lemonldap-ng/doc/pages/documentation/current/security.html
2019-09-23 22:41:16 +02:00

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:security</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,security"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="security.html"/>
<link rel="contents" href="security.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:security","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#secure_configuration_access">Secure configuration access</a></div></li>
<li class="level1"><div class="li"><a href="#protect_the_manager">Protect the Manager</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#protect_the_manager_by_the_web_server">Protect the Manager by the web server</a></div></li>
<li class="level2"><div class="li"><a href="#protect_the_manager_by_llng">Protect the Manager by LL::NG</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#portal">Portal</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#split_portal_when_using_soaprest">Split portal when using SOAP/REST</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#write_good_rules">Write good rules</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#order_your_rules">Order your rules</a></div></li>
<li class="level2"><div class="li"><a href="#be_careful_with_url_parameters">Be careful with URL parameters</a></div></li>
<li class="level2"><div class="li"><a href="#encoded_characters">Encoded characters</a></div></li>
<li class="level2"><div class="li"><a href="#ip_in_rules">IP in rules</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#secure_reverse-proxies">Secure reverse-proxies</a></div></li>
<li class="level1"><div class="li"><a href="#configure_security_settings">Configure security settings</a></div></li>
<li class="level1"><div class="li"><a href="#fail2ban">Fail2ban</a></div></li>
<li class="level1"><div class="li"><a href="#sessions_identifier">Sessions identifier</a></div></li>
<li class="level1"><div class="li"><a href="#saml">SAML</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="security_recommendation">Security recommendation</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Security recommendation" [1-39] -->
<h2 class="sectionedit2" id="secure_configuration_access">Secure configuration access</h2>
<div class="level2">
<p>
Configuration can be stored in several formats (<a href="sqlconfbackend.html" class="wikilink1" title="documentation:2.0:sqlconfbackend">SQL</a>, <a href="fileconfbackend.html" class="wikilink1" title="documentation:2.0:fileconfbackend">File</a>, <a href="ldapconfbackend.html" class="wikilink1" title="documentation:2.0:ldapconfbackend">LDAP</a>) but must be shared over the network if you use more than one server. If some of your servers are not in the same (secured) network as the database, it is recommended to use <a href="soapconfbackend.html" class="wikilink1" title="documentation:2.0:soapconfbackend">SOAP access</a> for those servers.
</p>
<div class="notetip">You can use different types of access: <a href="sqlconfbackend.html" class="wikilink1" title="documentation:2.0:sqlconfbackend">SQL</a>, <a href="fileconfbackend.html" class="wikilink1" title="documentation:2.0:fileconfbackend">File</a> or <a href="ldapconfbackend.html" class="wikilink1" title="documentation:2.0:ldapconfbackend">LDAP</a> for servers in the secured network and <a href="soapconfbackend.html" class="wikilink1" title="documentation:2.0:soapconfbackend">SOAP</a> for remote servers.
</div>
<p>
Next, configure SOAP access as described <a href="soapconfbackend.html#next_configure_soap_for_your_remote_servers" class="wikilink1" title="documentation:2.0:soapconfbackend">here</a>, since SOAP access is denied by default.
</p>
</div>
<!-- EDIT2 SECTION "Secure configuration access" [40-809] -->
<h2 class="sectionedit3" id="protect_the_manager">Protect the Manager</h2>
<div class="level2">
<p>
By default, the manager is restricted to the user &#039;dwho&#039; (the default backend is Demo). To protect the manager, you have to choose one or both of:
</p>
<ul>
<li class="level1"><div class="li"> protect the manager by Apache configuration</div>
</li>
<li class="level1"><div class="li"> protect the manager by <abbr title="LemonLDAP::NG">LL::NG</abbr></div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Protect the Manager" [810-1069] -->
<h3 class="sectionedit4" id="protect_the_manager_by_the_web_server">Protect the Manager by the web server</h3>
<div class="level3">
<p>
You can use any of the mechanisms proposed by Apache: SSL, Auth-Basic, Kerberos, etc. Example:
</p>
<pre class="code apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">443</span>&gt;
<span class="kw1">ServerName</span> manager.example.com
<span class="co1"># SSL parameters</span>
...
<span class="co1"># DocumentRoot</span>
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/manager/
&lt;<span class="kw3">Location</span> /&gt;
<span class="kw1">AuthType</span> Basic
<span class="kw1">AuthName</span> <span class="st0">&quot;Lemonldap::NG manager&quot;</span>
<span class="kw1">AuthUserFile</span> /usr/local/apache/passwd/passwords
<span class="kw1">Require</span> <span class="kw1">user</span> rbowen
<span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 192.168.142.0/<span class="nu0">24</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Location</span>&gt;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</div>
<!-- EDIT4 SECTION "Protect the Manager by the web server" [1070-1688] -->
<h3 class="sectionedit5" id="protect_the_manager_by_llng">Protect the Manager by LL::NG</h3>
<div class="level3">
<p>
To protect the manager by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you just have to set this in the <code>lemonldap-ng.ini</code> configuration file (section [manager]):
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
<span class="re1">protection</span> <span class="sy0">=</span><span class="re2"> manager</span></pre>
<div class="noteimportant">Beforehand, you have to create the virtual host <code>manager.your.domain</code> in the manager and set its <a href="writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rules</a>, otherwise access to the manager will be denied.
</div>
</div>
<!-- EDIT5 SECTION "Protect the Manager by LL::NG" [1689-2105] -->
<h2 class="sectionedit6" id="portal">Portal</h2>
<div class="level2">
<p>
LLNG portal now embeds the following features:
</p>
<ul>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="nofollow">CSRF</a> protection <em>(Cross-Site Request Forgery)</em>: a token is built for each form. To disable it, set &#039;require Token for forms&#039; to Off <em>(portal security parameters in the manager)</em>. The token timeout can be defined via the manager (defaults to 120 seconds)</div>
</li>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Brute-force_attack" class="urlextern" title="https://en.wikipedia.org/wiki/Brute-force_attack" rel="nofollow">Brute-force attack</a> protection: after several failed logins, the user must wait before retrying to log into the Portal</div>
</li>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Content_Security_Policy" class="urlextern" title="https://en.wikipedia.org/wiki/Content_Security_Policy" rel="nofollow">Content-Security-Policy</a> header: the portal builds this header dynamically. You can modify the default values in the manager <em>(General parameters » Advanced parameters » Security » Content-Security-Policy)</em></div>
</li>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" rel="nofollow">Cross-Origin Resource Sharing</a> headers: CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain &quot;cross-domain&quot; requests, notably Ajax requests, are forbidden by default by the same-origin security policy. You can modify default values in the manager <em>(General parameters » Advanced parameters » Security » Cross-Origin Resource Sharing)</em></div>
</li>
</ul>
<div class="noteimportant"><ul>
<li class="level1"><div class="li"> Brute-force attack protection is DISABLED by default</div>
</li>
<li class="level1"><div class="li"> Browser implementations of the formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does). Administrators may have to modify the formAction value with a wildcard like <code>*</code>.</div>
</li>
</ul>
</div>
</div>
<!-- EDIT6 SECTION "Portal" [2106-3831] -->
<h3 class="sectionedit7" id="split_portal_when_using_soaprest">Split portal when using SOAP/REST</h3>
<div class="level3">
<p>
If you use the <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP</a> or <a href="restsessionbackend.html" class="wikilink1" title="documentation:2.0:restsessionbackend">REST</a> session backend, dedicate a separate portal to these internal requests.
</p>
</div>
<!-- EDIT7 SECTION "Split portal when using SOAP/REST" [3832-4022] -->
<h2 class="sectionedit8" id="write_good_rules">Write good rules</h2>
<div class="level2">
</div>
<!-- EDIT8 SECTION "Write good rules" [4023-4052] -->
<h3 class="sectionedit9" id="order_your_rules">Order your rules</h3>
<div class="level3">
<p>
<a href="writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Rules</a> are applied in alphabetical order (comment and regular expression). The first matching rule is applied.
</p>
<div class="noteimportant">The &quot;default&quot; rule is only applied if no other rule matchs
</div>
<p>
The Manager lets you define comments in rules to order them:
</p>
<p>
<a href="documentation/manager-rule.png_documentation_2.0_security.html" class="media" title="documentation:manager-rule.png"><img src="documentation/manager-rule.png" class="mediacenter" alt="" /></a>
</p>
<p>
For example, if these rules are used without comments:
</p>
<div class="table sectionedit10"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Regular expression </th><th class="col1 centeralign"> Rule </th><th class="col2 leftalign"> Comment </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq &quot;root&quot; </td><td class="col2"> </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [4466-4576] -->
<p>
Then the second rule will be applied first (<code>^/pub/</code> sorts before <code>^/pub/admin/</code>), so every authenticated user will have access to the <code>/pub/admin</code> directory.
</p>
<p>
Use comments to correct this:
</p>
<div class="table sectionedit11"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Regular expression </th><th class="col1 centeralign"> Rule </th><th class="col2 leftalign"> Comment </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq &quot;root&quot; </td><td class="col2"> 1_admin </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> 2_pub </td>
</tr>
</table></div>
<!-- EDIT11 TABLE [4721-4845] --><div class="notetip"><ul>
<li class="level1"><div class="li"> Reload the Manager to see the effective order</div>
</li>
<li class="level1"><div class="li"> Use rule comments to order your rules</div>
</li>
</ul>
</div>
</div>
<!-- EDIT9 SECTION "Order your rules" [4053-4958] -->
<h3 class="sectionedit12" id="be_careful_with_url_parameters">Be careful with URL parameters</h3>
<div class="level3">
<p>
You can write <a href="writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rules</a> matching any component of the <abbr title="Uniform Resource Locator">URL</abbr> to protect, including GET parameters, but be careful.
</p>
<p>
For example with this rule on the <code>access</code> parameter:
</p>
<div class="table sectionedit13"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Regular expression </th><th class="col1 centeralign"> Rule </th><th class="col2 leftalign"> Comment </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> ^/index.php\?.*access=admin </td><td class="col1"> $groups =~ /\badmin\b/ </td><td class="col2"> </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT13 TABLE [5195-5329] -->
<p>
Then a user who tries to access one of the following <em class="u">will be granted access</em>!
</p>
<ul>
<li class="level1"><div class="li"> /index.php?access=admin&amp;access=other</div>
</li>
<li class="level1"><div class="li"> /index.php?Access=admin</div>
</li>
</ul>
<p>
You can use the following rules instead:
</p>
<div class="table sectionedit14"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Regular expression </th><th class="col1 centeralign"> Rule </th><th class="col2 leftalign"> Comment </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> ^/(?i)index.php\?.*access.*access </td><td class="col1"> deny </td><td class="col2"> 0_bad </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> ^/(?i)index.php\?.*access=admin </td><td class="col1"> $groups =~ /\badmin\b/ </td><td class="col2"> 1_admin </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT14 TABLE [5527-5730] --><div class="notetip"><strong>(?i)</strong> makes the regular expression case-insensitive.
</div><div class="notewarning">Remember that rules written on GET parameters must be tested.
</div>
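<p>
The two ordering pitfalls above (&quot;Order your rules&quot; and &quot;Be careful with URL parameters&quot;) replayed in Python. This is an added example, not code from LemonLDAP::NG: <code>evaluate</code> is a simplified model of rule selection (sort on comment, falling back to the regex, first match wins, <code>default</code> last), and the session values are constructed. The page writes <code>(?i)</code> after <code>^/</code>; Python 3.11+ requires the inline flag at the very start of the pattern, so it is moved there, which does not change what the pattern matches.
</p>

```python
import re
from typing import Callable, Dict, List, Tuple

# Session attributes the handler exposes to rules as $uid and $groups
# (constructed sample values, not from the page).
Session = Dict[str, str]
Rule = Callable[[Session], bool]

ALICE: Session = {"uid": "alice", "groups": "users"}
ADMIN: Session = {"uid": "bob", "groups": "users; admin"}
ROOT: Session = {"uid": "root", "groups": "admin"}


def accept(_: Session) -> bool:
    return True


def deny(_: Session) -> bool:
    return False


def uid_root(s: Session) -> bool:
    # Python equivalent of the page's rule: $uid eq "root"
    return s["uid"] == "root"


def group_admin(s: Session) -> bool:
    # Python equivalent of the page's rule: $groups =~ /\badmin\b/
    return re.search(r"\badmin\b", s["groups"]) is not None


# (regular expression, rule, comment) triples, as in the page's tables.
RuleSet = List[Tuple[str, Rule, str]]


def evaluate(rules: RuleSet, uri: str, session: Session) -> bool:
    """Simplified model of LL::NG rule selection: non-default rules are sorted
    alphabetically on their comment (or on the regex when there is no comment),
    the first regex matching the URI decides, and 'default' only applies when
    nothing matched."""
    default: Rule = accept
    ordered = []
    for regex, rule, comment in rules:
        if regex == "default":
            default = rule
        else:
            ordered.append((comment or regex, regex, rule))
    ordered.sort(key=lambda r: r[0])
    for _, regex, rule in ordered:
        if re.search(regex, uri):
            return rule(session)
    return default(session)


# "Order your rules": without comments "^/pub/" sorts before "^/pub/admin/",
# so the accept rule shadows the root-only rule.
PUB_UNORDERED: RuleSet = [
    (r"^/pub/admin/", uid_root, ""),
    (r"^/pub/", accept, ""),
]
PUB_ORDERED: RuleSet = [
    (r"^/pub/admin/", uid_root, "1_admin"),
    (r"^/pub/", accept, "2_pub"),
]

# "Be careful with URL parameters": the naive rule is case-sensitive, so
# ?Access=admin never matches it and falls through to the default accept.
PARAM_NAIVE: RuleSet = [
    (r"^/index.php\?.*access=admin", group_admin, ""),
    ("default", accept, ""),
]
# Hardened rules from the page; (?i) moved to the start for Python.
PARAM_HARDENED: RuleSet = [
    (r"(?i)^/index.php\?.*access.*access", deny, "0_bad"),
    (r"(?i)^/index.php\?.*access=admin", group_admin, "1_admin"),
    ("default", accept, ""),
]

if __name__ == "__main__":
    print(evaluate(PUB_UNORDERED, "/pub/admin/", ALICE))               # True (bypass)
    print(evaluate(PUB_ORDERED, "/pub/admin/", ALICE))                 # False
    print(evaluate(PARAM_NAIVE, "/index.php?Access=admin", ALICE))     # True (bypass)
    print(evaluate(PARAM_HARDENED, "/index.php?Access=admin", ALICE))  # False
```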
</div>
<!-- EDIT12 SECTION "Be careful with URL parameters" [4959-5867] -->
<h3 class="sectionedit15" id="encoded_characters">Encoded characters</h3>
<div class="level3">
<p>
Some characters are encoded in URLs by the browser (such as space, etc.). To avoid problems, <abbr title="LemonLDAP::NG">LL::NG</abbr> decodes them using <a href="https://metacpan.org/pod/Apache2::URI#unescape_url" class="urlextern" title="https://metacpan.org/pod/Apache2::URI#unescape_url" rel="nofollow">https://metacpan.org/pod/Apache2::URI#unescape_url</a> before applying rules. So write your rules using the normal (decoded) characters.
</p>
</div>
<!-- EDIT15 SECTION "Encoded characters" [5868-6115] -->
<h3 class="sectionedit16" id="ip_in_rules">IP in rules</h3>
<div class="level3">
<div class="notewarning">If you are running LemonLDAP::NG behind a reverse proxy, make sure you check the <a href="behindproxyminihowto.html" class="wikilink1" title="documentation:2.0:behindproxyminihowto">Reverse Proxy how-to</a> so that the rule applies to the real user <abbr title="Internet Protocol">IP</abbr> and not the reverse proxy&#039;s <abbr title="Internet Protocol">IP</abbr>. Make sure you only specify trusted proxy addresses so that an attacker cannot forge the <code>X-Forwarded-For</code> header.
</div>
</div>
<!-- EDIT16 SECTION "IP in rules" [6116-6479] -->
<h2 class="sectionedit17" id="secure_reverse-proxies">Secure reverse-proxies</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can protect any Apache hosted application, including applications served through Apache&#039;s reverse-proxy mechanism. Example:
</p>
<pre class="code apache">PerlOptions +GlobalRequest
PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">443</span>&gt;
<span class="kw1">SSLEngine</span> <span class="kw2">On</span>
... other SSL parameters ...
<span class="co1"># The LL::NG handler checks the session before the request is proxied</span>
PerlInitHandler My::Handler
<span class="kw1">ServerName</span> appl1.example.com
<span class="kw1">ProxyPass</span> / http://hiddenappl1.example.com/
<span class="kw1">ProxyPassReverse</span> / http://hiddenappl1.example.com/
<span class="co1"># Rewrite the Domain attribute of cookies set by the hidden application:</span>
<span class="co1"># arguments are the internal domain, then the public domain</span>
<span class="kw1">ProxyPassReverseCookieDomain</span> hiddenappl1.example.com appl1.example.com
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<p>
See <a href="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html" rel="nofollow">mod_proxy</a> and <a href="http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html" rel="nofollow">mod_rewrite</a> documentation for more about configuring Apache reverse-proxies.
</p>
<p>
Such a configuration can have security problems:
</p>
<ul>
<li class="level1"><div class="li"> if a user can access the hidden application directly, they can bypass <abbr title="LemonLDAP::NG">LL::NG</abbr> protection</div>
</li>
<li class="level1"><div class="li"> if many hidden applications are on the same private network and one of them is compromised (by SQL injection or another attack), the attacker will be able to reach the other applications without going through the reverse-proxies, bypassing <abbr title="LemonLDAP::NG">LL::NG</abbr> protection</div>
</li>
</ul>
<p>
It is recommended to secure the channel between the reverse-proxies and the applications, so that only requests coming from the <abbr title="LemonLDAP::NG">LL::NG</abbr> protected reverse-proxies are allowed. You can use one or a combination of:
</p>
<ul>
<li class="level1"><div class="li"> firewalls (but be careful if more than one server is behind the firewall: a rule that admits the proxy admits every host sharing its path)</div>
</li>
<li class="level1"><div class="li"> server based restriction (like Apache &quot;allow/deny&quot; mechanism)</div>
</li>
<li class="level1"><div class="li"> SSL client certificate for the reverse-proxy (see SSLProxy* parameters in <a href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html" rel="nofollow">mod_ssl documentation</a>)</div>
</li>
</ul>
</div>
<!-- EDIT17 SECTION "Secure reverse-proxies" [6480-8148] -->
<h2 class="sectionedit18" id="configure_security_settings">Configure security settings</h2>
<div class="level2">
<p>
Go in Manager, <code>General parameters</code> » <code>Advanced parameters</code> » <code>Security</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Username control</strong>: Regular expression used to check user login syntax.</div>
</li>
<li class="level1"><div class="li"> <strong>Avoid browsers to store users password</strong>: Enable this option to prevent browsers from prompting users to save passwords.</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication</strong>: set to &#039;On&#039; to force authentication when the user connects to the portal, even if they already have a valid session.</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication interval</strong>: time interval (in seconds) during which an authentication renewal cannot be forced, used to prevent losing the current authentication during the main process. If you experience slow network performance, you can increase this value.</div>
</li>
<li class="level1"><div class="li"> <strong>Encryption key</strong>: key used to encrypt some data; it should not be known by other applications</div>
</li>
<li class="level1"><div class="li"> <strong>Trusted domains</strong>: domains on which the user can be redirected after login on portal.</div>
<ul>
<li class="level2"><div class="li"> Example: <code>myapp.example.com .subdomain.example.com</code></div>
</li>
<li class="level2"><div class="li"> <code>*</code> allows redirections to any external domain (DANGEROUS)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Use Safe jail</strong>: set to &#039;Off&#039; to disable Safe jail. Safe module is used to eval expressions in headers, rules, etc. Disabling it can lead to security issues.</div>
</li>
<li class="level1"><div class="li"> <strong>Check <abbr title="Cross Site Scripting">XSS</abbr> Attacks</strong>: set to &#039;Off&#039; to disable <abbr title="Cross Site Scripting">XSS</abbr> checks. <abbr title="Cross Site Scripting">XSS</abbr> checks will still be performed and logged as warnings, but they will not prevent the process from continuing.</div>
</li>
<li class="level1"><div class="li"> <strong>Brute-Force Attack protection</strong>: set to &#039;On&#039; to enable it. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds, making it easy for an attacker to beat a password-based authentication system.</div>
</li>
<li class="level1"><div class="li"> <strong>Required token for forms</strong>: to prevent CSRF attacks, a token is built for each form. To disable it, set this parameter to &#039;Off&#039; or set a special rule</div>
</li>
<li class="level1"><div class="li"> <strong>Form timeout</strong>: Form token timeout (default to 120 seconds)</div>
</li>
<li class="level1"><div class="li"> <strong>Use global storage</strong>: Local cache is used by default for one time tokens. To use global storage, set it to &#039;On&#039;</div>
</li>
<li class="level1"><div class="li"> <strong>LWP::UserAgent and SSL options</strong>: insert here options to pass to the LWP::UserAgent object (used by <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect to query partners, and by the AuthSSL or AuthBasic handler to request the Portal <abbr title="Uniform Resource Locator">URL</abbr>). Example: <code>verify_hostname =&gt; 0</code>, <code>SSL_verify_mode =&gt; 0</code> (note that both of these disable TLS certificate verification)</div>
</li>
<li class="level1"><div class="li"> <strong>Content Security Policy</strong>: the Portal builds this header dynamically. You can modify the default values. Browser implementations of the formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does). Administrators may have to modify the <code>formAction</code> value with a wildcard like <code>*</code>.</div>
</li>
<li class="level1"><div class="li"> <strong>Cross-Origin Resource Sharing</strong>: Portal builds those headers. You can modify default values. Administrators may have to modify <code>Access-Control-Allow-Origin</code> value with &#039; &#039;.</div>
</li>
</ul>
<div class="noteimportant">If URLs are protected with the AuthBasic handler, you have to disable the CSRF token by setting a special rule based on the caller&#039;s <abbr title="Internet Protocol">IP</abbr> address, like this:
<p>
<code>requireToken =&gt; $env-&gt;{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/</code>
</p>
</div><div class="notewarning">Enabling global storage for one-time tokens will degrade Portal performance!
<p>
It must ONLY be used with an outdated or low-performance load balancer.
</p>
</div>
</div>
<!-- EDIT18 SECTION "Configure security settings" [8149-11367] -->
<h2 class="sectionedit19" id="fail2ban">Fail2ban</h2>
<div class="level2">
<p>
To prevent brute force attacks with fail2ban:
</p>
<p>
Edit <code>/etc/fail2ban/jail.conf</code>
</p>
<pre class="code">[lemonldap-ng]
enabled = true
port = http,https
filter = lemonldap
action = iptables-multiport[name=lemonldap, port=&quot;http,https&quot;]
logpath = /var/log/apache*/error*.log
maxretry = 3</pre>
<p>
and edit <code>/etc/fail2ban/filter.d/lemonldap.conf</code>
</p>
<pre class="code"># Fail2Ban configuration file
#
# Author: Adrien Beudin
#
# $Revision: 2 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named &quot;host&quot;. The tag &quot;&lt;HOST&gt;&quot; can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P&lt;host&gt;[\w\-.^_]+)
# Values: TEXT
#
failregex = Lemonldap\:\:NG \: .* was not found in LDAP directory \(&lt;HOST&gt;\)
            Lemonldap\:\:NG \: Bad password for .* \(&lt;HOST&gt;\)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =</pre>
<p>
Restart fail2ban
</p>
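<p>
To check the filter before deploying it, the two <code>failregex</code> patterns above applied in Python to constructed Apache error-log lines, counting failures per host the way the jail would with <code>maxretry = 3</code>. This is an added example, not part of the original page or of fail2ban: the log lines are constructed samples (the real message format is whatever LL::NG writes to the Apache error log), <code>&lt;HOST&gt;</code> is expanded to the group quoted in the filter&#039;s own comments, the no-op <code>\:</code> escapes are dropped, and the jail&#039;s <code>findtime</code> window is ignored.
</p>

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# fail2ban expands the <HOST> tag to this group (quoted in the filter's comments).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex lines from lemonldap.conf, with <HOST> expanded.
FAILREGEX = [
    re.compile(r"Lemonldap::NG : .* was not found in LDAP directory \(" + HOST + r"\)"),
    re.compile(r"Lemonldap::NG : Bad password for .* \(" + HOST + r"\)"),
]

MAXRETRY = 3  # from the [lemonldap-ng] jail above

# Constructed sample log lines (not real LL::NG output): one host reaches
# maxretry, another does not, and an unrelated error line must be ignored.
SAMPLE_LOG = """\
[Mon Sep 23 10:00:01 2019] [error] Lemonldap::NG : Bad password for dwho (198.51.100.7)
[Mon Sep 23 10:00:02 2019] [error] Lemonldap::NG : Bad password for dwho (198.51.100.7)
[Mon Sep 23 10:00:03 2019] [error] Lemonldap::NG : nobody was not found in LDAP directory (198.51.100.7)
[Mon Sep 23 10:00:04 2019] [error] Lemonldap::NG : Bad password for rtyler (203.0.113.9)
[Mon Sep 23 10:00:05 2019] [error] File does not exist: /var/www/html/favicon.ico
"""


def match_failure(line: str) -> Optional[str]:
    """Return the offending host if the line matches one of the failregex patterns."""
    for pattern in FAILREGEX:
        m = pattern.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(log: str) -> Dict[str, int]:
    """Count matching failures per host over the whole log."""
    counts: Counter = Counter()
    for line in log.splitlines():
        host = match_failure(line)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def hosts_to_ban(log: str, maxretry: int = MAXRETRY) -> List[str]:
    """Hosts whose failure count reached maxretry (fail2ban would then run the action)."""
    return sorted(h for h, n in count_failures(log).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))  # {'198.51.100.7': 3, '203.0.113.9': 1}
    print(hosts_to_ban(SAMPLE_LOG))    # ['198.51.100.7']
```

<p>
The same check can be run against the real filter with <code>fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/lemonldap.conf</code> once the log contains genuine failures.
</p>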
</div>
<!-- EDIT19 SECTION "Fail2ban" [11368-12422] -->
<h2 class="sectionedit20" id="sessions_identifier">Sessions identifier</h2>
<div class="level2">
<p>
You can change the module used for session identifier generation. To do so, add the <code>generateModule</code> key to the configured session backend options.
</p>
<p>
We recommend using: <code>Lemonldap::NG::Common::Apache::Session::Generate::SHA256</code>.
</p>
</div>
<!-- EDIT20 SECTION "Sessions identifier" [12423-12685] -->
<h2 class="sectionedit21" id="saml">SAML</h2>
<div class="level2">
<p>
See <a href="samlservice.html#security_parameters" class="wikilink1" title="documentation:2.0:samlservice">security_parameters</a>
</p>
</div>
<!-- EDIT21 SECTION "SAML" [12686-] --></div>
</body>
</html>