Open-AudIT
https://www.open-audit.org/phpBB3/

Security Issues Running Open-AudIT on a public webserver?
https://www.open-audit.org/phpBB3/viewtopic.php?f=5&t=2560

Author:  Deetz [ Mon Jan 07, 2008 7:11 pm ]
Post subject:  Security Issues Running Open-AudIT on a public webserver?

Hello, the majority of users at my company are working outside the office. So it isn't possible to scan them from one central computer.

My idea was to run Apache on a non-standard port and maybe throw in some basic password authentication, then have the script run locally on users' machines. Is anyone running Open Audit on a public facing webserver?

Author:  Mark [ Mon Jan 07, 2008 9:12 pm ]
Post subject:  Re: Security Issues Running Open-AudIT on a public webserver?

Open-AudIT has NOT been designed to withstand being on a public network (the internet).
Having said that, if you did want to run it that way, I would suggest putting ONLY the audit submit page on the public facing web pages.
I would then use another server to run the rest of the app from.
That way, only your "inside" network can view the information.
External people can ONLY submit information. They cannot VIEW anything.
Remember - a full audit will submit Windows CD Keys, Office CD Keys, etc, etc - some very sensitive information, that you don't want available to the bad guys...

Author:  yakk0dotorg [ Tue Jan 08, 2008 9:10 am ]
Post subject:  Re: Security Issues Running Open-AudIT on a public webserver?

My OA server has a public IP, but it's also SSL encrypted and requires an LDAP login. I have set up a few laptops to run the audit script locally, and it seems to work fine regardless of whether it's on the LAN or somewhere else on the internet.

Author:  A_Hull [ Tue Jan 08, 2008 7:27 pm ]
Post subject:  Re: Security Issues Running Open-AudIT on a public webserver?

I think Mark is quite sensible to say proceed with caution.

If you do decide to proceed, then I would copy include.php, include_config.php and admin_pc_add_1.php to a separate folder, and expose this only to the internet. In other words, tie down your live pages using .htaccess (under Apache) or IIS admin so that they can be seen only from the local network. I would further tie down the live page so it can only be seen from the IP addresses of the remote sites.

Better still, use some sort of VPN between sites, and thus eliminate the problem completely. This doesn't have to be an expensive option, but will require a bit of planning to set up. Well worth the extra layer of security it would provide.

Take a look at IPCop and Zerina OpenVPN Module, plus OpenVPN for Windows for example. Both are open source. You would need a spare low spec PC or a virtual machine to run them on though.

IPCop http://www.ipcop.org/
Zerina http://www.vpnforum.de/zerina/?q=download
OpenVPN for Windows http://openvpn.se/

Obviously there are lots of other ways to do this, but be aware that Open Audit makes no claims to be secure (and indeed it would be foolish to expect any system facing the internet to be 100% secure), so additional security measures would be an absolute necessity in my opinion. Finally, the admin add pages do not insist on https... don't expect them to protect you from SQL injection attacks either. Be aware, a determined hacker can break most things. :evil:

Author:  NsOnLn [ Tue Jan 22, 2008 11:29 pm ]
Post subject:  Re: Security Issues Running Open-AudIT on a public webserver?

[quote="yakk0dotorg"]My OA server has a public IP, but it's also SSL encrypted and requires an LDAP login. I have set up a few laptops to run the audit script locally, and it seems to work fine regardless of if it's on the LAN or somewhere else on the internet.[/quote]

How did you set up SSL encryption and authentication in your vbs?

Author:  A_Hull [ Wed Jan 23, 2008 7:02 pm ]
Post subject:  Re: Security Issues Running Open-AudIT on a public webserver?

So far as I recall, the admin_add* pages don't require LDAP authentication; in other words, they are a potential security risk. It would take some carefully crafted scripting to actually attack you using these pages, though, so the risk is fairly low. That said, as OA becomes more popular, sooner or later some hacker will find a way. I would suggest that using VPNs to connect to the server site would give you more security, as suggested elsewhere.

Using SSL (i.e. https:) is supported on all pages including the admin_add* pages. To enable, go to the Admin> Config page, and enable it from there. If you find it doesn't work, you may have to edit include_config.php manually to switch it back off. :o

The exact method of setting up Apache or IIS to work with SSL/HTTPS will very much depend on your particular site. (If you use Xampp, most of the hard work is done for you).
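The two pieces of advice in this thread (expose only the submit page to the internet and lock the rest of the application down to the LAN and the remote sites' addresses, and serve everything over HTTPS) can be expressed in one Apache virtual host. The following is an added example written for this thread; it is not configuration shipped by Open-AudIT or posted by anyone above. It assumes Apache 2.4 (mod_ssl, mod_authz_core, mod_alias) rather than the 2.x `Order`/`Allow` syntax of 2008, the application installed under `/var/www/openaudit`, and placeholder host name, certificate paths and address ranges that must be replaced. The file name `admin_pc_add_1.php` is the submit page named in the thread.

```apache
# Added example, not part of the Open-AudIT project or of this thread.
# Assumes Apache 2.4; host name, paths and IP ranges are placeholders.

# Plain HTTP serves nothing but a redirect, so neither the audit submit
# page nor the admin pages are ever reachable in cleartext, whatever the
# application's own Admin > Config SSL setting says.
<VirtualHost *:80>
    ServerName audit.example.com
    Redirect permanent "/" "https://audit.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName   audit.example.com
    DocumentRoot "/var/www/openaudit"

    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/audit.example.com.crt"     # placeholder
    SSLCertificateKeyFile "/etc/ssl/private/audit.example.com.key"   # placeholder

    <Directory "/var/www/openaudit">
        Options -Indexes
        AllowOverride None

        # Default for the whole application: reachable only from the office
        # LAN and the fixed addresses of the remote sites (placeholders).
        Require ip 127.0.0.1 192.0.2.0/24 198.51.100.10

        # The one exception: the audit submission page is reachable from
        # anywhere, so audited machines outside the office can report in.
        # In 2.4 the innermost matching section's Require replaces the
        # directory-level one (AuthMerging Off is the default).
        <Files "admin_pc_add_1.php">
            Require all granted
        </Files>

        # The include files are only ever read by PHP on the server side;
        # denying them over HTTP costs nothing and keeps include_config.php
        # (which holds the database settings) out of any browser.
        <Files "include_config.php">
            Require all denied
        </Files>
    </Directory>
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading, then confirm from an address outside the allow list that the admin pages return 403 while `admin_pc_add_1.php` still accepts a submission. This is the single-server variant of A_Hull's suggestion; Mark's stronger arrangement, a separate internal server for the reporting pages, removes them from the public host entirely, and a VPN as described above makes the submit page private as well.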

All times are UTC + 10 hours