Secure remote access

What strategies do people use for securing DHIS over the internet?

VPN?

HTTPS?

Mark Spohr MD

Hi Mark,

I think you answered your own question. I use HTTPS for end users, as
it does not require them to do anything, and VPN in situations where
direct access to the remote database may be required.

There is some information in the user manual on setting up DHIS with SSL/HTTPS.

For Apache, some stuff is here

http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch10s04.html#d5e1011

For Nginx, some more info is here

http://apps.dhis2.org/ci/job/dhis-documentation/ws/target/site/en/implementer/html/ch08s02.html

For VPN, I would recommend OpenVPN. A little tricky to set up, but
extremely powerful and secure.

https://openvpn.net

Regards,
Jason


Thanks for this

Some here are worried about unauthorized access to the system using easily guessed names and password combos.

Has that been a problem?

Mark Spohr MD


Hi Mark,

Personally, I would be much more concerned about the security of the
server itself. I get dozens of attempted forced entry attempts on
servers I manage each day. I know servers where DHIS2 has been setup
have been taken over due to weak passwords on the server.

It really depends on the security requirements of the organization.
DHIS password requirements are pretty insecure (at least 8 characters,
one caps, one number) and well known, so of course, this is a
weakness. This of course could be changed to suit your own needs, but
would require alteration of the source code to do so. Best to get an
exact security requirement from them.

Regards,
Jason
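Jason's point about dozens of forced-entry attempts a day is something an administrator can measure rather than guess at. The script below is an added example, not code from this thread or from the DHIS2 project: it summarises failed SSH password attempts per source address and per attempted account from auth-log text. The log lines are constructed samples in OpenSSH's syslog format using documentation-range addresses, and the function names and the threshold of 3 are my own choices.

```shell
#!/bin/sh
# Added example: summarise failed SSH password attempts from an auth log.
# The log lines below are CONSTRUCTED samples in OpenSSH's syslog format
# (addresses from the RFC 5737 documentation ranges), not real server data.
SAMPLE_AUTH_LOG='Mar  9 03:01:12 dhis2 sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  9 03:01:15 dhis2 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  9 03:01:19 dhis2 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Mar  9 03:02:02 dhis2 sshd[2210]: Failed password for invalid user oracle from 198.51.100.23 port 40112 ssh2
Mar  9 03:05:44 dhis2 sshd[2215]: Accepted publickey for dhis from 192.0.2.10 port 50200 ssh2
Mar  9 03:06:01 dhis2 sshd[2220]: Failed password for dhis from 203.0.113.7 port 51100 ssh2'

# Failed password attempts per source address, busiest first.
# Reads log text on stdin, prints "count address" per line.
failed_logins_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { src[$(i + 1)]++; break }
       }
       END { for (s in src) print src[s], s }' | sort -rn
}

# Failed password attempts per attempted account name. sshd writes
# "for invalid user NAME" for unknown accounts and "for NAME" otherwise.
failed_logins_by_user() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "for") {
           u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
           users[u]++
           break
         }
       }
       END { for (u in users) print users[u], u }' | sort -rn
}

# Sources with at least THRESHOLD failures: candidates for a firewall
# block or a fail2ban-style jail. Usage: offenders THRESHOLD
offenders() {
  failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "failed attempts per source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_source
echo "attempted account names:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_user
echo "sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3
```

On a live Debian or Ubuntu host the same functions can be fed with `grep sshd /var/log/auth.log`; the per-user view is useful because it shows whether the guesses target generic names (root, admin, oracle) or accounts that actually exist on the DHIS2 server, which is the case worth escalating.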


Hi Mark,

I’d use HTTPS/SSL for web access and definitely use SSH (preferably using both certificates and passwords) for server access (for people administering the Linux installations).

Even if you may not strictly need HTTPS/SSL, it covers your back in case there was an attempted attack. Not using it might be seen as unprofessional by many.

A large part of security for the server is also to keep it up to date with security patches. This is often forgotten. And of course backups etc, which is also a security precaution.

Note that if you’re using the mobile clients, this may put some extra requirements on which SSL certificate registrars you use, as the cheaper ones give errors or simply don’t work on mobile phones. So although Verisign and Thawte are more expensive, it might be worth using these.

Lars

Lars Kristian Roland

Research Fellow, Department of Informatics, University of Oslo

Email: lars@roland.bz - roland@ifi.uio.no

Phone: +47 90733036

> I'd use HTTPS/SSL for web access and definitely use SSH (preferably using
> both certificates and passwords) for server access (for people administering
> the linux installations).

SSH is a must. I would also move it to a non-standard port, and
disable remote access with passwords, and disable the root user from
being able to login over SSH. You will still get a lot of bot attacks,
but using certificates (with a password) will greatly increase the
security of the server.

On 9 March 2012 11:52, Jason Pickering <jason.p.pickering@gmail.com> wrote:
> I'd use HTTPS/SSL for web access and definitely use SSH (preferably using
> both certificates and passwords) for server access (for people administering
> the linux installations).
>
> SSH is a must. I would also move it to a non-standard port, and
> disable remote access with passwords, and disable the root user from
> being able to login over SSH. You will still get a lot of bot attacks,
> but using certificates (with a password) will greatly increase the
> security of the server.

what certificates? I just use my public and private key combination
i.e. copy my public key into ~/ssh/authorized_keys on the server.

Disabling remote access with passwords is really important, but
sometimes it takes a bit of time getting people used to using keys.
Worth the effort though. Don't lose the keys.

I mean keys when I say certificate. I believe they’re used interchangeably, but that might be incorrect. Thanks for your clarification.

However, I think it’s an important point that the key should be protected by a passphrase. If someone breaks into the PC where the private key is stored and they can use that without a passphrase to log into DHIS, it creates a network of possible failures that is hackable. I doubt everyone has the same security policy on their local machine as they should have on the state DHIS server, so a key without a passphrase would be dangerous (please let me know if you disagree). I guess alternatively it’s possible to still have a password on a server and require both a password and an SSH key? This might be even safer.

Lars



Lars Kristian Roland

Research Fellow, Department of Informatics, University of Oslo

Email: lars@roland.bz - roland@ifi.uio.no

Phone: +47 90733036
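Jason's three sshd recommendations (non-standard port, no password logins, no root login) and Lars's follow-up about protecting the key with a passphrase, or requiring both a key and a password, can be checked mechanically before a server is exposed. The script below is an added example and not code from this thread or from the DHIS2 project: it reads an sshd_config and reports which of those settings are still permissive. Both configuration fragments are constructed for the example, the account name `dhisadmin` is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening points raised
# in the thread. Both configs below are CONSTRUCTED fragments, not taken
# from any DHIS2 server; the account name "dhisadmin" is a placeholder.
WEAK_SSHD_CONFIG='# the permissive settings many fresh installs ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_SSHD_CONFIG='# Non-standard port reduces bot noise; it is not a control on its own
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers dhisadmin'

# Effective value of one sshd keyword, read from stdin. sshd takes the
# FIRST non-comment occurrence and matches keywords case-insensitively.
# Simplified: "Key=value" syntax and Match blocks are not handled.
sshd_value() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == key { print $2; exit }'
}

# Audit a config read from stdin. Prints one WARN line per finding and
# returns 0 when clean, 1 otherwise, so it can drive a cron or CI check.
audit_sshd_config() {
  cfg=$(cat)
  rc=0
  port=$(printf '%s\n' "$cfg" | sshd_value Port)
  root=$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin)
  pass=$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication)
  # sshd defaults when the keyword is absent: Port 22, PasswordAuthentication yes
  : "${port:=22}" "${pass:=yes}"
  [ "$port" != 22 ] || { echo "WARN Port 22: move SSH to a non-standard port"; rc=1; }
  [ "$root" = no ] || { echo "WARN PermitRootLogin=${root:-unset}: set it to no"; rc=1; }
  [ "$pass" = no ] || { echo "WARN PasswordAuthentication=${pass}: set it to no, keys only"; rc=1; }
  return $rc
}

echo "== weak config =="
printf '%s\n' "$WEAK_SSHD_CONFIG" | audit_sshd_config || echo "-> not acceptable"
echo "== hardened config =="
printf '%s\n' "$HARDENED_SSHD_CONFIG" | audit_sshd_config && echo "-> clean"
```

Two notes on Lars's point. The passphrase lives on the client side: `ssh-keygen` prompts for one when the key is generated, and it is what protects the private key if the administrator's PC is compromised, exactly the scenario Lars describes. If the server should insist on both a key and the account password, OpenSSH 6.2 and later support `AuthenticationMethods publickey,password`; in that layout `PasswordAuthentication` must stay `yes` (password alone is still refused, because the key is required first), so the third check above would need to be relaxed for that configuration.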