<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
 lang="en" dir="ltr">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />

</head>
<body>
<div class="dokuwiki export">




<h1><a name="security_recommendation" id="security_recommendation">Security recommendation</a></h1>
<div class="level1">

</div>
<!-- SECTION "Security recommendation" [1-39] -->
<h2><a name="secure_configuration_access" id="secure_configuration_access">Secure configuration access</a></h2>
<div class="level2">

<p>

Configuration can be stored in several formats (<a href="../../documentation/1.3/sqlconfbackend.html" class="wikilink1" title="documentation:1.3:sqlconfbackend">SQL</a>, <a href="../../documentation/1.3/fileconfbackend.html" class="wikilink1" title="documentation:1.3:fileconfbackend">File</a>, <a href="../../documentation/1.3/ldapconfbackend.html" class="wikilink1" title="documentation:1.3:ldapconfbackend">LDAP</a>) but must be shared over the network if you use more than 1 server. If some of your servers are not in the same (secured) network than the database, it is recommended to use <a href="../../documentation/1.3/soapconfbackend.html" class="wikilink1" title="documentation:1.3:soapconfbackend">SOAP access</a> for those servers.
</p>

<p>
<p><div class="notetip">You can use different type of access: <a href="../../documentation/1.3/sqlconfbackend.html" class="wikilink1" title="documentation:1.3:sqlconfbackend">SQL</a>, <a href="../../documentation/1.3/fileconfbackend.html" class="wikilink1" title="documentation:1.3:fileconfbackend">File</a> or <a href="../../documentation/1.3/ldapconfbackend.html" class="wikilink1" title="documentation:1.3:ldapconfbackend">LDAP</a> for servers in secured network and <a href="../../documentation/1.3/soapconfbackend.html" class="wikilink1" title="documentation:1.3:soapconfbackend">SOAP</a> for remote servers.
</div></p>
</p>

<p>
Next, you have to configure the <acronym title="Simple Object Access Protocol">SOAP</acronym> access as described <a href="../../documentation/1.3/soapconfbackend.html#next_configure_soap_for_your_remote_servers" class="wikilink1" title="documentation:1.3:soapconfbackend">here</a> since <acronym title="Simple Object Access Protocol">SOAP</acronym> access is denied by default.
</p>

</div>
<!-- SECTION "Secure configuration access" [40-809] -->
<h2><a name="protect_the_manager" id="protect_the_manager">Protect the Manager</a></h2>
<div class="level2">

<p>

By default, the manager is restricted to the user &#039;dwho&#039; (default backend is Demo). To protect the manager, you have to choose one or both of :
</p>
<ul>
<li class="level1"><div class="li"> protect the manager by Apache configuration</div>
</li>
<li class="level1"><div class="li"> protect the manager by <acronym title="LemonLDAP::NG">LL::NG</acronym></div>
</li>
</ul>

</div>
<!-- SECTION "Protect the Manager" [810-1069] -->
<h3><a name="protect_the_manager_by_apache" id="protect_the_manager_by_apache">Protect the Manager by Apache</a></h3>
<div class="level3">

<p>

You can use any of the mechanisms proposed by Apache: <acronym title="Secure Sockets Layer">SSL</acronym>, Auth-Basic, Kerberos,… Example

</p>
<pre class="code apache">&lt;<span class="kw3">VirtualHost</span> *:443&gt;
    <span class="kw1">ServerName</span> manager.example.com
    <span class="co1"># SSL parameters</span>
    ...
    <span class="co1"># DocumentRoot</span>
    <span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/manager/
    &lt;<span class="kw3">Location</span> /&gt;
        <span class="kw1">AuthType</span> Basic
        <span class="kw1">AuthName</span> <span class="st0">&quot;Lemonldap::NG manager&quot;</span>
        <span class="kw1">AuthUserFile</span> /usr/local/apache/passwd/passwords
        <span class="kw1">Require</span> <span class="kw1">user</span> rbowen
        <span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
        <span class="kw1">Deny</span> from <span class="kw2">all</span>
        <span class="kw1">Allow</span> from 192.168.142.0/24
        <span class="kw1">Options</span> +ExecCGI
    &lt;/<span class="kw3">Location</span>&gt;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>

</div>
<!-- SECTION "Protect the Manager by Apache" [1070-1680] -->
<h3><a name="protect_the_manager_by_llng" id="protect_the_manager_by_llng">Protect the Manager by LL::NG</a></h3>
<div class="level3">

<p>

To protect the manager by <acronym title="LemonLDAP::NG">LL::NG</acronym>, you just have to set this in <code>lemonldap-ng.ini</code> configuration file (section [manager]):

</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
<span class="re1">protection</span> <span class="sy0">=</span><span class="re2"> manager</span></pre>

<p>
<p><div class="noteimportant">Before, you have to create the virtual host <code>manager.your.domain</code> in the manager and set a <a href="../../documentation/1.3/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.3:writingrulesand_headers">rules</a>, else access to the manager will be denied.
</div></p>
</p>

