I need a little guidance on what I can do with an FTP site I am creating.
Essentially the FTP is to provide data that end users have requested. Workflow is as follow:
User selects what data they want -> User's info (contact, requested data/formats, custom user and password string) stored in SQL table -> Email sent to FTP manager with unique ID of end user -> FTP Manager runs script using unique ID as input, generating the requested data -> Data stored in directory on FTP server and email sent to end user with credentials for obtaining data.
So far, everything up to the credentials part of my workflow is working. The FTP uses no authentication as of right now (because I'm not sure what needs to be done to do so).
My question is, is it possible for me to create IIS users to access the FTP site using the user/password string I create when the end user makes the request, that way I can use some authorization on the FTP site? Am I even approaching this in the correct manner? I'm no IIS/DB guru but I know enough to break something.
What I think I should do:
Set the authentication to use IISManagerAuth, and with magic create the IIS users based off of the credentials I create from the end user request (This is what I am going to try and do while you smart folk point and laugh at my lack of understanding and blindness of the inevitable).
Any guidance appreciated!
Related
I apologies in advance - for this question needs a bit of background, which is likely to be long winded:
I'm trying to build an app which works offline with PouchDb. PouchDb will sync with Cloudant.
Technologies used:
Hapi, SQL, Vue, Cloudant, PouchDb
I have built a little hapi.js service to sign up / authenticate users. When an "account owner" signs up - they are added as a new user to a SQL database.
Using Cloudants API, I provision a new database (with a random name), and set security on the database so the new user has access.
I save the security (DB name, User name, and password) as metadata back to the user in the SQL database.
A very similar approach to here: https://www.bennadel.com/blog/3208-provisioning-cloudant-couchdb-databases-from-auth0-for-a-database-per-user-architecture-in-angular-2-4-1.htm (indeed, I based the above on this).
When the "account owner" logs in, the SQL DB is queried - the MetaData retrieved and sent down to the client side vue app. The PouchDB remote string is then populated with the Cloudant DB name, User name, and password.
eg:
const remoteDB = new PouchDB(`https://${name}:${pass}#0000-0000-bluemix.cloudant.com/${DBname}`);
This all works: PouchDB can talk to Cloudant - and data is going to and from without issue.
The "Account owner" is able to give read/write access to other people ("Staff") to their cloudantDB. When they add a new Staff Member, the Staff Member is added to the SQL DB. Using cloudants API, I create new security credentials for this user so that they can access the DB- (I do NOT create a new DB) and save them to the Staff Member in the SQL db as metadata...
The new staff member is sent an email - they set their username and password on the SQL db, and can log in. The Cloudant meta stuff is picked up... etc etc... PouchDB / Couchdb talks to each other - this also works.
Initially I was a bit concerned about sending this meta / credentials down to the client - I wanted to use a JWT or something... But then I saw this answer to another question:
https://stackoverflow.com/a/30417620/714950
So passing credentials down seems to be how its done in Pouch/Couch/Cloudant etc. I've got to be honest - I find the whole thing works like 'magic' - like its too good to be true, and that worries me a bit as I don't really understand it. I might be doing something terribly wrong.
Now for my question(s):
I'm passing these credentials down - is this safe? How would I reset / time out the username and password.
When they log out, I wipe the data from Pouch?
Can a user be 'logged in' and lose connection? Will pouch sync when they reconnect?
If pouch has NOT synced - and they log out (and I wipe Pouch) that would mean they would lose their data? so I guess I would need to persist the data in Pouch for when they log in again?
But what if they are using a shared computer? This data would be sat in Pouch DB waiting for someone to log in?
I'm also unsure how I validate the data... making sure that which gets saved to the DB is valid etc...
I suppose I'm just trying to get my head around this - I've been googling and reading everything I can, but it doesn't quite answer my questions.
Thanks
[** Just had a thought...
Thinking about it, I don't actually need to create the staff user within the SQL DB.
The Account Owner is set up - the DB is created in Cloudant, and credentials applied.
