Well now it's an Apache security rodeo...

Bob Elzer bob.elzer at gmail.com
Fri Jul 3 23:41:51 MST 2009


You might want to try installing webmin.   http://www.webmin.com/
 
It makes it easier to maintain your Apache config file; webmin knows where
the files are for the different distros, so it will edit the correct ones
for you.
 
 

  _____  

From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Lisa
Kachold
Sent: Friday, July 03, 2009 11:32 PM
To: Main PLUG discussion list
Subject: Re: Well now it's an Apache security rodeo...




On Fri, Jul 3, 2009 at 8:03 PM, Jim March <1.jim.march at gmail.com> wrote:


On Fri, Jul 3, 2009 at 7:49 PM, Lisa Kachold<lisakachold at obnosis.com> wrote:
> Verify your server will allow .htaccess file overrides:
>
> # locate httpd.conf
> # vi /etc/httpd/conf/httpd.conf (or wherever it is)
>
> <beware some versions of apache/apache2 use include files rather than
> place Directory configuration in httpd.conf>


Well I found the file (just one) but it's zero bytes...?


YOU must have either an httpd.conf or an apache.conf file in a ServerRoot
directory (usually /etc/apache or /etc/httpd/).
It could also be servername.conf; check your /etc/init.d/httpd file or
/etc/rc.local (wherever it's started from) and version.
What is your version of Apache?

Your DocumentRoot is going to be /var/www/ and you must have a <Directory
entry for it!

That directory entry must have the statement "AllowOverride All" like below:





> 1) Directory
> Find your section with the <Directory > tag and add "AllowOverride All"
>
> <Directory /var/www/html/htaccess-enabled>
>     Options FollowSymLinks
>     AllowOverride All
>
> </Directory>
>
> Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
>
> http://www.sitedeveloper.ws/tutorials/htaccess.htm


OK, done, about to reboot...but first...


> 2) Security
>
> Should be fine, but check out this post:
>
> http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/


Ah.  'Kay, just for starters I added:



That denies everyone! 



---
# secure htaccess file
<Files .htaccess>
 order allow,deny
 deny from all
</Files>
---


# secure htaccess file
# Enter htpasswd information and auth stuff here
<Files .htaccess>
 order deny,allow
 deny from all
 allow from 192.168.1.0/24
 allow from 74.183.9.76
</Files>
 


ALSO: should I assume that an .htaccess file at /var/www will also
control access to, say, /var/www/events?

No, that .htaccess file is not hierarchical since it's not set up in your
configuration globally, just for the directory.
<Note in your first htpasswd file you had a path and directory that were
being protected; you would use the same syntax.> Experiment to learn.
You can have a <Directory > entry for each of your areas in your
httpd (apache) conf files.




THANKS!

Jim

Sure anytime.  Email me off list or call or whatever you need. 





> 3) Restart
>
> # apachectl restart
>
> On Fri, Jul 3, 2009 at 7:12 PM, Jim March <1.jim.march at gmail.com> wrote:
>>
>> Sigh.  OK, I've got all the IP/router stuff done.  Kewl.  Now to give
>> it some password security!
>>
>> First thing I tried was the security settings within Zoneminder.
>> Looked good, got to where login was needed for user "admin" on a
>> password I set, cool, except couldn't see any images anymore - local
>> or remote.  Checked the security restrictions on user "admin", it's
>> supposed to have all possible rights per the ZM management screens.
>> WTF?  Turn off login security in ZM and sure enough, I can see my
>> cameras again.
>>
>> God.  Dammit.
>>
>> Well by now I'm convinced that ZM is buggier than an ant farm anyways,
>> so to heck with it, this thing is running Apache, I oughta be able to
>> control it there, right?
>>
>> Heh.
>>
>> I ask about it on TFUG and Matt was kind enough to provide a link to a
>> decent-looking tutorial on Apache security:
>>
>> On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob<matt at mattjacob.com> wrote:
>> > If you're running Apache as your web server, it's fairly trivial to
>> > set up HTTP Basic Authentication:
>> >
>> > http://httpd.apache.org/docs/2.2/howto/auth.html
>> >
>> > Matt
>>
>> Ehhhh...it ain't working.
>>
>> Hmmmm.  So let's go over what I did, see if I blew it?  (Given I've
>> never run the back-end to a website EVER, not unlikely...)
>>
>> OK, here's exactly what I did:
>>
>> 1) I figured out where my web-stuff was sitting (including index.html):
>> /var/www
>>
>> 2) I put a file there name of .htaccess containing:
>>
>> ---
>> AuthType Basic
>> AuthName "Restricted Files"
>> # (Following line optional)
>> AuthBasicProvider file
>> AuthUserFile /usr/local/apache/passwd/passwords
>> Require user zmuser
>> ---
>>
>> 3) I made sure the directory /usr/local/apache/passwd/passwords
>> existed with everybody-can-read-it permissions (only root can write).
>>
>> 4) I ran the command:
>>
>> sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
>>
>> ...and gave it a password DIFFERENT from the user login password (user
>> is logging into XUbuntu as zmuser and passwords are NOT default).
>>
>> And...shouldn't that have done it?  Yet it acts like there's still no
>> security at all.
>>
>> There are directories under /var/www that contain data being served -
>> should I copy that .htaccess file down into them?
>>
>> Note that I don't need separate user access levels for multiple
>> users...there's just the shop owner going to use this.
>>
>> Thanks!
>>
>> Jim
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>
> --
> (503)754-4452 wiki.obnosis.com
> scientology.obnosis.com





-- 
(503)754-4452 wiki.obnosis.com
scientology.obnosis.com
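The two things this thread turns on are easy to get backwards: how Apache 2.2 evaluates an "Order allow,deny" versus "Order deny,allow" stanza (which is why Lisa says Jim's first <Files .htaccess> block denies everyone while the second admits only the LAN and one outside host), and what a Basic-auth AuthUserFile plus "Require user" actually checks. The script below is an added example written for this page; it is not code from the thread and not Apache's own code. It models the documented semantics of the Apache 2.2 Order/Allow/Deny directives and of AuthType Basic with a {SHA}-format htpasswd file (the format "htpasswd -s" writes, chosen because its digest is easy to reproduce without the crypt module). The two access stanzas reuse the addresses from Jim's post; the AuthUserFile contents, the user's password "hunter2", and the helper names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed samples (not from the thread). The two <Files .htaccess> stanzas
# Jim posted, reduced to their mod_authz_host directives.
DENY_EVERYONE = "order allow,deny\ndeny from all\n"
LAN_AND_ONE_HOST = (
    "order deny,allow\n"
    "deny from all\n"
    "allow from 192.168.1.0/24\n"
    "allow from 74.183.9.76\n"
)
# A constructed AuthUserFile in the form `htpasswd -s` writes: {SHA} followed by
# base64(sha1(password)). The password for zmuser here is "hunter2".
PASSWD_FILE = "zmuser:{SHA}%s\n" % base64.b64encode(
    hashlib.sha1(b"hunter2").digest()).decode()


def parse_access_block(text):
    """Collect Order / Allow from / Deny from directives (Apache 2.2 syntax)."""
    order, allow, deny = None, [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif name in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if name == "allow" else deny).extend(parts[2:])
        else:
            raise ValueError("unsupported directive: %r" % raw)
    if order not in ("allow,deny", "deny,allow"):
        raise ValueError("Order must be allow,deny or deny,allow")
    return order, allow, deny


def rule_matches(rule, client_ip):
    """'all', a full IPv4 address, a CIDR/netmask network, or a 1-3 octet prefix."""
    if rule.lower() == "all":
        return True
    ip = ipaddress.IPv4Address(client_ip)
    if "/" in rule:
        return ip in ipaddress.IPv4Network(rule, strict=False)
    octets = rule.split(".")
    if len(octets) < 4:  # partial address, e.g. "192.168.1" means 192.168.1.*
        return client_ip.split(".")[:len(octets)] == octets
    return ip == ipaddress.IPv4Address(rule)


def access_granted(block_text, client_ip):
    """Apache 2.2 Order semantics: with allow,deny a Deny overrides an Allow and
    unmatched clients are refused; with deny,allow an Allow overrides a Deny and
    unmatched clients are admitted."""
    order, allow, deny = parse_access_block(block_text)
    allowed = any(rule_matches(r, client_ip) for r in allow)
    denied = any(rule_matches(r, client_ip) for r in deny)
    if order == "allow,deny":
        return allowed and not denied
    return allowed or not denied


def basic_auth_ok(auth_header, htpasswd_text, required_users):
    """Model of AuthType Basic + AuthUserFile + Require user. Only {SHA}
    entries (htpasswd -s) are understood; crypt/MD5 entries are rejected."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    stored = None
    for line in htpasswd_text.splitlines():
        if ":" in line and not line.startswith("#"):
            name, digest = line.split(":", 1)
            if name == user:
                stored = digest
    if stored is None or not stored.startswith("{SHA}"):
        return False
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    # Constant-time digest comparison, then the Require user check.
    return hmac.compare_digest(stored[len("{SHA}"):], expected) and user in required_users


def basic_header(user, password):
    """Build the Authorization header a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


if __name__ == "__main__":
    for ip in ("192.168.1.10", "74.183.9.76", "8.8.8.8"):
        print(ip, access_granted(DENY_EVERYONE, ip), access_granted(LAN_AND_ONE_HOST, ip))
    print(basic_auth_ok(basic_header("zmuser", "hunter2"), PASSWD_FILE, {"zmuser"}))
```

Running it shows the first stanza refusing every address, because under "allow,deny" a client that matches no Allow line is denied before the Deny line is even consulted, while the second stanza admits only 192.168.1.0/24 and 74.183.9.76, because under "deny,allow" a matching Allow overrides the "deny from all". Two caveats the model does not cover: none of this is consulted at all unless the enclosing <Directory> carries "AllowOverride All" (the root cause in this thread), and Apache 2.4 replaced Order/Allow/Deny with "Require ip" and friends in mod_authz_core, keeping the old directives only through mod_access_compat.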




