lemonldap-ng/doc/pages/documentation/1.9/security.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
 lang="en" dir="ltr">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />

</head>
<body>
<div class="dokuwiki export">


<h1 class="sectionedit1" id="security_recommendation">Security recommendation</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "Security recommendation" [1-39] -->
<h2 class="sectionedit2" id="secure_configuration_access">Secure configuration access</h2>
<div class="level2">

<p>
Configuration can be stored in several formats (<a href="../../documentation/1.9/sqlconfbackend.html" class="wikilink1" title="documentation:1.9:sqlconfbackend">SQL</a>, <a href="../../documentation/1.9/fileconfbackend.html" class="wikilink1" title="documentation:1.9:fileconfbackend">File</a>, <a href="../../documentation/1.9/ldapconfbackend.html" class="wikilink1" title="documentation:1.9:ldapconfbackend">LDAP</a>) but must be shared over the network if you use more than 1 server. If some of your servers are not in the same (secured) network than the database, it is recommended to use <a href="../../documentation/1.9/soapconfbackend.html" class="wikilink1" title="documentation:1.9:soapconfbackend">SOAP access</a> for those servers.
</p>

<p>
<p><div class="notetip">You can use different type of access: <a href="../../documentation/1.9/sqlconfbackend.html" class="wikilink1" title="documentation:1.9:sqlconfbackend">SQL</a>, <a href="../../documentation/1.9/fileconfbackend.html" class="wikilink1" title="documentation:1.9:fileconfbackend">File</a> or <a href="../../documentation/1.9/ldapconfbackend.html" class="wikilink1" title="documentation:1.9:ldapconfbackend">LDAP</a> for servers in secured network and <a href="../../documentation/1.9/soapconfbackend.html" class="wikilink1" title="documentation:1.9:soapconfbackend">SOAP</a> for remote servers.
</div></p>
</p>

<p>
Next, you have to configure the SOAP access as described <a href="../../documentation/1.9/soapconfbackend.html#next_configure_soap_for_your_remote_servers" class="wikilink1" title="documentation:1.9:soapconfbackend">here</a> since SOAP access is denied by default.
</p>

</div>
<!-- EDIT2 SECTION "Secure configuration access" [40-809] -->
<h2 class="sectionedit3" id="protect_the_manager">Protect the Manager</h2>
<div class="level2">

<p>
By default, the manager is restricted to the user &#039;dwho&#039; (default backend is Demo). To protect the manager, you have to choose one or both of :
</p>
<ul>
<li class="level1"><div class="li"> protect the manager by Apache configuration</div>
</li>
<li class="level1"><div class="li"> protect the manager by <abbr title="LemonLDAP::NG">LL::NG</abbr></div>
</li>
</ul>

</div>
<!-- EDIT3 SECTION "Protect the Manager" [810-1069] -->
<h3 class="sectionedit4" id="protect_the_manager_by_apache">Protect the Manager by Apache</h3>
<div class="level3">

<p>
You can use any of the mechanisms proposed by Apache: SSL, Auth-Basic, Kerberos,… Example
</p>
<pre class="code apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">443</span>&gt;
    <span class="kw1">ServerName</span> manager.example.com
    <span class="co1"># SSL parameters</span>
    ...
    <span class="co1"># DocumentRoot</span>
    <span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/manager/
    &lt;<span class="kw3">Location</span> /&gt;
        <span class="kw1">AuthType</span> Basic
        <span class="kw1">AuthName</span> <span class="st0">&quot;Lemonldap::NG manager&quot;</span>
        <span class="kw1">AuthUserFile</span> /usr/local/apache/passwd/passwords
        <span class="kw1">Require</span> <span class="kw1">user</span> rbowen
        <span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
        <span class="kw1">Deny</span> from <span class="kw2">all</span>
        <span class="kw1">Allow</span> from 192.168.142.0/<span class="nu0">24</span>
        <span class="kw1">Options</span> +ExecCGI
    &lt;/<span class="kw3">Location</span>&gt;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>

</div>
<!-- EDIT4 SECTION "Protect the Manager by Apache" [1070-1680] -->
<h3 class="sectionedit5" id="protect_the_manager_by_llng">Protect the Manager by LL::NG</h3>
<div class="level3">

<p>
To protect the manager by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you just have to set this in <code>lemonldap-ng.ini</code> configuration file (section [manager]):
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
<span class="re1">protection</span> <span class="sy0">=</span><span class="re2"> manager</span></pre>

<p>
<p><div class="noteimportant">Before, you have to create the virtual host <code>manager.your.domain</code> in the manager and set a <a href="../../documentation/1.9/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.9:writingrulesand_headers">rules</a>, else access to the manager will be denied.
</div></p>
</p>

</div>
<!-- EDIT5 SECTION "Protect the Manager by LL::NG" [1681-2097] -->
<h2 class="sectionedit6" id="write_good_rules">Write good rules</h2>
<div class="level2">

</div>
<!-- EDIT6 SECTION "Write good rules" [2098-2127] -->
<h3 class="sectionedit7" id="order_your_rules">Order your rules</h3>
<div class="level3">