Not just had a thought: Theoretically, when a staff member is added - I only need to set them up inside Cloudant, and write their ID to the "Account Owner" as meta data so that they can be removed etc.
This way, a staff member could log in directly to the Cloudant DB.
However, I generate the security credentials using Cloudants API - so the staff member won't know what their username and password is. I don't want to send the username and password in an email.
Is there a way I can handle this? Am I able to specify a username and password when creating the security credentials? How do I handle things like password resets on cloudant?]
Thanks
I'm passing these credentials down - is this safe?
If your site is served out over HTTPS, then a bad actor would find it difficult to glean the Cloudant username & password in flight. Your client-side app needs to retain the credentials for your app to be "logged in" (for it to retain the right to sync with the server). I like to retain the data in a PouchDB document (e.g. _local/auth - local documents are not replicated so reside only on the device you create them on). You are right to be concerned, however, about having database credentials floating about on a client-side computer. Some folks decide that that is not acceptable and implement their own middle layer. If you don't need sync (that is data can be altered at both client and server side), you might use PouchDB as a buffer for unsynced data and push it to your own API when you're online. You can then control authentication, timeout and access to the database from your own server-side code.
How would I reset / time out the username and password.
You can "log out" by:
deleting your client-side state e.g. deleting the _local/auth document.
making the key/password have no permissions on the client side. Without _reader/_writer/_replicator rights, a Cloudant api key and password is useless
Alternatively you could transmit the username & password to the client which could use them against the Cloudant POST /_session endpoint which gives the web browser a time-limited cookie. Your app could then "forget" the credentials until it needs them again.
When they log out, I wipe the data from Pouch?
Yes.
Can a user be 'logged in' and lose connection? Will pouch sync when they reconnect?
If you write your client side app correctly, it could function perfectly well with its local PouchDB data, whether it has an internet connection or not. This is known as an Offline First approach. As long as your credentials are still valid, your app can sync when a connection is re-established.
If pouch has NOT synced - and they log out (and I wipe Pouch) that would mean they would lose their data?
Correct. If you have only one copy of some data and delete it, you lose data :)
But what if they are using a shared computer? This data would be sat in Pouch DB waiting for someone to log in?
Correct. On a shared computer, another user's data may be visible to the second user. Just as if I left my Facebook session logged in on a shared computer.
Is it possible that a website uses the models of another lavarel website to access the database, without the first website having the sql credentials hardcoded. But with the credentials to log into the second lavarel website hardcoded.
This way the first website doesn't have to have the sql credentials on it's ftp server, but can still access the databases through the other website (with their personal login of that website).
If that is impossible, I am wondering, is there a way to access a databases without having to hardcode the credentials anywhere.
UPDATE (the actual problem)
Only a part of the database should be visible to a particular user, so i can provide different users with different credentials and they all see something different in the database
What you are talking about is an API. So you'd build out the entire infrastructure on the first website, then on the second website, it would make some kind of calls to the first website to get back the information it needs, usually using some kind of credentials or access token.
This way, you can allow anyone in the world to communicate with your website, kind of like how Facebook, or Twitter does.
As far as accessing your database, you would need to tell your app somewhere the credentials to use, so technically, you do need to hardcode them somewhere as they can't just magically make up some credentials somehow to access a database.
if your different users are defined:
use laravel model/db event to replicate the data to a database by
user.
Or sync each database with a cron job..
These have benefits to avoid security transport problems.
I am developing an iOS app that is password protected and all the users are stored in a wordpress account that, of course, is password protected as well. Does anybody know the format that wordpress uses to store login information for these accounts, I would assume that it is a MySQL that sends a json? I have only been able to find the database code for the initial admin page but nothing that shows the way these accounts (815 to be exact) would be stored within the site.
The raw data is in the wp_users MySQL table.
The (default) code WordPress to authenticate users in the wp_check_password function. It's possible (though unlikely) that the password is a straight MD5 hash (I assume that check's just for backwards compatibility). Usually, it'll be encrypted using the PHPass library (see here for the WordPress code).
