Where to maintain central source repository?

What is the industry best practice regarding securing access to source code? I am thinking SSL-only connections via Apache to our server on an obscure port that doesn't conflict with anything else. The thing that bothers me is storing source code on a public-facing server, i.e. not only accessible via a LAN. Moreover, this server has several uses. Apache is already serving up some other internal company websites. I would like everyone to be able to access the source code from anywhere (home, airport, whatever) so long as they have the correct credentials. Suggestions?


If you're concerned about it being on a public-facing server but would like access from anywhere, you should consider having your developers use a client-based VPN to log into your network remotely to access an internal source control server.


I'm not too sure why people are thinking the VPN approach is the best. It's not necessarily any more secure and only offers one advantage that I can think of.

PPTP, for example, is known to have less-than-ideal security, although I believe it's improved somewhat since it was first introduced... so be careful which VPN solution you use. I'd go with OpenVPN or IPsec.

However, you can't beat the convenience of SSL/TLS without the VPN (read further down). And to make it even more secure you can make it certificate only.

However, if you think you might offer other services besides source control, then consider a VPN solution, because you'll be able to tunnel those other services over it.

The disadvantage of using a VPN is that your PC effectively becomes part of the network it's connecting into. That can also be an advantage. But if you're a million miles away from home and the network connection to home base isn't too speedy, then every time you want to do a diff or check code in or out you might find yourself connecting and disconnecting the VPN.

I can speak from personal experience here as I am a developer and it was a real pain in the bum to be doing this!!! Ideally, both options are preferred.

So if you're going to be browsing the web etc then it might make reading the news etc rather slow. But at least you get secure access to email. So consider how you'll be using it first... If I were you I'd consider implementing both.


Actually, I like your suggestion. If you make your source code repository accessible ONLY via SSL/TLS, and you make certain that your developers don't use easy-to-brute-force passphrases (or better yet, use certificates), then that should be as secure as anything.

You could, instead, hide your server inside your LAN and force developers to use a VPN to get access, but that just means your developers need to put their username/password (and/or cert) into a different login box. I would recommend against creating an entry point into your network whose security implications may not always be obvious, just to allow access to a single service. If you already have VPN configured and secured for other uses, then sure, it's a no-brainer, go ahead and use it. Otherwise, it may be simpler, and thus more secure, to make the service itself directly available via SSL/TLS.
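The two answers above both land on the same recommendation: expose the repository directly over SSL/TLS and make it certificate-only. The following Apache 2.4 virtual host is an added example of what that looks like; it is not from the original thread or any of the posters. It serves a Subversion repository via mod_dav_svn, refuses anything but TLS, and accepts only clients presenting a certificate issued by an internal CA. The hostname code.example.com, port 8443, the file paths under /etc/ssl and /srv/svn, and the organisation name "Example Corp" are all assumptions for illustration.

```apache
# Added example (not from the original thread): HTTPS-only Subversion access
# with mandatory client certificates. Hostname, port and paths are assumptions.
#
# Nothing for the repository listens on port 80, so there is no plaintext
# path for credentials and no redirect to get wrong. Note that the port number
# itself provides no security; the protection comes from TLS and the
# client-certificate requirement below.
Listen 8443

<VirtualHost *:8443>
    ServerName code.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/private/code.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/code.example.com.key

    # Weak setting this replaces: "SSLProtocol all", which still admits SSLv3
    # and TLS 1.0 on older builds. Restrict to current protocol versions and
    # strong ciphers, and let the server pick the cipher order.
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder     on

    # Certificate-only access. "SSLVerifyClient optional" would let a client
    # with no certificate continue and rely on a later password prompt;
    # "require" closes the connection before any repository URL is reached.
    SSLCACertificateFile    /etc/ssl/ca/internal-dev-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          2

    # Publish a CRL from the internal CA so a cert on a lost laptop can be
    # cut off without reissuing everyone else's.
    SSLCARevocationFile     /etc/ssl/ca/internal-dev-ca.crl
    SSLCARevocationCheck    chain

    <Location /svn>
        DAV svn
        SVNParentPath /srv/svn

        # Belt and braces inside the location: insist on TLS even if someone
        # later adds a plain-HTTP vhost, and only accept certificates whose
        # subject names the company's developer organisation unit, so a cert
        # the same CA issued for some other purpose does not grant access.
        SSLRequireSSL
        Require expr %{SSL_CLIENT_S_DN_O} == "Example Corp" && %{SSL_CLIENT_S_DN_OU} == "Developers"

        # Commit author identity comes from the certificate subject, not from
        # a password, so there is nothing to brute-force at the HTTP layer.
        SSLUserName SSL_CLIENT_S_DN_CN
    </Location>

    ErrorLog  ${APACHE_LOG_DIR}/code-error.log
    CustomLog ${APACHE_LOG_DIR}/code-access.log combined
</VirtualHost>
```

A developer then points the Subversion client at https://code.example.com:8443/svn/<repo> and configures the client-certificate path in ~/.subversion/servers (the ssl-client-cert-file option). Because the existing internal websites live in other virtual hosts on this same Apache, the SSLVerifyClient requirement scoped to this vhost leaves them unaffected; if some of them should also be reachable only by certificate holders, the same two directives move into their vhosts rather than into the global server config.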