Fastpath fails with Anonym login disabled

Hey Steve,

I was concerned about anonymous users from the internet using our Spark server if I leave anonymous users selected. I know that webchat requires it to run the way it does… But I am concerned about some kid on the outside seeing what ports I have opened up on my firewall and then connecting to our server and sending garbage to our employees… I don’t care if they try to do it from the web site per se, but if they access it directly via the port they are already up to no good anyway… We have 6 remote locations and a handful of traveling people that log in to our server, so locking it down by IP address is out of the question.

Oh, I see now what you mean and I agree. Currently there is no way to limit the IP addresses that anonymous users could use and leave the rest open for non-anonymous users. If someone is willing to contribute that improvement we would gladly include it and also guide the development of that feature.

Is an anonymous user anything that’s getting exploited yet?

I never heard of that happening before. In fact, I don’t know of any XMPP client that supports anonymous users. However, we do support it in our Smack library. That means that technically someone may exploit this vulnerability.

Am I correct to assume that there will be a sparkweb plugin in the future?

Sparkweb plugin for Fastpath? We do not have plans for that, but you are not the first one asking for that. Maybe someone will contribute that work.

P.S. I love the openfire/wildfire/spark project, you guys rock!

Sweet.

Regards,

– Gato

The least that i can do, is to create a ticket in JIRA: JM-1386

Thanx. Our developer will look at this.

At this time we try to limit anonymous logins by some IPs (networks).

Does anybody know how to easily test for anonymous connection availability? I have tried to use some Jabber clients, but unsuccessfully.
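One way to answer the question above without a special client is to read the server's own stream features: a c2s stream that advertises the SASL ANONYMOUS mechanism accepts anonymous logins. The following is an added example, not code from this thread or from Openfire; the sample `<stream:features>` blob is constructed, and the live `fetch_features` helper assumes the plain 5222 port advertises mechanisms before STARTTLS (if the server requires TLS first, the check must be repeated after the TLS handshake).

```python
# Added example: detect whether an XMPP server advertises SASL ANONYMOUS.
# Not part of the thread or of Openfire; the sample below is constructed.
import socket
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed sample of what a server might send after the client's stream header.
SAMPLE_FEATURES = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism>'
    '</mechanisms></stream:features>'
)


def sasl_mechanisms(features_xml: str) -> list:
    """Return the SASL mechanisms listed in a <stream:features> element.
    The fragment is wrapped in a stream:stream element so it parses even when
    the stream prefix was declared on the enclosing <stream:stream> header."""
    wrapped = f'<stream:stream xmlns:stream="{STREAM_NS}">{features_xml}</stream:stream>'
    root = ET.fromstring(wrapped)
    return [m.text.strip() for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text]


def anonymous_enabled(features_xml: str) -> bool:
    """True when the server offers the ANONYMOUS mechanism on this stream."""
    return "ANONYMOUS" in sasl_mechanisms(features_xml)


def fetch_features(host: str, port: int = 5222, timeout: float = 5.0) -> str:
    """Open a plain c2s stream to your own server and return its first
    <stream:features> element as text (empty string if none arrived)."""
    header = (f'<?xml version="1.0"?><stream:stream to="{host}" '
              f'xmlns="jabber:client" xmlns:stream="{STREAM_NS}" version="1.0">')
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header.encode())
        while b"</stream:features>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    text = buf.decode(errors="replace")
    start, end = text.find("<stream:features"), text.find("</stream:features>")
    if start < 0 or end < 0:
        return ""
    return text[start:end + len("</stream:features>")]
```

Running `anonymous_enabled(fetch_features("your.server"))` against a server you administer tells you whether the anonymous setting is actually exposed on the port, independent of any client.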

We resolved this problem (I hope).

The patch is made for Openfire with additional functionality for “Registration and Logins” section.

Anonymous logins will be limited by IPs. I will submit this patch to the Openfire developers after some testing.

Awesome. Thanks for the help!

Hey Olexandr,

That sounds great. Send me the patch once you are done with the testing.

Thanks,

– Gato

OK, I will.

Did you get my last patches about archive functionality (monitoring module)? I think it is nice to have this feature.

spotter wrote:

I was concerned about anonymous users from the internet using our Spark server if I leave anonymous users selected. I know that webchat requires it to run the way it does… But I am concerned about some kid on the outside seeing what ports I have opened up on my firewall and then connecting to our server and sending garbage to our employees… I don’t care if they try to do it from the web site per se, but if they access it directly via the port they are already up to no good anyway… We have 6 remote locations and a handful of traveling people that log in to our server, so locking it down by IP address is out of the question. Is an anonymous user anything that’s getting exploited yet?

Right, what are you all worried about? I dare any of you to try and exploit the anonymous user functionality. I bet you can’t. It is not as insecure as it sounds.

Rob, if there are no Jabber clients with anonymous login functionality, it does not mean that somebody can’t create one.

I see no way to hack the system using anonymous logins, but I see a lot of possibilities for spammers. So, the best way to protect myself from rats is to block all ratholes and open ways.

In any case, in a few days the patch will be published, so I do not see any subject of dispute.

Problem is resolved!

There is a patch for adding anonymous login restriction by IP addresses.

Thank you very much Pallab, your efforts are much appreciated!

I presume this will be incorporated into a future version of Openfire (as I don’t know how to apply the patch otherwise!)?

Thanks,

Ben

What OS do you use?

If Red Hat, I can publish a .spec file for rebuilding the Openfire server.

I am a Debian user, but I don’t mind waiting a while if the patch will be incorporated into Openfire eventually, as there will be a delay before we actually go live with the Fastpath/Webchat system anyway.

Thanks!

Ben

If you have some experience with application rebuilding, you can apply the patch to the Openfire sources and rebuild them.

But pay attention: you will need to convert two files in the sources to Unix text format before applying the patch, like this:

$ cd openfire_src
$ dos2unix src/java/org/jivesoftware/openfire/net/SASLAuthentication.java
$ dos2unix src/java/org/jivesoftware/openfire/session/LocalClientSession.java

Copy the patch file to the openfire_src directory and apply the patch:

$ patch -p1 < anonymous.patch

The next step is building from source. Here is the code from the build section of the rpm .spec file:

$ cd build
$ ant openfire
$ ant -Dplugin=search plugin

These commands will rebuild Openfire from source. After compiling, stop your Openfire server and replace openfire.jar with the new one. Run your server.

In the Admin Console go to Server -> Server Settings -> Registration and Login.

Under the Anonymous login section you will find a textbox. Use the rules from the “Restrict Logins” section for filling it.

This patch was implemented in 3.6.0: http://www.igniterealtime.org/issues/browse/JM-1389