rejetto forum
Software => HFS ~ HTTP File Server => router & port problems => Topic started by: bbertrand on January 09, 2015, 04:06:43 PM
-
If a malicious user were to try repeatedly to log in to HFS, trying one password after another, is there any way to "lock out" for a period of time, or any other suggestions on how to prevent someone trying password after password until eventually they get logged in?
-
I don't think a captcha could be of any help here, so I think this must be implemented internally in HFS (if it was not implemented already). I don't see another option.
-
There's no such feature ATM, but you can try this old stuff:
http://www.rejetto.com/forum/hfs-~-http-file-server/automatictemporary-ban/msg1043503/#msg1043503
-
I tried this; the problem is that I'm using STUNNEL, so all connections into HFS are from 127.0.0.1. Any other ideas?
-
http://www.peerblock.com/
stunnel keeps a log...
Unless you disabled it...
It should tell you what public IP attempted to connect to you...
Not the correct way (I was looking for the stunnel conf line to enable logging), but this should also help:
https://github.com/arusso/puppet-stunnel/issues/8
------example...
What to do when stunnel fails
Firstly, the most important things to try when you are having trouble running stunnel are to:
run with full debug mode: "debug = 7" in the stunnel config
if running the daemon, run it in the foreground: foreground = yes
Doing this gives you the best chance of catching the errors in the log on the screen.
along with other IP connections...
----------------
http://www.stunnel.org/static/stunnel.html
*********
log = append | overwrite
log file handling
This option allows you to choose whether the log file (specified with the output option) is appended to or overwritten when opened or re-opened.
default: append
output = FILE
append log messages to a file
/dev/stdout device can be used to send log messages to the standard output (for example to log them with daemontools splogger).
********************
Now that we have the public IPs that connected, with time stamps...
and since HFS has the bad password attempt time stamped...
I would recommend you download PeerBlock.
Download link:
http://www.peerblock.com/releases/public-releases/peerblock-1.2.0-r693
and add the IP address from that time to permanently block the IP in PeerBlock.
*The stunnel log has the public IP that attempted access.
PeerBlock is one of many solutions... although I do think the account system within HFS should incorporate security rules such as password history/length/complexity and timeout...
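The procedure described in this post (read the public IP from the stunnel log, match it by time against HFS's bad-password entries, then block the IP) written out as an added worked example. This is not code from the thread, from HFS or from stunnel. It assumes stunnel is logging at debug level 5 or higher to a file via `output =`, and both log line shapes below are constructed approximations: the stunnel line imitates its "accepted connection from IP:port" message, and the HFS failed-login line is made up, so adjust the two regexes to your real logs. One caveat the correlation inherits: HFS only ever sees 127.0.0.1, so a failure can be attributed only when exactly one stunnel connection arrived in the matching window; when two arrive together the script counts the failure as unattributed instead of guessing.

```python
"""Correlate stunnel 'accepted connection' lines with HFS failed logins.

Added example (not forum, HFS or stunnel code). Both log formats are
ASSUMPTIONS: the stunnel line approximates its "accepted connection from
IP:port" message at debug level 5+, and the HFS line is a constructed shape.
"""
import re
from collections import Counter
from datetime import date, datetime, timedelta

STUNNEL_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"LOG\d+\[\d+\]: .*accepted connection from (?P<ip>\d+(?:\.\d+){3}):\d+"
)
# Behind stunnel HFS only logs the loopback address, so the only usable
# fields on its side are the time and the fact that the login failed.
HFS_FAIL_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) 127\.0\.0\.1:\d+ Bad password for user: (?P<user>\S+)"
)

# Constructed sample logs for one day (2015-01-09). Two clients connect in the
# same second at 16:06:40, which makes that failure unattributable.
STUNNEL_LOG = """\
2015.01.09 16:06:40 LOG5[2456]: Service [hfs] accepted connection from 203.0.113.7:51422
2015.01.09 16:06:40 LOG5[2456]: Service [hfs] accepted connection from 198.51.100.23:40001
2015.01.09 16:06:45 LOG7[2456]: Remote socket (FD=12) initialized
2015.01.09 16:06:50 LOG5[2456]: Service [hfs] accepted connection from 203.0.113.7:51423
2015.01.09 16:06:55 LOG5[2456]: Service [hfs] accepted connection from 203.0.113.7:51424
2015.01.09 16:07:02 LOG5[2456]: Service [hfs] accepted connection from 203.0.113.7:51425
"""

HFS_LOG = """\
16:06:40 127.0.0.1:51500 Bad password for user: admin
16:06:41 127.0.0.1:51501 Requested GET /
16:06:50 127.0.0.1:51502 Bad password for user: admin
16:06:55 127.0.0.1:51503 Bad password for user: admin
16:07:02 127.0.0.1:51504 Bad password for user: admin
"""


def parse_stunnel(text):
    """Return [(datetime, public_ip)] for every accepted connection."""
    events = []
    for line in text.splitlines():
        m = STUNNEL_RE.match(line)
        if m:
            ts = datetime.strptime(m["date"] + " " + m["time"], "%Y.%m.%d %H:%M:%S")
            events.append((ts, m["ip"]))
    return events


def parse_hfs_failures(text, day):
    """Return [(datetime, user)] for every failed login; HFS lines carry no date,
    so the caller supplies the day the log covers."""
    failures = []
    for line in text.splitlines():
        m = HFS_FAIL_RE.match(line)
        if m:
            t = datetime.strptime(m["time"], "%H:%M:%S").time()
            failures.append((datetime.combine(day, t), m["user"]))
    return failures


def attribute_failures(connections, failures, window=timedelta(seconds=2)):
    """Map each failure to the single connection accepted at most `window`
    before it. Returns (Counter ip -> failures, number left unattributed)."""
    counts = Counter()
    unattributed = 0
    for fail_ts, _user in failures:
        candidates = {ip for conn_ts, ip in connections
                      if timedelta(0) <= fail_ts - conn_ts <= window}
        if len(candidates) == 1:
            counts[candidates.pop()] += 1
        else:
            unattributed += 1  # zero or several candidates: do not guess
    return counts, unattributed


def ban_candidates(counts, threshold=3):
    """IPs with at least `threshold` attributed failures, ready for a blocklist."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def run_example():
    conns = parse_stunnel(STUNNEL_LOG)
    fails = parse_hfs_failures(HFS_LOG, date(2015, 1, 9))
    counts, unattributed = attribute_failures(conns, fails)
    return counts, unattributed, ban_candidates(counts)


if __name__ == "__main__":
    counts, unattributed, bans = run_example()
    print("failures per IP:", dict(counts), "unattributed:", unattributed)
    print("ban:", bans)
```

On the sample data 203.0.113.7 collects three attributable failures and is the only ban candidate; the 16:06:40 failure stays unattributed because two clients connected in that second. Keep the window small (a second or two) and the clocks of both logs on the same host, otherwise the attribution degrades quickly under load.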
-
Although running the programs separately is nice for control, a member of this forum has gone to great lengths on incorporating HFS and stunnel.
There is an option within the program in which you can have stunnel's log and HFS's log in the same log window...
http://www.rejetto.com/forum/hfs-~-http-file-server/for-testing-purpose-hfs-beta-279-including-ssl-tools/msg1059793/#msg1059793
As for your port 80 issue, it might be worth a look into a new member's project:
http://www.rejetto.com/forum/router-port-problems/hfs-and-pagekite-public-hfs-wo-router-reconfiguration/msg1059815/?topicseen#msg1059815
-
The issue is this: someone could try and try and try and finally break in; finding a break-in AFTER THE FACT is unacceptable. I come from Mainframes - we don't let accidents happen and then clean up the mess - we don't let it happen in the first place. You've never seen a mainframe break-in. Anyway, I'm new to STUNNEL and was wondering if there was a way for STUNNEL to pass the original IP address through (can't see how, architecturally) so that the original IP can be barred temporarily, but my first choice would be to, like Windows, lock out a userid for a period of time after 3 invalid password attempts, and when locked out, the user attempting connection should not know whether it was an invalid password or whether the userid is/was locked out. I'm not in the habit of working for my computer (i.e. checking logs) - I believe strongly that if there IS suspicious activity, the computer should tell me. As I use HFS to provide access to ALL of the files on my computer, I'm now concerned that I may have to find an alternative solution, due only to this problem. Would there be a way to disable the target userid for a period of time, anyone? I appreciate all responses. And the integrated HFS/Stunnel project - does that provide the source IP? (I still prefer a userid lockout though.)
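The lockout policy the post above asks for (lock a userid after 3 bad passwords, and reject the following attempts identically whether the password was wrong or the account is locked) written out as an added example. It is not HFS code and, as the thread notes, HFS has no such feature; the user table, the threshold of 3 and the 15-minute window are assumptions. One caveat a practitioner would want before adopting it: a lockout keyed only on the userid lets anyone who knows a username lock that user out on purpose, so it is normally paired with a per-source limit (such as an IP ban derived from the stunnel log) rather than used alone.

```python
"""Per-user temporary lockout with an indistinguishable failure response.

Added example, not HFS code. Credentials are stored as salted PBKDF2 hashes,
comparison is constant-time, and every rejection is the same plain False.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILURES = 3              # assumption: lock after the third bad password
LOCKOUT = timedelta(minutes=15)  # assumption: length of the lock
_DUMMY_SALT = b"\x00" * 16    # used to spend equal work on unknown users


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, users):
        """users: {name: plaintext password}; only the salted hash is kept."""
        self._creds = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._creds[name] = (salt, _hash(pw, salt))
        self._failures = {}      # name -> consecutive bad passwords
        self._locked_until = {}  # name -> datetime the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def login(self, user, password, now):
        """True only if the password is right AND the account is not locked.

        Every other outcome returns the same False, so a caller (and thus the
        remote user) cannot tell 'bad password' from 'locked out'."""
        if self.is_locked(user, now):
            return False  # while locked the password is not even checked
        cred = self._creds.get(user)
        if cred is not None:
            salt, stored = cred
            ok = hmac.compare_digest(_hash(password, salt), stored)
        else:
            _hash(password, _DUMMY_SALT)  # same cost, so timing does not reveal existence
            ok = False
        if ok:
            self._failures.pop(user, None)
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT
            self._failures.pop(user, None)  # counter restarts after the lock expires
        return False


def demo():
    """Walk through the sequence the post describes; returns the list of results."""
    g = LoginGuard({"alice": "correct horse battery"})
    t0 = datetime(2015, 1, 9, 16, 6, 43)
    return [
        g.login("alice", "correct horse battery", t0),                   # True
        g.login("alice", "wrong1", t0),                                   # False
        g.login("alice", "wrong2", t0),                                   # False
        g.login("alice", "wrong3", t0),                                   # False, now locked
        g.login("alice", "correct horse battery", t0 + timedelta(minutes=1)),  # False: right password, but locked
        g.login("nobody", "anything", t0),                                # False: same response for unknown user
        g.login("alice", "correct horse battery", t0 + LOCKOUT),         # True: lock expired
    ]


if __name__ == "__main__":
    print(demo())
```

The fifth call is the point of the exercise: the correct password is refused during the lock with exactly the same response as a wrong one, and nothing in the reply says whether the account exists or is locked. Alerting the administrator (the other thing the post asks for) belongs at the place where `_locked_until` is set.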
-
Agree that the machine should let you know, but I doubt that these things will be implemented in HFS for quite some time...
On your topic of security (since you work with mainframes...), well, I don't know what to suggest for help...
Since you said you're using Windows, or to explain an example with it..., if you want better security than HFS, use IIS...
See the link to install IIS 7 on your machine:
http://www.iis.net/learn/install/installing-iis-7/installing-iis-on-windows-vista-and-windows-7
Use PHP for file upload and download...
IIS has automatic logs and limits that can warn you...
Install PHP on IIS 7:
http://php.iis.net/
http://www.microsoft.com/web/gallery/install.aspx?appid=PHP53
Attached is a working file upload via PHP....
(IIS 7 creates a self-signed cert, and it uses HTTPS... unless you pay for a globally signed one...)
https://www.sslshopper.com/article-when-are-self-signed-certificates-acceptable.html
--------
It's All About Trust
A self-signed certificate is like a fake drivers license. Who would accept a fake drivers license? Most people wouldn't. But Internet communication is very different from real-life communication. You have little idea who is sending the information on the other end. The biggest problem with a self-signed certificate, is a man-in-the-middle attack.
----------
Then use OpenSSH (http://www.openssh.com/windows.html) to connect via PuTTY and create tunnels, and use the tunnel for communications... win win... that's what I'm doing now...