Hi all

What's the best practice to set up a secure Subversion server? We're currently using VisualSVN Server with Active Directory implementation and HTTPS. Now we want to provide connection from outside the firewall. What's the security risk about that? Is there a possibility to prevent brute-force attacks on login?

greets Roland

+2  A: 

We use svn+ssh and encourage using passphrases on keys. If you can, use an alternate SSH port instead of 22.

Chief A-G
+2  A: 

I have used apache with mod_dav_svn. VisualSVN server uses Apache. You aren't going to have issues with it not working with VisualSVN client. You can then secure SVN like any other web resource. You can even enforce SSL. This assumes basic auth. You can use anything including LDAP and ActiveDirectory for auth.

<Location /svn>
  DAV svn
  SVNParentPath /usr/local/svn
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /etc/svn-auth-file
  Require valid-user
</Location>

More here

sal
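
As an added example (not code from any of the answers), one way to spot brute-force attempts against the Basic-auth `/svn` location configured above is to count rejected logins per client IP in the Apache access log. It assumes the "combined" log format; the sample lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" log format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:09:00:00 +0000] "OPTIONS /svn/proj HTTP/1.1" 401 381 "-" "SVN/1.6.9"
203.0.113.7 - alice [10/Mar/2010:09:00:01 +0000] "OPTIONS /svn/proj HTTP/1.1" 200 190 "-" "SVN/1.6.9"
198.51.100.23 - admin [10/Mar/2010:09:05:01 +0000] "PROPFIND /svn/proj HTTP/1.1" 401 381 "-" "-"
198.51.100.23 - admin [10/Mar/2010:09:05:03 +0000] "PROPFIND /svn/proj HTTP/1.1" 401 381 "-" "-"
198.51.100.23 - root [10/Mar/2010:09:05:05 +0000] "PROPFIND /svn/proj HTTP/1.1" 401 381 "-" "-"
198.51.100.23 - svn [10/Mar/2010:09:05:08 +0000] "PROPFIND /svn/proj HTTP/1.1" 401 381 "-" "-"
198.51.100.23 - alice [10/Mar/2010:09:05:10 +0000] "PROPFIND /svn/proj HTTP/1.1" 401 381 "-" "-"
198.51.100.23 - admin [10/Mar/2010:09:05:12 +0000] "GET /svnother HTTP/1.1" 401 381 "-" "-"
192.0.2.50 - bob [10/Mar/2010:09:10:00 +0000] "OPTIONS /svn/proj HTTP/1.1" 401 381 "-" "SVN/1.6.9"
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

def find_bruteforce(log_text, prefix="/svn", threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> usernames tried, for IPs with >= threshold failed logins inside window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> usernames seen on failed attempts
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, ts, path, status = m.groups()
        # A 401 with user "-" is only the initial Basic-auth challenge; a 401 with a
        # name logged means credentials were sent and rejected.
        if status != "401" or user == "-":
            continue
        if path != prefix and not path.startswith(prefix + "/"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        tried[ip].add(user)
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: sorted(tried[ip]) for ip in sorted(flagged)}

if __name__ == "__main__":
    for ip, names in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: repeated failed logins as {', '.join(names)}")
```

Skipping 401s logged with user `-` keeps the normal unauthenticated first request of every Subversion client from counting as a failed login.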
+2  A: 

If you're using Active Directory authentication - I should hope that a brute force attack would be thwarted by the normal Windows system of locking out accounts that have had too many password failures on them.

What kind of access are you granting over the firewall? If it's developer access (work from home stuff), you might consider using a VPN. If it's read-only stuff, you might consider exposing a mirror instead of the main server.

Jim T