<p>
<a href="../../documentation/1.9/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.9:writingrulesand_headers">Rules</a> are applied in alphabetical order (comment and regular expression). The first rule that matches is applied.
</p>

<p>
<p><div class="noteimportant">The “default” rule is only applied if no other rule match
</div></p>
</p>

<p>
The Manager let you define comments in rules, to order them:
</p>

<p>
<a href="/_detail/documentation/manager-rule.png?id=documentation%3A1.9%3Asecurity" class="media" title="documentation:manager-rule.png"><img src="../../../media/documentation/manager-rule.png" class="mediacenter" alt="" /></a>
</p>

<p>
For example, if these rules are used without comments:
</p>
<div class="table sectionedit8"><table class="inline">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Regular expression  </th><th class="col1 centeralign">  Rule  </th><th class="col2 leftalign"> Comment  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq “root” </td><td class="col2"> </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> </td>
	</tr>
</table></div>
<!-- EDIT8 TABLE [2544-2654] -->
<p>
Then the second rule will be applied first, so every authenticated user will access to <code>/pub/admin</code> directory.
</p>

<p>
Use comment to correct this:
</p>
<div class="table sectionedit9"><table class="inline">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Regular expression  </th><th class="col1 centeralign">  Rule  </th><th class="col2 leftalign"> Comment  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq “root” </td><td class="col2"> 1_admin </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> 2_pub </td>
	</tr>
</table></div>
<!-- EDIT9 TABLE [2799-2923] -->
<p>
<p><div class="notetip">
</p>
<ul>
<li class="level1"><div class="li"> Reload the Manager to see the order that will be used</div>
</li>
<li class="level1"><div class="li"> Use rule comments to order your rules</div>
</li>
</ul>

<p>

</div></p>
</p>

</div>
<!-- EDIT7 SECTION "Order your rules" [2128-3044] -->
<h3 class="sectionedit10" id="be_careful_with_url_parameters">Be careful with URL parameters</h3>
<div class="level3">

<p>
You can write <a href="../../documentation/1.9/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.9:writingrulesand_headers">rules</a> matching any component of <abbr title="Uniform Resource Locator">URL</abbr> to protect including GET parameters, but be careful.
</p>

<p>
For example with this rule on the <code>access</code> parameter:
</p>
<div class="table sectionedit11"><table class="inline">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Regular expression  </th><th class="col1 centeralign">  Rule  </th><th class="col2 leftalign"> Comment  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0"> ^/index.php\?.*access=admin </td><td class="col1"> $groups =~ /\badmin\b/ </td><td class="col2"> </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
	</tr>
</table></div>
<!-- EDIT11 TABLE [3281-3415] -->
<p>
Then a user that try to access to one of the following <em class="u">will be granted</em> !
</p>
<ul>
<li class="level1"><div class="li"> /index.php?access=admin&amp;access=other</div>
</li>
<li class="level1"><div class="li"> /index.php?Access=admin</div>
</li>
</ul>

<p>
You can use the following rules instead:
</p>
<div class="table sectionedit12"><table class="inline">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Regular expression  </th><th class="col1 centeralign">  Rule  </th><th class="col2 leftalign"> Comment  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0"> ^/(?i)index.php\?.*access.*access </td><td class="col1"> deny </td><td class="col2"> 0_bad </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0"> ^/(?i)index.php\?.*access=admin </td><td class="col1"> $groups =~ /\badmin\b/ </td><td class="col2"> 1_admin </td>
	</tr>
	<tr class="row3 rowodd">
		<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
	</tr>
</table></div>
<!-- EDIT12 TABLE [3613-3816] -->
<p>
<p><div class="notetip"><strong>(?i)</strong> means case no sensitive.
</div></p>
</p>

<p>
<p><div class="notewarning">Remember that rules written on GET parameters must be tested.
</div></p>
</p>

</div>
<!-- EDIT10 SECTION "Be careful with URL parameters" [3045-3953] -->
<h3 class="sectionedit13" id="encoded_characters">Encoded characters</h3>
<div class="level3">

<p>
Some characters are encoded in URLs by the browser (such as space,…). To avoid problems, <abbr title="LemonLDAP::NG">LL::NG</abbr> decode them using <a href="http://search.cpan.org/perldoc?Apache2::URI#unescape_url" class="urlextern" title="http://search.cpan.org/perldoc?Apache2::URI#unescape_url"  rel="nofollow">http://search.cpan.org/perldoc?Apache2::URI#unescape_url</a>. So write your rules using normal characters.
</p>

</div>
<!-- EDIT13 SECTION "Encoded characters" [3954-4207] -->
<h2 class="sectionedit14" id="secure_reverse-proxies">Secure reverse-proxies</h2>
<div class="level2">

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can protect any Apache hosted application including Apache reverse-proxy mechanism. Example:
</p>
<pre class="code apache">PerlOptions +GlobalRequest
PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">443</span>&gt;
    <span class="kw1">SSLEngine</span> <span class="kw2">On</span>
    ... other SSL parameters ...
    PerlInitHandler My::Handler
    <span class="kw1">ServerName</span> appl1.example.com
    <span class="kw1">ProxyPass</span> / http://hiddenappl1.example.com/
    <span class="kw1">ProxyPassReverse</span> / http://hiddenappl1.example.com/
    <span class="kw1">ProxyPassReverseCookieDomain</span> / http://hiddenappl1.example.com/
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>

