Phine Solutions web work notes

Authentication using .htaccess

Filed under: security — 1.618 @ 12:39 pm

It is quite easy to set up web server access restrictions using cPanel. cPanel has a "Password Protect Directories" setting for assigning a user name and password to a directory. What this really does is create a password file and reference it from the directory's .htaccess.

Instead of using cPanel, one can always run the process from the command line, which may actually be easier.

Create the passwd file

htpasswd is an Apache utility for creating and updating the flat files that store user names and passwords for HTTP basic authentication. The file holds name and password pairs; the password is never stored in clear, but as a hash produced either by Apache's MD5 variant or by the crypt() system call.

The following command generates a file named passwdfile:

htpasswd -c /home/user/etc/passwdfile admin

This will create a NEW passwdfile and add the user "admin" to it. The command also prompts for the password you wish to give this user.

To add a further user to an existing file, omit the "-c" option; running it again with "-c" would recreate the file and wipe the existing entries.

To remove a user, simply open the password file and delete that user's line.

Modify .htaccess

To put the password protection into effect, add the following lines to the .htaccess file of the directory:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/home/user/etc/passwdfile"
require valid-user

This will allow anyone in the .htpasswd file to have access.

Besides the flat text password file, the Apache documentation also describes alternative password stores in DBM or DBD format.

Group the users

There may be situations with many users who are granted access to different resources. It may then be easier to group the users instead of creating a bunch of password files.

A group file is simply a flat file that lists some user names under a group name. An admin group file (let's call it admingroup) may look like this:

Admin: admin jdoe mjones

And the .htaccess should include the following:

AuthType Basic
AuthName "Admin Group Only"
AuthUserFile "/home/user/etc/passwdfile"
AuthGroupFile "/home/user/etc/admingroup"
Require group Admin


As the AuthType line says, this is really just "basic" authentication: the browser sends the user name and password base64-encoded, not encrypted, with every request, so it only protects anything when the site is served over HTTPS. It is most suitable for a small group of users accessing some resource where there is no need for a more sophisticated authentication method.
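As an added example (not code from the post, and not Apache's own implementation), here is how the two files above interact when Apache evaluates a request: authentication against the password file first, then the Require line. The {SHA} password scheme (what htpasswd -s writes) is used because it is the only Apache scheme the Python standard library can reproduce without extra modules; the user names, passwords and the second "Staff" group are constructed for the demo.

```python
import base64
import hashlib
import hmac


def sha_hash(password: str) -> str:
    """The {SHA} scheme that `htpasswd -s` writes: base64 of the raw SHA-1
    digest, unsalted.  It is the one Apache scheme the standard library can
    reproduce, which is why this demo uses it; real deployments should prefer
    `htpasswd -B` (bcrypt)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_entry(user: str, password: str) -> str:
    """One htpasswd line, e.g. 'admin:{SHA}...'."""
    return f"{user}:{{SHA}}{sha_hash(password)}"


# Constructed sample files (not from the post): three admins plus a user who
# can authenticate but is not in the Admin group.
PASSWD_TEXT = "\n".join([
    make_entry("admin", "correct horse"),
    make_entry("jdoe", "jdoe-pass"),
    make_entry("mjones", "mjones-pass"),
    make_entry("guest", "guest-pass"),
]) + "\n"

GROUP_TEXT = "Admin: admin jdoe mjones\nStaff: guest mjones\n"


def parse_htpasswd(text: str) -> dict:
    """user -> stored hash; the first ':' separates the two fields."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def parse_groups(text: str) -> dict:
    """group -> set of members, from lines of the form 'Group: u1 u2 u3'."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups


def verify_password(stored: str, password: str) -> bool:
    """Compare a candidate against one stored hash in constant time.  Anything
    that is not a {SHA} entry (crypt, $apr1$, $2y$) is rejected, not guessed."""
    if not stored.startswith("{SHA}"):
        return False
    expected = stored[len("{SHA}"):].encode("ascii", "replace")
    return hmac.compare_digest(expected, sha_hash(password).encode("ascii"))


def authorize(users: dict, groups: dict, user: str, password: str, require) -> bool:
    """Apache's two stages: authenticate against AuthUserFile, then apply the
    Require line.  `require` is 'valid-user', or ('group', name) standing for
    'Require group <name>'.  A name listed only in the group file but missing
    from the password file never gets past the first stage."""
    stored = users.get(user)
    if stored is None or not verify_password(stored, password):
        return False                              # 401 from the auth provider
    if require == "valid-user":
        return True
    if isinstance(require, tuple) and require[0] == "group":
        return user in groups.get(require[1], set())
    return False                                  # unknown Require form: deny


def remove_user(text: str, user: str) -> str:
    """The post's 'delete the line' step: drop only entries whose user field
    matches, leaving every other line byte-for-byte intact."""
    return "".join(line for line in text.splitlines(keepends=True)
                   if line.split(":", 1)[0].strip() != user)
```

The point to take from it: "Require group Admin" is a second filter on top of a successful login, so removing someone from the group file keeps them out of the admin area but still lets them pass a plain "Require valid-user" elsewhere; deleting their line from the password file is what revokes access everywhere.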

Setup ssh access using public and private key authentication

Filed under: security — 1.618 @ 10:24 am

If you own a Linux box and use ssh to access it over the internet, chances are it will see unauthorized login attempts or even brute-force attacks. Even if you have a strong password for your account, the constant poking from people or evil bots is a nuisance, to say the least.

Messages like the ones below in /var/log/secure show how annoying they can be:

Nov 25 23:13:21 —- sshd[21529]: input_userauth_request: invalid user test7

Nov 25 18:13:21 —- sshd[21523]: reverse mapping checking getaddrinfo for h63-210-66-233.seed.net.tw failed - POSSIBLE BREAKIN ATTEMPT!

Nov 25 23:13:30 —- sshd[21607]: input_userauth_request: invalid user test8

Nov 25 18:13:30 —- sshd[21602]: reverse mapping checking getaddrinfo for h63-210-66-233.seed.net.tw failed - POSSIBLE BREAKIN ATTEMPT!

To fully use what ssh offers, we should always use public/private key authentication to a *nix box running OpenSSH. Below are the simple steps I used to implement this.

Since I am using PuTTY, the setup and testing were done with putty.exe and puttygen.exe, downloaded from here.

1. Create public and private key pair.

This can be accomplished using PuTTYgen. Once the program is started, click the "Generate" button and keep moving your mouse. You can't be lazy here: the program gathers randomness from the mouse movement and will not proceed until you move it.

Generate public/private key

2. Save the public and private keys

Once the keys are generated, you need to enter a key comment and a private passphrase. The passphrase is tied to your private key, so without it your keys are useless. The public key is plain text, shown in the box. The private key is in binary form and should be stored with a .ppk extension.

3. Place the public key

The public key needs to be stored on the Linux server as $HOME/.ssh/authorized_keys. Since it is plain text, you can copy the key from the previous screen, paste it into an editor on the Linux side and save the file. An IMPORTANT step is to set the right permissions on $HOME, $HOME/.ssh and $HOME/.ssh/authorized_keys so they are not more permissive than sshd allows by default: the directories must not be writable by anyone but the owner, and the key file should be readable and writable only by the current account.

The following commands achieve this:

$ chmod go-w $HOME $HOME/.ssh
$ chmod 600 $HOME/.ssh/authorized_keys

4. Place the private key

In PuTTY, load the private key into your PuTTY session and save the session:

After this step, you should be able to try the newly configured ssh access. This time you should be asked for the passphrase instead of the password. Once this is verified, you can proceed to the next step.

5. Turn off password authentication in OpenSSH

In /etc/ssh/sshd_config there is an option called "PasswordAuthentication"; set it to "no". Note that the stock file usually ships with this line commented out, and a commented line leaves the default of "yes" in force, so uncomment it as well as changing the value.

Restart sshd and you should be running a more secure ssh now.

Even though you are running more securely after these measures, you still can't stop people from scanning port 22 and repeatedly trying to authenticate with lists of user names and passwords. To reduce this kind of noise, you can also change the port sshd listens on. The Port setting is the first parameter in the /etc/ssh/sshd_config file.
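Steps 3 and 5 above, plus the optional port change, as an added Python example that is not from the post: it edits an sshd_config text the way sshd reads it (the first active occurrence of a keyword wins, a commented line counts for nothing) and applies the same permission fixes as the two chmod commands, reporting the resulting modes so they can be checked. The sample config fragment, the throwaway home directory and the key line are constructed for the demo; the option handling assumes a file without Match blocks.

```python
import os
import stat
import tempfile

# Constructed sshd_config fragment (not the post's file).  A stock file ships
# the option commented out, which sshd treats as the default ("yes"), so the
# commented line has to be replaced, not just left alone.
SAMPLE_SSHD_CONFIG = """\
#Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes
"""


def set_sshd_option(text: str, key: str, value: str) -> str:
    """Return the config with exactly one active '<key> <value>' line.
    sshd honours the first active occurrence of a keyword, so the new line
    replaces the first occurrence (active or commented) and any later active
    duplicate is dropped.  Assumes the file has no Match blocks."""
    out, placed = [], False
    for line in text.splitlines():
        body = line.strip()
        words = body.lstrip("#").split()
        if words and words[0].lower() == key.lower():
            if not placed:
                out.append(f"{key} {value}")
                placed = True
            elif body.startswith("#"):
                out.append(line)          # a later commented copy is harmless
            continue                      # a later active duplicate is dropped
        out.append(line)
    if not placed:
        out.insert(0, f"{key} {value}")   # top of file: ahead of any Match block
    return "\n".join(out) + "\n"


def harden_sshd_config(text: str, port=None) -> str:
    """Step 5 of the post (password logins off, key logins on) and, if asked,
    the optional port move."""
    text = set_sshd_option(text, "PasswordAuthentication", "no")
    text = set_sshd_option(text, "PubkeyAuthentication", "yes")
    if port is not None:
        text = set_sshd_option(text, "Port", str(port))
    return text


def active_options(text: str) -> dict:
    """keyword (lower-cased) -> first active value, the way sshd reads it."""
    opts = {}
    for line in text.splitlines():
        words = line.split()
        if words and not words[0].startswith("#"):
            opts.setdefault(words[0].lower(), " ".join(words[1:]))
    return opts


def fix_ssh_perms(home: str) -> dict:
    """Step 3's chmod go-w $HOME $HOME/.ssh and chmod 600 authorized_keys,
    returning the resulting permission bits for each path."""
    ssh_dir = os.path.join(home, ".ssh")
    keys = os.path.join(ssh_dir, "authorized_keys")
    for path in (home, ssh_dir):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
    os.chmod(keys, 0o600)
    return {p: stat.S_IMODE(os.stat(p).st_mode) for p in (home, ssh_dir, keys)}


def demo() -> dict:
    """Build a throwaway home directory with deliberately loose permissions,
    fix it, harden the sample config, and return what a check would look at."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    keys = os.path.join(ssh_dir, "authorized_keys")
    with open(keys, "w") as fh:
        fh.write("ssh-ed25519 AAAA-constructed-placeholder user@laptop\n")
    os.chmod(home, 0o777)            # group/world writable: sshd would refuse
    os.chmod(ssh_dir, 0o775)
    os.chmod(keys, 0o644)
    modes = fix_ssh_perms(home)      # order: home, .ssh, authorized_keys
    hardened = harden_sshd_config(SAMPLE_SSHD_CONFIG, port=2222)
    return {"modes": list(modes.values()), "options": active_options(hardened),
            "config": hardened}


if __name__ == "__main__":
    result = demo()
    print(result["config"])
    print([oct(m) for m in result["modes"]])
```

Run it and the printed config has a single "PasswordAuthentication no" line where the commented stock line used to be, the later active "yes" gone, and the modes come back as 0o755, 0o755 and 0o600. Apply the same edit to the real /etc/ssh/sshd_config only after the key login from step 4 has been verified, and keep the existing session open while restarting sshd so a mistake cannot lock you out.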

writing secure PHP code

Filed under: security — 1.618 @ 10:01 am

This is a great post about writing secure PHP code, along with its part 2. The articles cover pretty much all the points we need to look at to write secure PHP code.

Additionally, this post talks about how attackers can use Google Code Search together with a simple sitemap to gain access to your system.

©phinesolutions.com