Security: Rename admin and limit failed logins


Postby techsc » Thu Mar 18, 2010 10:23 am

Hello,

I have Subsonic up and running on my web server, which is exposed to the internet. As it is a quite normal situation that web servers are targets of attacks day by day, it is crucial to have appropriate security policies.

On the Subsonic side, I have these basic requests:

1) How can I rename the 'admin' login?
2) Would you implement a policy of max failed logins resulting in an account blocking for some minutes?

Thank you!

Chris
techsc
 
Posts: 19
Joined: Fri Apr 03, 2009 4:37 pm

Re: Security: Rename admin and limit failed logins

Postby Sporkman » Thu Mar 18, 2010 12:00 pm

techsc wrote:Hello,

I have Subsonic up and running on my web server, which is exposed to the internet. As it is a quite normal situation that web servers are targets of attacks day by day, it is crucial to have appropriate security policies.

On the Subsonic side, I have these basic requests:

1) How can I rename the 'admin' login?
2) Would you implement a policy of max failed logins resulting in an account blocking for some minutes?

Thank you!

Chris


Not a solution, but for 1 I gave admin a very long, random password & then never log in as admin (I set my own user as admin instead).
Sporkman
 
Posts: 18
Joined: Wed Mar 17, 2010 1:33 am
Location: The Internet

Re: Security: Rename admin and limit failed logins

Postby techsc » Thu Mar 18, 2010 4:09 pm

Sporkman wrote:
techsc wrote:Hello,

I have Subsonic up and running on my web server, which is exposed to the internet. As it is a quite normal situation that web servers are targets of attacks day by day, it is crucial to have appropriate security policies.

On the Subsonic side, I have these basic requests:

1) How can I rename the 'admin' login?
2) Would you implement a policy of max failed logins resulting in an account blocking for some minutes?

Thank you!

Chris


Not a solution, but for 1 I gave admin a very long, random password & then never log in as admin (I set my own user as admin instead).


Yes, I did already choose an extra large password ;)
techsc
 
Posts: 19
Joined: Fri Apr 03, 2009 4:37 pm

Postby techsc » Tue Mar 23, 2010 11:24 pm

Any input from the developer?
techsc
 
Posts: 19
Joined: Fri Apr 03, 2009 4:37 pm

Postby serond » Tue Mar 30, 2010 7:38 pm

I hoped to use fail2ban to do this, but it seems the logging when someone gets the "Wrong username or password." message is done in the database. There is one subsonic.log file, but no logging is done to this or any other log file when the user logged in or the login failed.
serond
 
Posts: 11
Joined: Tue Mar 30, 2010 7:32 pm

Postby techsc » Wed Mar 31, 2010 12:22 pm

serond wrote:I hoped to use fail2ban to do this, but it seems the logging when someone gets the "Wrong username or password." message is done in the database. There is one subsonic.log file, but no logging is done to this or any other log file when the user logged in or the login failed.


Another nice approach, but stuck in missing log entries. But in the end, it is a workaround only ;)

Security Policies - directly implemented - are the 1st choice here.

Chris
techsc
 
Posts: 19
Joined: Fri Apr 03, 2009 4:37 pm

Postby techsc » Tue Apr 06, 2010 9:45 pm

techsc wrote:
serond wrote:I hoped to use fail2ban to do this, but it seems the logging when someone gets the "Wrong username or password." message is done in the database. There is one subsonic.log file, but no logging is done to this or any other log file when the user logged in or the login failed.


Another nice approach, but stuck in missing log entries. But in the end, it is a workaround only ;)

Security Policies - directly implemented - are the 1st choice here.

Chris


@Sindre:
Is security policy on your roadmap?

Thanks
Chris
techsc
 
Posts: 19
Joined: Fri Apr 03, 2009 4:37 pm

Postby serond » Thu Apr 08, 2010 7:08 am

I agree, Security Policies are the best choice. I created a Feature Request for this.

To see the data in the database you can go to <subsonic>/db.view and enter SELECT * FROM INFORMATION_SCHEMA.SYSTEM_TABLES to display all the tables in the database. I did not discover any logging of user retries or the last time a user accessed Subsonic.

But a failed try does log to subsonic.log if anyone uses the API.

And according to this:
http://www.acegisecurity.org/faq.html
"A common user requirement is to disable / lock an account after a number of failed login attempts. Acegi itself does not provide anything "out of the box"
serond
 
Posts: 11
Joined: Tue Mar 30, 2010 7:32 pm

Postby techsc » Sun Jul 17, 2011 12:58 pm

Generally speaking, security policies, e.g. Account Lockout for a pre-defined period, are pure basic features and very important to any server application.

Too bad that the creator of Subsonic does not give any statement.
techsc
 
Posts: 19
Joined: Fri Apr 03, 2009 4:37 pm
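The lockout policy requested in this thread (block an account after a number of failed logins, for a fixed number of minutes) is small enough to show in full. The following is an added illustration written for this page, not Subsonic code; the thresholds, the sliding failure window, and the simulated attempt timeline are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5          # assumed: failed attempts allowed before the account is blocked
LOCKOUT_SECONDS = 300     # assumed: "some minutes" of blocking, as asked in the thread
FAILURE_WINDOW = 600      # assumed: failures older than this no longer count toward the limit


@dataclass
class AccountLockout:
    """Per-account failed-login counter with a temporary lockout (illustrative)."""
    failures: dict = field(default_factory=lambda: defaultdict(list))  # user -> failure times
    locked_until: dict = field(default_factory=dict)                   # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lock expired: clear state and let the user in
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; returns True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        recent = [t for t in self.failures[user] if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures[user].clear()          # a real login resets the counter


def simulate(attempts):
    """attempts: constructed list of (time, user, password_ok); returns one outcome per attempt."""
    lock = AccountLockout()
    outcomes = []
    for now, user, ok in attempts:
        if lock.is_locked(user, now):
            outcomes.append("locked")        # even a correct password is refused while locked
        elif ok:
            lock.record_success(user)
            outcomes.append("ok")
        else:
            outcomes.append("locked" if lock.record_failure(user, now) else "failed")
    return outcomes
```

Because the counter is keyed on the account name, anyone who can reach the login page can keep the real administrator locked out by failing on purpose; an operator-side alert on repeated lockouts of one account is the usual complement to the policy itself.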

Postby evilnone » Wed Aug 03, 2011 4:17 pm

Is there any input on this for the future? I am currently having my server being brute force attacked on the admin account and would love for any of these ideas in this thread to be implemented.
evilnone
 
Posts: 4
Joined: Wed Aug 03, 2011 3:04 pm

Re:

Postby techsc » Sun Nov 11, 2012 3:00 pm

still no answer from the developer...
evilnone wrote:Is there any input on this for the future? I am currently having my server being brute force attacked on the admin account and would love for any of these ideas in this thread to be implemented.
techsc
 
Posts: 19
Joined: Fri Apr 03, 2009 4:37 pm
