NexusOSS Security

Hi,

I am using Nexus OSS v2 and I am trying to figure out the options to secure this server.
I have one npm repository that is allowed to be read only and browsed.
Except for the default users, I have configured authentication through LDAP and AD groups only for the npm repositories.
Problems:

  1. Authentication is BASIC, meaning that credentials are sent in clear text. I will solve this when I move to SSL, but I want to change this BASIC auth.
  2. Management UI. By default, each developer who has access to the repository can open the UI, brute force the admin account and gain access to the server configuration. Is there a way to deny that, other than disabling the admin account and creating another admin-privileged user?

Does Nexus Professional address these problems?

Udi

Almost all client build tools (Maven, npm, etc.) use HTTP basic authentication, so you're going to have to allow it. Enabling SSL for inbound connections is the best course of action. Additionally, the Pro version does have a feature that allows users to avoid encoding their real login credentials into build configuration files:

https://help.sonatype.com/display/NXRM3/Security+Setup+with+User+Tokens

Management UI. By default, each developer who has access to the repository can open the UI, brute force the admin account and gain access to the server configuration. Is there a way to deny that?

I don't understand this question. How will someone "brute force the admin" account? Can you clarify?