I've got a web application which can be used for individual peoples (one account for one person) and for places such as schools (one account per computer). I would like to make sure that the schools accounts can only be logged in from the said school.
I've tried an IP filter which isn't appropriate as they have a dynamic IP (it changes every day or each time they reboot their ISP box). The MAC address is not an option since it's not readable by PHP and not conserved between packets hops.
So here is my question, how may I make sure that the schools accounts are used from and only from the school ? Maybe something that I have to install on each trusted computer and which can't be cleaned without paying attention ?
Go with the IP address. Solve the dynamic ip address problem by installing a small script that will ping your server once per 5 minutes and you will get the current school's ip address by this.
The simplest solution would be to use cookies. However, cookies are super easy to read and transfer by the user if he knows how.
A bit more complicated solution would be to make an browser plugin that adds some HTTP header to every request, which would need to be installed on every 'trusted' computer. To falsificate this one it would take a bit more computer skill.
Another solution would be to install secure VPN on trusted computers and make website accessible only through this VPN.
The most sophisticated solution would be to implement some browser-fingerprinting library. That is when website collects all available informations about the browser and machine it runs on (available HTTP headers, available system fonts, how the machine handles decimal point arithmetics etc)
Related
My office network provides internet access to my employees when they connect to it through the office's router. I want to make a web application in which only computers connected to the internet through my office router, can access. So that my employees have to be in my office area before they can login into the php web application.
If they are connected to the internet, but not through my office network they should not be able to log in to the application. (I know I could have deployed the php app in a local server setup in my office but I want the app to be on a remote server on the internet for my personal reason).
What hardware do i need to setup my office network and how do I make PHP detect the id of the hardware of my network so php can determine that a request is coming from my network.
Some options to recognise your private office from a public website:
IP address
This will only work if you know what IP address is in use at any given time by your allowed clients. In the case you use a NAT gateway, this has to be the outside address.
It becomes pretty easy to do this if you have static IP addresses for all your allowed clients, if they change, it quickly becomes a nightmare to keep them right at all times.
Security: since HTTP is based on TCP it's not trivial for other to get to use your IP address through spoofing, but it's by far not foolproof either. Consider it a poor-man solution at the very best.
Caveat: if any of your staff can get remotely to their machine, they can access it remote (so e.g. a time registration system is going to get circumvented by this quickly)
VPN
VPN stands for Virtual Private Network.
This is the goto solution from a security perspective. Essentially you build up tunnels between either individual clients or networks as a whole with the VPN server.
On the central end of those tunnel(s), your webserver answers to web requests (but not to the internet at large).
There is a whole range of VPN products out there. There are equally relatively easy to build solutions using free software (e.g. OpenVPN).
Things on how the client (network or computers) will authenticate to the server and what traffic is attracted to the VPN and much more are all possible parameters you can set.
Security: it depends a bit on the choices made, but unless unproven or outdated solutions are picked, this can be done "top notch". It is however in skill level probably just above your typical IT shop around the corner (but you might be in luck).
Same remark as above: your staff that can gain access to it, might be tunnelling into their machine at work or might use credentials and settings on an office machine at home as well.
DNS
reverse mapping of IP to names is far too easy to spoof, don't try this.
Login/Password
This is a relatively easy solution: allow access from anywhere, but give authorised users a login and password and let them have access after being logged in properly.
Security: It's non-trivial to get this fully secure, there's plenty of opportunity to make errors in how the application works so that it becomes a problem.
But if you have to have a zero footprint on the clients, this is your best option.
Add in 2 factor authentication to increase the password security and make passing on passwords a bit more difficult.
TL;DR
I'd setup an OpenVPN based VPN, they are relatively easy to setup, the clients exist for most OSes (take care not all: e.g. iOS: I don't know of one) and it'll give you more than average protection without you having to delve deeply into the details of encryption protocols and the like.
Still there's a learning curve, but there's plenty of tutorials out there that don't assume much prior knowledge either.
For your clients you setup a certificate-based authentication system using EasyRSA (included with OpenVPN). It's a bit of a habit you need to create, but once setup properly, adding and removing users becomes relatively painless.
On your server all you need to do is make sure the http server only binds to the IP address of the tunnel interface.
Didn't really know what title to give this question so I hope its acceptable.
I am using a system which has an API. I don't have a lot of control over this system, but one thing I need for security reasons is for it to be locked down to my IP. This works, so now the system can only be accessed from my IP.
Now, I have built a custom app which uses the above API. This app is hosted on a server which is different from my IP address. Therefore, when I try to make the API call it fails due to it being restricted. I know this is the case, because if I run the app locally from my location, it works without any problems.
So, the question is whats the best thing to do? I know I could add the IP address of the server which is hosting my app to the systems API. However, I think the servers IP is dynamic which could cause problems. I have also used things like no-ip locally to control my dynamic IP, but I cant imagine I can install this on my web server.
Looking for thoughts as to how I can overcome this problem.
Thanks
I'm a user of a certain forum, but recently my IP adress has been being blocked.That's not my fault but some users probalbly broke the rule and his ISP or IP address is same or close to mine, so I was enmeshed.
I rent a web server, so now I try to post comments to the forum from my server, but it fails.
