Re: [Dhis2-users] Secure remote access
Hi Mark,

I'd use HTTPS/SSL for web access and definitely use SSH (preferably using both certificates and passwords) for server access (for people administering the Linux installations). Even if you may not strictly need HTTPS/SSL, it covers your back in case there was an attempted attack. Not using it might be seen as unprofessional by many.

A large part of security for the server is also to keep it up to date with security patches. This is often forgotten. And of course backups etc., which is also a security precaution.

Note that if you're using the mobile clients, this may put some extra requirements on which SSL certificate registrars you use, as the cheaper ones give errors or simply don't work on mobile phones. So although Verisign and Thawte are more expensive, it might be worth using these.

Lars

2012/3/9 Jason Pickering jason.p.picker...@gmail.com

Hi Mark,

Personally, I would be much more concerned about the security of the server itself. I get dozens of attempted forced entry attempts on servers I manage each day. I know servers where DHIS2 has been set up have been taken over due to weak passwords on the server.

It really depends on the security requirements of the organization. DHIS password requirements are pretty insecure (at least 8 characters, one caps, one number) and well known, so of course, this is a weakness. This of course could be changed to suit your own needs, but would require alteration of the source code to do so. Best to get an exact security requirement from them.

Regards,
Jason

On Fri, Mar 9, 2012 at 6:50 AM, Mark Spohr mhsp...@gmail.com wrote:

Thanks for this. Some here are worried about unauthorized access to the system using easily guessed names and password combos. Has that been a problem?

Mark Spohr MD

On Mar 8, 2012 8:28 PM, Jason Pickering jason.p.picker...@gmail.com wrote:

Hi Mark,

I think you answered your own question. I use HTTPS for end users, as it does not require them to do anything, and VPN in situations where direct access to the remote database may be required.

There is some information in the user manual on setting up DHIS with SSL/HTTPS.

For Apache, some stuff is here http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch10s04.html#d5e1011

For Nginx, some more info is here http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch08s02.html

For VPN, I would recommend OpenVPN. A little tricky to set up, but extremely powerful and secure. https://openvpn.net

Regards,
Jason

On Fri, Mar 9, 2012 at 3:23 AM, Mark Spohr mhsp...@gmail.com wrote:

What strategies do people use for securing DHIS over the internet? VPN? HTTPS?

Mark Spohr MD

--
Lars Kristian Roland
Research Fellow, Department of Informatics, University of Oslo
Email: l...@roland.bz - rol...@ifi.uio.no
Phone: +47 90733036

___
Mailing list: https://launchpad.net/~dhis2-users
Post to : dhis2-users@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-users
More help : https://help.launchpad.net/ListHelp
Re: [Dhis2-users] Secure remote access
I'd use HTTPS/SSL for web access and definitely use SSH (preferably using both certificates and passwords) for server access (for people administering the Linux installations).

SSH is a must. I would also move it to a non-standard port, and disable remote access with passwords, and disable the root user from being able to log in over SSH. You will still get a lot of bot attacks, but using certificates (with a password) will greatly increase the security of the server.
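
A check for the three SSH settings the message above recommends (non-standard port, no password logins, no root login), as an added example that is not part of the original thread. The two sample config files are constructed, the function names are hypothetical, and the script assumes current OpenSSH defaults, whitespace-separated `Keyword value` lines, and no `Include` files.

```shell
#!/bin/sh
# Added example. Audits the global section of an sshd_config for the three
# settings recommended in the message above.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Assumptions: Include files are not followed and
# everything from the first Match block onward is ignored.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # end of global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: prints one FAIL line per finding, returns 1 if any.
audit_sshd_config() {
    rc=0
    port=$(effective_value "$1" Port 22)
    pw=$(effective_value "$1" PasswordAuthentication yes)
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    [ "$port" != 22 ] || { echo "FAIL Port=$port (standard port)"; rc=1; }
    [ "$pw" = no ] || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    [ "$root" = no ] || { echo "FAIL PermitRootLogin=$root"; rc=1; }
    return "$rc"
}

# Constructed sample files (not taken from any real server).
tmp=$(mktemp -d)
cat > "$tmp/weak" <<'EOF'
# Port left at its default
PasswordAuthentication yes
PermitRootLogin without-password
PasswordAuthentication no
EOF
cat > "$tmp/hardened" <<'EOF'
Port 2222
passwordauthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF

for f in weak hardened; do
    echo "== $f"
    audit_sshd_config "$tmp/$f" || true
done
```

The weak sample shows why a later `PasswordAuthentication no` does not help when an earlier `yes` is already in the file. On a live server, `sshd -T` prints the effective configuration, including included files, and is the authoritative check.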
[Dhis2-users] Secure remote access
What strategies do people use for securing DHIS over the internet? VPN? HTTPS?

Mark Spohr MD
Re: [Dhis2-users] Secure remote access
Hi Mark,

I think you answered your own question. I use HTTPS for end users, as it does not require them to do anything, and VPN in situations where direct access to the remote database may be required.

There is some information in the user manual on setting up DHIS with SSL/HTTPS.

For Apache, some stuff is here http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch10s04.html#d5e1011

For Nginx, some more info is here http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch08s02.html

For VPN, I would recommend OpenVPN. A little tricky to set up, but extremely powerful and secure. https://openvpn.net

Regards,
Jason

On Fri, Mar 9, 2012 at 3:23 AM, Mark Spohr mhsp...@gmail.com wrote:

What strategies do people use for securing DHIS over the internet? VPN? HTTPS?

Mark Spohr MD
Re: [Dhis2-users] Secure remote access
Thanks for this. Some here are worried about unauthorized access to the system using easily guessed names and password combos. Has that been a problem?

Mark Spohr MD

On Mar 8, 2012 8:28 PM, Jason Pickering jason.p.picker...@gmail.com wrote:

Hi Mark,

I think you answered your own question. I use HTTPS for end users, as it does not require them to do anything, and VPN in situations where direct access to the remote database may be required.

There is some information in the user manual on setting up DHIS with SSL/HTTPS.

For Apache, some stuff is here http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch10s04.html#d5e1011

For Nginx, some more info is here http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch08s02.html

For VPN, I would recommend OpenVPN. A little tricky to set up, but extremely powerful and secure. https://openvpn.net

Regards,
Jason

On Fri, Mar 9, 2012 at 3:23 AM, Mark Spohr mhsp...@gmail.com wrote:

What strategies do people use for securing DHIS over the internet? VPN? HTTPS?

Mark Spohr MD
Re: [Dhis2-users] Secure remote access
Hi Mark,

Personally, I would be much more concerned about the security of the server itself. I get dozens of attempted forced entry attempts on servers I manage each day. I know servers where DHIS2 has been set up have been taken over due to weak passwords on the server.

It really depends on the security requirements of the organization. DHIS password requirements are pretty insecure (at least 8 characters, one caps, one number) and well known, so of course, this is a weakness. This of course could be changed to suit your own needs, but would require alteration of the source code to do so. Best to get an exact security requirement from them.

Regards,
Jason

On Fri, Mar 9, 2012 at 6:50 AM, Mark Spohr mhsp...@gmail.com wrote:

Thanks for this. Some here are worried about unauthorized access to the system using easily guessed names and password combos. Has that been a problem?

Mark Spohr MD

On Mar 8, 2012 8:28 PM, Jason Pickering jason.p.picker...@gmail.com wrote:

Hi Mark,

I think you answered your own question. I use HTTPS for end users, as it does not require them to do anything, and VPN in situations where direct access to the remote database may be required.

There is some information in the user manual on setting up DHIS with SSL/HTTPS.

For Apache, some stuff is here http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch10s04.html#d5e1011

For Nginx, some more info is here http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch08s02.html

For VPN, I would recommend OpenVPN. A little tricky to set up, but extremely powerful and secure. https://openvpn.net

Regards,
Jason

On Fri, Mar 9, 2012 at 3:23 AM, Mark Spohr mhsp...@gmail.com wrote:

What strategies do people use for securing DHIS over the internet? VPN? HTTPS?

Mark Spohr MD