
Re: [seul-edu] Users Changing their Passwords over web?



I didn't have the time to read through this thread until now, sorry all...

* Bill Tihen -- TECHNOLOGY (bill@mail.tasis.ch) [Wed, Nov 03, 1999 at 05:42:00PM +0100]:
> Administratively, I am able to hold off a while, because
> we are having so many problems with Windows and the
> people that we hired to help have done a lousy job -- 
> so I have some time here.  I think until the new year. 
> However, there I really need to find some one in the
> area -- a shop -- who knows linux -- I will check the
> user groups and see what is available in the Italian
> speaking Cantons in Switzerland -- hopefully Lugano. 
> But I really need a solution for end users that is easy
> to use.  

I've tried making a NT server secure... If you really do not know what you 
are doing, it is impossible (unlike our good friend Linux).

> 
> Users need to be able to change their (after they
> correctly enter their username and password):

> 
> o change their password -- like userpasswd
> o user information (probably) -- like userinfo

A user should not be able to do this (at least not the students).

> o setup email forwarding (some staff are required to
> have email but want their messages forwarded somewhere
> else).

As stated before, this is stuff that users can do, the rest is
stuff for the admin. For this it would be very simple to create a 
PHP script, if needed I could jiggle one together quite quickly.
For security SSL should be used (I'll send the info on that maybe 
tomorrow ;). 

> o able to restrict access to specific IP address (or a
> range).

For what services? An easy way to secure things is to remove telnet
altogether and just use SSH to access the server from a remote location.
Telnet, after all, is a wide open hole (especially if we consider the
possibility of sniffing). SSH can easily be configured to limit the 
hosts from which connections (shell) are allowed.

> o use a different port than normal http (or at least
> make it firewall filterable somehow).

A firewall is quite a thing to set up. I wouldn't recommend it as a first
measure. It will cause you a lot more work...
> 
> Nice feature for some administrators would also be:  
> o a vacation message -- that is mailing list friendly.

Vacation messages are a potential security risk... (And to tell you the 
truth, I've never seen the use of them in any case.)

>  
> At least until I install SSL I would also like to
> restrict access to this port to my LAN and ignore
> requests from the Internet.  (Probably even blocking
> them with my firewall too).

So you start another Apache instance with a weird port (NOT
8000 or 8080 or something of the sort) and in the httpd.conf for
that instance declare it to allow connections only from some hosts,
deny all others. At the same time you could limit the pages
on this service to only the admin stuff, normal use would go to another
server (again security, partly through obscurity).

> 
> 
> Quoting Doug Loss <dloss@csrlink.net>:
> 
> > Bill Tihen -- TECHNOLOGY wrote:
> > >
> > > I am thinking of the linux account information.
> >
> > > 2) My boss wants to get rid of all the Linux servers.
> > > He is afraid because I am the only computer guy at my
> > > school and if I go on vacation and something goes down
> > > no one will be able to fix it.  None of the local
> > > vendors know Linux -- they all think it is brand new and
> > > will go away in 6 months anyway.

How would your school think of getting support from a company in Finland?
;) We'd be cheap! Seriously though, how well does he think that some 
company can fix up a NT server if it really goes down? I really doubt
it, since I (or my company) have been asked to consult on NT 
security for one of the bigger companies in Finland. At that time
our research showed me that if I want to create a secure server it will 
not use NT!

ramin
-- 
Ramin Miraftabi                         Student of Computer Science
email: ramin@cs.joensuu.fi              University of Joensuu
WWW: http://dawn.joensuu.fi/~ramin/     Joensuu, Finland

    - GPG public key ID 49C9CFF7 -- (c) Copyright 1999 -
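The "second Apache instance on an odd port, LAN only" setup Ramin describes above, written out as an added example for readers of the archive. It is not configuration from the thread or from any of the participants, and it uses the Apache 1.3 access-control syntax of the period (Order/Allow/Deny; Apache 2.4 replaced these with Require). The hostname, port number, document root, log paths and the 192.168.1.0/24 LAN range are all assumptions. The main point worth checking in such a config is the evaluation order: with "Order deny,allow" the Deny rules are applied first and a matching Allow overrides them, so "Deny from all" plus "Allow from <LAN>" yields LAN-only access, whereas "Order allow,deny" with the same two lines would deny everyone.

```apacheconf
# Added example, not from the thread: an Apache 1.3 instance dedicated to the
# account-management pages (password change, mail forwarding), reachable only
# from the school LAN. Hostname, port, paths and the LAN range are assumed.
ServerName admin.example.school      # hypothetical hostname
Listen 44317                         # non-standard port, deliberately not 8000/8080
Port 44317                           # port Apache 1.3 uses when building self-referential URLs
User nobody
Group nobody
DocumentRoot /var/www/admin-only     # holds only the admin pages, nothing else

# Default for the entire filesystem: deny everything, allow no overrides.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# The admin pages: Deny is evaluated first, then Allow for the LAN range and
# the server itself overrides it. Any other source address stays denied.
<Directory /var/www/admin-only>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/255.255.255.0   # assumed school LAN
    Allow from 127.0.0.1
</Directory>

# Separate logs so access to the LAN-only service can be reviewed on its own.
ErrorLog /var/log/httpd/admin-error_log
CustomLog /var/log/httpd/admin-access_log common
```

Start this instance with its own config file (for example `httpd -f /etc/httpd/admin-httpd.conf`) alongside the normal web server; a packet filter blocking port 44317 from outside the LAN is a second, independent layer, since the Allow/Deny list only takes effect once the connection has already reached Apache.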