<p>
See <a href="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html"  rel="nofollow">mod_proxy</a> and <a href="http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html"  rel="nofollow">mod_rewrite</a> documentation for more about configuring Apache reverse-proxies.
</p>

<p>
Such configuration can have some security problems:
</p>
<ul>
<li class="level1"><div class="li"> if a user can access directly to the hidden application, it can bypass <abbr title="LemonLDAP::NG">LL::NG</abbr> protection</div>
</li>
<li class="level1"><div class="li"> if many hidden applications are on the same private network, if one is corrupted (by SQL injection, or another attack), the hacker will be able to access to other applications without using reverse-proxies so it can bypass <abbr title="LemonLDAP::NG">LL::NG</abbr> protection</div>
</li>
</ul>

<p>
It is recommended to secure the channel between reverse-proxies and application to be sure that only request coming from the <abbr title="LemonLDAP::NG">LL::NG</abbr> protected reverse-proxies are allowed. You can use one or a combination of:
</p>
<ul>
<li class="level1"><div class="li"> firewalls (but be careful if more than 1 server is behind the firewall)</div>
</li>
<li class="level1"><div class="li"> server based restriction (like Apache “allow/deny” mechanism)</div>
</li>
<li class="level1"><div class="li"> SSL client certificate for the reverse-proxy (see SSLProxy* parameters in <a href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html"  rel="nofollow">mod_ssl documentation</a>)</div>
</li>
</ul>

</div>
<!-- EDIT14 SECTION "Secure reverse-proxies" [4208-5876] -->
<h2 class="sectionedit15" id="configure_security_settings">Configure security settings</h2>
<div class="level2">

<p>
Go in Manager, <code>General parameters</code> » <code>Advanced parameters</code> » <code>Security</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Username control</strong>: Regular expression used to check user login syntax.</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication</strong>: set to &#039;On&#039; to force authentication when user connects to portal, even if he has a valid session</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication interval</strong>: time interval (in seconds) when a authentication renewal cannot be forced, used to prevent to loose the current authentication during the main process. If you experience slow network performances, you can increase this value.</div>
</li>
<li class="level1"><div class="li"> <strong>Encryption key</strong>: key used to crypt some data, should not be known by other applications</div>
</li>
<li class="level1"><div class="li"> <strong>Trusted domains</strong>: domains on which the user can be redirected after login on portal. Set &#039;*&#039; to accept all.</div>
</li>
<li class="level1"><div class="li"> <strong>Use Safe jail</strong>: set to &#039;Off&#039; to disable Safe jail. Safe module is used to eval expressions in headers, rules, etc. Disabling it can lead to security issues.</div>
</li>
<li class="level1"><div class="li"> <strong>Check <abbr title="Cross Site Scripting">XSS</abbr> Attacks</strong>: Set to &#039;Off&#039; to disable <abbr title="Cross Site Scripting">XSS</abbr> checks. <abbr title="Cross Site Scripting">XSS</abbr> checks will still be done with warning in logs, but this will not prevent the process to continue.</div>
</li>
</ul>

</div>
<!-- EDIT15 SECTION "Configure security settings" [5877-7010] -->
<h2 class="sectionedit16" id="fail2ban">Fail2ban</h2>
<div class="level2">

<p>
For block brute force attack with fail2ban
</p>

<p>
Edit /etc/fail2ban/jail.conf
</p>
<pre class="code">[lemonldap-ng]
enabled = true
port    = http,https
filter  = lemonldap
action   = iptables-multiport[name=lemonldap, port=&quot;http,https&quot;]
logpath = /var/log/apache*/error*.log
maxretry = 3</pre>

<p>
and edit /etc/fail2ban/filter.d/lemonldap.conf
</p>
<pre class="code"># Fail2Ban configuration file
#
# Author: Adrien Beudin
#
# $Revision: 2 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named &quot;host&quot;. The tag &quot;&lt;HOST&gt;&quot; can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P&lt;host&gt;[\w\-.^_]+)
# Values:  TEXT
#
failregex = Lemonldap\:\:NG \: .* was not found in LDAP directory \(&lt;HOST&gt;\)
            Lemonldap\:\:NG \: Bad password for .* \(&lt;HOST&gt;\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =</pre>

<p>
Restart fail2ban
</p>

</div>
<!-- EDIT16 SECTION "Fail2ban" [7011-8064] -->
<h2 class="sectionedit17" id="sessions_identifier">Sessions identifier</h2>
<div class="level2">

<p>
You can change the module used for sessions identifier generation. To do, add <code>generateModule</code> key in the configured session backend options.
</p>

<p>
We recommend the use of <code>Lemonldap::NG::Common::Apache::Session::Generate::SHA256</code>.
</p>

</div>
</div><!-- closes <div class="dokuwiki export">-->