</div>
<!-- SECTION "Protect the Manager by LL::NG" [1681-2097] -->
<h2><a name="write_good_rules" id="write_good_rules">Write good rules</a></h2>
<div class="level2">

</div>
<!-- SECTION "Write good rules" [2098-2127] -->
<h3><a name="order_your_rules" id="order_your_rules">Order your rules</a></h3>
<div class="level3">

<p>

<a href="../../documentation/1.3/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.3:writingrulesand_headers">Rules</a> are applied in alphabetical order (comment and regular expression). The first rule that matches is applied.
</p>

<p>
<p><div class="noteimportant">The “default” rule is only applied if no other rule match
</div></p>
</p>

<p>
The Manager let you define comments in rules, to order them:
</p>

<p>
<a href="/_detail/documentation/manager_access_rule.png?id=documentation%3A1.3%3Asecurity" class="media" title="documentation:manager_access_rule.png"><img src="../../../media/documentation/manager_access_rule.png" class="mediacenter" alt="" /></a>
</p>

<p>
For example, if these rules are used without comments:
</p>
<table class="inline">
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Regular expression  </th><th class="col1 centeralign">  Rule  </th><th class="col2 leftalign"> Comment  </th>
	</tr>
	<tr class="row1 rowodd">
		<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq “root” </td><td class="col2"> </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> </td>
	</tr>
</table>

<p>

Then the second rule will be applied first, so every authenticated user will access to <code>/pub/admin</code> directory.
</p>

<p>
Use comment to correct this:
</p>
<table class="inline">
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Regular expression  </th><th class="col1 centeralign">  Rule  </th><th class="col2 leftalign"> Comment  </th>
	</tr>
	<tr class="row1 rowodd">
		<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq “root” </td><td class="col2"> 1_admin </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> 2_pub </td>
	</tr>
</table>

<p>

<p><div class="notetip">
</p>
<ul>
<li class="level1"><div class="li"> Reload the Manager to see the order that will be used</div>
</li>
<li class="level1"><div class="li"> Use rule comments to order your rules</div>
</li>
</ul>

<p>

</div></p>
</p>

</div>
<!-- SECTION "Order your rules" [2128-3051] -->
<h3><a name="be_careful_with_url_parameters" id="be_careful_with_url_parameters">Be careful with URL parameters</a></h3>
<div class="level3">

<p>

You can write <a href="../../documentation/1.3/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.3:writingrulesand_headers">rules</a> matching any component of <acronym title="Uniform Resource Locator">URL</acronym> to protect including GET parameters, but be careful.
</p>

<p>
For example with this rule on the <code>access</code> parameter:
</p>
<table class="inline">
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Regular expression  </th><th class="col1 centeralign">  Rule  </th><th class="col2 leftalign"> Comment  </th>
	</tr>
	<tr class="row1 rowodd">
		<td class="col0"> ^/index.php\?.*access=admin </td><td class="col1"> $groups =~ /\badmin\b/ </td><td class="col2"> </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
	</tr>
</table>

<p>

Then a user that try to access to one of the following <em class="u">will be granted</em> !
</p>
<ul>
<li class="level1"><div class="li"> /index.php?access=admin&amp;access=other</div>
</li>
<li class="level1"><div class="li"> /index.php?Access=admin</div>
</li>
</ul>

<p>

You can use the following rules instead:
</p>
<table class="inline">
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Regular expression  </th><th class="col1 centeralign">  Rule  </th><th class="col2 leftalign"> Comment  </th>
	</tr>
	<tr class="row1 rowodd">
		<td class="col0"> ^/(?i)index.php\?.*access.*access </td><td class="col1"> deny </td><td class="col2"> 0_bad </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0"> ^/(?i)index.php\?.*access=admin </td><td class="col1"> $groups =~ /\badmin\b/ </td><td class="col2"> 1_admin </td>
	</tr>
	<tr class="row3 rowodd">
		<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
	</tr>
</table>

<p>

<p><div class="notetip"><strong>(?i)</strong> means case no sensitive.
</div></p>
</p>

<p>
<p><div class="notewarning">Remember that rules written on GET parameters must be tested.
</div></p>
</p>

</div>
<!-- SECTION "Be careful with URL parameters" [3052-3960] -->
<h3><a name="encoded_characters" id="encoded_characters">Encoded characters</a></h3>
<div class="level3">

<p>

Some characters are encoded in URLs by the browser (such as space,…). To avoid problems, <acronym title="LemonLDAP::NG">LL::NG</acronym> decode them using <a href="http://search.cpan.org/perldoc?Apache2::URI#unescape_url" class="urlextern" title="http://search.cpan.org/perldoc?Apache2::URI#unescape_url"  rel="nofollow">http://search.cpan.org/perldoc?Apache2::URI#unescape_url</a>. So write your rules using normal characters.
</p>

</div>
<!-- SECTION "Encoded characters" [3961-4214] -->
<h2><a name="secure_reverse-proxies" id="secure_reverse-proxies">Secure reverse-proxies</a></h2>
<div class="level2">

