[ome-users] OMERO and network security...

Josh Moore josh.moore at gmx.de
Tue Oct 19 21:04:19 BST 2010


Hi Jerome,

On Oct 11, 2010, at 6:33 PM, Jerome Avondo wrote:
> I am trying to build a case/knowledge about setting up a public facing OMERO server.
> Let me start with some details about what I mean. 
> And by all means I have little if no experience in the matter, hence turning to the wise community for help :)
> 
> We would like to have a public facing server.
> The server is linked to our LDAP server for authentication.
> There will be, for now, no public/guest/anonymous accounts.
> 
> So the biggest hurdle I have is trying to address the security concerns our network admins have.
> I have created a quick fact page for them on our wiki about OMERO and security, it is just a collection of various techie details gathered from the omero website...
> Just in a quick read format... http://dmbi.nbi.bbsrc.ac.uk/index.php/Security

Thanks for the link. This is a great overview. You could add something about securing the communication between OMERO and the LDAP server with SSL if that's a concern; and if you'd like more specifics about alternative LDAP configurations we could certainly provide you with something. Several examples are available under:

 http://trac.openmicroscopy.org.uk/omero/browser/trunk/components/server/test/ome/services/ldap

> It would be useful for me to see what people who have faced such issues have done and set up as simple countermeasures against attacks, or even just best practices that can be adopted to minimize security concerns...

This would definitely be useful for everyone.

> Basically I know the OMERO team have a public demo server.
> 
> - Do you have anything "special/extra" from the out of the box OMERO in place to stop attacks on the server?
> - Does anyone else have a public facing OMERO server and had to deal with such issues?
> 
> The main issue I can see so far, and I'm by far no expert, is a brute force attack on the login.. Any recommendations to counter this?

The public demo server has nothing in place that's not available in trunk. There are several things we would like to add to improve login security, which are being tracked under the scheduled ticket:

 http://trac.openmicroscopy.org.uk/omero/ticket/1387

I've added a higher priority sub-ticket to that:

 http://trac.openmicroscopy.org.uk/omero/ticket/3138

for an intermediate fix in 4.2.1. This is a very simple solution, namely that repeated failed logins impose a wait time on subsequent login attempts. This is not optimal and can be misused in a Denial-of-Service attack, but provides a first line of defense against brute force attacks.

A more complete solution for disabling accounts will be included in future versions, but with the fix for #3138, it's now possible to add your own listener for "LoginAttemptMessage" instances and do something more extensive if you'd like.

As always, we're open to any suggestions, comments, and/or questions.
~Josh


> Anyway, hopefully this can start a useful discussion....
> 
> Thanks for your time!
> 
> Jerome.
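
To make the interim mitigation Josh describes concrete, here is an added illustration in Python (constructed for this discussion, not OMERO's own code or the fix in #3138): a throttle that imposes a growing wait on a login key after each failed attempt, with a simulated run that shows the Denial-of-Service misuse he warns about, where an attacker's failures delay the real user's correct login. Keying the wait by user and client address as well, shown for comparison, is an assumption of this example and not something the thread proposes.

```python
import time
from typing import Callable, Dict, Tuple


class LoginThrottle:
    """Delay-after-failure throttle (constructed illustration, not OMERO's code):
    each failure doubles the wait for the key, capped; a success clears it."""

    def __init__(self, base_delay=1.0, max_delay=60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.base_delay, self.max_delay, self.clock = base_delay, max_delay, clock
        self._state: Dict[object, Tuple[int, float]] = {}  # key -> (failures, blocked_until)

    def wait_remaining(self, key) -> float:
        return max(0.0, self._state.get(key, (0, 0.0))[1] - self.clock())

    def record(self, key, success: bool) -> float:
        """Update the key's history; return the wait now imposed on it (seconds)."""
        if success:
            self._state.pop(key, None)
            return 0.0
        failures = self._state.get(key, (0, 0.0))[0] + 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[key] = (failures, self.clock() + delay)
        return delay

    def attempt(self, key, check_password: Callable[[], bool]) -> str:
        # A throttled attempt is refused before the password is checked, so it
        # neither costs a credential lookup nor extends the wait further.
        if self.wait_remaining(key) > 0:
            return "throttled"
        ok = check_password()
        self.record(key, ok)
        return "ok" if ok else "failed"


def simulate(key_by_source: bool) -> dict:
    """Constructed scenario: an attacker at 198.51.100.7 fails repeatedly against
    'alice'; then alice sends her correct password from 10.0.0.5."""
    now = [1000.0]  # fake clock so the run is deterministic
    throttle = LoginThrottle(clock=lambda: now[0])
    passwords = {"alice": "correct horse"}  # constructed sample credential store
    key = (lambda user, addr: (user, addr)) if key_by_source else (lambda user, addr: user)
    attacker = []
    for _ in range(5):
        attacker.append(throttle.attempt(key("alice", "198.51.100.7"), lambda: False))
        now[0] += 0.5  # the attacker retries faster than the imposed wait
    alice = throttle.attempt(key("alice", "10.0.0.5"),
                             lambda: passwords["alice"] == "correct horse")
    return {"attacker": attacker, "alice": alice}
```

With a per-user key, `simulate(False)` reports alice's correct login as "throttled"; with the per-user-and-address key, `simulate(True)` lets her in, at the cost of letting an attacker spread attempts across addresses.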
