2FA for all LDAP apps
-
I hear you, not the spirit of my comment.
I've been impressed lately with the WP WAF plugins like WP Cerber that do a good job to notice, escalate and block nefarious IPs probing to get in.
Cloudron could benefit from something similar at the system level.
fail2ban is ok, but could use a dashboard and configurator as an Cloudron App.
-
@marcusquinn Haha, the only reason for that one million comment thread was because I constantly needed to reference back. I've actually got
box
down pretty well. And, hey, now a random live blog of me doing 1000 things wrong, and finally getting 1002nd attempt right exists in the world! I'll always get to go back and say "hey, that was my first attempt at learning docker, and cloudron." ️What are the benefits of this Bitwarden connection with Cloudron?
-
@Lonk Based on my policy suggestion above, assuming Bitwarden is installed and 2FA enforced:
Current flow:
- Create a Cloudron User.
- Create a Bitwarden User.
- Create an Organisation called Users.
- Create a Collection for each User, including just that User, with Hide Password and Read Only enabled settings.
- Create a Bitwarden Login record containing said User Cloudron LDAP Login credentials.
- Share said record with said User Collection.
- Add all URLs to all allowed Cloudron Apps to said record.
- User can now only login to those Cloudron Apps using the Bitwarden extension and can't see or know their Cloudron LDAP password as it is hidden and read-only..
Proposed flow:
- Have a setting for each App that selects an available Bitwarden instance.
- Complete the above steps from Cloudron to Bitwarden API.
- Relax.
-
I agree with @mehdi. That workflow also comes with the downside that while the actual owner of the account does not know his/her own password, you (as the admin) actually now it yourself.
Rather enforce secure passwords and rotate them regularly (in addition to encouraging users to use password managers).
-
@fbartels said in 2FA for all LDAP apps:
and rotate them regularly
(Forcing password rotation when there has been no indication of compromise has actually been proven experimentally to lower security, rather than enhance it : if encourages users to chose simpler passwords, because they're gonna have to remember more passwords)
-
@mehdi said in 2FA for all LDAP apps:
Forcing password rotation when there has been no indication of compromise has actually been proven experimentally to lower security
This seems to be one of those counter-intuitive ideas. I had no idea it actually lowers security.
-
-
@Lonk yeah, I hate those forced password changing policies, they are a security risk in themselves as they just increase the likelihood of a keystroke logger being able to capture.
I wrote more on the subject of password security for our team policy here:
https://brandlight.org/h/policies/password-security-policy/
And my thoughts on Security here:
https://www.marcusquinn.com/security/
Hopefully something of interest there to those with similar responsibilities for data security.
-
@marcusquinn Security has become my newest point of interest in the programming world - amazing how ridiculously insecure things were even 15 years ago.
-
@Lonk agreed, and misinformation and information-overload cause a lot of vulnerabilities for people that don't know what we do, and even we find difficult to truly solve. Steps in the right direction though.
-
What most people don't realise is that all the add-ons, extensions and social-logins would once have been considered trojans for the snooping capabilities they have.
I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.
So, it doesn't matter how good my security is, we all rely on the security of everyone we are connected to.
-
@marcusquinn said in 2FA for all LDAP apps:
Next time I look at Twitter the first ad is for a Nespresso machine.
I only ever look at Twitter through Firefox with ublock origin installed, so don't see ads on there.
The UX is a bit shit in the mobile browser (especially since recent Firefox update, ironically), but that helps me to use it less on my mobile!
-
@jdaviescoates Interesting, I deleted the Facebook app a long time ago. Makes me think I should do the same for other social spyware too. Will give it a try.
-
@marcusquinn see also Nitter and similar apps for accessing other platforms.
-
@marcusquinn said in 2FA for all LDAP apps:
I deleted the Facebook app a long time ago
I never even installed it as it asked for such a ridiculous number of permissions.
-
@jdaviescoates Nice. will try. Been looking at https://jarvee.com/ - maybe of interest in a similar API access approach but more for data-mining and marketing.
-
@marcusquinn said in 2FA for all LDAP apps:
I mentioned "coffee machine" on a phone call to a friend, hadn't typed it in anywhere or searched anything. Next time I look at Twitter the first ad is for a Nespresso machine.
I think it's just a coincidence ^^ There is no reason to think ad companies are literally listening to you 24/7 : it's too costly from a computing power standpoint, so not worth it.
What they're doing is "just" knowing everything else about you : who you're talking to, what your looking at online, what are your interests, your age, where you live ... And based on that, they can just guess that you may be interested in coffee machines.
(Which, if you ask me, is even scarier that being listened to ^^)