RE: Well now it's an Apache security rodeo...

Author: Bob Elzer
Date:  
To: 'Main PLUG discussion list'
Subject: RE: Well now it's an Apache security rodeo...
You might want to try installing webmin. http://www.webmin.com/

It makes it easier to maintain you apache config file, webmin knows where
the files are for the different distros, so it will edit the correct ones
for you.



_____

From: [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Lisa Kachold
Sent: Friday, July 03, 2009 11:32 PM
To: Main PLUG discussion list
Subject: Re: Well now it's an Apache security rodeo...




On Fri, Jul 3, 2009 at 8:03 PM, Jim March <> wrote:


On Fri, Jul 3, 2009 at 7:49 PM, Lisa Kachold<> wrote:
> Verify your server will allow .htaccess file overrides:
>
> # locate httpd.conf
> # vi /etc/httpd/conf/httpd.conf (or whereever it is)
>
> <beware some versions of apache/apache2 use include files rather than place
> Directory configuration in httpd.conf>



Well I found the file (just one) but it's zero bytes...?


YOU must have either an httpd.conf or an apache.conf file in a ServerRoot
directory (usually /etc/apache or /etc/httpd/).
It could also be servername.conf; check your /etc/init.d/httpd file or
/etc/rc.local (wherever it's started from) and version.
What is your version of Apache?

Your DocumentRoot is going to be /var/www/ and you must have a <Directory>
entry for it!

That directory entry must have the statement "AllowOverride All" like below:





> 1) Directory
> Find your section with the <Directory > tag and add "AllowOverride All"
>
> <Directory /var/www/html/htaccess-enabled>
>     Options FollowSymLinks
>     AllowOverride All
>
> </Directory>
>
> Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
>
> http://www.sitedeveloper.ws/tutorials/htaccess.htm



OK, done, about to reboot...but first...


> 2) Security
>
> Should be fine, but check out this post:
>
> http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/



Ah. 'Kay, just for starters I added:

---
# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
---

That denies everyone!

# secure htaccess file
# Enter htpasswd information and auth stuff here
<Files .htaccess>
order deny,allow
deny from all
allow from 192.168.1.0/24
allow from 74.183.9.76
</Files>



ALSO: should I assume that an .htaccess file at /var/www will also
control access to, say, /var/www/events?

No, that .htaccess file is not hierarchical since it's not set up in your
configuration globally, just for the directory.
<Note in your first htpasswd file you had a path and directory that were
being protected; you would use the same syntax.> Experiment to learn.
You can have a <Directory> entry for each of your areas in your
httpd (apache) conf files.




THANKS!

Jim

Sure anytime. Email me off list or call or whatever you need.





> 3) Restart
>
> # apachectl restart
>
> On Fri, Jul 3, 2009 at 7:12 PM, Jim March <> wrote:
>>
>> Sigh. OK, I've got all the IP/router stuff done. Kewl. Now to give
>> it some password security!
>>
>> First thing I tried was the security settings within Zoneminder.
>> Looked good, got to where login was needed for user "admin" on a
>> password I set, cool, except couldn't see any images anymore - local
>> or remote. Checked the security restrictions on user "admin", it's
>> supposed to have all possible rights per the ZM management screens.
>> WTF? Turn off login security in ZM and sure enough, I can see my
>> cameras again.
>>
>> God. Dammit.
>>
>> Well by now I'm convinced that ZM is buggier than an ant farm anyways,
>> so to heck with it, this thing is running Apache, I oughta be able to
>> control it there, right?
>>
>> Heh.
>>
>> I ask about it on TFUG and Matt was kind enough to provide a link to a
>> decent-looking tutorial on Apache security:
>>
>> On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob<> wrote:
>> > If you're running Apache as your web server, it's fairly trivial to
>> > set up HTTP Basic Authentication:
>> >
>> > http://httpd.apache.org/docs/2.2/howto/auth.html
>> >
>> > Matt
>>
>> Ehhhh...it ain't working.
>>
>> Hmmmm. So let's go over what I did, see if I blew it? (Given I've
>> never run the back-end to a website EVER, not unlikely...)
>>
>> OK, here's exactly what I did:
>>
>> 1) I figured out where my web-stuff was sitting (including index.html):
>> /var/www
>>
>> 2) I put a file there named .htaccess containing:
>>
>> ---
>> AuthType Basic
>> AuthName "Restricted Files"
>> # (Following line optional)
>> AuthBasicProvider file
>> AuthUserFile /usr/local/apache/passwd/passwords
>> Require user zmuser
>> ---
>>
>> 3) I made sure the directory /usr/local/apache/passwd/passwords
>> existed with everybody-can-read-it permissions (only root can write).
>>
>> 4) I ran the command:
>>
>> sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
>>
>> ...and gave it a password DIFFERENT from the user login password (user
>> is logging into XUbuntu as zmuser and passwords are NOT default).
>>
>> And...shouldn't that have done it? Yet it acts like there's still no
>> security at all.
>>
>> There are directories under /var/www that contain data being served -
>> should I copy that .htaccess file down into them?
>>
>> Note that I don't need separate user access levels for multiple
>> users...there's just the shop owner going to use this.
>>
>> Thanks!
>>
>> Jim
>> ---------------------------------------------------
>> PLUG-discuss mailing list -
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>
> --
> (503)754-4452 wiki.obnosis.com
> scientology.obnosis.com
>
>
>
>
>

--
(503)754-4452 wiki.obnosis.com
scientology.obnosis.com
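Added example, not part of the thread: a small Python model of the Apache 2.2 `Order` / `Allow from` / `Deny from` evaluation, run against the two `<Files .htaccess>` blocks quoted above, so the effect of an access-control block on a given visitor can be checked before it goes live. It handles only `all`, single IPs and CIDR ranges (the forms used in the thread); the probe addresses are constructed.

```python
# Added example (not from the thread): evaluates Apache 2.2-style
# "Order" / "Allow from" / "Deny from" host access control for a client
# address, so you can see which visitors a <Files .htaccess> block
# really admits before restarting Apache.
import ipaddress


def _matches(client, rules):
    """True if the client IP matches any rule ('all', an IP, or a CIDR)."""
    ip = ipaddress.ip_address(client)
    for rule in rules:
        if rule == "all":
            return True
        if ip in ipaddress.ip_network(rule, strict=False):
            return True
    return False


def access_allowed(order, allow, deny, client):
    """Apply mod_authz_host (Apache 2.2) semantics.

    Order Allow,Deny: default deny; allowed only if an Allow matches
                      and no Deny matches.
    Order Deny,Allow: default allow; denied only if a Deny matches
                      and no Allow matches.
    """
    order = order.lower().replace(" ", "")
    a, d = _matches(client, allow), _matches(client, deny)
    if order == "allow,deny":
        return a and not d
    if order == "deny,allow":
        return not d or a
    raise ValueError("unknown Order: %r" % order)


# The two <Files .htaccess> blocks from the thread, as (order, allow, deny).
DENY_ALL = ("allow,deny", [], ["all"])
LAN_ONLY = ("deny,allow", ["192.168.1.0/24", "74.183.9.76"], ["all"])


def who_gets_in(policy, clients):
    """Return {client: allowed?} for one (order, allow, deny) policy."""
    order, allow, deny = policy
    return {c: access_allowed(order, allow, deny, c) for c in clients}


if __name__ == "__main__":
    probes = ["192.168.1.20", "74.183.9.76", "8.8.8.8"]  # constructed
    print("allow,deny + deny from all:", who_gets_in(DENY_ALL, probes))
    print("deny,allow + allow from LAN:", who_gets_in(LAN_ONLY, probes))
```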