Computer / Network aware

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
Jimbo435
Forum Newbie
Posts: 4
Joined: Thu Jan 29, 2009 11:29 am

Computer / Network aware

Post by Jimbo435 »

I am creating a sign in system for a preschool. I plan to use touch screen computers. I want to create a page that is touch screen friendly, to use in each classroom. Rather than having to type their user name, I want them to pick their user name from a list. So they can basically login with a few taps. (4-digit password required)

Parents and staff will also be able to login in a more traditional way (must enter user and password) from home, or anywhere else.

Obviously, I don't want anyone to be able to see these lists of users if they are browsing on a computer outside the school. Also, based on whether they login from school, or from elsewhere, I want them to see different features (can't sign your child in from home, etc.)

My original idea was simply to have different sign in pages that are accessed from school, and not to publicize the urls. However, this is basically very little if any security at all.

Is there a way I can make PHP aware that it is being viewed on a school computer versus a non-school computer? I know I can get the IP, but we are on a dynamic IP ISP, and I can't risk the entire system going down because my ISP decided to change my IP. Perhaps I can create a script to check my internal IP and load that to a database? Or is there some other identifier I can use?

Ideas?

Jim
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Computer / Network aware

Post by kaisellgren »

You could use IP address to determine whether the connection is from outside the school. If it is, require more complex login system than 4-digit login. Traditional PIN codes consisting of 4 numbers have 10^4 different combinations, which equals to 10 000. You should create a system that prevents too many failed attempts.

Your orginal idea (if I understood correctly) uses a different URL. Now if anyone inside the school, or even outside, knows this URL he could just use it to attack your site.

One idea is to make the web browser in the school to send some additional information, e.g. IN_SCHOOL HTTP header. This is not bulletproof, but an attacker must be using the school computers at least for once and look at the HTTP talking the web browser and school server uses.

You may also want to ask your ISP if they are cycling specific IPs for you. So then you could make an IP range.
Jimbo435
Forum Newbie
Posts: 4
Joined: Thu Jan 29, 2009 11:29 am

Re: Computer / Network aware

Post by Jimbo435 »

Thanks for your help.

So in your opinion, would a public 4-digit pin code for login with a limit on the number of tries be sufficient security? I guess I could have them select a longer alphanumeric password, but I am trying to keep it simple. (while also secure)

Is there a way, to hide the address bar on IE 7? I think the computers we are buying will use IE 7. I was hoping if I hid that, and as you say, passed a variable to the page, even if someone discovered the page, without the variable value, they would see no data. I think the chance that an employee or parent would attempt to discover the url in an attempt to subvert the security.

BTW, do you know, if I put a page on my site, and do not link it to the main page, how would someone discover its existence? Is there a way to view all the pages on a site?

Jim
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Computer / Network aware

Post by kaisellgren »

Jimbo435 wrote:Thanks for your help.

So in your opinion, would a public 4-digit pin code for login with a limit on the number of tries be sufficient security? I guess I could have them select a longer alphanumeric password, but I am trying to keep it simple. (while also secure)

Is there a way, to hide the address bar on IE 7? I think the computers we are buying will use IE 7. I was hoping if I hid that, and as you say, passed a variable to the page, even if someone discovered the page, without the variable value, they would see no data. I think the chance that an employee or parent would attempt to discover the url in an attempt to subvert the security.

BTW, do you know, if I put a page on my site, and do not link it to the main page, how would someone discover its existence? Is there a way to view all the pages on a site?

Jim
You could install Firefox and an extension that adds a header into the HTTP call. This way the attacker must have been on the school computer at least once - otherwise he can't really know about it.

About the PIN code. If you have 10 000 combinations, if you let anyone to try 3 invalid logins, the attacker would need around 1500 different IPs to crack the PIN code with ~50% probability. So it's up to you if you define if that is safe. The PIN code system should be only available to your school computers.

The problem is how to identify school computers. I would probably code a simple software that is being run on the background of school computers and it sends the IP of the computer to a secret school "main computer" which has a list of the IPs. Now you just check the IP of the connecting PC and if it matches this list then the computer is your school computer. Or you could allow a certain range of IPs, because some ISPs will make you cycle between a few IPs. For example, I have 5 dynamic IPs that are being cycled. I'm not sure whether this changes in the future or not - that's where you would need to ask your ISP.

I highly recommend using alphanumeric passwords instead of PIN codes.