As far as I know, there's no API for checking a password that returns JSON. You'd probably have to write something yourself. This question suggests the wp_authenticate_username_password would be the best way to check the username / password combination on the server.
I am developing a WCF service which can be consumed by mobile applications to authenticate users against the corporate extranet ActiveDirectory. I am using a customized version of this implementation from Microsoft. I need to implement the account lock out logic so that after n retries the account in the ActiveDirectory should get locked-out.
I tried with state-full WCF service to keep track of the failed log-ins. But the client can start over the next session and continue with the attack.
I know that the ActiveDirectory policy can be set to enforce this, but just querying the AD -like the Microsoft solution does to authenticate the user - does not lock out the user.
So, I am looking forward for a solution which will work like when log-in to Windows with incorrect password for n times the account will get locked-out as per the policy set in the AD.
I have not seen your code. So I'm guessing you have similar solution that is implemented in this example, have a look at this link
In above example, please have look at line
DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);
this entry object would be used for authentication when you make a search call on active directory.
If you are using user/password that you want to authenticate then you need not to worry about locking it by your code. Active directory policy would be enough.
But after reading your comment I guess you have one specific user that you use to search mobile application users to check if they exist in your active directory or not. If this is the case effectively you are never authenticating against mobile users so those users never going to be blocked automatically.
I would be interested to know your answer.
There are basically two ways of doing this:
You continue the directory search method you are using, but track the number of logins for each user in a custom database, and check this database before doing the directory search.
Use the Windows login instead, and rely on AD to lockout the user. For a description of how to do this check: Active Directory (LDAP) - Check account locked out / Password expired
Edit
After seeing marc_s's comment, I am unsure if doing the directory search will lockout or not. It would actually be a serious security hole if you could try an infinate number of times. But you would need an account that is allowed to query AD before you could use it.
The code you linked to had this line
object obj = entry.NativeObject
Which was to force authentication. Have you included this line?
I have a vb.net application that uses my gmail smtp server settings and my password to send me the users feedback through the email, (I don't want to show my email to the users)
The problem is I want to store these data securely in the vb.net application so that It's hard for any hackers/crackers through (reverse engineering or programs like cheat engine) to get my gmail account data.
Any ideas are welcome.
You cannot be 100% secure, you could store the email in a resource file and use an obsficator to make it much harder to get at the string but it is possible to break it (encrypted resource files and strings). However Even if you used a different email address and setup a forwarding rule the password for that account could still be comprimised. Anything you have access to in code a hacker could potentially break into as the key will be in clear text at some point.
You have a number of secure options:
Setup a webservice to receive your messages and email them onto you/log them to a database
Log your messages to a 3rd Party system (irc? news? some p2p network, IM system), and pick um the messages later.
Setup a Source Control/issue site for your system, google code/bitbucket/something else that has the ability to receive issues via an api.
I don't know if this makes any sense but what I'd do is let the program run an external PHP script that sends the mail.
Basically, if I'm understanding your question, you don't want the password in clear text in your .exe. Correct?
The solution is simply to ENCRYPT the string in your program, then decrypt it at runtime (pass your decrypted variable to your e-mail function).
Any two-way encryption will work. For example:
http://www.vbdotnetforums.com/security/1240-encrypt-password.html
As other people pointed out saving the password to your email in your application is unsafe because somebody might be able to crack your code and retrieve your password.
For logging errors, I suggest creating a very small PHP script and putting it on a PHP server. When an error occurs in your VB.NET application, the application can send data to this .php script. The script can save the data in a file or in a MySQL database.
All the things you need for sending data to PHP scripts can be found in "System. Net. WebRequest" namespace in VB.NET.
If you cannot use a PHP script, you may use a combination of IsolatedStorage ("System.IO.IsolatedStorage" namespace) and Cryptography ("System.Security.Cryptography" namespace) to save sensitive data. But, this is not completely secure to savvy attackers.