<p>

<acronym title="LemonLDAP::NG">LL::NG</acronym> can protect any Apache hosted application including Apache reverse-proxy mechanism. Example:
</p>
<pre class="code apache">PerlOptions +GlobalRequest
PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
&lt;<span class="kw3">VirtualHost</span> *:443&gt;
    <span class="kw1">SSLEngine</span> <span class="kw2">On</span>
    ... other SSL parameters ...
    PerlInitHandler My::Handler
    <span class="kw1">ServerName</span> appl1.example.com
    <span class="kw1">ProxyPass</span> / http://hiddenappl1.example.com/
    <span class="kw1">ProxyPassReverse</span> / http://hiddenappl1.example.com/
    <span class="kw1">ProxyPassReverseCookieDomain</span> / http://hiddenappl1.example.com/
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>

<p>
See <a href="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html"  rel="nofollow">mod_proxy</a> and <a href="http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html"  rel="nofollow">mod_rewrite</a> documentation for more about configuring Apache reverse-proxies.
</p>

<p>
Such configuration can have some security problems:
</p>
<ul>
<li class="level1"><div class="li"> if a user can access directly to the hidden application, it can bypass <acronym title="LemonLDAP::NG">LL::NG</acronym> protection</div>
</li>
<li class="level1"><div class="li"> if many hidden applications are on the same private network, if one is corrupted (by <acronym title="Structured Query Language">SQL</acronym> injection, or another attack), the hacker will be able to access to other applications without using reverse-proxies so it can bypass <acronym title="LemonLDAP::NG">LL::NG</acronym> protection</div>
</li>
</ul>

<p>

It is recommended to secure the channel between reverse-proxies and application to be sure that only request coming from the <acronym title="LemonLDAP::NG">LL::NG</acronym> protected reverse-proxies are allowed. You can use one or a combination of:
</p>
<ul>
<li class="level1"><div class="li"> firewalls (but be careful if more than 1 server is behind the firewall)</div>
</li>
<li class="level1"><div class="li"> server based restriction (like Apache “allow/deny” mechanism)</div>
</li>
<li class="level1"><div class="li"> <acronym title="Secure Sockets Layer">SSL</acronym> client certificate for the reverse-proxy (see SSLProxy* parameters in <a href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html"  rel="nofollow">mod_ssl documentation</a>)</div>
</li>
</ul>

</div>
<!-- SECTION "Secure reverse-proxies" [4215-5883] -->
<h2><a name="configure_security_settings" id="configure_security_settings">Configure security settings</a></h2>
<div class="level2">

<p>

Go in Manager, <code>General parameters</code> » <code>Advanced parameters</code> » <code>Security</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Username control</strong>: Regular expression used to check user login syntax.</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication</strong>: set to &#039;On&#039; to force authentication when user connects to portal, even if he has a valid session</div>
</li>
<li class="level1"><div class="li"> <strong>Encryption key</strong>: key used to crypt some data, should not be known by other applications</div>
</li>
<li class="level1"><div class="li"> <strong>Trusted domains</strong>: domains on which the user can be redirected after login on portal. Set &#039;*&#039; to accept all.</div>
</li>
<li class="level1"><div class="li"> <strong>Use Safe jail</strong>: set to &#039;Off&#039; to disable Safe jail. Safe module is used to eval expressions in headers, rules, etc. Disabling it can lead to security issues.</div>
</li>
<li class="level1"><div class="li"> <strong>Check <acronym title="Cross Site Scripting">XSS</acronym> Attacks</strong>: Set to &#039;Off&#039; to disable <acronym title="Cross Site Scripting">XSS</acronym> checks. <acronym title="Cross Site Scripting">XSS</acronym> checks will still be done with warning in logs, but this will not prevent the process to continue.</div>
</li>
</ul>

</div>
<!-- SECTION "Configure security settings" [5884-6752] -->
<h2><a name="fail2ban" id="fail2ban">Fail2ban</a></h2>
<div class="level2">

<p>
For block brute force attack with fail2ban
</p>

<p>
Edit /etc/fail2ban/jail.conf

</p>
<pre class="code">[lemonldap-ng]
enabled = true
port    = http,https
filter  = lemonldap
action   = iptables-multiport[name=lemonldap, port=&quot;http,https&quot;]
logpath = /var/log/apache*/error*.log
maxretry = 3
</pre>

<p>
and edit /etc/fail2ban/filter.d/lemonldap.conf
</p>
<pre class="code">
# Fail2Ban configuration file
#
# Author: Adrien Beudin
#
# $Revision: 2 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named &quot;host&quot;. The tag &quot;&lt;HOST&gt;&quot; can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P&lt;host&gt;[\w\-.^_]+)
# Values:  TEXT
#
failregex = Lemonldap\:\:NG \: .* was not found in LDAP directory \(&lt;HOST&gt;\)
            Lemonldap\:\:NG \: Bad password for .* \(&lt;HOST&gt;\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
</pre>

<p>
Restart fail2ban

</p>

</div>
<!-- SECTION "Fail2ban" [6753-] --></div><!-- closes <div class="dokuwiki export">-->