It's very hard to find out sites that are not linked to. There are several approaches. For instance, looking at web browser history after you or someone high level access guy has accessed the page, another way is to plain brute force the server, one way is simply opening the "folder" and if it has index it will show all files, e.g. site.com/subfolder/ if index is enabled the files are shown. In Apache you can create a file .htaccess and type "Options -Indexes" to remove indexes, and there might be many other ways to know webpages. If there is one place that leaks the information of its existence, then it's possible to know it.
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Computer / Network aware

Post by VladSun »

Jimbo435 wrote: I know I can get the IP, but we are on a dynamic IP ISP, and I can't risk the entire system going down because my ISP decided to change my IP. Perhaps I can create a script to check my internal IP and load that to a database? Or is there some other identifier I can use?
Yeah, you might implement something like "no-ip.com" service.
There are 10 types of people in this world, those who understand binary and those who don't
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Computer / Network aware

Post by Christopher »

I think I would probably configure the web server to have two domain names: 'myschool.com' for external traffic and 'myschool' for internal traffic. Then I'd probably use the same home page, but with different configuration files to specific what is allowed for each site. You really need to structurally stop any internet traffic from accessing the internal site.
(#10850)
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Computer / Network aware

Post by kaisellgren »

arborint wrote:I think I would probably configure the web server to have two domain names: 'myschool.com' for external traffic and 'myschool' for internal traffic. Then I'd probably use the same home page, but with different configuration files to specific what is allowed for each site. You really need to structurally stop any internet traffic from accessing the internal site.
Yep.

PHP is not really the answer to all this.
User avatar
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Computer / Network aware

Post by VladSun »

arborint wrote:I think I would probably configure the web server to have two domain names: 'myschool.com' for external traffic and 'myschool' for internal traffic. Then I'd probably use the same home page, but with different configuration files to specific what is allowed for each site. You really need to structurally stop any internet traffic from accessing the internal site.
As far as I understand Jimbo435's problem is that there is a SNAT-ed LAN (the school private one), remote hosting server (i.e. outside the school network) and Internet. That is - everything is Internet and not Intranet.
There are 10 types of people in this world, those who understand binary and those who don't
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Computer / Network aware

Post by Christopher »

VladSun wrote:As far as I understand Jimbo435's problem is that there is a SNAT-ed LAN (the school private one), remote hosting server (i.e. outside the school network) and Internet. That is - everything is Internet and not Intranet.
Sorry completely misread it. The answer is obviously to do Access Control by user account. You don't care about IP at all, just the account. Employee accounts can see all records necessary. Parent accounts can only see their own kids information. Login any public computers at the school in with a visitor account that has appropriate functionality.
(#10850)
Jimbo435
Forum Newbie
Posts: 4
Joined: Thu Jan 29, 2009 11:29 am

Re: Computer / Network aware

Post by Jimbo435 »

Thanks for all the help. You are correct, everything is over Internet. I thought about internal hosting, and may need to do that depending on the performance of my ISP. Bandwidth sucks (AT&T), and Comcast wanted over $35k to run cable across the street. We may try satellite if AT&T can't get the performance back up. But that's another topic...

I thought of using another level of login that is more secure, thinking that the first teacher in each room would login to a generic account that would then provide the user friendly lists of users and pin passwords I am after. But this would mean they could also login from home and do the same. Then I thought of asking the Director (my wife) to login in the morning on all computers. This way only she would know the specifics of this generic account. But what happens if she is on vacation?

Can you tell me more about this Firefox extension that includes the header? I am thinking now that this header mod, hiding the url on school computers, and ensuring that indexing is off, could be sufficient security. If these pages were compromised, then I would be revealing my list of users, and providing them access via 4-digit pin. How hard is it to generate 1500 different IPs? I will probably also put some other checks in place, like only allowing login via pin during school hours.

As for external access, I will ask that they setup a user name and alpha password. I may even enforce strong passwords as we want to display some account information going forward.

I may still try to implement some kind of IP checking as my experience at least at home, is that the IP does not change that often. To me this would be the best security. Its too bad I can't put a file of some kind on each computer, and then check for its existence in the PHP. Although this can probably be hacked as well.

What would you recommend if PHP is not the right tool?

Thanks again
Jim
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Computer / Network aware

Post by kaisellgren »

Like VladSun mentioned, no-ip.com could help you.

I used to keep a DirectConnect hub open with No-IP dyn DNS tool. Basically you run a tool on the school computers, each computer has their own "no-ip-name" which is called the hostname. E.g. yourschoolpc1.no-ip.org,yourschoolpc2.no-ip.org, ... and the tool that you run on those computers will make sure that dynamic IPs are not a problem anymore.

You can't "create" IPs. There are people who have access to hundreds of thousands of computers (read unique IPs).

I suggest you to go to http://www.no-ip.com and register a hostname and then download the dynamic dns tool and run it on your computer to test it out. I think this is the best way to go, this way you can ensure no other computer except school computer can login with the PIN code.
Jimbo435
Forum Newbie
Posts: 4
Joined: Thu Jan 29, 2009 11:29 am

Re: Computer / Network aware

Post by Jimbo435 »

Excellent! THanks
Post Reply