Well now it's an Apache security rodeo...

Lisa Kachold lisakachold at obnosis.com
Sat Jul 4 00:52:01 MST 2009


On Fri, Jul 3, 2009 at 11:41 PM, Bob Elzer <bob.elzer at gmail.com> wrote:

>  You might want to try installing webmin.   http://www.webmin.com/
>
> It makes it easier to maintain your apache config file, webmin knows where
> the files are for the different distros, so it will edit the correct ones
> for you.
>
Webmin is a way to break things really badly and might require more work
than just configuring and learning Apache right.

The version of his webserver documents will be all he needs.
Webmin also has a great many security issues if not installed right.

>
>
>
>  ------------------------------
> *From:* plug-discuss-bounces at lists.plug.phoenix.az.us [mailto:
> plug-discuss-bounces at lists.plug.phoenix.az.us] *On Behalf Of *Lisa Kachold
> *Sent:* Friday, July 03, 2009 11:32 PM
> *To:* Main PLUG discussion list
> *Subject:* Re: Well now it's an Apache security rodeo...
>
>
>
> On Fri, Jul 3, 2009 at 8:03 PM, Jim March <1.jim.march at gmail.com> wrote:
>
>> On Fri, Jul 3, 2009 at 7:49 PM, Lisa Kachold<lisakachold at obnosis.com>
>> wrote:
>> > Verify your server will allow .htaccess file overrides:
>> >
>> > # locate httpd.conf
>> > # vi /etc/httpd/conf/httpd.conf (or wherever it is)
>> >
>> > <beware some versions of apache/apache2 use include files rather than
>> > place Directory configuration in httpd.conf>
>>
>> Well I found the file (just one) but it's zero bytes...?
>
>
> YOU must have either an httpd.conf or an apache.conf file in a ServerRoot
> directory. (Usually /etc/apache or /etc/httpd/)
> It could also be servername.conf check your /etc/init.d/httpd file or
> /etc/rc.local (wherever it's started from) and version.
> What is your version of Apache?
>
> Your DocumentRoot is going to be /var/www/ and you must have a <Directory
> entry for it!
>
> That directory entry must have the statement "AllowOverride All" like
> below:
>
>>
>>
>> > 1) Directory
>> > Find your section with the <Directory > tag and add "AllowOverride All"
>> >
>> > <Directory /var/www/html/htaccess-enabled>
>> >     Options FollowSymLinks
>> >     AllowOverride All
>> >
>> > </Directory>
>> >
>> > Refs: http://httpd.apache.org/docs/1.3/mod/core.html#allowoverride
>> >
>> > http://www.sitedeveloper.ws/tutorials/htaccess.htm
>>
>> OK, done, about to reboot...but first...
>>
>> > 2) Security
>> >
>> > Should be fine, but check out this post:
>> >
>> > http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
>>
>> Ah.  'Kay, just for starters I added:
>>
>
> That denies everyone!
>
>>
>> ---
>> # secure htaccess file
>> <Files .htaccess>
>>  order allow,deny
>>  deny from all
>> </Files>
>> ---
>>
> # secure htaccess file
> # Enter htpasswd information and auth stuff here
> <Files .htaccess>
>  order deny,allow
>  deny from all
>  allow from 192.168.1.0/24
>  allow from 74.183.9.76
> </Files>
>
>
>>
>> ALSO: should I assume that an .htaccess file at /var/www will also
>> control access to, say, /var/www/events?
>
> No, that .htaccess file is not hierarchical since it's not set up in your
> configuration globally, just for the directory.
> <Note in your first htpasswd file you had a path and directory that were
> being protected, you would use the same syntax.> Experiment to learn.
> You can have a <Directory > entry for each of your areas in your
> httpd(apache)conf files.
>
>>
>>
>> THANKS!
>>
>> Jim
>
> Sure anytime.  Email me off list or call or whatever you need.
>
>>
>>
>> > 3) Restart
>> >
>> > # apachectl restart
>> >
>> > On Fri, Jul 3, 2009 at 7:12 PM, Jim March <1.jim.march at gmail.com>
>> wrote:
>> >>
>> >> Sigh.  OK, I've got all the IP/router stuff done.  Kewl.  Now to give
>> >> it some password security!
>> >>
>> >> First thing I tried was the security settings within Zoneminder.
>> >> Looked good, got to where login was needed for user "admin" on a
>> >> password I set, cool, except couldn't see any images anymore - local
>> >> or remote.  Checked the security restrictions on user "admin", it's
>> >> supposed to have all possible rights per the ZM management screens.
>> >> WTF?  Turn off login security in ZM and sure enough, I can see my
>> >> cameras again.
>> >>
>> >> God.  Dammit.
>> >>
>> >> Well by now I'm convinced that ZM is buggier than an ant farm anyways,
>> >> so to heck with it, this thing is running Apache, I oughta be able to
>> >> control it there, right?
>> >>
>> >> Heh.
>> >>
>> >> I ask about it on TFUG and Matt was kind enough to provide a link to a
>> >> decent-looking tutorial on Apache security:
>> >>
>> >> On Fri, Jul 3, 2009 at 4:57 PM, Matt Jacob<matt at mattjacob.com> wrote:
>> >> > If you're running Apache as your web server, it's fairly trivial to
>> >> > set up HTTP Basic Authentication:
>> >> >
>> >> > http://httpd.apache.org/docs/2.2/howto/auth.html
>> >> >
>> >> > Matt
>> >>
>> >> Ehhhh...it ain't working.
>> >>
>> >> Hmmmm.  So let's go over what I did, see if I blew it?  (Given I've
>> >> never run the back-end to a website EVER, not unlikely...)
>> >>
>> >> OK, here's exactly what I did:
>> >>
>> >> 1) I figured out where my web-stuff was sitting (including index.html):
>> >> /var/www
>> >>
>> >> 2) I put a file there name of .htaccess containing:
>> >>
>> >> ---
>> >> AuthType Basic
>> >> AuthName "Restricted Files"
>> >> # (Following line optional)
>> >> AuthBasicProvider file
>> >> AuthUserFile /usr/local/apache/passwd/passwords
>> >> Require user zmuser
>> >> ---
>> >>
>> >> 3) I made sure the directory /usr/local/apache/passwd/passwords
>> >> existed with everybody-can-read-it permissions (only root can write).
>> >>
>> >> 4) I ran the command:
>> >>
>> >> sudo htpasswd -c /usr/local/apache/passwd/passwords zmuser
>> >>
>> >> ...and gave it a password DIFFERENT from the user login password (user
>> >> is logging into XUbuntu as zmuser and passwords are NOT default).
>> >>
>> >> And...shouldn't that have done it?  Yet it acts like there's still no
>> >> security at all.
>> >>
>> >> There's directories under /var/www that contain data being served -
>> >> should I copy that .htaccess file down into them?
>> >>
>> >> Note that I don't need separate user access levels for multiple
>> >> users...there's just the shop owner going to use this.
>> >>
>> >> Thanks!
>> >>
>> >> Jim
>> >> ---------------------------------------------------
>> >> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> >> To subscribe, unsubscribe, or to change your mail settings:
>> >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>> >
>> >
>> >
>> > --
>> > (503)754-4452 wiki.obnosis.com
>> > scientology.obnosis.com
>> >
>> >
>> >
>> >
>> >



-- 
(503)754-4452 wiki.obnosis.com
scientology.obnosis.com
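Added example (written for this archive page, not code from the thread or from Apache): it resolves the AllowOverride value that applies to a directory from the `<Directory>` blocks in a config, which is what decides whether an .htaccess carrying AuthType/AuthUserFile/Require, like the one placed in /var/www above, is read at all. It assumes a plain-text httpd.conf with any Include files already inlined, literal (non-wildcard) directory paths, and a default of None when no block sets AllowOverride (httpd 2.4's default; 2.2 defaulted to All).

```python
import re
from posixpath import normpath

# Constructed sample config, modelled on the snippets quoted in the thread.
SAMPLE_CONF = """
<Directory />
    AllowOverride None
</Directory>
<Directory /var/www/html/htaccess-enabled>
    Options FollowSymLinks
    AllowOverride All
</Directory>
<Directory /var/www/events>
    AllowOverride AuthConfig Limit
</Directory>
"""

_BLOCK = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>',
                    re.IGNORECASE | re.DOTALL)
_OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$',
                       re.IGNORECASE | re.MULTILINE)

def directory_blocks(conf):
    """Map each <Directory> path to its AllowOverride tokens (None if unset)."""
    blocks = {}
    for path, body in _BLOCK.findall(conf):
        m = _OVERRIDE.search(body)
        blocks[normpath(path)] = m.group(1).split() if m else None
    return blocks

def effective_allow_override(conf, target):
    """Walk the <Directory> blocks enclosing `target` from least to most
    specific; each block that sets AllowOverride replaces the inherited value.
    Assumed default when nothing matches: None (httpd 2.4 behaviour)."""
    target = normpath(target)
    tokens = ["None"]
    for path, t in sorted(directory_blocks(conf).items(), key=lambda kv: len(kv[0])):
        if target == path or target.startswith(path.rstrip("/") + "/"):
            if t is not None:
                tokens = t
    return tokens

def htaccess_auth_honored(conf, target):
    """True if an .htaccess carrying AuthType/AuthUserFile/Require in `target`
    would be read; those directives need AuthConfig (or All) to be permitted."""
    tokens = {t.lower() for t in effective_allow_override(conf, target)}
    return "all" in tokens or "authconfig" in tokens
```

Run against a real config (after inlining Includes) with the DocumentRoot as `target`; a result of False for /var/www is the silent-ignore symptom described in the thread.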

