iDempiere Server Security


English original: iDempiere Server Security

Original contributor: Carlos Ruiz - GlobalQSS - feel free to improve this article.

(Figure: IDempiereSecurity.png)

Browser (chrome, firefox, safari, ie, opera)

https

Never use plain http; always use SSL-encrypted https.

Client certificates

The users allowed to connect can be restricted by issuing client certificates to them.

Proxy web server (nginx, apache)

Set up a proxy web server that exposes only the services users need; in most cases exposing only the webui is enough.

Recommended way to set up the proxy

VPN (openvpn, cisco)

iDempiere web services

zkwebui

idempiereMonitor

felix console

cxf webservices

rest webservices

After 7.1 the web services that returned the database password have been removed.

webstore

fitnesse

Other external extensions (mobile clients, etc.)

Server operating system (linux, windows, mac)

Generating client certificates with openssl
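The following script is an added example of the client-certificate step described above; it is not part of the iDempiere project. It creates a small private CA, issues a per-user certificate plus a PKCS#12 bundle for import into the browser, and verifies that a certificate chains to that CA. The directory layout, the CA name `idempiere-clients-ca`, the validity periods and the bundle password `changeit` are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not iDempiere project code): a private CA for browser client
# certificates. The proxy (nginx/apache) is then configured to trust only
# ca.crt, so only holders of a certificate issued here can reach the webui.
# Paths, names, validity periods and the bundle password are assumptions.
set -eu

# Create the private CA in directory $1 (ca.key stays on the admin machine).
make_client_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 3650 -sha256 \
        -subj "/CN=idempiere-clients-ca" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

# Issue a certificate for user $2, signed by the CA in $1.
# Produces $2.key, $2.crt and $2.p12 (the bundle the user imports in the browser).
issue_client_cert() {
    dir=$1
    user=$2
    openssl genrsa -out "$dir/$user.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$user.key" -subj "/CN=$user" \
        -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$dir/$user.crt" 2>/dev/null
    # PKCS#12 bundle for the browser; 'changeit' is a constructed placeholder
    openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.crt" \
        -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/$user.p12" 2>/dev/null
    rm -f "$dir/$user.csr"
    chmod 600 "$dir/$user.key" "$dir/$user.p12"
}

# Exit 0 if $1/$2.crt chains to $1/ca.crt, non-zero otherwise (same as 'openssl verify').
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
```

Hand each user only their `.p12` bundle; `ca.crt` is what the proxy's client-verification setting points at, and `ca.key` must never be copied to the server. Revoking a user is then a matter of re-issuing the CA trust list or adding a CRL on the proxy.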

idempiere-server文件夹

The files idempiereEnv.properties, idempiere.properties, .idpass and other files containing the database password must be protected.

  • Windows: by default, everyone usually has read permission on these files
  • Linux: by default the files are protected; the password is only obfuscated with base64
    • There is a provision to customize the way the password is obfuscated/encrypted, or to externalize it (avoid saving it on the server). Note that externalizing the password protects against physical access (such as a stolen hard drive), but these passwords CANNOT be protected against an attacker who has access to the live server, unless you sacrifice the ability to automate many things and require manual intervention from an operator to provide the credentials.
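As an added example (not iDempiere project code) of the permission check implied above for a Linux server, the script below reports which of the password-bearing files named on this page are readable by group or others, and offers a function to lock them down to the owner. The file names are the ones the page lists; the demo directory and its permission bits are constructed.

```shell
#!/bin/sh
# Added example (not iDempiere project code): audit and fix permissions of the
# files in idempiere-server that contain the database password.
# File names come from the page; the demo directory below is constructed.
set -eu

# Print every sensitive file under $1 whose mode grants read to group or other.
# Returns 1 if any such file was found, 0 if all are owner-only.
audit_secret_files() {
    dir=$1
    found=0
    for name in idempiereEnv.properties idempiere.properties .idpass; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # 'ls -l' mode string: char 5 = group read bit, char 8 = other read bit
        mode=$(ls -ld "$f" | cut -c1-10)
        grp=$(printf '%s' "$mode" | cut -c5)
        oth=$(printf '%s' "$mode" | cut -c8)
        if [ "$grp" = "r" ] || [ "$oth" = "r" ]; then
            echo "$f is readable by group/others ($mode)"
            found=1
        fi
    done
    return $found
}

# Restrict the sensitive files under $1 to owner read/write only.
lock_down_secret_files() {
    dir=$1
    for name in idempiereEnv.properties idempiere.properties .idpass; do
        f="$dir/$name"
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Constructed demo: two world-readable files and one already locked down.
make_demo_dir() {
    d=$(mktemp -d)
    touch "$d/idempiereEnv.properties" "$d/idempiere.properties" "$d/.idpass"
    chmod 644 "$d/idempiereEnv.properties" "$d/idempiere.properties"
    chmod 600 "$d/.idpass"
    echo "$d"
}
```

Run `audit_secret_files /path/to/idempiere-server` from a cron job or a configuration-management check; a non-zero exit means a file has drifted from owner-only permissions, which matters because the base64 obfuscation offers no protection once the file can be read.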

swing client

The swing client is not secure and is not recommended.

database password encrypted in properties file

The database password on the swing client is "encrypted" in a properties file. The problem is that the encryption algorithm is usually common and easy to decrypt, and even if you change it, the key can easily be extracted from the jar files. It is possible to implement alternative keys, algorithms or even classes to encrypt the strings better.

terminal server approach (nx, citrix, ts)

If you definitely need to use the swing client, it is better to use it via a terminal server where you have control of the machines.

jasper reports

  • Be careful: jasper can read anything in the database, so install only trusted reports.
  • Consider including in your jasper queries the security layer of iDempiere, as MRole.addAccessSQL does, for example:
    • Restrict to the organizations the user has access to
    • Take into account AD_Private_Access and AD_Record_Access

external tools

If you need to give direct SQL access to other tools such as jasper, odbc/jdbc connections from libreoffice, data warehouses, ETL, talend, etc., consider creating a read-only database user with access to preconfigured views. The views can contain the security filter for AD_Client_ID.

database

dba user

iDempiere configuration

roles

  • configure access, not menus (menus don't restrict access - the user can still zoom)
  • db access (tables, columns)
  • private records
  • record access

org access

menu access (note that zoom still allows the user to navigate)

db access (table, column)

private record & record access

NOTE ON ADVANCED ROLES

Advanced roles are intended for IT staff on the client side - do not give an advanced role to an end user. You must consider advanced roles as SuperUser: they have access to all security holes.

You must also consider SuperUser as having access to the operating system user used to install iDempiere on the server.

users

sensitive fields (like passwords)

hashed passwords

encryption

password rules

user locking

Multi-factor Authentication

Since version 8.2.2021-06-09 iDempiere can manage Multi-factor Authentication at login time. Refer to Configure MFA for details about how to set up and use this feature.

MFA failures can be traced in the file AuthFailure.log. It is recommended to set up a mechanism that informs users when MFA failures happen, as this can mean that their password was leaked.

tracing possible attacks

Every attempt to log in with a wrong password, and every MFA failure, is recorded in the file AuthFailure.log.

external tools to deny service on attacks

You can use tools like denyhosts to ban IP addresses that are testing passwords, based on the AuthFailure.log file.

initial steps

  • sysconfig ZK_ROOT_FOLDER_BROWSER
  • change encryption key
  • hash passwords (if not using hashed passwords, then encrypt AD_User.Password and AD_Password_History.Password)
  • encrypt all columns containing passwords (not required for AD_User.Password and AD_Password_History.Password if using hashed passwords)
  • setup password rules
  • change default passwords for SuperUser, System, GardenAdmin and GardenUser
  • change default passwords after creating a new client (in Initial Client Setup you can choose not to assign default passwords, for better security)