7.5. Security Notes

Several directives in the /etc/httpd/conf/httpd.conf configuration file control user authentication on the server. The same directives can also be placed in an .htaccess file. They are the following:

  • AuthType parameter Indicates the type of user authentication. The parameter value can be one of the following: Basic or Digest.

  • AuthGroupFile file path Specifies the name of the file, in which the list of user groups is stored.

  • AuthUserFile file path Specifies the file containing user names and passwords. It is advisable to create this list using the htpasswd utility.

  • AuthAuthoritative On|Off Controls whether this authentication module has the final say. The default value is On: a user name that is not in the file is rejected. If the directive is set to Off and the supplied user name is not found in the file (or no rule matches it), the request is passed on to lower-level authentication modules, for example a DBM-based one, instead of being refused. Leave it On unless you deliberately chain authentication modules.

  • AuthDBMGroupFile and AuthDBMUserFile These directives are analogous to the AuthGroupFile and AuthUserFile directives except that the parameter names a Berkeley DB (DBM) database file instead of a text file.

These directives can help you configure the user-authentication process when accessing certain directories. For example, for a directory that only authorized users can access, you can specify a password file that will be used by the server to control access to the directory.

7.5.1. The .htaccess Files

If a Web server directory needs its own access rules, create an .htaccess file in that directory. The permissions described in this file apply to the directory in which it is located and to its subdirectories. Note that Apache honors the file only if the enclosing <Directory> section in httpd.conf permits it with AllowOverride (AuthConfig for the authentication directives, Limit for allow/deny); under AllowOverride None the file is silently ignored. The following listing is an example of the contents of an .htaccess file:

 AuthType Basic
 AuthName "By Invitation Only"
 AuthUserFile /pub/home/flenov/passwd
 Require valid-user

In this file, the authentication type for the current directory is specified as Basic. This means that the authentication will be carried out by requesting the user login and password. The text specified in the AuthName directive will be shown in the title of the authentication window (Fig. 7.2).

Figure 7.2: The user authentication window

The AuthUserFile directive specifies the file containing the list of names and passwords of the site's users. Finally, the Require directive is used with the valid-user argument. This means that only successfully authenticated users will be able to open files in the current directory.

In this simple way, unauthorized access to directories containing restricted data (e.g., administrator scripts) can be limited.

As already mentioned, access-control directives such as allow from (considered in Section 7.3) can also be used in the .htaccess file. (In Apache 2.4 the Order, Allow and Deny directives of mod_access are replaced by Require ip, Require all denied and the other directives of mod_authz_core; the examples in this chapter use the older syntax.)

For example, access from only one IP address, say 101.12.41.148, can be allowed as follows:

 Deny from all
 Allow from 101.12.41.148

An allow from line on its own shuts nobody out: under the default Order deny,allow every host is permitted unless a Deny matches it, so it is the Deny from all line that closes the door before the single address is let back in.

Combining the allow from directive with user authentication greatly complicates the job for an attacker: even a stolen password is useless from another address, and forging the source address of an established TCP connection takes far more effort than replaying a sniffed password. Both checks are enforced only because Satisfy All is the default; if a configuration sets Satisfy Any, either a valid password or a permitted address alone is enough, so check that setting whenever you rely on the combination. Remember also that an attacker who has compromised a host behind the permitted address, or who shares its NAT gateway, inherits its access.

The same permissions can instead be placed in httpd.conf itself, wrapped in a <Directory> section for the path concerned (the <Directory> container is not permitted inside an .htaccess file):

 <Directory /path>
     AuthType Basic
     AuthName "By Invitation Only"
     AuthUserFile /pub/home/flenov/passwd
     Require valid-user
 </Directory>

Which of these two files you choose to use is up to you. I prefer working with .htaccess files because the security settings are then stored in the directory to which they apply. But this is not entirely safe: the file lives inside the document tree, so anyone who gains write access to that directory (through a careless upload script, for example) can change the rules, and a misconfigured server can even serve the file to a browser. The stock httpd.conf contains a <Files> section that denies access to all files whose names begin with .ht; verify that it is present if you keep .htaccess or password files under the document root.

The central httpd.conf file is preferable from the security standpoint, because it is located under /etc, outside the Web server's document root, is owned by root, and can be made unreadable to regular users. Directives placed there are also read once at startup, whereas .htaccess files are re-read on every request.

7.5.2. Password Files

In this section, you will learn how to create and control Apache password files. The file specified in the AuthUserFile directive is a simple text file containing user name and password entries in the following format:

 flenov:{SHA}1ZZEBtPy4/gdHsyztjUEWbOd90E= 

There are two fields in the preceding entry, separated by a colon. The first field contains the user name, and the second contains the password hash. In this example the {SHA} prefix shows that the password was hashed with SHA-1 and the digest stored in Base64 (the format produced by htpasswd -s); entries hashed with Apache's MD5 variant start with $apr1$ instead. The file is awkward to edit manually, and there is no need to, because the htpasswd utility is intended for this task.

The utility can hash passwords with Apache's MD5 variant, with SHA-1, or with the system's crypt() function, and entries of different types can be stored in the same file: the server tells them apart by the prefix of the stored value. None of the three is a slow hash, {SHA} is unsalted, and crypt() truncates passwords to eight characters, so a password file that leaks can be attacked offline at high speed. On Apache 2.4 prefer the bcrypt option (htpasswd -B), and in any case keep the file outside the document root and readable only by the user the server runs as.

If you store user names and passwords in a DBM database file (specified by the AuthDBMUserFile directive), use the dbmmanage command to manage the database.

The htpasswd utility is invoked as follows:

 htpasswd [options] passwordfile username [password]

The password is given on the command line only together with the -b switch (otherwise it is prompted for, which keeps it out of the shell history and the process list), and the file is omitted only with -n. The utility takes the following main switches:

  • -c Creates a new file. If the specified file already exists, it is overwritten and its old contents are lost. The following is an example of the command's use:

     htpasswd -c /pub/home/flenov/passwd robert

When this command is executed, a prompt to enter and then confirm the password for the user robert is displayed. After successful completion, the file /pub/home/flenov/passwd is created containing an entry for the user robert and the hash of the specified password. Do not name the password file .htaccess or keep it under the document root: the server would try to interpret it as per-directory configuration, and the hashes could be downloaded by anyone who guesses the name.

  • -m Specifies that passwords are to be created using the Apache modified MD5 algorithm. A password file created using this algorithm can be ported to any other platform (Windows, UNIX, BeOS, etc.), on which an Apache server is running. This switch is handy for a heterogeneous operating system network, because the same password file can be used on machines running different operating systems.

  • -d Indicates that passwords are to be encrypted using the crypt() system function.

  • -s Specifies that passwords are to be encrypted by the Secure Hash Algorithm (SHA) used by the Netscape platform.

  • -p Indicates no password hashing: the password is stored in clear text. I don't recommend using this switch; it is imprudent for security, and on UNIX the httpd daemon does not accept clear-text entries anyway (only the Windows and NetWare builds do).

  • -n Don't update the file; only display the results.

A new user can be added to an existing file by executing the command without the -c switch, passing only the file and the user name as arguments:

 htpasswd /pub/home/flenov/passwd Flenov

There are two restrictions on using the htpasswd command: a user name cannot contain a colon (it is the field separator), and a password can be no longer than 255 characters. These are rather mild restrictions, and both can be lived with. Unless you have masochistic tendencies, it is doubtful you will want a password anywhere close to 255 characters long. As for the colon, you'll just have to do without it.

7.5.3. Authentication Problems

Basic authentication is too simple a method to provide reliable security on its own. The browser sends the user name and password, joined by a colon and Base64-encoded, in the Authorization header of every request to the protected area. Base64 is an encoding, not encryption: if a packet carrying the header is intercepted, a single library call recovers the credentials instantly. (Digest authentication avoids sending the password itself, but it is built on MD5 and does nothing to protect the rest of the session.)

A truly secure connection should be encrypted. The stunnel utility or HTTPS, which uses SSL/TLS, can be used for this purpose. The stunnel utility and HTTPS are discussed in more detail in Section 5.2.
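The two points made in Sections 7.5.2 and 7.5.3, the format of the AuthUserFile entries and the fact that Basic credentials travel Base64-encoded, as an added Python example (not code from the book or from Apache): it shows what a sniffer recovers from a captured Authorization header and how the server side checks the credential against a {SHA} password file. The user names and the file path are the chapter's; the passwords, the sample file contents and the captured header are constructed for this example, and only the {SHA} format is actually verified (the $apr1$, crypt() and bcrypt formats are recognised by prefix but not computed).

```python
import base64
import hashlib
import hmac

# -- the client's view and the attacker's view: one Base64 round trip --------

def encode_basic(user, password):
    """Build the header value a browser sends for Basic authentication."""
    pair = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")

def decode_basic_authorization(header):
    """Recover user name and password from an 'Authorization: Basic ...' value.

    Base64 is an encoding, not encryption: one library call undoes it.
    htpasswd forbids colons in user names, so splitting on the first colon
    is unambiguous even when the password contains one.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed user:password pair")
    return user, password

# -- the server's view: the AuthUserFile ------------------------------------

def sha_field(password):
    """The value 'htpasswd -s' stores: {SHA} + Base64(SHA-1(password)), unsalted."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def make_sha_entry(user, password):
    """One AuthUserFile line in the format shown in the chapter."""
    if ":" in user:
        raise ValueError("user name may not contain a colon")
    return f"{user}:{sha_field(password)}"

def hash_scheme(stored):
    """Classify one stored password field by the prefixes htpasswd writes."""
    if stored.startswith("{SHA}"):
        return "sha1"       # htpasswd -s, unsalted SHA-1
    if stored.startswith("$apr1$"):
        return "apr1-md5"   # htpasswd -m, Apache's salted MD5 variant
    if stored.startswith("$2y$"):
        return "bcrypt"     # htpasswd -B, Apache 2.4.4 and later
    if len(stored) == 13:
        return "crypt"      # htpasswd -d, traditional crypt(), 8-char passwords
    return "plain"          # htpasswd -p, accepted by httpd only on Windows/NetWare

def parse_authuserfile(text):
    """Map user name -> stored field; blank lines and '#' comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def verify_password(stored, password):
    """Check a password against one stored field.

    Only {SHA} is verified here; the other formats need their own routines
    and are reported as failures rather than silently accepted.
    """
    if hash_scheme(stored) != "sha1":
        return False
    return hmac.compare_digest(stored, sha_field(password))

def authenticate(header, userfile_text):
    """Return the user name if the Basic credential matches the file, else None."""
    user, password = decode_basic_authorization(header)
    stored = parse_authuserfile(userfile_text).get(user)
    if stored is None or not verify_password(stored, password):
        return None
    return user

# Constructed sample data: the user names come from the chapter, the
# passwords do not. The entries are generated exactly as 'htpasswd -s' would.
SAMPLE_AUTHUSERFILE = "\n".join([
    "# /pub/home/flenov/passwd (constructed sample)",
    make_sha_entry("flenov", "secret"),
    make_sha_entry("robert", "letmein"),
])
CAPTURED_HEADER = "Basic Zmxlbm92OnNlY3JldA=="   # what a sniffer sees for flenov:secret

if __name__ == "__main__":
    print(decode_basic_authorization(CAPTURED_HEADER))
    print(authenticate(CAPTURED_HEADER, SAMPLE_AUTHUSERFILE))
    print(authenticate(encode_basic("flenov", "guess"), SAMPLE_AUTHUSERFILE))
```

Running the block prints the recovered pair, then the authenticated user name, then None for a wrong guess. The comparison uses hmac.compare_digest so that the time taken does not depend on how many leading characters of the hash match; a plain == would leak that through timing on a server that checks thousands of requests.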

7.5.4. Server Side Processing

HTML files can be processed on the server before they are sent, in the same way that PHP files are. On the one hand, this is convenient, because server-side include (SSI) directives can be embedded into ordinary HTM and HTML files. On the other hand, server-parsed HTML files present a security problem: SSI has an exec element that runs an arbitrary command, so an attacker who can write to an HTML file (through an upload feature, a world-writable directory or a compromised script) turns that write access into command execution as the Web server user.

The AddHandler directive tells the server to pass files with a certain extension to a handler. Entries like the following can be found in the httpd.conf configuration file:

 AddHandler cgi-script .cgi
 AddHandler server-parsed .shtml

If you do not serve CGI programs at all (whatever language they are written in), comment out the first line so that .cgi files cannot be executed. The second entry presents no danger by itself, but extending server parsing to HTM or HTML files is not safe. The following line, if present in your configuration file, should be either deleted or commented out:

 AddHandler server-parsed .html 

If there is a need to allow server parsing of HTML documents in one directory, enable it in the corresponding .htaccess file (mod_include also requires Options Includes for that directory; prefer Options IncludesNOEXEC, which permits include but disables exec). Server processing of HTML files in all other directories should be explicitly prohibited. You can do this by adding the following line either to the httpd.conf configuration file or to the .htaccess file in each directory:

 RemoveHandler .html .htm 

In this way, you prohibit server parsing of HTML files without affecting SSI processing of SHTML files. For example, the following directive in an SHTML file will still be executed:

 <!--#include virtual="filename.shtml" --> 

If you do not use SSI (and, accordingly, SHTML files), comment out the following line if it is present and not already commented out:

 AddHandler server-parsed .shtml 


Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141

flylib.com © 2008-2017.