How to make registration more secure for DXMPP?

Posted by aaron

As is stated at http://groups.drupal.org/node/59163 : "changed registration_timeout to unlimited. Default is 600 seconds. The server should wait 5 minutes before they can register a second new user. Together with open registering this is really a security problem, a hacker can register millions of new users in a short time!"

I see the issue there, yet have not yet been able to determine a suitable form of registration. Ideally, I would like to have a way to block registration to all servers but our web server (assuming it's on another machine), perhaps with a firewall. However, using http_bind, we only have the one option.

Perhaps we should use xmlrpc? I haven't gotten that working yet, but it appears it may be viable.

Comments

Actually, to answer my own

Posted by aaron

Actually, to answer my own question, you should be able to set up a firewall on port 5222, which is what the server uses to communicate with XMPP, as opposed to clients, which are bound to 5280.

Aaron Winborn
Drupal Multimedia (my book, available now!)
AaronWinborn.com
Advomatic

Found some information

Posted by franskuipers

Here: http://lists.jabber.ru/pipermail/ejabberd/2009-April/004830.html

Is there any possibility to allow new user registration only when client connects from some range of IP (defined in config file)?

I want to allow registered clients to connect from any IP, but to allow new user registration only when client comes from our company's network because too many trash-spam accounts are being created otherwise ;(

Your users now register using mod_register, which implements XEP-0077: In-Band Registration

mod_register does not implement filtering by IP, and you can't use a network firewall because XEP-0077 is used over the standard 5222 port. A solution would be to use a web registration service on a custom port, so you can filter access using a firewall. One web page could be mod_register_web. I describe that possibility now.

Requirements:
* ejabberd trunk SVN (or ejabberd 2.1.0 or newer, once released)
* mod_register_web from ejabberd-modules SVN
* firewall to block the port to certain IP addresses

Screenshots:
http://www.ejabberd.im/mod_register_web

Brief how-to:
1. Install ejabberd trunk SVN
2. Configure ejabberd_captcha
3. Install mod_register_web, and configure it to listen on port 5283 (for example)
4. Check you can register accounts using http://yourserver:5283/register/
5. Disable account registration in mod_register
6. Using firewall, filter what IPs can access the port 5283

A better solution...

Posted by franskuipers

... would be to set:
{access, register, [{deny, all}]}.

We need a new function registerNewUser()
which:
* logs in as admin user of the jabber server
* adds a new user and password
* roster?
* and logs out
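As an added example (mine, not code from this thread or from DXMPP), here is what a web-server-side registerNewUser() could look like in Python when the Drupal host can run ejabberdctl locally: the account is created through ejabberd's admin tool instead of logging in over XMPP as an admin, so mod_register can stay at deny-all. The `ejabberdctl register user host password` syntax is ejabberd's own; the username rule and the runner hook are my assumptions.

```python
import re
import subprocess

# Stricter than what RFC 6122 allows for a JID localpart: keeps the account name
# shell-safe, URL-safe and free of the characters XMPP forbids (" & ' / : < > @).
_LOCALPART = re.compile(r"[a-z0-9][a-z0-9._-]{0,63}")


def is_valid_localpart(user: str) -> bool:
    """True when the username is acceptable as the node part of user@host."""
    return bool(_LOCALPART.fullmatch(user))


def build_register_command(user: str, host: str, password: str) -> list:
    """argv for ejabberd's admin tool; raises on input we would not accept."""
    if not is_valid_localpart(user):
        raise ValueError("invalid username for JID localpart")
    if len(password) < 8:
        raise ValueError("password too short")
    return ["ejabberdctl", "register", user, host, password]


def _run(argv: list) -> int:
    # No shell involved: username and password are discrete arguments and are
    # never parsed by /bin/sh. ejabberdctl still receives the password on its
    # command line, so this must run on a host you control (assumed here).
    return subprocess.run(argv, capture_output=True, text=True).returncode


def register_new_user(user: str, host: str, password: str, runner=_run) -> bool:
    """Create the account server-side while in-band registration stays denied."""
    return runner(build_register_command(user, host, password)) == 0
```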

I tried that, but was

Posted by aaron

I tried that, but was unsuccessful. I talked w/ badlop (a maintainer of ejabberd), and he explained that mod_register simply determines which usernames are allowed to be registered, and doesn't actually restrict username registration per account (as one might expect). Maybe something got lost in translation from the original Russian?

Aaron Winborn
Drupal Multimedia (my book, available now!)
AaronWinborn.com
Advomatic

Strange, documentation says

Posted by franskuipers

Strange, documentation says here: http://www.process-one.net/en/ejabberd/guide_en#htoc56

This configuration prohibits usage of In-Band Registration to create or delete accounts, but allows existing accounts to change the password:

{access, register, [{deny, all}]}.

{modules,
[
...
{mod_register, [{access, register}]},
...
]}.

But maybe also the admin user can't create new users?

ejabberd security

Posted by henryIV

First I'd like to thank you for your DXMPP module.
I've played around with the XMPP-Framework module and dislike the pop-up window of XWChat, although it works.

What in my opinion is a great advantage related to security is the external authentication implemented by XMPP-Framework and the unreleased module at http://github.com/athoune/Drupal-Strophe .

This way, the in-band registration of ejabberd can be disabled by setting

{access, register, [{deny, all}]}.

Additionally, this way mod_register can be completely disabled:

{modules,
[
...
%% {mod_register, [{access, register}]},
...
]}.

That way, the registration of new users is managed solely by your drupal installation.

Both of them authenticate against the drupal database via

{auth_method, external}.
{extauth_program, "/etc/ejabberd/ejabberd_via_drupal_db_auth.phps"}.

This way, there's no need to register users twice in Drupal-DB and ejabberd without opening your ejabberd-server to the public.

For a working implementation of an external auth script see e.g. athoune's module at http://github.com/athoune/Drupal-Ejabberd-Auth , which does a good job, or have a look at http://www.ejabberd.im/check_drupal_php .

Hope this helps,

keep the good work up,

regards,

henryIV
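To make the extauth side concrete, here is an added example (mine, not athoune's script or check_drupal_php) of the program ejabberd talks to through {extauth_program, ...}, written in Python rather than PHP. It speaks ejabberd's length-prefixed stdin/stdout protocol and answers auth and isuser from a constructed in-memory table that stands in for the Drupal users table; setpass and registration requests are refused so Drupal remains the only place accounts are created.

```python
import hashlib
import hmac
import struct
import sys

# Constructed stand-in for the Drupal users table: name -> (salt, sha256(salt+password)).
# A real script looks the hash up in Drupal's database; only the lookup changes.
def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {"alice": ("s1", _digest("s1", "correct horse")),
         "bob": ("s2", _digest("s2", "hunter2"))}

def _check_password(user: str, password: str) -> bool:
    entry = USERS.get(user)
    return entry is not None and hmac.compare_digest(entry[1], _digest(entry[0], password))

def handle(command: str) -> bool:
    """Answer one extauth request; anything not explicitly allowed is refused."""
    parts = command.split(":")
    if parts[0] == "auth" and len(parts) >= 4:
        # auth:user:server:password, and the password itself may contain ':'.
        return _check_password(parts[1], ":".join(parts[3:]))
    if parts[0] == "isuser" and len(parts) == 3:
        return parts[1] in USERS
    return False  # setpass/tryregister/removeuser: Drupal owns the accounts, so deny

def encode_packet(command: str) -> bytes:
    # ejabberd frames each request as a 2-byte big-endian length plus the text.
    body = command.encode()
    return struct.pack(">H", len(body)) + body

def process_packet(packet: bytes) -> bytes:
    (length,) = struct.unpack(">H", packet[:2])
    ok = handle(packet[2:2 + length].decode())
    return struct.pack(">HH", 2, 1 if ok else 0)  # reply: length 2, then 1 (ok) or 0

def serve() -> None:
    stdin, stdout = sys.stdin.buffer, sys.stdout.buffer
    while True:
        header = stdin.read(2)
        if len(header) < 2:
            return
        body = stdin.read(struct.unpack(">H", header)[0])
        stdout.write(process_packet(header + body))
        stdout.flush()

if __name__ == "__main__":
    serve()
```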

thanks. that works if the

Posted by aaron

thanks. that works if the xmpp server is ejabberd, and is on the same machine as the drupal server. that should definitely be one of the options. won't work for everyone, unfortunately.

Aaron Winborn
Drupal Multimedia (my book, available now!)
AaronWinborn.com
Advomatic

doesn't that mod simply serve

Posted by aaron

doesn't that mod simply serve up those registration pages? if so, that would not work for automatic registrations :(

Aaron Winborn
Drupal Multimedia (my book, available now!)
AaronWinborn.com
Advomatic

you don't need to register nor opening port 5280

Posted by athoune

http://github.com/athoune/Drupal-Ejabberd-Auth

Users are handled by drupal.
A proxy (apache mod_proxy or lighttpd) forwards BOSH traffic from port 80 to ejabberd port 5280.

M.


that's not true

Posted by henryIV

First:

...
and is on the same machine as the drupal server
...

I have a working setup where ejabberd is running on a separate (virtual) machine.

Drupal reaches ejabberd via apache2 mod_proxy redirect.

As in /etc/apache2/sites-enabled/drupal

...
ProxyVia on
ProxyRequests off
ProxyPreserveHost on
<Proxy *>
        Order deny,allow
        Allow from all
</Proxy>

ProxyPass /http-bind http://chat.drupal:5280/http-bind
ProxyPassReverse /http-bind http://chat.drupal:5280/http-bind
...

Honestly, I'm not sure about the meaning of all these settings, but it works.

Second:

...
that works if the xmpp server is ejabberd
...

As you can find in
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/...
or
http://www.tigase.org/content/drupal-authentication-added

there's at least an external database integration implemented in two other XMPP servers, which are both published under the GPL license.

I didn't test those two, as I'm happy with ejabberd.

Regards,

henryIV

mod_register

Posted by IckZ

Hey,
I spoke to one of the developers and he released a patched mod_register file. With that one you can restrict the registration to one or several IP addresses like localhost or so.

check this: https://support.process-one.net/browse/EJAB-915

here is the file: https://git.process-one.net/ejabberd/mainline/blobs/raw/2.1.x/src/mod_re... -> compile this like any other contribution. Those who installed with the .bin installer check the comments here: http://www.ejabberd.im/ejabberd-modules

I think that this feature will be integrated in ejabberd 2.1.6.
