  1. #1

    Secure Log-in Portal for a HIGHLY data-sensitive site.

    Here is what I need some help on. I have a site that provides very sensitive data to various organizations and groups.

    I need to find the most secure way to create a log-in area so they can view the various data. Essentially, I am making them their own secure "portal" so they can log in anytime they want.

    As of right now I just set up an SSL certificate but don't think that really makes the "log-in" secure, but rather the data that is sent back and forth. I of course plan on placing everything on the https:// side of the server.

    Right now I just have a simple .htaccess set on the directory where everything is placed. It is my understanding that this method alone is not very secure if I want to make things VERY secure above and beyond simple .htaccess.

    I have no idea how to really make this log-in safe.

    Here are some things that others have told me to try but am not sure if they worth it:
    - Doing everything through Secure SSH or something like that.
    - Setting up an IP table of some type or something so that only people with a pre-defined IP address can even see the log-in screen.

    Here are the stats:
    -I have my own dedicated box
    -LAMP platform.
    -SSL Certificate set up

    Any advice would be GREATLY appreciated, I am in WAY over my head.
    The New Newbie

  2. #2
    bobtex,

    Some things you might want to do...

    - Encrypt sensitive database fields in your database, using a key that changes for each client based on some unique element of that client's profile
    - Compile your source code, so that in the event that PHP gets turned off on your server, or someone gains access to it by mistake, they can't figure out how everything works
    - Don't store anything sensitive in $_SESSION
    - Hire an expert to review your code

    Aaron
    Aaron Greenspan
    President & CEO, Think Computer Corporation

    http://www.thinkcomputer.com
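As an added illustration of the first bullet above (this is editor-supplied example code, not Aaron's or Think Computer's, and it is written in Go rather than the PHP of a LAMP stack because the cryptographic pattern is the point): each client's field-encryption key is derived from a server-held master key plus the client's stable identifier, so the "unique element of the profile" selects the key without being the key. The master key, client id, plaintext and the `portal-field-key-v1` label are constructed values, and the master key is assumed to be loaded from somewhere outside the web root and outside the database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ClientKey derives a per-client AES-256 key from a server-held master key and
// the client's stable, unique identifier. HMAC-SHA256 is the derivation
// function: the identifier may be public, but without the master key it yields
// nothing, and one client's key reveals nothing about another's.
func ClientKey(masterKey []byte, clientID string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte("portal-field-key-v1:" + clientID)) // label (assumed) separates this use from any other
	return mac.Sum(nil)                                  // 32 bytes = AES-256 key
}

func clientAEAD(masterKey []byte, clientID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ClientKey(masterKey, clientID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive column value with AES-256-GCM under the
// client's key. A fresh random nonce is prepended to the ciphertext, and the
// client id is bound in as associated data, so a ciphertext copied into another
// client's row fails to decrypt even if the attacker can write to the table.
func EncryptField(masterKey []byte, clientID string, plaintext []byte) ([]byte, error) {
	gcm, err := clientAEAD(masterKey, clientID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(clientID)), nil
}

// DecryptField reverses EncryptField; tampering, a wrong key or a wrong client
// id surfaces as an authentication error rather than as garbage plaintext.
func DecryptField(masterKey []byte, clientID string, stored []byte) ([]byte, error) {
	gcm, err := clientAEAD(masterKey, clientID)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(clientID))
}

func main() {
	// Constructed example values. A real master key is loaded from a tightly
	// permissioned config file or an HSM/KMS, never from the database it protects.
	master := []byte("0123456789abcdef0123456789abcdef")
	ct, err := EncryptField(master, "acme-corp", []byte("SSN 123-45-6789"))
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptField(master, "acme-corp", ct)
	_, crossErr := DecryptField(master, "other-org", ct)
	fmt.Printf("round trip: %q\ncross-client decrypt error: %v\n", pt, crossErr)
}
```

The practical consequence is that a dumped database yields only ciphertext plus public identifiers; the attacker also needs the master key, which is why it must not sit in the same place as the data or in a session variable.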

  3. #3
    First you need to secure your server. Then make sure the scripts and programs used on the server are secure. SSL won't help you if any of the above is vulnerable.

    You can limit user access to a range of IPs. This you have to do in your login script.

    Installing SSL will help against phishing attacks, DNS poisoning, etc.
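Added example (editor-supplied, not this poster's code, and in Go rather than PHP) of the "range of IPs" check a login script would do before it even renders the form: the allowlist is parsed once as CIDR prefixes, the peer address the web server saw is matched against them, and anything that fails to parse is denied. The three ranges are constructed documentation-space values, not real client networks.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// Constructed allowlist for the example; a deployment would hold each
// organisation's real static ranges. Narrow prefixes beat broad ones.
var allowedNets = mustPrefixes(
	"203.0.113.0/24",   // an office range (TEST-NET-3, documentation space)
	"198.51.100.17/32", // a single fixed host (TEST-NET-2)
	"2001:db8:ab::/48", // an IPv6 site prefix (documentation space)
)

func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			panic("bad allowlist entry " + c + ": " + err.Error())
		}
		out = append(out, p.Masked())
	}
	return out
}

// SourceAllowed reports whether remoteAddr (the "ip:port" the web server saw,
// i.e. $_SERVER['REMOTE_ADDR'] in PHP or r.RemoteAddr in Go) lies inside one
// of the allowlisted prefixes. Anything unparseable is denied: fail closed.
// Do not feed it X-Forwarded-For unless a trusted proxy sets that header,
// because otherwise the client controls it.
func SourceAllowed(remoteAddr string, allow []netip.Prefix) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port component
	}
	ip, err := netip.ParseAddr(host)
	if err != nil {
		return false
	}
	ip = ip.Unmap() // ::ffff:203.0.113.5 must match the IPv4 range
	for _, p := range allow {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	for _, a := range []string{"203.0.113.5:51234", "203.0.114.5:51234", "[2001:db8:ab:1::9]:443", "garbage"} {
		fmt.Printf("%-26s allowed=%v\n", a, SourceAllowed(a, allowedNets))
	}
}
```

The same restriction can also be applied in front of the script by Apache itself (`Allow from 203.0.113.0/24` in a 2.2 `.htaccess`, `Require ip 203.0.113.0/24` in 2.4), which keeps unlisted addresses from ever reaching PHP; doing it in both places costs nothing.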

  4. #4
    - Secure your server
    - Use high bit SSL cert
    - Deploy a two-factor authentication solution and distribute one-time password tokens to your clients

  5. #5
    If this app is really critical, the database should be on another backend machine.
    Ken

    CROWHOST hosting+colocation services | 877-CROWHOST | support at crowhost.com
    Independent remote-hands serving all Chicago data centers

  6. #6
    See, my biggest issue is not really protecting the code but making sure no one can see or log in to the "back door".
    The New Newbie

  7. #7
    Someone mentioned a while back that one very secure way to do it would be to go through SSH, or they called it Secure SSH? I was not sure what the difference was between SSH and Secure SSH and Secure Shell?
    The New Newbie

  8. #8
    SSH is already secure; for added security, you may use a complicated password, then change the port on which SSH is running, and allow only SSH 2.

    But SSH itself is secure if you use a complex password.

  9. #9
    Is there any way to let people see web pages by logging in via SSH? My understanding of SSH is it's all command-line stuff.
    The New Newbie

  10. #10
    Yes, SSH is command line, secure telnet. So you can't do that. Never provide SSH access on your server to others unless you really need it.

  11. #11
    If you rely on a password for authentication, no password is complex enough. The real answer is the OTP (one-time password), which can be used only once and changes the next time. PIN + OTP is the way to go. If you want more security, consider a smart card.

    Quote Originally Posted by flashwebhost
    SSH is already secure; for added security, you may use a complicated password, then change the port on which SSH is running, and allow only SSH 2.

    But SSH itself is secure if you use a complex password.

  12. #12
    How and where do you get PIN + OTP working on your own system?
    The New Newbie

  13. #13
    Bobtex.

    All this nonsense about OTP and keycards is not what you need.

    You need to isolate your data from the application. You need to keep the data away from the internet. You need to restrict access to the application. You need to have properly setup and secured servers. You need a carefully designed application and data model that even if compromised, makes it hard to steal all the information.

    This all doesn't even have to be hard to do either. I suggest looking up the following security standards: "Mastercard SDP" and "Visa CISP". For the SDP, look up class 4 merchant, or something like that. It's very basic stuff and still better than what most people implement.
    Ken


  14. #14
    I don't think OTP is nonsense. Take banks as an example: they obviously do all you said to secure the server, but they are still deploying OTP because the password system is the ultimate weak point against password phishing and social engineering after all the hardening work. Since the OP mentioned "HIGHLY data sensitive", I would imagine it's equal to or greater than a bank system.

    People do choose weak passwords.

    Quote Originally Posted by CROWHOST
    Bobtex.

    All this nonsense about OTP and keycards is not what you need.

    You need to isolate your data from the application. You need to keep the data away from the internet. You need to restrict access to the application. You need to have properly setup and secured servers. You need a carefully designed application and data model that even if compromised, makes it hard to steal all the information.

    This all doesn't even have to be hard to do either. I suggest looking up the following security standards: "Mastercard SDP" and "Visa CISP". For the SDP, look up class 4 merchant, or something like that. It's very basic stuff and still better than what most people implement.

  15. #15
    They rely on password token devices. Check RSA, Vasco or Verisign for their token products.

    Quote Originally Posted by bobtex
    How and where do you get PIN + OTP working on your own system?
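Added example covering posts #11 and #15 (editor-supplied code, not this poster's and not any vendor's; in Go rather than PHP): what the token vendors named above ship is, at its core, an event-based one-time password as specified in RFC 4226 (HOTP), and the server side is small enough to see in full. The block computes the code from a shared secret and a counter, then checks PIN + OTP with a small look-ahead window and advances the counter so a code can never be accepted twice. The secret is the RFC 4226 test-vector secret, the PIN and the window size are constructed values, and hashing the PIN with plain SHA-256 is a stand-in; a real deployment uses a slow password hash plus lockout.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP computes the RFC 4226 one-time password: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamic truncation to 31 bits, then the low `digits`
// decimal digits. Time-based tokens run the same function with a time step
// in place of the counter.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // low nibble of the last byte picks the 4-byte window
	code := (uint32(h[off])&0x7f)<<24 |
		uint32(h[off+1])<<16 |
		uint32(h[off+2])<<8 |
		uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Token is the server-side record for one user's OTP device.
type Token struct {
	Secret  []byte
	Counter uint64 // next counter value the server expects
	PINHash []byte // SHA-256 of the PIN: a stand-in for a proper password hash
}

func hashPIN(pin string) []byte {
	sum := sha256.Sum256([]byte(pin))
	return sum[:]
}

// Verify checks PIN + OTP together. The OTP is accepted at the expected
// counter or up to `window` presses ahead (users press the button without
// logging in), and only on success does the counter move past the used value,
// so the same code is never accepted twice. Comparisons are constant-time and
// a wrong PIN is indistinguishable from a wrong OTP to the caller.
func (t *Token) Verify(pin, otp string, window int) bool {
	pinOK := subtle.ConstantTimeCompare(hashPIN(pin), t.PINHash) == 1
	for i := 0; i <= window; i++ {
		c := t.Counter + uint64(i)
		if subtle.ConstantTimeCompare([]byte(HOTP(t.Secret, c, 6)), []byte(otp)) == 1 {
			if !pinOK {
				return false
			}
			t.Counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226 Appendix D secret (ASCII "12345678901234567890"); PIN is constructed.
	tok := &Token{Secret: []byte("12345678901234567890"), PINHash: hashPIN("4711")}
	first := HOTP(tok.Secret, 0, 6)
	fmt.Println("token displays:", first)                 // 755224 per RFC 4226
	fmt.Println("login:        ", tok.Verify("4711", first, 5))
	fmt.Println("replay:       ", tok.Verify("4711", first, 5))
}
```

Running your own server for hardware tokens therefore means keeping each user's secret and counter in a table the web tier can update atomically, seeding that secret into the token (or accepting the vendor's seed file), and rate-limiting the login endpoint so the six-digit space cannot be swept.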

  16. #16
    OTP is nonsense when you've not exhausted all other security techniques first. Handing out SecurIDs to users is meaningless when your server is rooted within 3 minutes of being on the internet in the first place.
    Ken


  17. #17
    Of course I know that. That's why I listed OTP as 3rd in my post after the secure server. I am merely enumerating options for protecting "highly sensitive" data. Don't get me wrong.

    Quote Originally Posted by CROWHOST
    OTP is nonsense when you've not exhausted all other security techniques first. Handing out SecurIDs to users is meaningless when your server is rooted within 3 minutes of being on the internet in the first place.

  18. #18
    It works as well here as it does on Slashdot: If you're asking for free advice in a free forum, I doubt your 'highly sensitive' data is quite as dire as you suggest. Hire a security consulting firm, preferably one with DoD Secret or Top Secret project experience. You and your clients need to realize that quality is worth paying for, and security is certainly no exception.
    Game Servers are the next hot market!
    Slim margins, heavy support, fickle customers, and moronic suppliers!
    Start your own today!