When I post a comment using a form in the site, the error says that the referer was wrong.
I tried header() function using PHP but it doesn't work.
I tries to change referer but still it doesn't work.
I think if I could have a client in my web server, the IP and host change in posting comments, without changing referer information.But I don't know how to do this.
The restriction is temporary, maybe a few weeks, so I don't necessarily need a perfect and permanent solution.
Is there any ways to solve this problem?
If they're blocking you based on IP address, then it's the web IP address of your local network that they're blocking. If they've decided to block a range of IPs then you have a larger problem depending on your host.
A few things you can try:
Chances are (unless this is a work account) that you're using a dynamic ip address from your host. A lot of work accounts use a dynamic IP too, but you would need access to the modem (since you're probably not the corporate network administrator). Sometimes to get a new IP address from a completely different range by unplugging your cable or DSL modem and plugging it back in after about 30 seconds. Most electronics clear instantaneously (unless they have an onboard battery backup), but in the case of network components they purposely build in a few seconds of wait time in DHCP servers before providing a completely different IP address. Usually when I'm having a problem on my local network or doing an upgrade and unplug my modem after about 10 minutes of work when I plug my modem back in I have a new IP so I have to go through all of the trouble of re-whitelisting myself everywhere (so I know this works).
You could try connecting to the boards through your cell phone if you can tether your cell phone to your workstation or desktop. This will provide you with an IP address through the cell phone carrier's network (Note: it might violate the TOS).
You could do as #Bergi suggested and use a proxy. Some web browsers (like Opera) allow you to specify a proxy in the browser without forcing all of your desktop traffic to a different network. You can obtain a proxy server address from several resources, but this is one of my favorites. Be sure to use an HTTPS proxy in order to have the best defense against someone packet filtering and catching your credentials. People can still capture the initial handshake for SSL and decrypt your communications (so make sure this is what you want to do.)
You can try to force inject headers into the message board and make your server post for you. Good forum software will check the referrer and the user_agent to see if you are a "real person" (however real the programmer felt you needed to prove). If there is a CAPTCHA you will need to be able to see the image, hear the sound, or use a plug-in to break it. (This will require research). Chances are your web server is using a static IP, so there is nothing to prevent the board from blocking this one as well. (You will not be able to change it.) If the web host has strict guidelines about using their servers for this sort of thing it might *cost you your account*. I will not provide an example for this on this board. But you can check out a book called WebBots, Spiders, and Screen Scrapers.
I have a small web function that should run only when the user is in the office . But the problem is that our internet provider changes its IP regularly and i cant keep track of it. We have windows 7 systems in our office and they dont have any static IP. I cant even set a static IP as it will hamper the internet provider settings and will stop connecting to internet. Im stuck now. Is there a way with which i can make sure that a person is in office only when he is using that function?
The surest way is to ID using MAC adresse since IP can be changed, MAC address is harder to spoof and does not change. It is the "serial number" of the network card. So unless they take the card home, they won't be able to access it. Have a read at
this post
You could use dyndns to get the current ip.
Dynamic dns allows ypou to redirrect a host name to a dynamic ip.
So if you get a request from a unkown ip or more then x seconds have passed since the last request you can use gethostbyname to retrive the offic ip.
Free Dynamic DNS:
http://www.dnsdynamic.org/
Getting the IP:
$ip = gethostbyname('http://sample.dnsdynamic.org/');
One way to do it would be to set up the server so it exposes 2 services - 'A' with the "special office-only function" available, and 'B' without.
Then, set up the network security so that Service A is only accessible over a VPN tunnel from your office.
--
An alternative approach might be to use PKI - get the office computers installed with certificates that are required to access the Service A functionality. However, while complicated, it is still possible for users with sufficient authority and knowledge to copy the certificate and install it at home.
If your users aren't nerds, you can set a special cookie in the office computers, and check against that every time the user accesses the application.
(If your users know to to set and unset cookies, that would fail, as they would simply copy this behavior to their home).
Also, there should still be a specific range of IPs when connecting from the office (even if the IP changes), sample a few IPs and check for a recurring pattern.
Provide your office user with some kind of token, after they authorize. Then use the token to determine if access is granted or not.
The token can be stored in a cookie on the the office users computer, so authorization is done only once.
If you have an access to office network - you may try to config your server, which gives an access to the internet, so it will add some token (cookie?) to all requests (sent to your server). And you will check it in your code.
I have been developing a parental control software program for my company, but have run into a problem. The software uses policy listings stored in a MySQL DB to determine whether to block a website or not. It uses a local proxy. Each time a website is visited, the proxy sends that site to the server, then the server determines if the site should be blocked or not based on the settings for the user. The software is done, but there is one major problem. It takes too long for the address to be sent to the server, and the server's response to get back to the proxy. Browsing speed is slowed down a lot when using the software. Is there a better way to do this?
The proxy is written in Python and everything on the server end is done in PHP.
Are you caching the server's responses locally on the client? If not, you should - it ought to speed things up considerably.
And if you're asking your server about each URL, you should only ask about the domain name, so that the number of requests per site goes down from lots to only one. (Unless there are domains for which you only want to ban a part of it, but that seems unlikely.)