Koha Security best practises
Is a best practises document available for securing a System running Koha? I mean beyond whatever documentation is available for OSes in general, is there anything Koha specific to look into? I cannot think of anything beyond filtering out incoming traffic to ports other than 80 and 8080, and long complicated passwords. -- Mahesh T. Pai || Sent from my Computer. Running Debian GNU/Linux
On Sun, Jun 19, 2011 at 09:57:02PM +0530, Mahesh T Pai wrote:
Is a best practises document available for securing a System running Koha?
I mean beyond whatever documentation is available for OSes in general, is there anything Koha specific to look into?
I cannot think of anything beyond filtering out incoming traffic to ports other than 80 and 8080, and long complicated passwords.
We are using https for logged in users[1] and for intranet. 1: just edit login form action to https version -- Dobrica Pavlinusic 2share!2flame dpavlin@rot13.org Unix addict. Internet consultant. http://www.rot13.org/~dpavlin
Dobrica Pavlinusic <dpavlin@rot13.org> writes:
We are using https for logged in users[1] and for intranet.
1: just edit login form action to https version
Thanks. Is it possible to use IP address based access controls from within koha? Like specifying from where library staff can access / log in ? -- Mahesh T. Pai || L'homme est libre au moment qu'il veut l'etre. * Man is free at the instant he wants to be.
Mahesh T Pai schreef op ma 20-06-2011 om 10:36 [+0530]:
Thanks.
Is it possible to use IP address based access controls from within koha?
Like specifying from where library staff can access / log in ?
These kinds of things are best handled by Apache, as it has all sorts of controls that can be applied. For example: http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6296 allows Apache to require that the user has a correct client SSL certificate (and if they do, it makes it possible to log them in without a password.) -- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
Robin Sheat <robin@catalyst.net.nz> writes:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6296
Exactly the kind of thing I was looking for. But, I am not happy with that no username / password thing required comment in that report; one library I knew (10 years back) did not restrict physical access much. -- Mahesh T. Pai ||
From The Devil's Dictionary (1881-1906) [devil]: LAWYER, n. One skilled in circumvention of the law.
Mahesh T Pai schreef op ma 20-06-2011 om 11:23 [+0530]:
Exactly the kind of thing I was looking for.
But, I am not happy with that no username / password thing required comment in that report; one library I knew (10 years back) did not restrict physical access much.
Well, if you don't turn the syspref on, then Apache will validate the certificate and you'll still require a login. However, in this case, the certificate is part of an organisations single-sign-on system, and so it would have largely defeated its purpose to still require a login (also, by the nature of the organisation, being a government department, there is a significant element of physical security.) -- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
participants (3)
-
Dobrica Pavlinusic -
Mahesh T Pai -
Robin Sheat