Brute Force in WSO2 carbon - wso2-api-manager

How can I prevent brute force against WSO2 Carbon, Publisher or Store?
For example, have a captcha,
or have a maximum number of tries, for example lock the user after 5 failed tries,
or anything that can prevent brute force?
I use free WSO2 and I don't have WUM, ...

You can lock an account based on the following use cases.
Account locking by failed login attempts
Account locking by an administrative user
Please refer to https://apim.docs.wso2.com/en/latest/install-and-setup/setup/security/user-account-management/#account-locking for more details.

I assume you are using the latest or one of the latest versions of WSO2 API Manager. If you deploy it with WSO2 Identity Server as the AM Key Manager, you can set up a captcha for login purposes if you set up the devportal (store) and publisher with SSO. It is the regular solution for the problem you are describing.
https://is.docs.wso2.com/en/latest/learn/setting-up-recaptcha/
In addition you may use a specialized tool to avoid DoS/DDoS and brute force attacks. Here is a list:
https://serverguy.com/security/open-source-web-application-firewall/

Related

If log in with SSO, the role will continue to be overwritten

In WSO2 API Manager, we try to access the Subscriber UI and Publisher UI through SSO. The SSO connection works fine, but the Admin gave a special user the publisher creator permission. But if that user accesses the Subscriber UI again through SSO, the newly given permission (publisher creator) is lost and reset to the initial setting. What should I do in this case?
As per the description, I believe that you have created multiple Identity Providers to log in to Publisher and Devportal. Also, you have enabled Just-In-Time provisioning at the Identity Providers.
If yes, try adding the following configuration in the APIM's deployment.toml and try out the scenario:
[authentication.framework.extensions]
provisioning_handler = "org.wso2.carbon.identity.application.authentication.framework.handler.provisioning.impl.SystemRolesRetainedProvisionHandler"
The default provisioning handler removes any additional roles that have been assigned to the logged-in user during the sign-in process. The above-given provisioning handler is an extended version that does not remove the additional (custom) assigned roles from the user during the login process.

Account Locked in API Manager Store & Publisher 2.1.0

Is there a way to lock a user's account after a certain number of failed login attempts to the API Store and API Publisher? I already checked the API Manager FAQ, but the documentation redirects to Identity Server files.
Is there any method for solving this issue?
Thank You.
You can change the following properties in the APIM_HOME/repository/conf/identity/identity-mgt.properties file.
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts
Authentication.Policy.Password.Expire.Time=0
# If account verification is not enabled, following property will decide where user must be lock or not after user is created
Authentication.Policy.Account.Lock.On.Creation=false
Authentication.Policy.Account.Lock.Time=0
Authentication.Policy.Account.Lock.On.Failure=false
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=0
You should first install the following Identity Feature in WSO2 API Manager:
Account Recovery and Credential Management
version: 5.7.5
Then you will get the identity-mgt.properties file in your /repository/conf/identity directory.
By changing the following property value to the preferred number you can achieve account locking after several attempts.
Authentication.Policy.Account.Lock.On.Failure.Max.Attempts=0
Note:
To install the above feature,
log in to the Management Console of API Manager 2.1.0 (https://localhost:9443/carbon).
Go to Configure > Features > Repository Management and add the following repository:
http://product-dist.wso2.com/p2/carbon/releases/wilkes/
Then search for "Account Recovery and Credential Management Feature".
Select and install version 5.7.5 as below.
Restart the server.
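The lockout behaviour that the Lock.On.Failure, Max.Attempts and Lock.Time properties above describe, written out as a small model so the state transitions can be followed and tested. This is added example code, not WSO2's implementation: the class and function names (LockoutPolicy, LockoutStore, authenticate, admin_unlock) are hypothetical, the timestamps and usernames are constructed, and the meaning given to a lock time of 0 (locked until an administrator unlocks) is an assumption of this example, not a documented WSO2 semantic.

```python
"""Failed-login account lockout, modelled on the identity-mgt.properties knobs
above. Added example code, not WSO2's implementation; the names are
hypothetical and the property semantics are stated as assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    lock_on_failure: bool = True   # cf. Authentication.Policy.Account.Lock.On.Failure
    max_attempts: int = 5          # cf. ...Account.Lock.On.Failure.Max.Attempts
    lock_time_minutes: int = 15    # cf. Authentication.Policy.Account.Lock.Time
    # ASSUMPTION of this example: lock_time_minutes == 0 means the account
    # stays locked until an administrator unlocks it.


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False
    unlock_at: Optional[datetime] = None  # None while locked: admin unlock only


@dataclass
class LockoutStore:
    policy: LockoutPolicy
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)  # lines a SIEM could ingest

    def _log(self, now: datetime, event: str, user: str, **kv: object) -> None:
        extra = "".join(f" {k}={v}" for k, v in kv.items())
        self.audit.append(f"{now.isoformat()} {event} user={user}{extra}")

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        if not st.locked:
            return False
        if st.unlock_at is not None and now >= st.unlock_at:
            # Timed lock has expired: clear the lock and the failure counter.
            st.locked, st.unlock_at, st.failed_attempts = False, None, 0
            self._log(now, "ACCOUNT_UNLOCK", user, reason="timeout")
            return False
        return True

    def authenticate(self, user: str, password_ok: bool, now: datetime) -> str:
        """Return 'ok', 'bad_password' or 'locked'. A locked account answers
        'locked' whether or not the password was right, so the lock itself
        never confirms a correct guess."""
        if self.is_locked(user, now):
            self._log(now, "LOGIN_DENIED", user, reason="locked")
            return "locked"
        st = self._state(user)
        if password_ok:
            st.failed_attempts = 0  # a successful login resets the counter
            self._log(now, "LOGIN_OK", user)
            return "ok"
        st.failed_attempts += 1
        self._log(now, "LOGIN_FAILED", user, attempts=st.failed_attempts)
        if self.policy.lock_on_failure and st.failed_attempts >= self.policy.max_attempts:
            st.locked = True
            if self.policy.lock_time_minutes > 0:
                st.unlock_at = now + timedelta(minutes=self.policy.lock_time_minutes)
            self._log(now, "ACCOUNT_LOCK", user, until=st.unlock_at or "admin")
        return "bad_password"

    def admin_unlock(self, user: str, now: datetime) -> None:
        """Administrative unlock: clears the lock and the failure counter."""
        st = self._state(user)
        st.locked, st.unlock_at, st.failed_attempts = False, None, 0
        self._log(now, "ACCOUNT_UNLOCK", user, reason="admin")


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp


def run_timed_lock_demo() -> List[str]:
    """Five wrong passwords lock 'alice' for 15 minutes; the right password is
    refused while locked and accepted once the lock has expired."""
    store = LockoutStore(LockoutPolicy(max_attempts=5, lock_time_minutes=15))
    results = [store.authenticate("alice", False, T0 + timedelta(seconds=i)) for i in range(5)]
    results.append(store.authenticate("alice", True, T0 + timedelta(minutes=1)))
    results.append(store.authenticate("alice", True, T0 + timedelta(minutes=16)))
    return results


def run_admin_unlock_demo() -> List[str]:
    """With lock time 0 the lock never expires by itself; only admin_unlock clears it."""
    store = LockoutStore(LockoutPolicy(max_attempts=3, lock_time_minutes=0))
    for i in range(3):
        store.authenticate("bob", False, T0 + timedelta(seconds=i))
    results = [store.authenticate("bob", True, T0 + timedelta(days=1))]
    store.admin_unlock("bob", T0 + timedelta(days=1, minutes=1))
    results.append(store.authenticate("bob", True, T0 + timedelta(days=1, minutes=2)))
    return results
```

The audit list is the part worth keeping when wiring a real deployment: an ACCOUNT_LOCK event per user, or a burst of LOGIN_FAILED lines across many users, is the signal a detection rule should alert on, independently of whether the lock is timed or administrative.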

firebase admin multi-factor login

Excited about Firebase, but my admins must use multi-factor login for the account dashboard (policy issue). Is this possible? Is it a setting I can't find? Can I log in to the account dashboard using Google (and thus force multi-factor)?
Disclaimer: I work for Firebase
Firebase's login system is separate from Google's and does not offer two-factor auth. We are looking to enhance this, but currently these are the constraints.
If you want your application administrators to go through a more stringent login process than Firebase allows for its account dashboard, you might want to consider setting up an application-administration dashboard. This is just a separate section of your application that you build. That also means you have full control over the access mechanism, through a custom token generator.

Symfony2 - I can't get the gmail mail transport to work ... authentication fails

I have a mailer configuration based on http://symfony.com/doc/current/cookbook/email/gmail.html but when I'm sending the email from a custom Symfony console command I'm getting this error:
[2015-03-16 20:38:09] app.ERROR: Exception occurred while flushing email queue: Failed to authenticate on SMTP server with username "?????????" using 1 possible authenticators
I tried two gmail accounts for authentication but no luck ... Any idea what's wrong here?
SOLVED: The problem was this:
https://support.google.com/accounts/answer/6010255?hl=en ... I simply enabled it ...
Credit to #David Marko:
You either have to upgrade to a more secure app that uses the most up-to-date security measures. All Google products, like Gmail, use the latest security measures. (https://www.google.com/settings/security/lesssecureapps)
Or allow less secure apps: choose “Allow” to let less secure apps access your Google account. We don't recommend this option because it may make it easier for someone to gain access to your account.
Source: https://support.google.com/accounts/answer/6010255?hl=en

Alfresco : ldap sync after user login authentication

After referring to so many forums, I am able to authenticate and sync Active Directory users to Alfresco. The problem is we have more than 25,000 users and right now we are planning to open Alfresco only for selected users. Whenever someone searches people they will find all the 25,000 users who are not even using Alfresco. My IT team is not willing to create a separate group for these selected members. Is it possible to sync only users who are logged in?
I am using Alfresco 4.2e Binary Installation, Windows 7 64-bit.
The easiest way would be to distinguish the users to sync via an LDAP query.
You could find this link useful.
This scenario should do it:
enable ldap authentication
configure the authentication chain to include Alfresco and LDAP. This will ensure that it tries to authenticate against both systems, e.g.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
disable sync
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=false
If you start Alfresco for the very first time there are no users in Alfresco. Depending on your strategy for controlling user creation you could either:
create users manually
If you're running on Linux the easiest way would be to use the alfresco-shell-tools; otherwise you could use the CSV import feature in the user admin. The trick is to use the same username so Alfresco will try to authenticate against both systems before it fails.
create users on first login
Another way is to enable implicit user creation on first login. This isn't my recommendation since you will get into trouble later because the user has no email address configured / no user info is synced. (This way is not tested; if this doesn't work you may define a sync query which doesn't return users to enable sync.)
synchronization.autoCreatePeopleOnLogin=true
You will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync.
You need to add/change these lines also in ldap-authentication.properties:
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=false
synchronization.syncWhenMissingPeopleLogIn=false
and add in alfresco-global.properties:
create.missing.people=false
