Can specific user logins be restricted to certain ports? (or, how to allow logins from outside firewall, but restrict administrator access to inside firewall)

Added by Chris Metzler 14 days ago

Hi. I posted this in the "Open" general area, but I think I should have posted it here. Any mods can feel free to zap the copy that's over there.

Anyway.

We have been using Redmine for project management for years. One of our projects is expanding, and will soon include participants from other organizations. Since up to this point, the project has been internal, no one outside our organization needed to connect to the Redmine server so we kept it inside our organization's firewall. But now, with folks participating from outside, we would need to configure our firewall so that the Redmine server is exposed. (Long story, but having everyone VPN in is not an option.)

My security folks are OK with us exposing Redmine in this way, provided that Redmine can be configured so that the Redmine accounts with administrator privileges cannot be logged into through the exposed port. In other words, under this hypothetical configuration, the server may perhaps allow access through more than one port; but any port that's visible outside the firewall does not allow users with Redmine administrator access to log in. Users with Redmine administrator status would only be able to authenticate to Redmine via a port that's not visible outside the firewall.

Can this be done? If this is not possible, can anyone think of another way to effect the same result?

The only thing I've been able to come up with is to not have any accounts with Redmine administrator status. Then, when administration of Redmine is necessary, we'd take the machine off the net from its console and then edit/replace configuration files to give an account administrator privileges in Redmine, and then use that to do admin stuff. Then, when done, remove that administrator status and go back to the no-admin user setup before putting the machine back onto the net. But that's a huge pain. Does anyone have any other ideas on how to accomplish this?

Without preventing Redmine administrator logins from outside the firewall, we can't make Redmine available outside the firewall; and without that, we can't use it. We have a lot invested in Redmine at this point, but we'd be forced to migrate off Redmine and onto another project management/issue tracking application.

Thanks much for any help!

Replies (2)

RE: Can specific user logins be restricted to certain ports? (or, how to allow logins from outside firewall, but restrict administrator access to inside firewall) - Added by Chris Metzler 11 days ago

Hi. Just a bump. Anyone with any ideas here?

If no one has any suggestions, can anyone suggest any other sources of assistance with Redmine that I might try?

I think the IT folks are going to make their decision on forcing us to migrate off of Redmine at the end of this week, and I really don't wanna do it.

RE: Can specific user logins be restricted to certain ports? (or, how to allow logins from outside firewall, but restrict administrator access to inside firewall) - Added by Bernhard Rohloff 11 days ago

It feels odd to me because it seems hard to guess an account name plus a password but, well... Policy is policy, right? :-)

So to my sparse knowledge Redmine doesn't have something like this in place out of the box. But as it is a ROR based application it should definitely be possible to get it behaving like you described above. I would also whitelist the admin account rather on your local IP range than on a different port number.

Here is a link for a Rails example you might find interesting:
https://www.driftingruby.com/episodes/restricting-access-by-ip-address
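
As an added example (not code from this thread or from Redmine itself), here is the IP-range allowlist idea from the reply above written as plain Ruby so the policy can be unit-tested outside Rails; the internal ranges, the trusted proxy address and the controller hook sketched in the comments are all assumptions you would adapt to your own deployment.

```ruby
require "ipaddr"

# Assumed internal ranges from which administrator logins are accepted
# (RFC 1918 plus loopback); replace with your organisation's own ranges.
INTERNAL_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 ::1/128]
                  .map { |cidr| IPAddr.new(cidr) }.freeze

# Assumed address of the reverse proxy in front of Redmine. Only a peer in this
# list is allowed to tell us who the real client is via X-Forwarded-For.
TRUSTED_PROXIES = %w[192.168.1.10/32].map { |cidr| IPAddr.new(cidr) }.freeze

# True when ip parses and falls inside one of the given ranges. Garbage input
# and an IPv4/IPv6 family mismatch both count as "not inside".
def in_ranges?(ip, ranges)
  addr = IPAddr.new(ip.to_s)
  ranges.any? { |r| r.family == addr.family && r.include?(addr) }
rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
  false
end

# Resolve the real client address. If the direct peer is not a trusted proxy the
# X-Forwarded-For header is ignored entirely (anyone can set it). If it is, walk
# the header from the right and take the first hop that is not itself a trusted
# proxy; leading values may have been forged by the client.
def client_ip(remote_addr, x_forwarded_for = nil)
  return remote_addr unless in_ranges?(remote_addr, TRUSTED_PROXIES)
  hops = x_forwarded_for.to_s.split(",").map(&:strip).reject(&:empty?)
  hops.reverse_each { |hop| return hop unless in_ranges?(hop, TRUSTED_PROXIES) }
  remote_addr
end

# The policy itself: ordinary accounts log in from anywhere, administrator
# accounts only from an internal address.
def admin_login_allowed?(admin:, remote_addr:, x_forwarded_for: nil)
  return true unless admin
  in_ranges?(client_ip(remote_addr, x_forwarded_for), INTERNAL_RANGES)
end

# Hypothetical Rails hook (not Redmine's actual code) showing where the policy
# would sit: a before_action on the login action that looks up the submitted
# account and refuses the request before the password is even checked.
#
#   before_action :reject_external_admin_login, only: :login
#   def reject_external_admin_login
#     user = User.find_by(login: params[:username])        # hypothetical lookup
#     if user&.admin? && !in_ranges?(client_ip(request.remote_addr,
#                                               request.headers["X-Forwarded-For"]),
#                                    INTERNAL_RANGES)
#       head :forbidden
#     end
#   end
```

The check complements rather than replaces the firewall rule, and it should log refusals so that repeated administrator login attempts from outside show up in monitoring.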
