How to secure Websites hosted on Apache


Postby squid » Sun Sep 07, 2003 9:54 am

Hi folks, my previous post gave me such a break that now I am into.. well, this time I want to secure my websites (password protected) hosted on Apache. Any proper reference or tag.. please
squid
Lance Naik
 
Posts: 20
Joined: Fri Sep 05, 2003 10:15 am

Postby cwackked » Sun Sep 07, 2003 10:21 am

I'd start with separating the needs and wants....
get the unnecessary stuff out....
learn how to use iptables...
build up a strict firewall rule..preferably a script with all the rules...
if you want to stretch an extra bit...configure your eth* to accept forwarded packets and log them with a good sniffer...(tcpdump,....etc) maintain the logs regularly update them..get the patches on time...
edit the httpd.conf to allow only specific requests...remove the server information from the error tags and any other messages...use ssh instead of ftp for remote uploading/downloading...and an infinitum of more tasks...:)..security is a relative term...and there's no limit to how secure you can be...you can get the certified secure linux by nsa.gov which comes with minimal packages and "less leaks"
you can burn your webserver on a cd and run it from there...and I can go on and on and on :p
hope this gives you something to start with
-umer
cwackked
Lance Naik
 
Posts: 33
Joined: Sat Aug 30, 2003 7:23 am
Website: http://desimart.net
WLM: cwackked@hotmail.com

Postby squid » Mon Sep 08, 2003 11:32 pm

Boss, I just need to secure via Apache..

Re: How to secure Websites hosted on Apache

Postby lambda » Tue Sep 09, 2003 1:42 am

squid wrote: well, this time I want to secure my websites (password protected) hosted on Apache. Any proper reference or tag.. please


How about reading Apache's documentation? http://httpd.apache.org/docs/ second column, first link. Or http://httpd.apache.org/docs-2.0/ third column, first link.
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore

Postby farhantoqeer » Wed Sep 10, 2003 2:54 pm

What do you really want to do? From what I understand, you want to restrict users from exploring directories. If I am right, explore the following link; I hope it will help you.

http://apache-server.com/tutorials/ATusing-htaccess.html
farhantoqeer
Major General
 
Posts: 917
Joined: Thu Jun 27, 2002 5:45 pm
Website: http://www.emergen.biz
Location: Karachi

Postby squid » Sat Sep 13, 2003 4:14 pm

Well, I need that only authenticated users can access their sites hosted on that server...

Postby zafarameer » Sat Sep 13, 2003 7:38 pm

What kind of security do you need for Apache?
Be A Helping Hand 4 Others...
zafarameer
Cadet
 
Posts: 9
Joined: Mon Mar 03, 2003 1:54 am
ICQ: 166614508
WLM: schonde@hotmail.com
Yahoo Messenger: zafarameer@yahoo.com
Location: Sukkur

Postby fawad » Sun Sep 14, 2003 10:52 pm

squid,
If you need to authenticate using user/password, you need 'Basic Authentication'. Read the Apache docs on that. Basically, you'll need to add a .htaccess file to the directory to be protected, create a user (and optionally a groups) file, and link the .htaccess to the user files.
fawad
Site Admin
 
Posts: 918
Joined: Wed Aug 07, 2002 8:00 pm
ICQ: 17672437
Website: http://www.fawad.net
WLM: fawadhalim@hotmail.com
Yahoo Messenger: fawad2048
AOL: fawadhalim
Location: Addison, IL

Postby squid » Mon Sep 15, 2003 1:11 am

fawad wrote:squid,
If you need to authenticate using user/password, you need 'Basic Authentication'. Read the Apache docs on that. Basically, you'll need to add a .htaccess file to the directory to be protected, create a user (and optionally a groups) file, and link the .htaccess to the user files.


Yeah, I guess so.. have to read the given link, thanks...

Postby fawad » Mon Sep 15, 2003 10:13 pm

squid, to make it easier on yourself, you can use webmin's httpd module to configure the access control. I edit the conf files by hand myself, but I know that the webmin module works really nicely.

Postby LinuxFreaK » Fri Sep 19, 2003 8:29 am

Dear All PLUCian's
Salam,

Dear Squid,

I am posting the step-by-step procedure for how to authenticate user/pass.

Step 1:

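Create the password file with the htpasswd utility and set its permissions:

Code:

# -c creates the file and overwrites an existing one, so use it for the first user only
htpasswd -c /usr/local/apache/passwd/passwords username

# owner root, group nogroup, no access for other users
chown root:nogroup /usr/local/apache/passwd/passwords
chmod 640 /usr/local/apache/passwd/passwords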

Step 2:

Set the Apache configuration file:

Code:

vi /etc/httpd/conf/httpd.conf   # or the path to your httpd.conf file


If you are running a hosting server, then:

Code:

<VirtualHost _default_:80>
      DocumentRoot "/home/httpd/exam"
      ServerName www.example.com
      ServerAdmin admin@example.com
      ErrorLog /var/log/httpd/example_error_log
      # Auth directives are only valid in directory context, so wrap them
      <Directory "/home/httpd/exam">
            AuthType Basic
            AuthName "By Invitation Only"
            AuthUserFile /usr/local/apache/passwd/passwords
            # any user in the password file; or name one: Require user username
            Require valid-user
      </Directory>
</VirtualHost>


Step 3:

What are you waiting for, dude? Try it now :!

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi
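
A check on the password file that Step 1 creates, as an added example that is not part of LinuxFreaK's post: it labels the hash scheme of each entry in an htpasswd-style file and tests whether the file is readable by everyone. The function names, scheme labels and verdicts are this example's own, and the sample entries are constructed placeholders.

```shell
# Added example: audit an htpasswd-style file (one "user:hash" per line).
# Scheme labels and verdicts are this example's own, not Apache terminology.

hash_scheme() {                       # usage: hash_scheme HASH
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$5$'*|'$6$'*)           echo sha2-crypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        ?????????????)           echo des-crypt ;;   # exactly 13 characters
        *)                       echo plaintext-or-unknown ;;
    esac
}

audit_htpasswd() {                    # prints "user scheme verdict" per entry
    while IFS=: read -r user hash; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            bcrypt|sha2-crypt) verdict=ok ;;
            apr1-md5)          verdict=dated ;;
            *)                 verdict=weak ;;
        esac
        echo "$user $scheme $verdict"
    done < "$1"
}

world_readable() {                    # exit 0 if "other" has the read bit
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Constructed sample; the hash fields are placeholders, not real digests.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$2y$05$CONSTRUCTEDconstructedCONSTRUCTEDconstructedCONSTRUCT
bob:$apr1$constrct$CONSTRUCTEDconstructed
carol:{SHA}CONSTRUCTEDconstructedCON=
dave:CONSTRUCTED13
EOF
chmod 640 "$sample"                   # same mode as Step 1
audit_htpasswd "$sample"
if world_readable "$sample"; then echo "WARNING: readable by everyone"; fi
rm -f "$sample"
```
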

Postby squid » Sun Sep 21, 2003 11:59 pm

Man, really, thanks for your great support. If you don't mind, can I contact you on your numbers...

Postby LinuxFreaK » Mon Sep 22, 2003 2:54 am

Dear Squid,
Salam,

Sir, you can contact me on my mobile no., but in evening timings....

Best Regards.
Farrukh Ahmed

Postby squid » Sat Sep 27, 2003 4:41 am

Sure sir, probably after a few days...

Postby Saeeds » Tue Jan 06, 2004 4:13 am

Dear All,
I have tried to restrict access to my MRTG pages using .htaccess. I have done the following:
Created a file called .htaccess in /home/httpd/mrtg, from where the pages are displayed.
Created a passwd file in /home/passwd/.htpasswd
for user saeed by htpasswd -c /home/passwd/.htpasswd saeed
The .htaccess file contains the following:

AuthUserFile /home/passwd/.htpasswd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic

<Limit GET>
require user saeed
</Limit>

When I see the .htpasswd file it shows saeed:s7Eprekt6bU5s

I have also restarted httpd but still the web page doesn't ask for any username and password. Please tell me what mistake I am committing; does Apache require any configuration changes?

Regards,
Saeed
Saeeds
Cadet
 
Posts: 9
Joined: Thu Dec 04, 2003 7:01 pm
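
Apache reads a .htaccess file only when the AllowOverride value in force for that directory permits it, and authentication directives need AuthConfig or All, so that value is worth checking when no password prompt appears. The following added example, which is not part of the thread, reports it for a directory from a constructed httpd.conf; the function names are hypothetical and only literal <Directory> sections in a single file are handled.

```shell
# Added example: which AllowOverride value governs a directory?
# Simplification: literal <Directory path> sections of one file only.

effective_allowoverride() {           # usage: effective_allowoverride CONF DIR
    awk -v target="$2" '
        function covers(p, t) {       # p equals t or is an ancestor of t
            if (p == "/") return 1
            sub(/\/+$/, "", p)
            return (t == p || index(t, p "/") == 1)
        }
        /^[ \t]*#/ { next }
        /^[ \t]*<Directory[ \t]/ {
            path = $0
            sub(/^[ \t]*<Directory[ \t]+/, "", path)
            sub(/>[ \t]*$/, "", path)
            gsub(/"/, "", path)
            inside = covers(path, target); next
        }
        /^[ \t]*<\/Directory>/ { inside = 0; next }
        inside && tolower($1) == "allowoverride" && length(path) >= bestlen {
            bestlen = length(path)    # the longest matching section wins
            $1 = ""; sub(/^ +/, ""); best = $0
        }
        END { print (best == "" ? "unset" : best) }
    ' "$1"
}

htaccess_auth_honoured() {            # 0 = yes, 1 = no, 2 = not set in file
    case " $(effective_allowoverride "$1" "$2" | tr 'A-Z' 'a-z') " in
        *" all "*|*" authconfig "*) return 0 ;;
        " unset ")                  return 2 ;;   # server default applies
        *)                          return 1 ;;
    esac
}

# Constructed sample configuration, not taken from the poster's server.
conf=$(mktemp)
cat > "$conf" <<'EOF'
<Directory />
    AllowOverride None
</Directory>
<Directory "/home/httpd/exam">
    AllowOverride AuthConfig
</Directory>
EOF
for d in /home/httpd/mrtg /home/httpd/exam; do
    echo "$d: AllowOverride $(effective_allowoverride "$conf" "$d")"
done
rm -f "$conf"
```

A result of "unset" means the file never sets the directive for that path, so the server's built-in default applies, and that default differs between Apache versions.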

