httpd-users mailing list archives

From Tim Wort <...@pobox.com>
Subject Re: [users@httpd] Password protect sections of website
Date Tue, 04 Feb 2003 15:32:00 GMT
On Tue, 4 Feb 2003, Jason L Michael wrote:

> Guys,
>
> I'm using PHP and MySQL, running on Apache.  For sections of the site where
> I want to restrict access, I'm using the htaccess functions of Apache, which
> works beautifully.  As I understand it, I just put sensitive stuff in a
> special folder, call it "guarded", and then whenever I link to anything in
> "guarded", the user's browser presents them with a login/password dialog to
> gain access.  Since these values are stored in a flatfile outside the reach
> of the browser (not anywhere in the htdocs path), I can assume that gaining
> access to this section of my site without being given a password would
> require compromising Apache, and more specifically, the box Apache is
> running on.
>
> Am I correct in my assumption?

If you are not using SSL then the password is still passed to Apache in
the clear (no encryption) so it is possible to "sniff" the password off
the wire.



>
> Hard coding login/password pairs into the .htpassword file seems to be a bit
> primitive, and since gaining access to any set would grant you access to
> anything in the protected folder, is this really such a good idea?  Should
> htaccess be reserved for "Admins" and another method be used for "trusted
> users"?  I have tried using PHP, with a MySQL query for login/password
> (encrypted) and an HTTP header (WWW_Authenticate), but I don't think this is
> so secure, as it simply passes the return values of the dialog to the SQL
> query, and one could then use this interface to hack the SQL query and gain
> access to the SQL database.
>
> What other methods for securing sections of your website have you used with
> success?  Which methods are the most secure?  Is granting a login/password
> to "trusted users" via htaccess such a good idea?  Do webmasters normally
> write some kind of script to edit the .htpassword file?
>

Well, I would first secure the box Apache is running on, limit the number
of users, say an admin user and no other logins, run the apache user without
a shell (assuming UNIX here), use SSH for all logins, use sudo for root
(if not for restricting root access, then for the logging). Disable
all services that are not required (telnet, ftp, chargen etc). Remove all
software that is not required on the system, don't leave compilers lying
around on a production system etc. Consider tripwire or similar products
(AIDE). This is called "hardening the system".  I would use SSL for the
"restricted" directories so that the password is then encrypted in an SSL
tunnel.

Monitor security sites that post vulnerabilities, keep Apache, the OS and
any other software patched and up to date, READ your log files, centralize
logging to a log server if possible.

Remember, things change every day so security is an ongoing process and no
security is perfect, but you can make it very hard to compromise a box.



> Thanks in advance,
>
> Jason L Michael
> 105A Maple
> Arlington TX, 76011
> http://www.jason-michael.com
> jason@jason-michael.com
>
> West of House
> You are standing in an open field west of a white house, with a boarded
> front door.
> There is a small mailbox here.
>
>
>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
=        Inkling Research Inc.      =
=    Tim.Wort@InklingResearch.com   =
=        Tim.Wort@pobox.com         =
=                                   =
=        Eschew Obfuscation         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
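An added Apache configuration example (not taken from this thread) showing how the two points above fit together: the password file kept outside the htdocs tree, and SSL required for the "guarded" directory so the Basic-auth credentials only ever cross the wire inside an SSL tunnel. The directory paths, file name and realm name are assumptions; adjust them to your layout.

```apache
# Added example, not from the original message. Assumed paths:
#   DocumentRoot  /usr/local/apache/htdocs
#   password file /usr/local/apache/passwd/guarded.htpasswd  (outside htdocs)
#
# Create the password file with Apache's htpasswd tool, e.g.:
#   htpasswd -c /usr/local/apache/passwd/guarded.htpasswd alice

<Directory "/usr/local/apache/htdocs/guarded">
    # mod_ssl: refuse the request outright on plain HTTP instead of
    # prompting for a password that would be sent unencrypted.
    SSLRequireSSL

    AuthType Basic
    AuthName "Guarded area"
    AuthUserFile /usr/local/apache/passwd/guarded.htpasswd
    Require valid-user

    # Don't let a stray .htaccess inside the directory loosen these rules.
    AllowOverride None
</Directory>

# Belt and braces: never serve a password file as a document, even if an
# Alias or a copy later lands somewhere under the DocumentRoot.
<Files "*.htpasswd">
    Order allow,deny
    Deny from all
</Files>
```

With SSLRequireSSL in place, a request for /guarded/ over plain HTTP gets a 403 before any WWW-Authenticate challenge is issued, so there is no cleartext password to sniff.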



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

