all bits considered data to information to knowledge

25 Sep 2012

Securing SVN external access

If you are going to allow external access to your SVN installation, there are a few basic security-related things you should consider, all revolving around authentication and authorization.

1. Apply the "least privilege" rule when selecting accounts, and disable unused features

If you are setting up your SVN on Windows, pay close attention to the accounts under which the processes will run.
If you do not plan to implement any hooks, you can run Subversion under the Local System account. The same type of account can be used for the Apache server.

Additionally, harden the Apache server by following the standard procedures: disable all unnecessary modules, turn off options you do not need, etc.

2. Choose your access protocols wisely

There are several protocols that can be used to access SVN:

[irrelevant, by and large]
file:// - Direct access to the repository on disk. Works only on the same system (local disk), not over the network.

[not secure: credentials and data travel in clear text]
http:// - WebDAV access through a Subversion-aware Apache2 server (mod_dav_svn). Works over the network (port 80).
svn:// - Access through an svnserve server. Works over the network (port 3690).

[the only ones that should be considered for external access]
svn+ssh:// - Same as svn://, but tunnelled through SSH (port 22).
https:// - Same as http://, but over an SSL/TLS connection (port 443).

Using a reverse proxy/gateway to fine-tune the access is highly recommended.
------------------------------------------------------------------------------------------------
The communications must be encrypted, either with SSL (get a real Verisign/Thawte certificate, or generate your own) or by using SSH keys (instead of passwords sent in clear text! It does add to maintenance, but it is worth it).

3. Restrict directory browsing.

You can limit the user to one and only one directory by disabling directory browsing altogether at the Apache HTTP Server level. This comes in handy when using "blanket" LDAP authentication, because otherwise it might be possible to traverse the directory structure by doctoring the URL.

Here's an example (this block denies all access to any .svn directory served by Apache, so a working copy that ends up under the document root cannot be browsed):

    # Disallow browsing of .svn directories (Apache 2.2 syntax)
    <DirectoryMatch "^/.*/\.svn/">
        Order deny,allow
        Deny from all
    </DirectoryMatch>
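Putting points 2 and 3 together, here is an added example of an Apache 2.2 style virtual host that exposes a repository only over HTTPS, with per-path authorization and the .svn block above. This is example configuration written for this page, not taken from the original post or from the Subversion project; the host name, certificate and key paths, repository parent directory, password file and authz file paths are all assumptions to be replaced with your own.

```apache
# Added example (not from the original post). Apache 2.2 syntax; on Apache 2.4
# replace "Order deny,allow / Deny from all" with "Require all denied".
<VirtualHost *:443>
    ServerName svn.example.com                        # assumed host name
    SSLEngine on
    SSLCertificateFile    C:/svn/ssl/svn.example.com.crt   # assumed path
    SSLCertificateKeyFile C:/svn/ssl/svn.example.com.key   # assumed path

    <Location /svn>
        DAV svn
        SVNParentPath C:/svn/repos       # assumed repository parent directory
        SVNListParentPath off            # never list the repositories themselves
        SSLRequireSSL                    # refuse the request unless it came over SSL

        AuthType Basic
        AuthName "Subversion repositories"
        AuthUserFile C:/svn/conf/htpasswd      # assumed password file
        AuthzSVNAccessFile C:/svn/conf/authz   # assumed per-path access rules
        Require valid-user
    </Location>

    # Deny all access to any .svn directory served from this host
    <DirectoryMatch "^/.*/\.svn/">
        Order deny,allow
        Deny from all
    </DirectoryMatch>
</VirtualHost>
```

The AuthzSVNAccessFile is what actually enforces "one and only one directory" per user: with a `[/]` section that grants nothing by default (`* =`) and explicit `[repo:/path]` sections granting `r` or `rw` to named users or groups, an authenticated user who edits the URL to point at another path or repository gets a 403 instead of a listing. SSLRequireSSL is kept inside the Location even though the host only listens on 443, so the rule survives if someone later adds a plain-HTTP listener to the same configuration.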

4. Test your installation for vulnerabilities: what you don't know will hurt you

To test SVN security you can use any of the network security scanners, such as Nessus or the free OpenVAS.
----------------------------------------------------
P.S. SVN (and the TortoiseSVN client) supports SASL (Simple Authentication and Security Layer), which adds generic authentication and encryption capabilities to any network protocol. More information can be found here.

29 Sep 2011

NTLM authentication with JMeter (sort of)

I have been using JMeter for quite some time now, and consider it to be an extremely useful tool for all kinds of testing, especially of web apps. It is not as polished as some commercial apps out there, but by virtue of being open source (and free!) it has proved quite adequate for my team. Until we bumped our heads against the NTLM authentication required by a SharePoint 2007 server.
Following the documentation, an [HTTP Authorization Manager] was added and all its properties were configured as described. Yet no matter what we tried, we always got a 401 response ("Not authorized"); a quick Internet search confirmed that I am not the only one struggling with this problem, yet somehow the solutions proposed did not work in my particular situation.

Digging into the source code (gotta love open source!) I found that it fails to get through the NTLM challenge/response handshake (see this link for a very detailed explanation of how NTLM works), and then found the following information posted on the Apache Foundation site regarding the use of NTLM with version 4.1.2 of HttpComponents (used by the JMeter 2.5 version we are using).
It turns out that "there are still known compatibility issues with newer Microsoft products as the default NTLM engine implementation is still relatively new"... and the maintainer of the code put together a quick workaround showing how to plug in the "more established and mature NTLM engine developed by Samba project."

The article does a great job of showing the details of the implementation (along with the reasons why it is not part of the HttpClient library), but stops short of providing a working example, which is the purpose of this post.

Disclaimer: this is but a quick'n'dirty proof of concept (hardcoded values, console outputs, no unit tests or logging etc);   the sole intention of this code is to illustrate the concept.

The project contains two source packages: one (JCIFSEngine) for the NTLMEngine implementation and the NTLMSchemeFactory, and one (NTLM_ping) providing the main executable, which imports JCIFSEngine.NTLMSchemeFactory.

The structure of the project (including the dependency JAR(s)) is shown in the picture below.

[image: project structure with dependency JARs]
And here are the results of a successful execution:

[image: console output of a successful run]
Finally, the source code for NTLM_ping.java (the contents of JCIFSEngine.java and NTLMSchemeFactory.java are provided in the Apache Foundation post I mentioned above).

------------------------------------------------------------------------------------------------

package NTLM_ping;

import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.NTCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.params.ClientPNames;
import org.apache.http.client.params.CookiePolicy;
import org.apache.http.impl.client.DefaultHttpClient;

import JCIFSEngine.NTLMSchemeFactory;

public class NTLM_ping {

    public static void main(String[] args) throws Exception {

        DefaultHttpClient httpclient = new DefaultHttpClient();
        // Replace HttpClient's built-in NTLM engine with the JCIFS-backed scheme
        httpclient.getAuthSchemes().register("ntlm", new NTLMSchemeFactory());

        // Add credentials: NTCredentials(user, password, workstation, domain).
        // "host", "user", "password" and "domain" are placeholders to fill in.
        httpclient.getCredentialsProvider().setCredentials(
                new AuthScope("host", AuthScope.ANY_PORT),
                new NTCredentials("user", "password", "host", "domain"));

        HttpGet httpget = new HttpGet("http://<url>");
        // Ignore cookies
        httpget.getParams().setParameter(ClientPNames.COOKIE_POLICY, CookiePolicy.IGNORE_COOKIES);

        try {
            // Execute the GET and print the status line
            HttpResponse response = httpclient.execute(httpget);
            System.out.println(response.getProtocolVersion());
            System.out.println(response.getStatusLine().getStatusCode());
            System.out.println(response.getStatusLine().getReasonPhrase());
            System.out.println(response.getStatusLine().toString());
        } finally {
            // Release the connection manager's resources
            httpclient.getConnectionManager().shutdown();
        }
    }
}

------------------------------------------------------------------------------------------

It would be relatively simple to wrap this code as a custom element/sampler for JMeter, though one would have to pay attention to licensing issues (JMeter is licensed under the Apache license, while the JCIFS Samba libraries are under the LGPL).

A very detailed tutorial by Mike Stover and Peter Lin on extending JMeter with plugins can be found on the Jakarta website.