I'm working on a Rails project and I would ideally like to restrict each user to only be able to access my application with 2 devices (in order to limit username & password sharing). I am currently using Devise for user authentication. I've researched this through SO and the Devise documentation, but haven't found any solutions yet. Surely I can't be the first person with this need. Anyone have any ideas on how this could be accomplished?
You can do this by storing the device's unique ID in the database.
Create a separate table where you store the IDs of logged-in devices and check it during authentication.
For a hardware dependent identification key, we can also use a MAC address.
A Media Access Control address (MAC address) is a unique identifier
assigned to network interfaces for communications on the physical
network segment. MAC addresses are most often assigned by the
manufacturer of a network interface card (NIC) and are stored in its
hardware, the card's read-only memory, or some other firmware
mechanism. [wikipedia]
Here is a gem for finding the MAC address:
https://github.com/ahoward/macaddr
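The "separate table" check described in the first answer, as an added Ruby example that is not from the original posts. It assumes the device identifier is a random token the server issues and keeps in a signed cookie (a Rails server cannot read a browser's MAC address), and it uses an in-memory hash where the application would use a table; `DeviceRegistry` and its methods are hypothetical names.

```ruby
require "securerandom"
require "digest"

# Added example: in-memory stand-in for the "separate table" of devices.
# In a Rails app this would be a model (hypothetical name: UserDevice) with
# user_id and token_digest columns and a unique index on the pair.
class DeviceRegistry
  MAX_DEVICES = 2 # limit taken from the question

  def initialize
    @rows = Hash.new { |h, k| h[k] = [] } # user_id => [token_digest, ...]
  end

  # Call after the password check succeeds. `token` is the value of the
  # device cookie (assumption), or nil for a browser that has none.
  # Returns [status, token]; status is :known, :enrolled or :rejected.
  def authorize(user_id, token)
    digests = @rows[user_id]
    return [:known, token] if token && digests.include?(digest(token))
    return [:rejected, nil] if digests.size >= MAX_DEVICES

    fresh = SecureRandom.hex(32) # server-generated, never client-supplied
    digests << digest(fresh)
    [:enrolled, fresh]
  end

  # Frees a slot, e.g. from an account settings page.
  def revoke(user_id, token)
    !@rows[user_id].delete(digest(token)).nil?
  end

  def device_count(user_id)
    @rows[user_id].size
  end

  private

  # Store only a digest so a leaked table does not yield usable cookies.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

A cleared cookie counts as a new device here, so a `revoke` path is what keeps legitimate users from locking themselves out.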
Related
I'm currently looking into some ways to identify different machines using my software. I am working with an old gaming console on which I cannot access the typical unique identifiers most people would use (HWID, etc.).
After looking through the SDK required to compile software on this old gaming console, I noticed I can get a user's DHCP Host Name. (You can view your DHCP Host Name on a Windows machine by entering "hostname.exe" within command prompt.)
So my question is, would using the DHCP Host Name as a way to uniquely identify different machines accessing my software be effective in differentiating different users?
We're trying to set up a Windows Continuous Integration server in the cloud that has software with a particularly difficult licensing scheme (a certain embedded software compiler). This compiler either lets the user run with a dongle, or node locks the software to run on a specific set of hardware. Seeing as how we can't exactly ship off a dongle to Amazon to plug in to our machine for us, we want to use the node locked licensing scheme with this software.
However, in order for this license to remain valid, my EC2 instance needs to have a set of "static" hardware IDs. We don't actually know which hardware IDs this software will look for (and they won't tell us), but I'd like to know which hardware IDs I should expect to change with instance restarts, and which hardware IDs, if any, I can lock down through proper configuration of my EC2 instance.
For example, I already know that I can lock down the MAC address of the Network Interface using Amazon's Elastic Network Interface (ENI). Is there any other configuration I can do, or need to do, in order to get a set of static hardware IDs?
I have to develop functionality wherein, when a USB storage device is connected to a Linux machine, my password window will pop up. If the user enters the password correctly, the device will proceed to mounting. If the password is wrong, the device should not be accessible to the user. It's like endpoint protection for Linux operating systems.
How can we achieve this in Linux user space only?
Here I don't want to go for kernel mode programming, as it is very time-consuming and involves issues related to distribution-wide compatibility.
Also the solution should be generic to all kernel versions and Linux distributions.
Thanks in advance.
To restrict any external USB storage media,
blacklist the driver responsible for supporting USB mass storage.
For example on Ubuntu, add the following lines to the end of the file /etc/modprobe.d/blacklist.conf.
# disable usb storage access
blacklist usb_storage
On subsequent reboots usb storage devices will not be supported until the driver is loaded first (which only a superuser can do).
Note that ONLY a superuser account can modify this blacklist file in the first place.
Now you could simply remove the kernel module for USB mass storage as a superuser
rmmod usb_storage
Only a superuser can now modprobe or insmod the usb storage driver to enable USB storage media.
One could write a GUI application running as a superuser that can prompt the user for a password and load/remove the usb_storage.ko as required.
Do note that the application now becomes the target of attacks and depending on how it stores/verifies the password, it could be easily bypassed by a reasonably motivated "attacker".
Also note that with this approach, it is an ALL or nothing feature i.e. once authenticated, then any USB storage media will be accessible on all USB ports until they are disabled back again by unloading the usb_storage.ko module.
To protect data within external USB media,
start using encrypted storage devices with the help of dm-crypt or ecryptfs.
Essentially you need to encrypt the external USB storage media first. Subsequently when it is connected to the system, depending upon the configuration:
the user has to run a couple of commands on the terminal (and provide the password)
OR
the system prompts for the password and, once provided, attempts to mount the encrypted disk.
Refer to the following wiki for a step-by-step guide to creating encrypted external disks, and configuring an Ubuntu Linux machine such that it prompts for password and auto-mounts encrypted disks when connected.
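For the driver-blacklist half of this answer, an added Ruby example (not part of the original answer) that classifies what a modprobe configuration enforces: a `blacklist` line only stops automatic loading when a device is plugged in, while an `install` override also changes what `modprobe usb_storage` does. The function name, level names and sample configs are made up for the illustration.

```ruby
# Added example: classify how modprobe configuration treats usb_storage.
# Feed it the text of the files under /etc/modprobe.d/ (or copies of them).
def usb_storage_policy(config_text)
  blacklisted = false
  install_cmd = nil
  # A trailing backslash continues a directive on the next line.
  config_text.gsub(/\\\r?\n/, " ").each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    directive, mod, *rest = line.split
    next if mod.nil?
    # modprobe treats "-" and "_" in module names as the same character.
    next unless mod.tr("-", "_") == "usb_storage"
    case directive
    when "blacklist" then blacklisted = true
    when "install"   then install_cmd = rest.join(" ")
    end
  end

  level =
    if install_cmd && install_cmd !~ /\b(modprobe|insmod)\b/
      :modprobe_blocked # "modprobe usb_storage" runs install_cmd instead
    elsif blacklisted
      :autoload_blocked # hotplug will not load it; root still can by name
    else
      :unrestricted
    end
  { level: level, blacklisted: blacklisted, install_cmd: install_cmd }
end

# Constructed sample inputs: the answer's two lines, and a stricter variant.
ANSWER_CONFIG = <<~CONF
  # disable usb storage access
  blacklist usb_storage
CONF

STRICTER_CONFIG = <<~CONF
  blacklist usb-storage
  install usb-storage /bin/false
CONF
```

Neither setting stops a superuser from loading the module file directly with `insmod`, which matches the answer's point that the control rests on superuser access.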
I have two systems (A & B) that I need to integrate with each other using web services, so I am thinking of implementing the following security mechanism:
System B will send a request containing a username and password to system A asking for the one-time 64-char password.
System A will send a one-time password containing 64 characters to system B.
System B will call system A web services using the 64-character password.
System A will check if the 64-char password is valid.
System A will respond to system B's request.
System A will remove the 64-char password from the valid passwords (so in case system B or another system calls system A web services using the previously generated 64-char password, the call will fail).
System A will generate a new 64-char password and send it to system B when needed.
System B calls system A web service using the new 64-char password.
So my question is: will this approach be secure, bearing in mind that I will implement the communication between the two systems over HTTPS?
Best Regards
There are many security considerations that need to be taken into account. So let's start:
Are both systems publicly accessible?
Are both systems' WSs publicly accessible?
Do you want to implement encryption? In transport or access control?
From what I can tell, I presume your systems' WSs are not publicly accessible and, let's say, proxies incorporate some sort of certificate authentication just as an extra layer of control, and some form of access control lists to limit the IP range of client systems.
The second thing is that you probably want to do some kind of access control rather than encryption, i.e. user A can view doc aa and ab, and your system A knows those rules but system B does not, but it holds the actual data.
Analyzing your protocol: if system A authenticates against system B and gets a valid OTP, there are some things to consider:
what will be the validity period of such an OTP?
how will you provide uniqueness?
will they be context dependent?
All this is needed because you would not want some more-than-average user to substitute data identifiers and, with a valid OTP, access something that he/she shouldn't. Security is a slippery subject; I would recommend Security Engineering by Ross Anderson and Computer Security by Dieter Gollmann as starters :).
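The three questions this answer raises (validity period, uniqueness, context dependence) applied to the 64-character one-time password from the question, as an added Ruby example that is not code from either post. It shows system A's side only; the class name, the 60-second lifetime and the `client`/`resource` binding are assumptions.

```ruby
require "securerandom"
require "digest"

# Added example: system A's store of issued one-time passwords.
class OneTimePasswordStore
  TTL_SECONDS = 60 # validity period (assumed value)

  # `clock` is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @issued = {} # sha256(otp) => { client:, resource:, expires_at: }
  end

  # After system B's username/password check: issue a 64-char OTP bound to
  # that client and to the resource it asked for (the context).
  def issue(client:, resource:)
    otp = SecureRandom.hex(32) # 64 hex chars from the OS CSPRNG: uniqueness
    @issued[key(otp)] = { client: client, resource: resource,
                          expires_at: @clock.call + TTL_SECONDS }
    otp
  end

  # Valid once, before expiry, for the same client and resource. The entry
  # is deleted before any other check, so a replay or a failed attempt
  # also consumes the OTP.
  def redeem(otp, client:, resource:)
    entry = @issued.delete(key(otp.to_s))
    return :unknown_or_used if entry.nil?
    return :expired if @clock.call > entry[:expires_at]
    return :wrong_context unless entry[:client] == client &&
                                 entry[:resource] == resource

    :ok
  end

  private

  # Keep only digests so a dump of the store holds no usable OTPs.
  def key(otp)
    Digest::SHA256.hexdigest(otp)
  end
end
```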
Is there any reliable geolocation service which could provide me with the latitude and longitude of a mobile device?
I need something like Google Gears (which is unfortunately discontinued) where I can give various data about the carrier's cell the device is currently in etc. and get the latitude and longitude.
If the device you have does not support the Location API in HTML5, then you can use the IP address to get the location of the device. Have a look at services like www.maxmind.com. They have a basic free service that does location lookup based on IP. The free service is accurate to city level. Beware that:
You'll need to implement this server side
Its accuracy is limited, and can be confused by people connecting over corporate networks, or proxies like Opera Mobile Browser.
HTML5 includes a geolocation method: see http://html5demos.com/geo
So it turns out that for a GSM Blackberry device with OS 5 there is no good alternative for getting the location to the standard satellite lock.
WIFI and Cellsite services are not available and unless you have a very good server with huge database with locations of carrier cells all over the world you cannot do anything effective.