How to secure Websites hosted on Apache

Protecting your Linux box
squid
Lance Naik
Posts: 20
Joined: Fri Sep 05, 2003 10:15 am

Postby squid » Sun Sep 07, 2003 9:54 am

Hi folks, my previous post gave me such a break that now I am into.. well, this time I want to secure my websites (password protected) hosted on Apache. Any proper reference or tag.. please

cwackked
Lance Naik
Posts: 33
Joined: Sat Aug 30, 2003 7:23 am

Postby cwackked » Sun Sep 07, 2003 10:21 am

I'd start with separating the needs and wants....
get the unnecessary stuff out....
learn how to use iptables...
build up a strict firewall rule.. preferably a script with all the rules...
if you want to stretch an extra bit... configure your eth* to accept forwarded packets and log them with a good sniffer... (tcpdump, ... etc.) maintain the logs regularly update them.. get the patches on time...
edit the httpd.conf to allow only specific requests... remove the server information from the error tags and any other messages... use ssh instead of ftp for remote uploading/downloading... and an infinitum of more tasks... :).. security is a relative term... and there's no limit to how secure you can be... you can get the certified secure linux by nsa.gov which comes with minimal packages and "less leaks"
you can burn your webserver on a cd and run it from there... and I can go on and on and on :p
hope this gives you something to start with
-umer

squid
Lance Naik
Posts: 20
Joined: Fri Sep 05, 2003 10:15 am

Postby squid » Mon Sep 08, 2003 11:32 pm

Boss, I just need to secure via Apache..

lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Re: How to secure Websites hosted on Apache

Postby lambda » Tue Sep 09, 2003 1:42 am

squid wrote: well, this time I want to secure my websites (password protected) hosted on Apache. Any proper reference or tag.. please


How about reading Apache's documentation? http://httpd.apache.org/docs/ second column, first link. Or http://httpd.apache.org/docs-2.0/ third column, first link.

farhantoqeer
Major General
Posts: 917
Joined: Thu Jun 27, 2002 5:45 pm
Location: Karachi

Postby farhantoqeer » Wed Sep 10, 2003 2:54 pm

What do you really want to do? From what I understand, you want to restrict users from exploring directories. If I am right, explore the following link; I hope it will help you.

http://apache-server.com/tutorials/ATusing-htaccess.html

squid
Lance Naik
Posts: 20
Joined: Fri Sep 05, 2003 10:15 am

Postby squid » Sat Sep 13, 2003 4:14 pm

Well, I need that only authenticated users can access their sites hosted on that server...

zafarameer
Cadet
Posts: 9
Joined: Mon Mar 03, 2003 1:54 am
Location: Sukkur

Postby zafarameer » Sat Sep 13, 2003 7:38 pm

What kind of security do you need for Apache?
Be A Helping Hand 4 Others...

fawad
Site Admin
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
Location: Addison, IL

Postby fawad » Sun Sep 14, 2003 10:52 pm

squid,
If you need to authenticate using user/password, you need 'Basic Authentication'. Read the Apache docs on that. Basically, you'll need to add a .htaccess file to the directory to be protected, create a user (and optionally a groups) file, and link the .htaccess to the user files.

squid
Lance Naik
Posts: 20
Joined: Fri Sep 05, 2003 10:15 am

Postby squid » Mon Sep 15, 2003 1:11 am

fawad wrote: squid,
If you need to authenticate using user/password, you need 'Basic Authentication'. Read the Apache docs on that. Basically, you'll need to add a .htaccess file to the directory to be protected, create a user (and optionally a groups) file, and link the .htaccess to the user files.


Yeah, I guess so.. have to read the given link, thanks...

fawad
Site Admin
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
Location: Addison, IL

Postby fawad » Mon Sep 15, 2003 10:13 pm

squid, to make it easier on yourself, you can use webmin's httpd module to configure the access control. I edit the conf files by hand myself, but I know that the webmin module works really nicely.

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Postby LinuxFreaK » Fri Sep 19, 2003 8:29 am

Dear All PLUCian's
Salam,

Dear Squid,

I am posting the step-by-step procedure for how to authenticate user/pass.

Step 1:

Create Password File from Utility htpasswd and Give them Permission:

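Code:

# -c creates the password file (and overwrites an existing one);
# omit -c when adding further users to the same file
htpasswd -c /usr/local/apache/passwd/passwords username

# root owns the file; only the web server's group may read it
chown root:nogroup /usr/local/apache/passwd/passwords
chmod 640 /usr/local/apache/passwd/passwords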

Step 2:

Set the Apache Configuration File:

Code:

vi /etc/httpd/conf/httpd.conf    # or the path to your httpd.conf file


if you were running a hosting server then:

Code:

<VirtualHost _default_:80>
      DocumentRoot "/home/httpd/exam"
      ServerName www.example.com
      ServerAdmin admin@example.com
      ErrorLog /var/log/httpd/example_error_log
      # Auth directives are only valid in directory context, so wrap them
      <Directory "/home/httpd/exam">
            AuthType Basic
            AuthName "By Invitation Only"
            AuthUserFile /usr/local/apache/passwd/passwords
            # or, to allow a single account: Require user username
            Require valid-user
      </Directory>
</VirtualHost>


Step 3:

What are you waiting for dude try it now :!

Best Regards.
Farrukh Ahmed
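
Added example, not part of the original post: a shell check for the password file created in Step 1, confirming it sits outside the DocumentRoot and is not accessible to other users; going beyond the post, it also counts legacy-format hashes. The function name audit_htpasswd and the demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an htpasswd file.
# Prints one line per finding and returns the number of findings.

audit_htpasswd() {  # usage: audit_htpasswd PASSWD_FILE DOCUMENT_ROOT
    file=$1; docroot=$2; findings=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # Resolve real paths so symlinks or ../ cannot hide where the file lives.
    dir=$(cd "$(dirname "$file")" && pwd -P)
    root=$(cd "$docroot" && pwd -P)
    case "$dir/" in
        "$root"/*) echo "served: $file is under DocumentRoot $docroot"
                   findings=$((findings + 1)) ;;
    esac

    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$file" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "perms: $file is accessible to other users ($other)"
        findings=$((findings + 1))
    fi

    # 13-character crypt(3) values and {SHA} entries are legacy hash formats.
    weak=$(awk -F: 'length($2) == 13 && $2 !~ "[^./0-9A-Za-z]" { n++ }
                    index($2, "{SHA}") == 1 { n++ }
                    END { print n + 0 }' "$file")
    if [ "$weak" -gt 0 ]; then
        echo "hash: $weak entry(ies) use a legacy crypt or {SHA} format"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed demo: a world-readable password file placed inside the docroot.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs"
printf 'alice:%s\n' 'abcdefghijklm' > "$demo/htdocs/.htpasswd"  # made-up value
chmod 644 "$demo/htdocs/.htpasswd"
audit_htpasswd "$demo/htdocs/.htpasswd" "$demo/htdocs" || true
rm -rf "$demo"
```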

squid
Lance Naik
Posts: 20
Joined: Fri Sep 05, 2003 10:15 am

Postby squid » Sun Sep 21, 2003 11:59 pm

Man, really, thanks for your great support. If you don't mind, can I contact you on your numbers...

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Postby LinuxFreaK » Mon Sep 22, 2003 2:54 am

Dear Squid,
Salam,

Sir you can contact me at my mobile no but in Evening Timings....

Best Regards.
Farrukh Ahmed

squid
Lance Naik
Posts: 20
Joined: Fri Sep 05, 2003 10:15 am

Postby squid » Sat Sep 27, 2003 4:41 am

Sure sir, probably after a few days...

Saeeds
Cadet
Posts: 9
Joined: Thu Dec 04, 2003 7:01 pm

Postby Saeeds » Tue Jan 06, 2004 4:13 am

Dear All,
I have tried to restrict access to my MRTG pages using .htaccess. I have done the following:
Created a file called .htaccess in /home/httpd/mrtg, from where the pages are displayed.
Created a passwd file in /home/passwd/.htpasswd
for user saeed by htpasswd -c /home/passwd/.htpasswd saeed
The .htaccess file contains the following:

AuthUserFile /home/passwd/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

<Limit GET>
require user saeed
</Limit>

When I look at the .htpasswd file it shows saeed:s7Eprekt6bU5s

I have also restarted httpd but still the web page doesn't ask for any username and password. Please tell me what mistake I am committing; does Apache require any configuration changes?

Regards,
Saeed
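
Added example, not part of the original post: Apache applies authentication directives from a .htaccess file only when the AllowOverride setting governing that directory includes AuthConfig or All, so this is one thing to check for the symptom described above. The function names and the sample configuration are constructed for illustration; only literal <Directory> sections in a single file are read.

```shell
#!/bin/sh
# Added example (not from the thread): report the AllowOverride value that
# governs a directory. Assumption: only literal <Directory path> sections in
# one file are read; Include, <DirectoryMatch> and wildcards are ignored.

effective_allowoverride() {  # usage: effective_allowoverride CONF DIR
    awk -v target="$2" '
        BEGIN { best = -1; value = "unset" }
        /^[ \t]*#/ { next }
        tolower($1) == "<directory" {
            path = $2; gsub(/[">]/, "", path); sub(/\/+$/, "", path)
            if (path == "") path = "/"
            insec = 1; next
        }
        tolower($1) == "</directory>" { insec = 0; next }
        insec && tolower($1) == "allowoverride" {
            prefix = (path == "/") ? "/" : path "/"
            # The most specific (longest) matching section wins.
            if (index(target "/", prefix) == 1 && length(path) >= best) {
                best = length(path); $1 = ""; sub(/^[ \t]+/, ""); value = $0
            }
        }
        END { print value }
    ' "$1"
}

htaccess_auth_honored() {  # usage: htaccess_auth_honored CONF DIR
    # "unset" counts as not honored: current Apache defaults to None
    # (releases before 2.3.9 defaulted to All).
    case " $(effective_allowoverride "$1" "$2" | tr '[:upper:]' '[:lower:]') " in
        *" all "*|*" authconfig "*) return 0 ;;
    esac
    return 1
}

# Constructed sample configuration (not the poster's real httpd.conf).
conf=$(mktemp)
cat > "$conf" <<'EOF'
<Directory />
    AllowOverride None
</Directory>
<Directory "/home/httpd">
    AllowOverride Limit
</Directory>
EOF
effective_allowoverride "$conf" /home/httpd/mrtg
htaccess_auth_honored "$conf" /home/httpd/mrtg || echo ".htaccess auth directives are ignored here"
rm -f "$conf"
```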

