queries-for-iis-monitoring which has some useful snippets, you could easily update the unique errors to look for a status code of 200 (although you'd have to filter out your pages only).
By default, your IIS logs will not show session information, just http requests. You might be able to output session information to your IIS logs but it would depend primarily on what application platform you are running and where you are storing session state. For example, if you were using .NET, you could use the AppendToLog method. You could also look into Custom Logging but it would depend what version of IIS you are running. Under IIS6 you could implement a customer logger. Under IIS7 you can use the advanced logging extension.
Having no awareness of your platform or tech stack I'm not in a position to say but you could also look in to something like Elmah which Scott Hanselman has blogged a lot on. If you are running a .NET web app, it seems to have a lot of features already built for you so perhaps that would be an easier route to get your desired goal.
I need to copy files from one server to a UNC path on the same network. The ASP.NET app uses .NET 2.0
Currently we're just using a simple System.IO.File.Copy method, and works just fine, but we were asked to make sure the files are transferred securely.
I can think of two ways to do this. Either writing a WCF or ASMX service and install a SSL certificate on the target server, and use that, or, explicitly encrypting each file before calling File.Copy, and then decrypting the file once it's copied.
Am I missing an option? Are there better ways to do this? If not...which option would be best for my requirement?
thanks in advance.
My initial concern was that a person in my LAN could just launch a simple tool and get a copy of the files being copied between servers on my LAN.
After asking a related question on superuser.com - can a file being copied over my LAN be sniffed?, i learned that even if a regular person is able to launch a popular sniffer tool like WireShark and configure it to see the stream of the files being copied over the network, it would not be an easy task to convert that stream back into a file. It would take a higher skill to do that.
However, for safety, I'd go with encrypting the stream (WCF or ASMX service over SSL) so that even if they can see the stream, it'd still be encrypted.
Just to be on the safe side, what's the best practice to ensure that only my application has access to my webservice, which is hosted on a public server? Should I implement I shared key or something?
My webservice is hosted on Googles App Engine and my Application runs on iPhones and iPads.
If you need further information, just ask.
Thanks,
Henrik
some sort of challenge/response authentication would be your best bet, but you could use something as simple as a key that's sent with every request. it might be quite easy for someone with a packet sniffer to reverse engineer that security though - i guess the amount of time you spend on it will relate to how much you really care :)
If you require your iphone app users to enter a loginid/password, then it is trivial to achieve what you want. But I assume you don't want that ..
Without that, there is no way to ensure you app has exclusive access to your web-services. People can always sniff HTTP traffic and spoof it. People can decompile/reverse-engineer your app to figure out the key/password.
See other discussions on StackOverflow - How to restrict access to my web service? and How can I create and use a web service in public but still restrict its use to only my app?
You could program your app to only serve requests that include your iPhone's unique identier - see StackOverflow question [Unique identifier for an iPhone app]. The id could still be sniffed, so depending on your needs, you may need methods to counter that.
Well, i had similar problem. What i realized, there is no 100% solution. What i did is, i used different approach. I have implemented OAuth and SSL, of course and than make algorithm for my web service to learn behavior of my app.
I try to put that algorithm in some kind of pattern, template, so it can be used in more scenarios. It's still in developing, so here is code of simple console app that will simulate that algorithm. Hope this can help:
https://github.com/vjeftovic/LearningRESTSimulation
I have a WSS installation that's behind basic authentication/SSL (it's hosted at a public web host). I'm creating a sister site in ASP.NET, and am considering just running the credentials through and allowing users to log into the new system providing there is no 401 Not Authorized error returned.
Both are internet-facing applications that will be used by about 20-50 people.
What am I missing? I've never heard of this recommended before, but I don't see why it wouldn't work.
I can't see any major problems with that - you'll obviously want to make sure both servers are using SSL if you've got to send that over the Internet, but other then that it sounds like an elegant way to share credentials between applications.