You might want to try installing webmin. http://www.webmin.com/

It makes it easier to maintain your apache config file, webmin knows where the files are for the different distros, so it will edit the correct ones for you.

_____

From: plug-discuss-bounces@lists.plug.phoenix.az.us [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Lisa Kachold
Sent: Friday, July 03, 2009 11:32 PM
To: Main PLUG discussion list
Subject: Re: Well now it's an Apache security rodeo...

On Fri, Jul 3, 2009 at 8:03 PM, Jim March <1.jim.march@gmail.com> wrote:

On Fri, Jul 3, 2009 at 7:49 PM, Lisa Kachold wrote:
> Verify your server will allow .htaccess file overrides:
>
> # locate httpd.conf
> # vi /etc/httpd/conf/httpd.conf (or wherever it is)
>
> Directory configuration in httpd.conf
>

Well I found the file (just one) but it's zero bytes...?

YOU must have either a httpd.conf or an apache.conf file in a ServerRoot directory. (Usually /etc/apache or /etc/httpd/) It could also be servername.conf check your /etc/init.d/httpd file or /etc/rc.local (wherever it's started from) and version. What is your version of Apache?

Your DocumentRoot is going to be /var/www/ and you must have a

1) Directory
> Find your section with the tag and add "AllowOverride All"
>
>
> Options FollowSymLinks
> AllowOverride All
>
>
>
> Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
>
> http://www.sitedeveloper.ws/tutorials/htaccess.htm

OK, done, about to reboot...but first...

> 2) Security
>
> Should be fine, but check out this post:
>
> http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/

Ah. 'Kay, just for starters I added:

That denies everyone!

---
# secure htaccess file
order allow,deny
deny from all
---

# secure htaccess file
# Enter htpasswd information and auth stuff here
order deny,allow
deny from all
allow from 192.168.1.0/24
allow from 74.183.9.76

ALSO: should I assume that an .htaccess file at /var/www will also control access to, say, /var/www/events?

No, that .htaccess file is not hierarchical since it's not set up in your configuration globally, just for the directory. Experiment to learn. You can have a entry for each of your areas in your httpd(apache)conf files.

THANKS!

Jim

Sure anytime. Email me off list or call or whatever you need.

> 3) Restart
>
> # apachectl restart
>
> On Fri, Jul 3, 2009 at 7:12 PM, Jim March <1.jim.march@gmail.com> wrote:
>>
>> Sigh. OK, I've got all the IP/router stuff done. Kewl. Now to give
>> it some password security!
>>
>> First thing I tried was the security settings within Zoneminder.
>> Looked good, got to where login was needed for user "admin" on a
>> password I set, cool, except couldn't see any images anymore - local
>> or remote. Checked the security restrictions on user "admin", it's
>> supposed to have all possible rights per the ZM management screens.
>> WTF? Turn off login security in ZM and sure enough, I can see my
>> cameras again.
>>
>> God. Dammit.
>>
>> Well by now I'm convinced that ZM is buggier than an ant farm anyways,
>> so to heck with it, this thing is running Apache, I oughta be able to
>> control it there, right?
>>
>> Heh.
>>
>> I ask about it on TFUG and Matt was kind enough to provide a link to a
>> decent-looking tutorial on Apache security:
>>
>> On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob wrote:
>> > If you're running Apache as your web server, it's fairly trivial to
>> > set up HTTP Basic Authentication:
>> >
>> > http://httpd.apache.org/docs/2.2/howto/auth.html
>> >
>> > Matt
>>
>> Ehhhh...it ain't working.
>>
>> Hmmmm. So let's go over what I did, see if I blew it? (Given I've
>> never run the back-end to a website EVER, not unlikely...)
>>
>> OK, here's exactly what I did:
>>
>> 1) I figured out where my web-stuff was sitting (including index.html):
>> /var/www
>>
>> 2) I put a file there name of .htaccess containing:
>>
>> ---
>> AuthType Basic
>> AuthName "Restricted Files"
>> # (Following line optional)
>> AuthBasicProvider file
>> AuthUserFile /usr/local/apache/passwd/passwords
>> Require user zmuser
>> ---
>>
>> 3) I made sure the directory /usr/local/apache/passwd/passwords
>> existed with everybody-can-read-it permissions (only root can write).
>>
>> 4) I ran the command:
>>
>> sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
>>
>> ...and gave it a password DIFFERENT from the user login password (user
>> is logging into XUbuntu as zmuser and passwords are NOT default).
>>
>> And...shouldn't that have done it? Yet it acts like there's still no
>> security at all.
>>
>> There's directories under /var/www that contain data being served -
>> should I copy that .htaccess file down into them?
>>
>> Note that I don't need separate user access levels for multiple
>> users...there's just the shop owner going to use this.
>>
>> Thanks!
>>
>> Jim
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> (503)754-4452 wiki.obnosis.com
> scientology.obnosis.com
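
The check Lisa describes in the thread (whether the server allows .htaccess overrides for the directory) can be scripted. The sketch below is an added example, not code from the thread or from the Apache project; the function names and the httpd.conf text are constructed for illustration, and it handles plain-path `<Directory>` sections only (no regex or wildcard forms).

```python
import re
from pathlib import PurePosixPath

# Override class of each .htaccess directive that appears in the thread.
DIRECTIVE_CLASS = dict.fromkeys(("order", "allow", "deny"), "limit")
DIRECTIVE_CLASS.update(dict.fromkeys(
    ("authtype", "authname", "authuserfile", "authbasicprovider", "require"), "authconfig"))
SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)

def effective_allowoverride(conf_text, target):
    """AllowOverride tokens (lower-cased) in force for `target`, or None if unset."""
    target, found = PurePosixPath(target), []
    for path, body in SECTION.findall(conf_text):
        base = PurePosixPath(path)
        if target == base or base in target.parents:
            for line in body.splitlines():
                words = line.lower().split()
                if words[:1] == ["allowoverride"]:
                    found.append((len(base.parts), words[1:]))
    # httpd merges sections shortest path first, so the longest match wins.
    return sorted(found, key=lambda f: f[0])[-1][1] if found else None

def htaccess_outcome(conf_text, directory, htaccess_text):
    """What httpd does with an .htaccess in `directory`; "ignored" = never read."""
    allowed = effective_allowoverride(conf_text, directory)
    if allowed is None:
        return "version-default"  # unset: All before httpd 2.3.9, None from then on
    if allowed in (["none"], ["all"]):
        return "ignored" if allowed == ["none"] else "honoured"
    words = [l.split()[0].lower() for l in htaccess_text.splitlines() if l.strip()]
    needed = {DIRECTIVE_CLASS[w] for w in words if w in DIRECTIVE_CLASS}
    return "honoured" if needed <= set(allowed) else "error-500"

# Constructed httpd.conf ({} = AllowOverride value under test) and the thread's .htaccess.
CONF = """<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/>
    AllowOverride {}
</Directory>
"""
HTACCESS = """AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
Require user zmuser
"""
for value in ("None", "AuthConfig", "All"):
    print(value, "->", htaccess_outcome(CONF.format(value), "/var/www", HTACCESS))
```

`AllowOverride AuthConfig` is enough for the Basic-auth file; the `order`/`deny`/`allow` lines from the thread additionally need `Limit`, and without it httpd answers requests for that directory with a 500 error.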