I have deployed osTicket so that it is accessible on the office LAN; however, it would obviously be useful for users to be able to access the system without having to open a VPN tunnel into the office (e.g. what if the problem *is* to do with VPN access - how will they submit a ticket?)

The problem I can see if I opened this up to the www is that the system will almost definitely be targeted by bots auto-filling forms... especially as osTicket does not require log-in to submit a ticket - how do you deal with this?

Allowing on an IP basis is not an option.

10 days later

You need to give more details on your setup. It really is based on what OS you're using.

Generally speaking, I would look up steps to secure your web server and implement them.

If you do open it up to the cloud, you need to have your firewall close all ports except the ones needed (80, 995, etc.). The biggest one that most people forget to do is "hide" the Apache version you're using. A quick Google search can get you set up on that.

Personally, I like to have a honeypot set up.

You can activate "CAPTCHA" when creating tickets. Go to Settings/Tickets...Human verification

Thanks ESWBitto.

I was more interested in protecting the application rather than the server - I just tried the CAPTCHA option now (I did not notice it before) and it does seem nice and useful; it doesn't look intrusive at all, but it does seem like it wouldn't take much effort for bots to bypass (hardly any noise in the picture).

It would be nice if there were 'levels' of difficulty for the CAPTCHA code to select, which would in turn add more noise to the CAPTCHA and make it more difficult for attackers.

Anyway, I will trial this with my users and post back with an update.

We password-protected the web site that we installed to. Windows Auth, so that they can use their Active Directory usernames/passwords. If you don't run AD or IIS, you could still achieve something similar with an .htaccess file under Apache.
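
The two Apache-side suggestions in this thread (hiding the version banner and password-protecting the site), shown as an added example that is not from any of the posters. The install path, password file location, realm name and user name are assumptions.

```apache
# --- Server-wide config (httpd.conf / apache2.conf) ---
# ServerTokens is only valid in server config, not in .htaccess.
ServerTokens Prod        # Server header becomes just "Apache", no version/OS
ServerSignature Off      # no version footer on error pages and listings

# --- Password-protect the osTicket install ---
# Assumed path; adjust to where osTicket is actually installed.
<Directory "/var/www/html/osticket">
    AuthType Basic
    AuthName "Helpdesk"
    # Assumed location: keep the password file outside the web root.
    # Create it with: htpasswd -c /etc/apache2/osticket.htpasswd someuser
    AuthUserFile "/etc/apache2/osticket.htpasswd"
    Require valid-user
</Directory>

# The same four Auth*/Require lines can instead go in an .htaccess file
# in the osTicket directory, provided that directory has
# "AllowOverride AuthConfig" set in the server config.
#
# Basic auth sends the password base64-encoded, not encrypted, so the
# site should only be reachable over HTTPS when this is used.
```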
