SIDVault Security
SIDVault has a number of ways to improve the security of your data, from limiting which users may read selected fields, to limiting which machines may connect by IP address and how many connections each of them may make.
 
The following describes what is available in SIDVault.
 
Within the SIDVault manager's web interface you can see which connections are currently active and list the 'IP Details' history for each module. This is located in the 'IP Limiting' section of 'Site Status'. The manager's web interface is also where you change or set up the security settings described below.
Limiting Access By IP
SIDVault supports limiting protocol connections to selected IP addresses. This is not restricted to the LDAP protocol: each separate protocol (module) can be given its own range of permitted IP addresses.
 
Your sidvault.ini file will contain lines like this:
 
#module manager all 6626 3600 2 manager 127.0.0.1
module ldap all 389 3600 50 main 127.0.0.1,10.0.0.*,192.168.1.*,192.168.0.*
module http all 6680 3600 50 web

The above settings are the SIDVault v1.0k defaults, which allow the most common local area network IP addresses. The last field of a module line is the comma-separated list of permitted addresses; an entry such as 10.0.0.* covers every address in that range. If no IP address list is provided then all connections to that module are accepted, which is the case for the 'http' module in the example above.
 
You should set up the IP limits according to who needs access. We suggest limiting each module to as small a group of trusted computers as possible, and giving every module, including the web interface, an explicit list rather than leaving it open to all addresses.
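As an added example (not SIDVault's own code, and not from the original page), the following Python script reads the module lines shown above and reports, for each module, which addresses it will accept, flagging any module with no list at all. It assumes that the seventh field of a module line is the module id (as the configuration comments in the next section state) and that '*' matches any value in that octet; the meaning of the fifth and sixth fields is not described on this page and the script does not interpret them.

```python
# Added example (not SIDVault's own code): audit the 'module' lines of a
# sidvault.ini and answer "which modules accept a connection from this IP?".
# Assumptions (the page documents the format only by example):
#   module <name> <interface> <port> <f5> <f6> <mod_id> [ip,ip,...]
#   fields 5 and 6 are not interpreted here; '10.0.0.*' matches any last octet;
#   a module with no IP list accepts every address.

# Constructed sample: the v1.0k defaults quoted on this page.
SAMPLE_INI = """\
#module manager all 6626 3600 2 manager 127.0.0.1
module ldap all 389 3600 50 main 127.0.0.1,10.0.0.*,192.168.1.*,192.168.0.*
module http all 6680 3600 50 web
"""

def parse_modules(ini_text):
    """Active module lines -> [{name, port, mod_id, allowed}], skipping '#' lines
    (so the commented-out manager module above is not reported)."""
    modules = []
    for line in ini_text.splitlines():
        fields = line.strip().split()
        if len(fields) < 7 or fields[0] != "module":
            continue
        allowed = fields[7].split(",") if len(fields) > 7 else []
        modules.append({"name": fields[1], "port": int(fields[3]), "mod_id": fields[6],
                        "allowed": [a.strip() for a in allowed if a.strip()]})
    return modules

def ip_matches(ip, pattern):
    """Octet-wise match; '*' in the pattern matches any value for that octet."""
    i, p = ip.split("."), pattern.split(".")
    return len(i) == len(p) == 4 and all(b == "*" or a == b for a, b in zip(i, p))

def module_accepts(module, ip):
    """An empty list means 'accept everything', the page's documented default."""
    return not module["allowed"] or any(ip_matches(ip, pat) for pat in module["allowed"])

def unrestricted_modules(modules):
    """Module ids with no IP list at all: they answer to the whole network."""
    return [m["mod_id"] for m in modules if not m["allowed"]]

def access_report(ini_text, client_ips):
    """{mod_id: {ip: accepted?}} for the client addresses you want to check."""
    return {m["mod_id"]: {ip: module_accepts(m, ip) for ip in client_ips}
            for m in parse_modules(ini_text)}

if __name__ == "__main__":
    mods = parse_modules(SAMPLE_INI)
    for m in mods:
        print(f"{m['mod_id']:5} port {m['port']:5} allowed: {', '.join(m['allowed']) or 'ANY'}")
    print("modules open to all addresses:", unrestricted_modules(mods))
    print(access_report(SAMPLE_INI, ["10.0.0.7", "172.16.0.5"]))
```

Run against the defaults, the report shows the 'main' LDAP module accepting 10.0.0.7 but refusing 172.16.0.5, while the 'web' module accepts both, which is the module you would want to give a list of its own.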
Limiting Usage by IP
SIDVault also supports limiting protocol connections by IP address according to how they are used. You can:
 
1. Limit concurrent connections per IP.
2. 'Ignore' requests if they exceed a certain rate per IP per time period.
3. Limit password guessing (limit guesses per IP per time period).
4. Exempt selected IPs from these checks (allow_ip).

Your sidvault.ini file will contain lines like this:
 
# -----------------------------------------------------------------------------
# Module Security
# ---------------
# SIDVault Supports 
#	1) Limit Concurrent Connections per ip.
#	2) Setting to 'ignore' requests if they exceed a certain rate per 
#          ip per time.
#	3) Password Guessing is limited (limit guesses per ip per time)
#       4) Selected IPs ignore this feature (allow_ip)
#
# max_ip_connection mod_id number
# max_ip_rate mod_id number timeframe blocktime
# max_pass_guess mod_id number timeframe blocktime
#
# mod_id = This is the Module ID. (ie main or web)
# timeframe = in seconds
# blocktime = in seconds - All connections from this IP for this 
#                          time are refused.

allow_ip 127.0.0.1,10.0.0.*,192.168.1.*,192.168.0.*

max_ip_connection main 10
max_ip_rate main 50 30 30
max_pass_guess main 3 30 60

# Web Connections also include images downloads
max_ip_connection web 100
#max_ip_rate web 20 60 60
max_pass_guess web 3 60 60

The above settings are the SIDVault v1.0k defaults. For the 'main' LDAP module they mean that a single IP may hold at most 10 concurrent connections, is ignored for 30 seconds once it exceeds 50 requests in 30 seconds, and is refused for 60 seconds once it exceeds 3 failed password guesses in 30 seconds. The most common local area network addresses are listed in allow_ip so that applications you run within the local area network are never refused a connection for any of these reasons. Note that allow_ip also exempts those addresses from the password-guess limit, so keep the list to hosts you control.
 
You can set up separate rules for each protocol module you define within SIDVault. In the above example the 'main' LDAP server and the 'web' server are configured separately.
 
You can set up multiple separate LDAP ports (143, 1143, 2143, etc.), each having its own limits, if desired.
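To make the three limits concrete, here is an added example (not SIDVault's own code, and not from the original page) that reads the limit lines above into a small per-IP limiter with an injectable clock, then replays a password-guessing burst and a connection flood against it. The page gives the parameters but not the exact algorithm, so the sliding-window semantics, the "more than N" threshold and the octet-wise matching of allow_ip entries are assumptions made for this example.

```python
# Added example (not SIDVault's own code): a model of the per-IP limits
# described above, read from the limit lines of sidvault.ini and driven by an
# injectable clock. Assumptions (the page gives parameters, not the algorithm):
#   max_ip_connection N  : at most N open connections from one IP at a time
#   max_ip_rate N T B    : more than N requests within T seconds -> refused for B seconds
#   max_pass_guess N T B : more than N failed binds within T seconds -> refused for B seconds
#   an IP matching allow_ip ('*' matches a whole octet) bypasses all three checks
from collections import defaultdict, deque

# Constructed sample: the v1.0k defaults quoted on this page.
SAMPLE_LIMITS = """\
allow_ip 127.0.0.1,10.0.0.*,192.168.1.*,192.168.0.*
max_ip_connection main 10
max_ip_rate main 50 30 30
max_pass_guess main 3 30 60
max_ip_connection web 100
#max_ip_rate web 20 60 60
max_pass_guess web 3 60 60
"""

def parse_limits(text):
    """-> {'allow_ip': [...], '<mod_id>': {'max_ip_rate': (N, T, B), ...}, ...}"""
    cfg = {"allow_ip": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split()
        if key == "allow_ip":
            cfg["allow_ip"] = rest[0].split(",")
        elif key in ("max_ip_connection", "max_ip_rate", "max_pass_guess"):
            cfg.setdefault(rest[0], {})[key] = tuple(int(n) for n in rest[1:])
    return cfg

def ip_matches(ip, pattern):
    """Octet-wise match; '*' in the pattern matches any value for that octet."""
    i, p = ip.split("."), pattern.split(".")
    return len(i) == len(p) == 4 and all(b == "*" or a == b for a, b in zip(i, p))

class IpLimiter:
    def __init__(self, cfg, mod_id, clock):
        self.allow, self.limits, self.clock = cfg["allow_ip"], cfg.get(mod_id, {}), clock
        self.blocked_until = {}                   # ip -> time the refusal ends
        self.requests = defaultdict(deque)        # ip -> request timestamps
        self.failures = defaultdict(deque)        # ip -> failed-bind timestamps
        self.open = defaultdict(int)              # ip -> open connection count
    def exempt(self, ip):
        return any(ip_matches(ip, p) for p in self.allow)
    def _exceeded(self, events, limit, now):
        """Forget events older than the window, then test whether count > N."""
        n, window, _ = limit
        while events and now - events[0] > window:
            events.popleft()
        return len(events) > n
    def connect(self, ip):
        """New connection from ip: True if accepted, False if refused."""
        now = self.clock()
        if self.exempt(ip):
            self.open[ip] += 1
            return True
        if self.blocked_until.get(ip, 0) > now:
            return False
        conn = self.limits.get("max_ip_connection")
        if conn and self.open[ip] >= conn[0]:
            return False
        rate = self.limits.get("max_ip_rate")
        if rate:
            self.requests[ip].append(now)
            if self._exceeded(self.requests[ip], rate, now):
                self.blocked_until[ip] = now + rate[2]
                return False
        self.open[ip] += 1
        return True
    def disconnect(self, ip):
        self.open[ip] = max(0, self.open[ip] - 1)
    def failed_bind(self, ip):
        """Record a wrong password from ip; True if ip is now blocked."""
        now, guess = self.clock(), self.limits.get("max_pass_guess")
        if self.exempt(ip) or not guess:
            return False
        self.failures[ip].append(now)
        if self._exceeded(self.failures[ip], guess, now):
            self.blocked_until[ip] = now + guess[2]
            return True
        return False

def brute_force_demo(cfg, mod_id="main", attacker="203.0.113.9"):
    """Four wrong passwords a second apart, a retry at once, a retry 60 s later.
    Returns (blocked_after_4th, accepted_during_block, accepted_after_block)."""
    t = [0]
    lim, blocked = IpLimiter(cfg, mod_id, lambda: t[0]), False
    for _ in range(4):
        if lim.connect(attacker):
            blocked = lim.failed_bind(attacker)
            lim.disconnect(attacker)
        t[0] += 1
    during = lim.connect(attacker)
    t[0] += 60
    return blocked, during, lim.connect(attacker)

def flood_demo(cfg, mod_id, attacker="203.0.113.9", attempts=60):
    """attempts connect/disconnect pairs at one instant; returns how many got through."""
    lim, accepted = IpLimiter(cfg, mod_id, lambda: 0), 0
    for _ in range(attempts):
        if lim.connect(attacker):
            accepted += 1
            lim.disconnect(attacker)
    return accepted
```

With the defaults, the attacking address is refused after its fourth wrong password and admitted again 60 seconds later, an address matching allow_ip is never refused, and the flood gets 50 connections through on 'main' but all 60 on 'web', because the web module's max_ip_rate line is commented out.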
Limiting Selected Fields
SIDVault allows you to assign security levels to fields. These levels range from 0 (everyone) to 20 (SIDVault admin only).
 
The security level is set within the schema files themselves; when no level is defined for a field, the default is to allow everyone access to it.
 
The schemas supplied by default use four levels:
 
8 - All of the SurgeMail/SurgeFTP/SurgeNews extended fields.
10 - User passwords (userPassword, pass_answer).
12 - System settings (createTimestamp, modifyTimestamp, creatorsName, modifiersName).
20 - SIDVault admin only (credit card details).

The above is just a guide, and you can change these levels if you wish by editing the schema files. The schema file example of this is:
 
# All passwords in SIDVault can be encoded
#userPassword = string(128),MATCH-CASE,HIDDEN10
userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SSHA
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SHA
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_CRYPT
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_MD5

The 'HIDDENx' tag sets the security level of the field; a login must hold at least level x to read it.
 
If you wish to set up a user/password login to SIDVault that allows access up to a selected security level, edit the SIDVault 'user.dat' file and include the 'HIDDENx' level the user should have. An example user.dat file is:
 
# Manager Login
manager::*:ALL,HIDDEN20,ADMIN
cn=manager,dc=example,dc=com::*:ALL,HIDDEN20,ADMIN

# My User Login
lynden::*:ALL,HIDDEN8
cn=lynden,dc=example,dc=com::*:ALL,HIDDEN8

In this case 'manager' has full access, but 'lynden' has only level 8 access, which covers the main SurgeMail/SurgeFTP/SurgeNews settings but not the users' passwords (level 10). Each line in user.dat is a separate login entry, so give the short-name entry and the DN entry for a user the same level.
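As an added example (not SIDVault's own code, and not from the original page), the following Python script combines the HIDDENx tags of a schema file with the HIDDENx grant in user.dat to work out which fields a given login may read, and filters an entry accordingly. The page shows both formats only by example, so the script assumes a schema line is '<field> = <type>,<flag>,...' where a missing HIDDENx tag means level 0, that a user.dat line is '<login>::*:<perm>,...' where HIDDENx is the highest level that login may read, and that a login reads a field when its level is at least the field's level. The extra schema fields (surgemailQuota, creditCard, mail) are constructed names chosen to populate the documented levels.

```python
# Added example (not SIDVault's own code): derive "who can read which field"
# from the HIDDENx tags of a schema and the HIDDENx grants in user.dat.
# Assumptions: a field without a HIDDENx tag is level 0 (everyone); a login's
# HIDDENx is the highest level it may read; login level >= field level grants access.
import re

# Constructed sample schema: the userPassword line from this page plus
# invented fields at the other documented levels (8, 12, 20) and one unmarked.
SAMPLE_SCHEMA = """\
# All passwords in SIDVault can be encoded
#userPassword = string(128),MATCH-CASE,HIDDEN10
userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SSHA
mail = string(128)
surgemailQuota = string(32),HIDDEN8
modifyTimestamp = string(32),HIDDEN12
creditCard = string(32),HIDDEN20
"""

# Constructed sample user.dat: the entries quoted on this page.
SAMPLE_USERS = """\
# Manager Login
manager::*:ALL,HIDDEN20,ADMIN
cn=manager,dc=example,dc=com::*:ALL,HIDDEN20,ADMIN

# My User Login
lynden::*:ALL,HIDDEN8
cn=lynden,dc=example,dc=com::*:ALL,HIDDEN8
"""

HIDDEN_RE = re.compile(r"^HIDDEN(\d+)$")

def _hidden_level(flags):
    """Highest HIDDENx among a list of flags; 0 when there is none."""
    levels = [0]
    for f in flags:
        m = HIDDEN_RE.match(f.strip())
        if m:
            levels.append(int(m.group(1)))
    return max(levels)

def parse_schema(text):
    """Return {field: level}; a field with no HIDDENx tag is level 0."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, spec = (s.strip() for s in line.split("=", 1))
        fields[name] = _hidden_level(spec.split(","))
    return fields

def parse_users(text):
    """Return {login: level} from user.dat; an entry without HIDDENx is level 0."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)          # login, empty, '*', permission list
        if len(parts) < 4:
            continue
        users[parts[0]] = _hidden_level(parts[3].split(","))
    return users

def visible_fields(schema, users, login):
    """Fields the login may read: field level <= login level (unknown login = 0)."""
    level = users.get(login, 0)
    return sorted(f for f, lvl in schema.items() if lvl <= level)

def filter_entry(schema, users, login, entry):
    """Drop the fields of an LDAP entry (a dict) that the login may not read."""
    allowed = set(visible_fields(schema, users, login))
    return {k: v for k, v in entry.items() if k in allowed}

if __name__ == "__main__":
    schema, users = parse_schema(SAMPLE_SCHEMA), parse_users(SAMPLE_USERS)
    for login in ("manager", "lynden", "anonymous"):
        print(f"{login:10} level {users.get(login, 0):2}: {visible_fields(schema, users, login)}")
```

The output shows 'lynden' (level 8) reading the unmarked 'mail' field and the level-8 SurgeMail field but not 'userPassword' (level 10), while an unknown login sees only the unmarked field.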
Encoding Passwords
SIDVault allows you to choose the encoding method used to store passwords in the LDAP server.
 
SIDVault supports four encoding methods as well as clear text passwords:
 
1. SSHA.
2. SHA.
3. Unix Crypt.
4. MD5.
5. Clear Text.

The default schemas are set up to use SSHA encoding. To change this you will need to edit the schema files. The example of this is:
 
# All passwords in SIDVault can be encoded
#userPassword = string(128),MATCH-CASE,HIDDEN10
userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SSHA
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_SHA
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_CRYPT
#userPassword = string(128),MATCH-CASE,HIDDEN10,CODED_MD5

All you need to do is uncomment the line for the encoding method you want and comment out the SSHA line. Passwords that have already been stored keep their existing encoding until they are set again, so changing the method does not re-encode existing entries.
 
Not only passwords can be encoded: you can encode any field of your choosing where decoding back to the original value is not required, since the stored value is a one-way hash that can only be compared against, not read back.
 
We suggest that you do not use clear text passwords unless you have an application that requires them. Of the encoded methods, SSHA (the default) adds a random salt to each password; plain SHA and MD5 do not, so two users with the same password get the same stored value and precomputed lookup tables apply to them.
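As an added example (not SIDVault's own code, and not from the original page), the following Python script produces and verifies stored values for the SSHA, SHA and MD5 methods listed above plus clear text, shows why salted SSHA is the safer default, and demonstrates the migration pattern that follows from existing entries only changing when set again. It assumes the common LDAP '{SCHEME}base64' storage convention (for SSHA, base64 of the SHA-1 digest of password plus salt, followed by the salt); the page does not show SIDVault's on-disk format. Unix crypt is left out because Python's crypt module is removed in Python 3.13.

```python
# Added example (not SIDVault's own code): encode, verify and migrate stored
# password values. Assumption: values use the usual LDAP '{SCHEME}base64'
# convention, SSHA = base64(sha1(pw + salt) + salt); SIDVault's exact format is
# not shown on the page. Unix crypt is omitted (Python's crypt module is gone in 3.13).
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # sha1 digest length; in an SSHA value the salt follows the digest

def encode_password(password, scheme="SSHA", salt=None):
    """Return the value to store for password under the given scheme."""
    pw = password.encode()
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt     # fresh random salt per password
        return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "CLEAR":
        return password
    raise ValueError("unsupported scheme: " + scheme)

def scheme_of(stored):
    """'SSHA', 'SHA', 'MD5', or 'CLEAR' for an unprefixed value."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return "CLEAR"

def stored_digest_hex(stored):
    """Hex of the hash part of a stored value (the salt, if any, is excluded)."""
    raw = base64.b64decode(stored[stored.index("}") + 1:])
    return (raw[:SHA1_LEN] if scheme_of(stored) == "SSHA" else raw).hex()

def verify_password(password, stored):
    """Constant-time comparison of password against a stored value of any scheme."""
    pw, scheme = password.encode(), scheme_of(stored)
    if scheme == "CLEAR":
        return hmac.compare_digest(pw, stored.encode())
    raw = base64.b64decode(stored[len(scheme) + 2:])
    if scheme == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    return False

def same_stored_value(password, scheme):
    """Encode one password twice, as for two users who chose it; True means the
    stored values are identical, which is what unsalted SHA and MD5 give."""
    return encode_password(password, scheme) == encode_password(password, scheme)

def upgrade_on_login(password, stored, target="SSHA"):
    """A stored value only changes when the password is set again, so a
    migration re-encodes on a successful login: returns the value to write back
    (unchanged if already in the target scheme), or None if the login failed."""
    if not verify_password(password, stored):
        return None
    return stored if scheme_of(stored) == target else encode_password(password, target)

if __name__ == "__main__":
    for scheme in ("SSHA", "SHA", "MD5", "CLEAR"):
        print(f"{scheme:5} {encode_password('hunter2', scheme)}  "
              f"same value for two users: {same_stored_value('hunter2', scheme)}")
```

Two users choosing the same password get identical {SHA} and {MD5} values but different {SSHA} values, and upgrade_on_login lets you move old MD5 or clear text entries to SSHA gradually without a bulk reset.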