Open-AudIT

What's on your network?

All times are UTC + 10 hours

PostPosted: Mon Jan 07, 2008 7:11 pm 
Newbie

Joined: Wed Oct 31, 2007 12:40 am
Posts: 7
Hello, the majority of users at my company are working outside the office. So it isn't possible to scan them from one central computer.

My idea was to run Apache on a non standard port and maybe throw in some basic password authentication, then have the script run locally on users machines. Is anyone running Open Audit on a public facing webserver?

PostPosted: Mon Jan 07, 2008 9:12 pm 
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1961
Location: Brisbane, Australia
Open-AudIT has NOT been designed to withstand being on a public network (the internet).
Having said that, if you did want to run it that way, I would suggest putting ONLY the audit submit page on the public facing web pages.
I would then use another server to run the rest of the app from.
That way, only your "inside" network can view the information.
External people can ONLY submit information. They cannot VIEW anything.
Remember - a full audit will submit Windows CD Keys, Office CD Keys, etc, etc - some very sensitive information, that you don't want available to the bad guys...

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.

PostPosted: Tue Jan 08, 2008 9:10 am 
Newbie

Joined: Wed Jan 18, 2006 1:37 am
Posts: 5
My OA server has a public IP, but it's also SSL encrypted and requires an LDAP login. I have set up a few laptops to run the audit script locally, and it seems to work fine regardless of whether it's on the LAN or somewhere else on the internet.

PostPosted: Tue Jan 08, 2008 7:27 pm 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I think Mark is quite sensible to say proceed with caution.

If you do decide to proceed, then I would copy include.php, include_config.php and admin_pc_add_1.php to a separate folder, and expose only this to the internet. In other words, tie down your live pages using .htaccess (under Apache) or IIS admin so that they can be seen only from the local network. I would further tie down the live page so it can only be seen from the IP addresses of the remote sites.

Better still, use some sort of VPN between sites, and thus eliminate the problem completely. This doesn't have to be an expensive option, but will require a bit of planning to set up. Well worth the extra layer of security it would provide.

Take a look at IPCop and Zerina OpenVPN Module, plus OpenVPN for Windows for example. Both are open source. You would need a spare low spec PC or a virtual machine to run them on though.

IPCop http://www.ipcop.org/
Zerina http://www.vpnforum.de/zerina/?q=download
OpenVPN for Windows http://openvpn.se/

Obviously there are lots of other ways to do this, but be aware that Open Audit makes no claims to be secure (and indeed it would be foolish to expect any system facing the internet to be 100% secure), so additional security measures would be an absolute necessity in my opinion. Finally, the admin add pages do not insist on https; don't expect them to protect you from SQL injection attacks either. Be aware: a determined hacker can break most things.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory

PostPosted: Tue Jan 22, 2008 11:29 pm 
Newbie

Joined: Wed Aug 16, 2006 4:23 am
Posts: 19
yakk0dotorg wrote:
    My OA server has a public IP, but it's also SSL encrypted and requires an LDAP login. I have set up a few laptops to run the audit script locally, and it seems to work fine regardless of whether it's on the LAN or somewhere else on the internet.

How did you set up SSL encryption and authentication in your vbs?

PostPosted: Wed Jan 23, 2008 7:02 pm 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
So far as I recall, the admin_add* pages don't require LDAP authentication; in other words, they are a potential security risk. It would take some carefully crafted scripting to actually attack you using these pages, so the risk is fairly low. That said, as OA becomes more popular, sooner or later some hacker will find a way. I would suggest that using VPNs to connect to the server site would give you more security, as suggested elsewhere.

Using SSL (i.e. https:) is supported on all pages including the admin_add* pages. To enable it, go to the Admin > Config page and enable it from there. If you find it doesn't work, you may have to edit include_config.php manually to switch it back off.

The exact method of setting up Apache or IIS to work with SSL/HTTPS will very much depend on your particular site. (If you use Xampp, most of the hard work is done for you).

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory
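An added example (not code from this thread or from Open-AudIT itself) showing one way to put Andrew's two posts into Apache 2.4 configuration: the full application reachable from the inside network only, a separate folder holding just the three submit files reachable from the remote sites' addresses only, and plain HTTP redirected to HTTPS. The hostname, paths, certificate locations and IP ranges are assumptions.

```apache
# Added example, not from the thread or from Open-AudIT. Assumed layout:
#   /var/www/openaudit  - the full application (inside network only)
#   /var/www/oa-submit  - copies of include.php, include_config.php and
#                         admin_pc_add_1.php only (remote sites only)
# Assumed addresses (constructed, documentation ranges): office LAN
# 192.168.0.0/16, remote sites 203.0.113.10 and 198.51.100.20.

# Plain HTTP: send everything to HTTPS so a full audit (CD keys etc.)
# is never submitted in the clear.
<VirtualHost *:80>
    ServerName audit.example.com
    Redirect permanent / https://audit.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName audit.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/audit.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/audit.example.com.key
    DocumentRoot /var/www/openaudit

    # Full application, including every page that VIEWS audit data:
    # inside network only. Anything else gets 403.
    <Directory /var/www/openaudit>
        Require ip 127.0.0.1 192.168.0.0/16
    </Directory>

    # Submit-only folder, exposed at /submit: remote site addresses only.
    Alias /submit /var/www/oa-submit
    <Directory /var/www/oa-submit>
        Require ip 203.0.113.10 198.51.100.20
        # The two include files are only ever read by admin_pc_add_1.php,
        # so refuse direct requests for them. A Files section's Require
        # replaces the enclosing Directory's (AuthMerging Off is the
        # default), so this is a hard deny even for the remote sites.
        <FilesMatch "^include(_config)?\.php$">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

Under these assumptions the audit script's submit URL becomes https://audit.example.com/submit/admin_pc_add_1.php. If the remote users roam rather than sit at fixed sites, a source-IP rule cannot identify them, and the VPN Andrew recommends is the fitting option instead.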
