rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: ledufe on April 29, 2006, 03:05:55 PM

Title: question
Post by: ledufe on April 29, 2006, 03:05:55 PM
rejetto, is there any possibility to do a function or an option to add an always authorized machine/user based on his dynamic dns?
something like:
i have a friend
and he uses a dyn dns account
i want to always let him access my server, but i want to restrict the server to only let in some ip, and my question is, can i set the hfs to always let some address like "xxx.homedns.org" get in?
Title: question
Post by: rejetto on April 29, 2006, 03:16:18 PM
it is possible to make such a feature but... it is dangerous.
when your friend is not online, or for any other reason he doesn't update the DNS, your server will be accessible by a stranger.
Title: question
Post by: ledufe on April 29, 2006, 04:53:34 PM
i know the security risks, but my friend, my company, my family use no-ip or dyn-dns to publish their ip, not only to publish some pages, but for me to do some tech support. and in the case of the company i would like to make hfs work permitting (is that written right?) access to hfs only from another filial (i don't know the right word in english to say the other company office), and i guess that this feature would be nice. and by the way, i manage the dyn-dns and the no-ip of all of them, i watch it "close"....:-)
Title: question
Post by: ~GeeS~ on April 29, 2006, 05:50:57 PM
LeDuFe,
if i understood you correctly, you have a HFS server in your company and you want to allow your friend to connect to your HFS server from another office. Both of you have different dynamic IPs (you are not in a LAN) and both of you have static URLs from DynDNS.

Do you only want to check that it is really your friend who connects to you? Then make a unique account with username:password.

Or do you additionally want to check that it's your friend because the user:pass is correct and he is also connecting from this specific (DynDNS) address?
As rejetto said, i would not rely on that. Headers, which contain the host information, can be modified easily (e.g. Proxomitron).

In my opinion the only almost certain way to know that it is your friend who is trying to connect is:
Give him a unique user:pass account for the resources he is allowed to access. This is the default procedure.
To add more security, you could run HFS with SSL and provide your friend with a trusted client certificate. This certificate resides on your friend's computer (in a safe place!, but can you be really sure about that??). Connection with HFS will only be made if this certificate fits with the one you have and the user:pass are correct. And, of course, http access to these resources should be switched off!
But do you really need that? If someone else can access your friend's computer with the client certificate and find out the user:pass, then you are back at square one. And before you consider applying this, first make sure that your WIN is updated and patched, your router is not accessible from the WAN side or at least password protected (not the defaults!) and your WIFI AP is protected (no SSID broadcasting, WPA not WEP, allow predefined MAC addresses only, passworded).

And in case you want to protect your crown jewels, i would search for a trusted professional hardware/software (VPN) solution.
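
Added example (not part of the thread and not HFS code): a Python sketch of the check discussed above, in which the allowlisted dynamic DNS name is resolved and compared with the connecting address, and a match only permits a login attempt while the user:pass is still required. The hostname, account, addresses and the `resolver` hook are assumptions constructed for illustration.

```python
import hashlib
import hmac
import socket

ALLOWED_HOSTS = ["friend.dyndns.example"]  # constructed placeholder name
_SALT = b"constructed-salt"                # constructed sample value

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account store: username -> (salt, password hash)
ACCOUNTS = {"friend": (_SALT, _hash("correct horse", _SALT))}

def resolve(hostname):
    """Addresses the name points to right now; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()  # fail closed

def peer_is_allowlisted(peer_ip, resolver=resolve):
    """Compare the TCP peer address (not a request header) with the DNS answer."""
    return any(peer_ip in resolver(h) for h in ALLOWED_HOSTS)

def password_ok(user, password):
    entry = ACCOUNTS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password, salt), expected)

def authorize(peer_ip, user, password, resolver=resolve):
    """A DNS match only narrows who may try to log in; it never grants access."""
    if not peer_is_allowlisted(peer_ip, resolver):
        return False
    return password_ok(user, password)

if __name__ == "__main__":
    # Constructed scenario: the friend is offline and the record is stale, so
    # 203.0.113.7 (documentation range) now belongs to someone else.
    stale = lambda host: {"203.0.113.7"}
    print(peer_is_allowlisted("203.0.113.7", stale))
    print(authorize("203.0.113.7", "friend", "guess", stale))
    print(authorize("203.0.113.7", "friend", "correct horse", stale))
    print(authorize("198.51.100.9", "friend", "correct horse", stale))
```

With the stale record, the address check alone passes for whoever holds the old IP, which is the case rejetto warns about; the account check is what still keeps that peer out.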