
Deleting initial admin user?

For security reasons, I'd like to replace the 'admin' user with a user of a different name with admin privileges. Is this possible?

Thanks!

Comments

  • No, the initial 'admin' user cannot be deleted - only its password can be changed. I'm curious, do you think it's a security threat? A potential attacker still has to figure out the password and you can make this arbitrarily difficult.

    Best,

    Kristian

  • Thanks for letting me know!

    I am new to administrative best practices, but I do think that 'admin' is a common user ID to attempt a brute force attack with, so I believe it is a good idea to change it. While we have a very strong password, the server is publicly accessible, so there is a possibility of attack (I see unknown IPs attempting to log in relatively frequently in the logs).

    Other things (probably more important than changing the name) I would suggest to address this:

    • Being able to make an IP ban after several incorrect logins.
    • Two-factor authentication

    Just a possible suggestion! Or if you could point me to resources to figure out how to do this myself - I just don't have much experience, but I could try to figure it out.

  • I don't think brute force attacks are a threat if you use a proper password. One could argue that having a known username makes denial-of-service attacks more efficient, since it takes more of the server's resources to compare a password (via hash) than just to compare a username - but I think this is marginal. And seeing unknown IPs attempting to log in is a common sight on public servers. Public IPs get automatically scanned en masse for weaknesses, like the most common username/password combinations.

    Being able to make an IP ban after several incorrect logins.

    JATOS already has something similar: after 3 failed log-in attempts one is banned for 1 minute from making any further attempt with this username. It's effective, although blocking by IP would be even better.

    Two-factor authentication

    I agree it would be nice. We are about to add tokens to make JATOS' API more accessible (https://github.com/JATOS/JATOS/issues/257). Maybe we can add two-factor-auth too when we are already on it. If you want to give it a try: the three most important resources are

    Best,

    Kristian
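The lockout policy described above (3 failed attempts, 1-minute ban per username), extended with the per-IP ban the thread asks for and with the throttle checked before the password hash so that a banned name costs the server no hashing work (the denial-of-service point earlier in the thread). This is an added illustration in Python, not JATOS code; the account, salts and IPs are constructed for the demo, and the injectable clock exists only so the ban expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

class LoginThrottle:
    def __init__(self, max_failures=3, ban_seconds=60, clock=time.monotonic):
        self.max_failures, self.ban_seconds, self.clock = max_failures, ban_seconds, clock
        self._state = {}  # (kind, value) -> [failure_count, banned_until]
    def locked(self, username, ip):
        return any(self._state.get(k, [0, 0.0])[1] > self.clock() for k in (("user", username), ("ip", ip)))
    def failure(self, username, ip):
        for key in (("user", username), ("ip", ip)):
            count, until = self._state.get(key, [0, 0.0])
            count += 1
            if count >= self.max_failures:  # start the ban, reset the counter
                count, until = 0, self.clock() + self.ban_seconds
            self._state[key] = [count, until]
    def success(self, username, ip):
        self._state.pop(("user", username), None)
        self._state.pop(("ip", ip), None)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)  # constructed demo account, not a real credential
USERS = {"admin": (_SALT, hash_password("correct horse battery staple", _SALT))}
_DUMMY = (os.urandom(16), os.urandom(32))  # unknown usernames still pay for a hash
def attempt_login(throttle, username, password, ip):
    """Return 'locked', 'ok' or 'bad'. The throttle check runs before the hash,
    so a banned username/IP costs the server no PBKDF2 work (the DoS point)."""
    if throttle.locked(username, ip):
        return "locked"
    salt, expected = USERS.get(username, _DUMMY)
    if hmac.compare_digest(hash_password(password, salt), expected):
        throttle.success(username, ip)
        return "ok"
    throttle.failure(username, ip)
    return "bad"

def demo():
    """3 bad guesses for 'admin' from one IP, then the 1-minute ban, then expiry."""
    clock, ip, good = [1000.0], "203.0.113.5", "correct horse battery staple"
    throttle = LoginThrottle(clock=lambda: clock[0])
    results = [attempt_login(throttle, "admin", "guess", ip) for _ in range(3)]
    results += [attempt_login(throttle, "admin", good, ip),    # banned by username and IP
                attempt_login(throttle, "alice", "guess", ip)]  # other user, same IP: IP ban
    clock[0] += 61  # ban has expired; counters were reset when it started
    results.append(attempt_login(throttle, "admin", good, ip))
    return results
```

Note that the state lives in process memory; a real deployment behind several app instances would keep the counters in a shared store so an attacker cannot spread attempts across instances.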

  • Many thanks, Kristian! This all makes perfect sense.

    Being able to make an IP ban after several incorrect logins.

    Is this a built in feature, or something I need to toggle on? Just checking to make sure I have it. But that is a great thing, thanks!

  • This banning-by-username-after-3-failed-login-attempts comes out of the box.

    Btw. there is a config that you might want to turn on to increase security: https://www.jatos.org/Configure-JATOS-on-a-Server.html#user-session-configuration

    Best,

    Kristian
