Admin and other security access

@JoshData

I was wondering whether we may already have, or will have, some of the following security methods, which are used by easydns.com, to safeguard our MIAB, its ADMIN/DNS section and, if possible, email/cloud with 2-factor as well.

Thanks
Peng

Cybercriminals Seized Control of Brazilian Bank for 5 Hours

Security features from easydns.com:

Access Control Lists (ACLs), Event notifications and 2-factor authentication.

  • security information

Previous Login: April 24, 2017 - 05:58 PM EDT
From: 184.75.212.122
Current Login From: 145.555.55.5.5

  • 2-Factor Authentication (SMS, email)

2-Factor authentication allows you to add a second authentication challenge to your login.
This will add 2-Factor authentication for ALL logins unless you specify:

from outside your ACL, or
outside your permitted countries
IMPORTANT TO NOTE: If you get LOCKED OUT OF YOUR ACCOUNT because your 2nd factor is lost, compromised or unavailable, the only way to reinstate access is by supplying the answers to your secret questions.
  • Access Control List view | edit

An ACL (Access Control List) allows you to limit access to your account based on the network location.

  • Failed Login Attempts view | clear

Country Based Login Restrictions view | edit

Login restrictions provide an additional layer of security for users by limiting which countries (as reported by GeoIP) a login request can originate from. Login restrictions will prevent access from any country not provided in the list below. This follows the filtering already available in your account's ACL restrictions.

  • Activity Notifications edit

Logins:
Domain lock status changes:
Whois modifications:
Nameserver delegations:
DNS updates:
Login Attempts Exceeded:
Delivery method:
Destination address:

  • security information: I am open to adding more info to log files but someone will have to do the work to make it happen.

  • 2-Factor Authentication: I would like to do this but it is hard, same as above.

  • limit access to your account based on the network location: I am open to adding this as an advanced configuration, but someone will have to do the work to make it happen.

  • Failed Login Attempts: I am open to adding more info to log files but someone will have to do the work to make it happen.

  • Country Based Login Restrictions: No.

  • Activity Notifications: I am open to adding this as an advanced configuration, but someone will have to do the work to make it happen.



From the full list, 2FA is certainly the most valuable. Unfortunately it is also the one that requires most work. LinOTP would indeed be the best candidate.

Just found out that KDE neon has another way of doing two-factor authentication, just an FYI.
https://identity.kde.org/index.php?r=people/twoFactorAuthentication&uid=kdeneon

Enable/Disable Two-Factor Authentication for kde neon

KDE Identity supports two-factor authentication to protect your Identity account against unauthorized access. Please store a copy of the security grid for future login attempts by printing or saving a copy of it.

Two factor authentication is a method where you protect your login with an additional step. KDE has chosen to do this based on a grid-challenge. The idea is that you combine ‘something that you know’, with ‘something you got’. The first one is your password, the second is the grid shown below. The grid used by each person is individual and unique.

When you try to login into identity.kde.org, we will ask for your username and password as usual, and after that we will ask for a coordinate from the grid below, for example D10. You look in the grid, select column D and row 10. Then you enter the 4 characters you find there.

The advantage of all this is that if your password is compromised, people cannot login to KDE Identity using your account, because they don’t have access to your grid. On the other hand, if someone gets to your grid, they can not access identity.kde.org, because they don’t have your password.


2 Factor authentication is easy with Google Authenticator and Google's server script.


Is it possible to give privacyidea a shot?

I just read about this for Nextcloud as well.

Still reading the docs and I see that the authentication in dovecot can work via PAM


@jege - What are you talking about? Google Authenticator for 2FA takes 5 minutes to set up… I guess another 30 minutes or so to configure the installer to do an Admin 2FA setup? Which Google also has a script for…


Great! Looks like we have a super coder around! If connecting thru Google or Facebook APIs (some would consider you mad given the loss of privacy/anonymity) is so easy for you, go ahead. It takes you less than 1H? Even better: do a pull request, implement, and send it back in 2 hrs. Please help us and Josh implement it in MIAB in a way that is well tested.

Google Authenticator can be completely disconnected from Google’s API though. And hell no on that FB API. The whole reason I am using MIAB is to guard against similar shit that they do. lol I am not saying I am a “super coder”, and I would do the pull request, however, I am currently working on too many projects of my own (see my site, https://urgero.org, if you would like).

That being said, it wouldn’t be the first time I have done an “add-on” for MIAB. I also wrote a quick and dirty external registrator and authentication tool for PHP, as well as a mod to allow MIAB to become a hypervisor.

I am sorry if I offended, that was not my intention, was just trying to point out a solution that should be simple for someone to implement.

Sorry for the late reply, I just became father to a healthy baby boy around that time.
After sleepless nights I am trying to crawl back to online stuff.

The reason why I suggested privacyidea was the intention of not using external API stuff like Google or FB.
Secondly, I have set this up with Nextcloud for some neighbourhood schools and I am extremely happy not relying on Google or FB.

Maybe I misunderstood the idea behind this project, but I looked for something self-hosted and thought privacyidea kind of fit the 2FA stuff.

+1 for 2-Factor Authentication

Appreciate that this won’t be included for a while, if at all, due to the effort/time required. Just wanted to help with prioritisation :)

+1 Google Authenticator.

One can use any app that utilises GA i.e. it’s not dependent on Google infrastructure (or even existence!).

I use Authy for example.