Enterprise security in practice: deploying the open-source FreeOTP. When a security programme is being built, total budget and cost-benefit ratio are the first things to be weighed; with too few developers and too little money, open-source products become the inevitable choice.
0 × 01 Foreword
The tiger tally (hufu) was the token with which ancient Chinese emperors authorised the dispatch of troops. Cast in bronze or gold in the shape of a tiger, it was split in two: one half was handed to the general, the other kept by the emperor. Only when the two halves were brought together and matched could the holder take command of the troops. The tiger tally can be seen as an early application of two-factor authentication.
0 × 02 2FA & OTP
2FA, two-factor authentication, combines two independent factors: something you know, plus something you have or something you are. For example, in addition to a password you must also present a one-time code, or a biometric such as an iris or fingerprint as the second factor. Fingerprints can be copied and, unlike a password, can never be changed once compromised, so many security practitioners do not recommend them as a second factor.
For enterprise security, taking total cost and ease of deployment and maintenance into account, OTP is a good choice. OTP stands for One-Time Password, also called a dynamic password. It is common wherever strong authentication is needed; typical applications are the hardware tokens and mobile tokens used by online banking. Many commercial products offer dynamic passwords, and well-funded organisations can pick whichever suits them. In this article we choose FreeOTP as the OTP solution.
FreeOTP is an open-source soft-token solution from Red Hat. It implements HOTP (counter-based, RFC 4226) and TOTP (time-based, RFC 6238) and has iOS and Android clients. FreeIPA ships OTP token support that works with FreeOTP clients, so we start by deploying FreeIPA.
0 × 03 FreeIPA installation
Test environment
os: CentOS 7
ipa_hostname: ipatest
ipa_domain: example.com
ipa_address: 1.1.1.1
ipa_netbios: IPATEST
ad_hostname: it-dc01
ad_domain: it.local
ad_address: 2.2.2.2
Deployment process
1. Update the system
yum update -y
2. Install the FreeIPA components (server, AD trust support, DNS)
yum install -y ipa-server ipa-server-trust-ad ipa-server-dns bind bind-dyndb-ldap
3. System configuration (the FQDN must resolve to the server's own address before the installer runs)
echo "1.1.1.1 ipatest.example.com ipatest" >> /etc/hosts
hostnamectl set-hostname ipatest.example.com
4. IPA server configuration (-a is the IPA admin password, -p the Directory Manager password; -U runs unattended. Passwords given on the command line end up in the shell history, so omit -a/-p to be prompted for them instead)
ipa-server-install -a mypassword1 -p mypassword2 --domain=example.com --realm=EXAMPLE.COM --setup-dns --no-forwarders -U
5. Obtain an IPA administrator ticket
kinit admin
6. Install and configure iptables (replacing firewalld). TCP 80/443 are the web UI, 389/636 LDAP, 88/464 Kerberos, 53 DNS; UDP 123 is NTP; 138/139/445 are only needed for the AD trust (Samba). The commented-out rule shows where to block LDAP from the AD controller if you do not want the DC to bind to IPA.
systemctl disable firewalld
systemctl stop firewalld
yum install -y iptables-services
systemctl enable iptables
echo "*filter" > /etc/sysconfig/iptables
echo ":INPUT ACCEPT [0:0]" >> /etc/sysconfig/iptables
echo ":FORWARD ACCEPT [0:0]" >> /etc/sysconfig/iptables
echo ":OUTPUT ACCEPT [0:0]" >> /etc/sysconfig/iptables
echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" >> /etc/sysconfig/iptables
echo "-A INPUT -p icmp -j ACCEPT" >> /etc/sysconfig/iptables
echo "-A INPUT -i lo -j ACCEPT" >> /etc/sysconfig/iptables
echo "-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT" >> /etc/sysconfig/iptables
echo "# -A INPUT -s ad_ip_address -p tcp -m multiport --dports 389,636 -m state --state NEW,ESTABLISHED -j REJECT" >> /etc/sysconfig/iptables
echo "-A INPUT -p tcp -m multiport --dports 80,88,443,389,636,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT" >> /etc/sysconfig/iptables
echo "-A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT" >> /etc/sysconfig/iptables
echo "-A INPUT -p udp -j REJECT" >> /etc/sysconfig/iptables
echo "-A INPUT -p tcp -j REJECT" >> /etc/sysconfig/iptables
echo "-A FORWARD -j REJECT --reject-with icmp-host-prohibited" >> /etc/sysconfig/iptables
echo "COMMIT" >> /etc/sysconfig/iptables
systemctl restart iptables
The FreeIPA installation is now complete.
Configure your DNS so that ipatest.example.com resolves to the IPA server, then open the web UI at https://ipatest.example.com. If you need to integrate with an existing MS Active Directory, account and password synchronisation must also be set up; see:
http://gatwards.org/techblog/ipaactive-directory-sync-configuration
http://directory.fedoraproject.org/docs/389ds/download.html#windows-password-synchronization