# How to Harden Your Application

# Enable two-factor SMS authentication

## <span class="mw-headline" id="bkmrk-understanding-two-fa-1">Understanding two factor authentication</span>

Two-factor security requires an authenticated user to either:

1. Provide a passcode sent to their cell phone,
2. Log in from one of the office IP addresses ("Office IP"), or
3. Log in from an IP address they have successfully logged in from X times before ("Home IP")

The IP-based options are optional exemptions from the passcode, and Home IP is a subset of the Office IP solution.

Note: This functionality is still considered BETA

## <span class="mw-headline" id="bkmrk-preparation-1">Preparation</span>

To enable two-factor authentication for users you will need to prepare the following:

- A list of IP addresses that should not require two-factor authentication
- A messaging URL for sending SMS messages

Optionally, you will also enter cell phone numbers for all employees in their user profiles.

## <span class="mw-headline" id="bkmrk-step-by-step-setup-1">Step by step setup</span>

### <span class="mw-headline" id="bkmrk-system-configuration-1">System configuration</span>

First you will set up the system to run in test mode (**smsTestMode** set to true), so that you can check that messages are being sent. After checking that everything works, disable test mode.

Change the server configuration:

- Set **smsConnectUrl** to your connection URL
- Check that **smsParamMessage** matches the parameter name your SMS provider uses for the message text
- Check that **smsParamNumber** matches the parameter name your SMS provider uses for the recipient number

Optionally, you can allow IP-based exceptions from the passcode rule:

- Set **passcodeTrustedIp** to true
- Set **passcodeTrustedIpList** to contain your office IP addresses

Furthermore, you can let repeated successful logins from the same IP address exempt it from the passcode:

- Set **passcodeUserIpHistory** to true
- Set **passcodeUserIpHistoryCount** to the minimum number of successful logins required before an IP address is trusted
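The rules above, modelled as an added example (this is not Tempus Serva's code; the setting names mirror the page, while the CIDR ranges, thresholds, SMS parameter names, passcode lifetime and all function names are assumptions). It shows the order of the checks and two details the page leaves implicit: the passcode is drawn from a CSPRNG and verified in constant time, single-use and time-limited; and IP exemptions are only as good as the client address the application sees, so behind a reverse proxy the real address must be recovered from a header the proxy controls (in Tomcat, RemoteIpValve) rather than from anything the client can set.

```python
"""Illustrative model of the passcode gating rules on this page.

Added example, not Tempus Serva's own code: the CONFIG keys mirror the setting
names on this page, but the CIDR list, threshold, TTL, SMS parameter names and
all function names are assumptions chosen for the illustration.
"""
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

CONFIG = {
    "passcodeTrustedIp": True,
    # Constructed office ranges (RFC 5737 TEST-NET addresses, not real offices).
    "passcodeTrustedIpList": ["203.0.113.0/24", "198.51.100.7"],
    "passcodeUserIpHistory": True,
    "passcodeUserIpHistoryCount": 3,
    "smsConnectUrl": "https://sms.example.invalid/send",
    "smsParamNumber": "to",          # assumed provider parameter names
    "smsParamMessage": "text",
    "passcodeTtlSeconds": 300,       # assumption: the page states no lifetime
}


def is_office_ip(client_ip: str, cfg: dict = CONFIG) -> bool:
    """Office IP: the address lies inside one of the trusted networks."""
    if not cfg["passcodeTrustedIp"]:
        return False
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in cfg["passcodeTrustedIpList"])


def is_home_ip(client_ip: str, history: dict, cfg: dict = CONFIG) -> bool:
    """Home IP: history maps address -> earlier successful logins from it."""
    if not cfg["passcodeUserIpHistory"]:
        return False
    return history.get(client_ip, 0) >= cfg["passcodeUserIpHistoryCount"]


def passcode_required(client_ip: str, history: dict, cfg: dict = CONFIG) -> bool:
    """A passcode is required unless the login comes from an Office or Home IP.

    client_ip must be the real peer address.  Behind a reverse proxy the peer
    is the proxy itself, so take the address only from a header the proxy is
    known to overwrite; a client-supplied X-Forwarded-For bypasses this check.
    """
    return not (is_office_ip(client_ip, cfg) or is_home_ip(client_ip, history, cfg))


@dataclass
class IssuedPasscode:
    code: str
    issued_at: float
    used: bool = False


def issue_passcode(now: Optional[float] = None) -> IssuedPasscode:
    """Six digits from the CSPRNG (random.randint is not acceptable here)."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    return IssuedPasscode(code, time.time() if now is None else now)


def verify_passcode(issued: IssuedPasscode, submitted: str,
                    now: Optional[float] = None, cfg: dict = CONFIG) -> bool:
    """Single-use, time-limited, constant-time comparison."""
    now = time.time() if now is None else now
    if issued.used or now - issued.issued_at > cfg["passcodeTtlSeconds"]:
        return False
    if not hmac.compare_digest(issued.code.encode(), submitted.encode()):
        return False
    issued.used = True
    return True


def sms_request_url(number: str, message: str, cfg: dict = CONFIG) -> str:
    """URL the gateway would be called with; compare it against the provider docs."""
    params = {cfg["smsParamNumber"]: number, cfg["smsParamMessage"]: message}
    return cfg["smsConnectUrl"] + "?" + urlencode(params)


if __name__ == "__main__":
    history = {"192.0.2.10": 3}          # constructed login history
    for ip in ("203.0.113.44", "192.0.2.10", "192.0.2.99"):
        print(ip, "passcode required:", passcode_required(ip, history))
    pc = issue_passcode()
    print(sms_request_url("+4512345678", f"Your login code is {pc.code}"))
```

The `sms_request_url` output is the thing to compare with your provider's documentation before leaving test mode: if the parameter names differ, adjust **smsParamNumber** and **smsParamMessage** rather than the provider side.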

### <span class="mw-headline" id="bkmrk-activate-passcode-fi-1">Activate passcode filters</span>

Stop the application server

Go to the application folder and open `<application>\WEB-INF\web.xml`

Uncomment the section containing the filter and its filter mapping:

```xml
 <filter>
    <filter-name>TwoFactorAuthentication</filter-name>
    <filter-class>dk.tempusserva.passcode.SmsVerificationFilter</filter-class>
 </filter>
 <filter-mapping>
    <filter-name>TwoFactorAuthentication</filter-name>
    <url-pattern>/main</url-pattern>
 </filter-mapping>
```

Start the application server

### <span class="mw-headline" id="bkmrk-test-and-go-live-1">Test and go live</span>

Validate that two-factor login works as intended: a login from an address outside the trusted list must ask for a passcode, a login from a trusted office IP must not, and a wrong passcode must be rejected.

Change the server configuration:

- Set **smsTestMode** to false

# Hardening Tomcat

### <span class="mw-headline" id="bkmrk-secure-ssl-ciphers-1">Secure SSL ciphers</span>

If you are running your Tomcat installation behind a reverse proxy that terminates SSL/TLS, these settings do not apply to Tomcat; apply the equivalent cipher policy on the proxy instead.

In the HTTPS connector in `<tomcat>\conf\server.xml`, set the `ciphers` attribute to the following list:

```
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256
```

List updated: 2018-02-07. Note that this list still contains a 3DES suite and several static-RSA suites without forward secrecy, which current guidance and SSL Labs grading penalise; regenerate the list from a current source before use and run the SSL test below afterwards.
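Before pasting a cipher list into server.xml it is worth classifying each suite. The following is an added example, not code from the page or the vendor: it parses the comma-separated form Tomcat's `ciphers` attribute uses and flags suites without forward secrecy, without AEAD, or built on deprecated primitives, run here against the page's own 2018 list. The classification rules and marker strings are this example's assumptions, not Tomcat's checks.

```python
"""Classify an IANA cipher-suite list before pasting it into server.xml.

Added example, not from the page or the vendor.  The rules encode widely
published guidance (forward-secret (EC)DHE key exchange, AEAD record
protection, no 3DES/RC4/export suites); they are not Tomcat's own checks.
"""

# The page's 2018 list, copied verbatim for the audit below.
PAGE_LIST_2018 = (
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256"
)

TLS13_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_")  # TLS 1.3 suites: always (EC)DHE + AEAD
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")
BROKEN_MARKERS = ("_RC4_", "_NULL_", "EXPORT", "_DES_", "_MD5", "_anon_")


def parse_suites(text: str) -> list:
    """Split the comma-separated form used in Tomcat's ciphers attribute."""
    return [s.strip() for s in text.split(",") if s.strip()]


def classify(suite: str) -> list:
    """Return the reasons a suite should not be offered; empty means acceptable."""
    if suite.startswith(TLS13_PREFIXES):
        return []
    issues = []
    if any(m in suite for m in BROKEN_MARKERS):
        issues.append("broken or null primitive")
    if "3DES" in suite:
        issues.append("3DES: 64-bit block cipher, deprecated")
    if "DHE_" not in suite:            # matches both ECDHE_ and DHE_
        issues.append("no forward secrecy: static RSA key exchange")
    if not any(m in suite for m in AEAD_MARKERS):
        issues.append("CBC/HMAC construction rather than AEAD")
    return issues


def audit(text: str) -> dict:
    """Map each suite in the list to its issues."""
    return {s: classify(s) for s in parse_suites(text)}


def acceptable(text: str) -> list:
    """Suites from the list that raise no issue, in the original order."""
    return [s for s, issues in audit(text).items() if not issues]


if __name__ == "__main__":
    for suite, issues in audit(PAGE_LIST_2018).items():
        print(suite, "->", "; ".join(issues) or "ok")
    print("acceptable:", acceptable(PAGE_LIST_2018))
```

Run against the 2018 list, no suite comes through clean: the ECDHE suites are all CBC, the GCM suite has no forward secrecy, and the 3DES suite fails on both counts. A list of ECDHE GCM/ChaCha20 suites plus the TLS 1.3 suites passes.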

### <span class="mw-headline" id="bkmrk-secure-headers-1">Secure headers</span>

If you are running your Tomcat installation behind a reverse proxy, the proxy can add these headers instead; they must be set at one of the two layers.

In the SERVER web.xml (`<tomcat>\conf\web.xml`) uncomment the following sections:

```xml
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
</filter>
```

```xml
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

### <span class="mw-headline" id="bkmrk-additional-crsf-filt-1">Additional CSRF filtering</span>

The TS platform already protects against CSRF attacks: a CSRF token is generated at login and required for all data-altering transactions.

The TS implementation does not use rotating or page-specific CSRF tokens, so if additional security is needed, use the [OWASP CSRFGuard implementation](https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project).

### <span id="bkmrk-"></span><span class="mw-headline" id="bkmrk-additional-security--1">Additional security filters</span>

Tempus Serva comes with multiple additional security features

- Lock user session to IP
- Lock service to listed countries
- Use passcode sent by SMS

The filters are activated by uncommenting the code in the application's /WEB-INF/web.xml.

Note that the filters can be mapped to any part of the application (login, designer, web interface and REST) by adjusting their url-pattern.

### <span class="mw-headline" id="bkmrk-validating-your-site-1">Validating your site</span>

You can use the following services to check the security of your installation

#### <span class="mw-headline" id="bkmrk-test-ssl-1">Test SSL</span>

Tip: on SSL Labs, remember to tick "Do not show the results on the boards" so that your hostname and grade are not published.

[https://www.ssllabs.com/ssltest/](https://www.ssllabs.com/ssltest/)

[https://sikkerpånettet.dk/](https://xn--sikkerpnettet-vfb.dk/)

#### <span class="mw-headline" id="bkmrk-test-headers-1">Test Headers</span>

[https://tools.geekflare.com/report/header-security-test](https://tools.geekflare.com/report/header-security-test)