Well now it's an Apache security rodeo...

Lisa Kachold lisakachold at obnosis.com
Fri Jul 3 23:31:55 MST 2009


On Fri, Jul 3, 2009 at 8:03 PM, Jim March <1.jim.march at gmail.com> wrote:

> On Fri, Jul 3, 2009 at 7:49 PM, Lisa Kachold<lisakachold at obnosis.com>
> wrote:
> > Verify your server will allow .htaccess file overrides:
> >
> > # locate httpd.conf
> > # vi /etc/httpd/conf/httpd.conf (or wherever it is)
> >
> > <beware some versions of apache/apache2 use include files rather than place
> > Directory configuration in httpd.conf>
>
> Well I found the file (just one) but it's zero bytes...?


YOU must have either an httpd.conf or an apache.conf file in a ServerRoot
directory. (Usually /etc/apache or /etc/httpd/)
It could also be servername.conf; check your /etc/init.d/httpd file or
/etc/rc.local (wherever it's started from) and version.
What is your version of Apache?

Your DocumentRoot is going to be /var/www/ and you must have a <Directory>
entry for it!

That directory entry must have the statement "AllowOverride All" like below:


>
>
> > 1) Directory
> > Find your section with the <Directory > tag and add "AllowOverride All"
> >
> > <Directory /var/www/html/htaccess-enabled>
> >     Options FollowSymLinks
> >     AllowOverride All
> >
> > </Directory>
> >
> > Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
> >
> > http://www.sitedeveloper.ws/tutorials/htaccess.htm
>
> OK, done, about to reboot...but first...
>
> > 2) Security
> >
> > Should be fine, but check out this post:
> >
> > http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
>
> Ah.  'Kay, just for starters I added:
>

That denies everyone!

>
> ---
> # secure htaccess file
> <Files .htaccess>
>  order allow,deny
>  deny from all
> </Files>
> ---
>
# secure htaccess file
# Enter htpasswd information and auth stuff here
<Files .htaccess>
 order deny,allow
 deny from all
 allow from 192.168.1.0/24
 allow from 74.183.9.76
</Files>


>
> ALSO: should I assume that an .htaccess file at /var/www will also
> control access to, say, /var/www/events?

No, that .htaccess file is not hierarchical since it's not set up in your
configuration globally, just for the directory.
<Note in your first htpasswd file you had a path and directory that were
being protected; you would use the same syntax.> Experiment to learn.
You can have a <Directory> entry for each of your areas in your
httpd (apache) conf files.

>
>
> THANKS!
>
> Jim

Sure, anytime.  Email me off list or call or whatever you need.

>
>
> > 3) Restart
> >
> > # apachectl restart
> >
> > On Fri, Jul 3, 2009 at 7:12 PM, Jim March <1.jim.march at gmail.com> wrote:
> >>
> >> Sigh.  OK, I've got all the IP/router stuff done.  Kewl.  Now to give
> >> it some password security!
> >>
> >> First thing I tried was the security settings within Zoneminder.
> >> Looked good, got to where login was needed for user "admin" on a
> >> password I set, cool, except couldn't see any images anymore - local
> >> or remote.  Checked the security restrictions on user "admin", it's
> >> supposed to have all possible rights per the ZM management screens.
> >> WTF?  Turn off login security in ZM and sure enough, I can see my
> >> cameras again.
> >>
> >> God.  Dammit.
> >>
> >> Well by now I'm convinced that ZM is buggier than an ant farm anyways,
> >> so to heck with it, this thing is running Apache, I oughta be able to
> >> control it there, right?
> >>
> >> Heh.
> >>
> >> I ask about it on TFUG and Matt was kind enough to provide a link to a
> >> decent-looking tutorial on Apache security:
> >>
> >> On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob<matt at mattjacob.com> wrote:
> >> > If you're running Apache as your web server, it's fairly trivial to
> >> > set up HTTP Basic Authentication:
> >> >
> >> > http://httpd.apache.org/docs/2.2/howto/auth.html
> >> >
> >> > Matt
> >>
> >> Ehhhh...it ain't working.
> >>
> >> Hmmmm.  So let's go over what I did, see if I blew it?  (Given I've
> >> never run the back-end to a website EVER, not unlikely...)
> >>
> >> OK, here's exactly what I did:
> >>
> >> 1) I figured out where my web-stuff was sitting (including index.html):
> >> /var/www
> >>
> >> 2) I put a file there name of .htaccess containing:
> >>
> >> ---
> >> AuthType Basic
> >> AuthName "Restricted Files"
> >> # (Following line optional)
> >> AuthBasicProvider file
> >> AuthUserFile /usr/local/apache/passwd/passwords
> >> Require user zmuser
> >> ---
> >>
> >> 3) I made sure the directory /usr/local/apache/passwd/passwords
> >> existed with everybody-can-read-it permissions (only root can write).
> >>
> >> 4) I ran the command:
> >>
> >> sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
> >>
> >> ...and gave it a password DIFFERENT from the user login password (user
> >> is logging into XUbuntu as zmuser and passwords are NOT default).
> >>
> >> And...shouldn't that have done it?  Yet it acts like there's still no
> >> security at all.
> >>
> >> There's directories under /var/www that contain data being served -
> >> should I copy that .htaccess file down into them?
> >>
> >> Note that I don't need separate user access levels for multiple
> >> users...there's just the shop owner going to use this.
> >>
> >> Thanks!
> >>
> >> Jim
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> >
> >
> > --
> > (503)754-4452 wiki.obnosis.com
> > scientology.obnosis.com
> >
> >
> >
> >
> >
> >
>



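The two `<Files .htaccess>` blocks argued over above differ only in the `order` line, and Apache 2.2's `Order`/`Allow`/`Deny` semantics are easy to misread. The script below is an added example written for this archive page; it is not Apache code and not code from either poster. It models mod_access_compat's evaluation rules in Python and runs both posted blocks (reconstructed here as constructed rule lists) against a few made-up client addresses. One caveat worth stating plainly: a `<Files .htaccess>` section governs only requests for a file literally named `.htaccess`, so it decides whether a browser can download that file, not who may reach the directory; directory access is what the `AuthType`/`AuthUserFile`/`Require` lines inside the .htaccess body control. In Apache 2.4 the `Order`/`Allow`/`Deny` directives live in mod_access_compat and the native replacement is `Require ip ...` / `Require all denied`.

```python
"""Evaluate Apache 2.2 mod_access_compat Order/Allow/Deny rules for a client IP.

Added illustration for the PLUG thread on .htaccess protection; it is not
Apache source. The two rule sets below are constructed from the
<Files .htaccess> blocks posted in the thread.
"""
import ipaddress

# Jim's block: Order Allow,Deny with no Allow lines, so every client is refused.
JIM_RULES = [
    ("order", "allow,deny"),
    ("deny", "from all"),
]
# Lisa's block: Order Deny,Allow with an Allow for a LAN and one public address.
LISA_RULES = [
    ("order", "deny,allow"),
    ("deny", "from all"),
    ("allow", "from 192.168.1.0/24"),
    ("allow", "from 74.183.9.76"),
]


def host_matches(spec, client_ip):
    """Return True if one Allow/Deny host spec matches client_ip.

    Handles the forms seen in the thread: 'all', a single IP, CIDR
    notation (a.b.c.d/n) and a partial dotted prefix such as '192.168.1'.
    Hostname specs (which Apache resolves via reverse DNS) are not modelled.
    """
    if spec.lower() == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    try:
        return addr == ipaddress.ip_address(spec)
    except ValueError:
        # Partial address: Apache treats '192.168.1' as 192.168.1.*
        return client_ip.startswith(spec.rstrip(".") + ".")


def evaluate(rules, client_ip):
    """Apply Apache 2.2 Order semantics; return True if access is allowed.

    Order Allow,Deny: default deny; the client must match an Allow and
                      must not match any Deny.
    Order Deny,Allow: default allow; the client is refused only if it
                      matches a Deny and matches no Allow.
    """
    order = "deny,allow"  # Apache's default when no Order line is present
    allow_specs, deny_specs = [], []
    for directive, arg in rules:
        name = directive.lower()
        if name == "order":
            order = arg.replace(" ", "").lower()
        elif name in ("allow", "deny"):
            words = arg.split()
            if not words or words[0].lower() != "from":
                raise ValueError(f"expected '{directive} from ...', got {arg!r}")
            (allow_specs if name == "allow" else deny_specs).extend(words[1:])
    allowed = any(host_matches(s, client_ip) for s in allow_specs)
    denied = any(host_matches(s, client_ip) for s in deny_specs)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return (not denied) or allowed
    raise ValueError(f"unsupported Order {order!r}")


def access_table(rules, clients):
    """Map each client IP to True (allowed) or False (denied) for one rule set."""
    return {ip: evaluate(rules, ip) for ip in clients}


if __name__ == "__main__":
    # Constructed client addresses: one on the LAN Lisa allowed, the single
    # public address she allowed, and an unrelated outside host.
    clients = ["192.168.1.5", "74.183.9.76", "8.8.8.8"]
    for label, rules in (("Jim's <Files .htaccess>", JIM_RULES),
                         ("Lisa's <Files .htaccess>", LISA_RULES)):
        print(label)
        for ip, ok in access_table(rules, clients).items():
            print(f"  {ip:>15}  {'allow' if ok else 'deny'}")
```

Run it and Jim's block refuses every address, which for a file named `.htaccess` is the usual hardening (nobody should be able to fetch your password-file path over HTTP); Lisa's block lets the LAN and one public address download the file and refuses everyone else. Neither block affects whether those clients can see the camera pages, which is decided by the Basic-auth directives in the .htaccess body.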