Please Note This forum exists for community support for the Mango product family and the Radix IoT Platform. Although Radix IoT employees participate in this forum from time to time, there is no guarantee of a response to anything posted here, nor can Radix IoT, LLC guarantee the accuracy of any information expressed or conveyed. Specific project questions from customers with active support contracts are asked to send requests to support@radixiot.com.

Radix IoT Website Mango 3 Documentation Website Mango 4 Documentation Website

  • I must determine whether it is safe to grant write access to Internet Mango users without creating unnecessary risks. To implement this without adding too much danger, I must know whether common security features have been implemented.

    Which of the security features below have been implemented in Mango Automation 2.x?

    • Write failed login attempts to a log file, including originating IP address
    • Ban IP addresses with repeated login failures to prevent brute force attacks
    • Salt the passwords to prevent a break-in via a user with a weak password from making all other users vulnerable
    • Sanitize inputs to prevent SQL back door attacks as illustrated in [url=http://xkcd.com/327/]this cartoon

    image

    Thanks


  • Thanks for the cartoon. Your last point is covered. The other three have not been implemented.


  • I'm using the free Fail2ban (https://en.wikipedia.org/wiki/Fail2ban) software to ban brute force ssh login attemps, and it is banning 1-3 IP addresses every day.

    Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, curier, ssh, etc).
    http://www.fail2ban.org/
    If you can implement the first feature:

    • Write failed login attempts to a log file, including originating IP address
      ... then we can use [url=http://www.fail2ban.org/] fail2ban to watch the Mango log file for repeated login failures. Fail2ban will take care of banning the IP address if the number of failed login entries exceeds the allowed number. This would be a fast track to improved security.
      How about it?
      Source code at https://github.com/fail2ban/fail2ban (not that you would need it).

    Thanks.