scary security questions
We are putting our site up and have some questions about Zope security relating to one of Zope's biggest benefits...remote administration. If some kid obtained access to the manage screens he could...well you know :(

1) What prevents someone from getting into the manage screens by cracking the admin username:password? Are failed login attempts logged anywhere? If not, is there any way to log them short of hacking the zope python code?

2) Is there any way to turn off the manage screens, or set them so that they can only be run locally?

5 er...3) Is there any way to run the manage screens on a different port than the rest of Zope? (i.e. not port 80) This would allow us to open/close that port in our firewall whenever we needed to access the manage screens remotely, or run it over a VPN.

What are other people doing to protect themselves?

Thanks in advance,
-Paul
> 1) What prevents someone from getting into the manage screens by cracking the admin username:password? Are failed login attempts logged anywhere? If not, is there any way to log them short of hacking the zope python code?

The failed attempts are logged as "401" errors.

J
In article <20000511215531.15698.qmail@web701.mail.yahoo.com>, Paul Abrams <paulabrams@yahoo.com> writes

> 1) What prevents someone from getting into the manage screens by cracking the admin username:password? Are failed login attempts logged anywhere? If not, is there any way to log them short of hacking the zope python code?

I think you can restrict access by IP address.

--
Regards, Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.com/dynamo - The Homebuilt Dynamo
http://www.compkarori.com/dbase - The dBase bulletin
Paul Abrams wrote:
> 2) Is there any way to turn off the manage screens, or set them so that they can only be run locally?

> 5 er...3) Is there any way to run the manage screens on a different port than the rest of Zope? (i.e. not port 80) This would allow us to open/close that port in our firewall whenever we needed to access the manage screens remotely, or run it over a VPN.

You can use Apache and SiteAccess to put all management screens behind SSL. You could use SiteAccess to prohibit management access to the outside world, but that seems silly, since you can already limit logins for users by domain or IP.

--
ethan mindlace fremen
mindlace@imeme.net
zope -&- imap email -&- mailing list
weave your web with the web at http://imeme.net
On Thu, 11 May 2000, Paul Abrams wrote:
> 2) Is there any way to turn off the manage screens, or set them so that they can only be run locally?

I would run Zope behind another web server for this (eg. Apache) and use it to stop access to */manage* from bad addresses. Note you can't just block off */manage/*, as that will still allow access to functions like manage_delete directly. This may affect the usability of other products. A better alternative is to not allow access by accounts with management rights from external addresses.
> 5 er...3) Is there any way to run the manage screens on a different port than the rest of Zope? (i.e. not port 80) This would allow us to open/close that port in our firewall whenever we needed to access the manage screens remotely, or run it over a VPN.
Yes - you will need to run it behind another web server again. If you want to use something like GenericUserFolder or LoginManager to control your authentication, it will be possible to only allow certain users to login via certain interfaces (eg. manager level accounts must have connected via SSL).
> What are other people doing to protect themselves?

Ensure your connection can't be sniffed (SSL or trusted network), keep your workstations free from trojans, and don't have simple passwords that can be cracked. If you're more paranoid, you can look into using certificate based or single sign on authentication schemes, but you will need to invest development time - the frameworks are there (LoginManager) but you will need to give them the brains.

--
Zen (alias Stuart Bishop)
Senior Systems Alchemist, Computer Science, RMIT
Work: zen@cs.rmit.edu.au
Play: zen@shangri-la.dropbear.id.au
WWW: http://www.cs.rmit.edu.au/~zen
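The point above about `*/manage/*` being too narrow a filter is easy to get wrong in a front-end rule, so here is an added example (not code from this thread or from Zope or Apache) of the difference between the naive pattern and a per-segment check that also catches directly addressed methods such as `manage_delete`, combined with an allow-list of trusted networks for management URLs. The trusted networks and the sample URLs are constructed values; the segment rule assumes Zope's naming convention that management views and methods are named `manage` or `manage_*`.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# The naive rule warned against above: matches only a literal "/manage/".
NAIVE_BLOCK = re.compile(r"/manage/")

# Segment-aware rule: a path segment that is exactly "manage" or starts with
# "manage_" (Zope's convention for management views and methods, e.g.
# manage_main, manage_delete) marks the request as a management request.
MANAGE_SEGMENT = re.compile(r"^manage(_|$)")

# Constructed stand-ins for the "good addresses" allowed to reach /manage*.
TRUSTED_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def naive_blocks(url: str) -> bool:
    """Reproduces the too-narrow rule: only URLs containing '/manage/' are caught."""
    return NAIVE_BLOCK.search(url) is not None


def is_management_request(url: str) -> bool:
    """True if any path segment is a Zope management name (manage, manage_*).

    The path is percent-decoded once before matching so that a spelling such as
    manage%5Fdelete is evaluated the same way the application will see it.
    """
    path = unquote(urlsplit(url).path)
    return any(MANAGE_SEGMENT.match(seg) for seg in path.split("/") if seg)


def allow_request(url: str, client_ip: str) -> bool:
    """Front-end policy: management URLs only from trusted networks; everything else open."""
    if not is_management_request(url):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


if __name__ == "__main__":
    samples = ["/index_html", "/manage/", "/site/manage_delete", "/site/manage%5Fdelete?ids=x"]
    for url in samples:
        print(f"{url:32} naive={naive_blocks(url)!s:5} management={is_management_request(url)}")
    print("external /manage_main allowed:", allow_request("/manage_main", "203.0.113.7"))
    print("internal /manage_main allowed:", allow_request("/manage_main", "10.0.0.5"))
```

The segment check is deliberately applied to the decoded path, because a filter that runs on the raw URL while the application decodes it is a classic mismatch; whatever front end you use, make sure its rule sees the same form of the path that Zope traverses.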
In article <20000511215531.15698.qmail@web701.mail.yahoo.com>, Paul Abrams <paulabrams@yahoo.com> writes

> 1) What prevents someone from getting into the manage screens by cracking the admin username:password? Are failed login attempts logged anywhere? If not, is there any way to log them short of hacking the zope python code?

I do this on my E-Commerce site. All failed log ons are logged with IP addresses, and after 3 failures, an email is sent to me, and that IP address is barred from access. But I'm not using Zope authentication.

--
Regards, Graham Chiu
gchiu<at>compkarori.co.nz
http://www.compkarori.co.nz/x.php?/Shopping
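Two replies in this thread fit together: failed attempts show up as 401 responses in the access log, and a per-address threshold of three failures is what one poster alerts and bars on. The following is an added example, not code from the thread, of that detection logic run over constructed Common Log Format lines (the format Zope's access log and Apache write). Addresses, timestamps and paths in the sample are made up, and the threshold of 3 mirrors the reply above rather than any Zope setting.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Common Log Format: ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Zope management names: a path segment equal to "manage" or starting with "manage_".
MANAGE_SEGMENT = re.compile(r"^manage(_|$)")

# Constructed sample log; every address and timestamp here is made up.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2000:21:55:31 +0000] "GET /manage_main HTTP/1.0" 401 210
203.0.113.7 - - [11/May/2000:21:55:34 +0000] "GET /manage_main HTTP/1.0" 401 210
203.0.113.7 - - [11/May/2000:21:55:37 +0000] "GET /manage_main HTTP/1.0" 401 210
203.0.113.7 - - [11/May/2000:21:55:40 +0000] "GET /site/manage_delete HTTP/1.0" 401 210
198.51.100.2 - - [11/May/2000:22:01:02 +0000] "GET /index_html HTTP/1.0" 200 1532
198.51.100.2 - - [11/May/2000:22:01:05 +0000] "GET /manage HTTP/1.0" 401 210
10.0.0.5 - admin [11/May/2000:22:03:00 +0000] "GET /manage_main HTTP/1.0" 200 4021
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the CLF fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_management_path(path: str) -> bool:
    """True if any segment of the request path is a Zope management name."""
    path = path.split("?", 1)[0]
    return any(MANAGE_SEGMENT.match(seg) for seg in path.split("/") if seg)


def failed_manage_logins(lines: Iterable[str]) -> Counter:
    """Count 401 responses on management URLs per client address.

    Caveat: with HTTP Basic auth the browser's first request carries no
    credentials, so each session begins with one 401 that is a challenge, not
    a wrong guess. The counts are therefore an upper bound on failed attempts;
    pick the threshold with that in mind.
    """
    failures: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "401" and is_management_path(rec["path"]):
            failures[rec["ip"]] += 1
    return failures


def offenders(failures: Counter, threshold: int = 3) -> list:
    """Addresses at or above the threshold: the ones to alert on and block."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


if __name__ == "__main__":
    counts = failed_manage_logins(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} failed management logins")
    print("bar and alert:", offenders(counts))
```

Successful management requests (status 200 with a user name, like the last sample line) are not counted, so the output is specifically the addresses that keep hitting management URLs without valid credentials; running this periodically over the live log is the cheapest way to get the logging the original question asks about without touching Zope's code.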
Participants (5): Graham Chiu, J. Atwood, mindlace, Paul Abrams, Stuart 'Zen' Bishop