Apache Security: Step 1

Apache Server and Security

This article was written for newbies like me who need help with Apache on Linux, specifically Fedora Core 4 (FC4). Apache is, without a doubt, the most widely used web server on the internet today. Apache is also open source software. "Open source" does not refer to price; it means the source code is published, so anyone can inspect it, tune it and, if they are able, improve it. With Apache on Linux it becomes very affordable to run your own web server. However, along with the wide use of Apache comes the need for security.

Authentication is any process by which you verify that someone is who they claim to be. This usually involves a username and a password, but it can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition or fingerprints. Authorization is the separate decision about whether an authenticated user may see a particular resource; in Apache the Require directive makes that decision. In my own exploration of Apache and its security I found it very easy to allow access only to certain users. Let's explore Apache. For more information about Apache and the directives used in the .htaccess file, visit the official Apache web site (httpd.apache.org).

Part one of this series shows how to protect a folder, limit access to that folder to a single user, and have Apache prompt for a username and password. This is the most basic level of security you can establish, but it is well worth the effort. There are more advanced techniques for different levels of security, and we will discuss them as we accomplish each step. As I began studying Apache's security, a lot of the information I read did not make sense at first, but it started falling into place once I began using it.

The first thing we need to do is create a folder we can use as a test folder. You need a general understanding of users on Linux. In this article we are using FC4, a user named 'neo' and a folder called 'matrix'.

Two things about the .htaccess file itself. If you upload it with FTP, transfer it in ASCII mode, not BINARY. Its permissions should be 644 (rw-r--r--), which lets the server read it. File permissions are not what stops a browser from downloading it, though: Apache's stock httpd.conf contains a <Files ~ "^\.ht"> block that denies access to any file whose name begins with .ht, and that is what keeps your .htaccess (and any .htpasswd left under the web root) from being served. Check that the block is still present. Apache also ignores authentication directives in .htaccess unless the <Directory> block covering that folder in httpd.conf has AllowOverride AuthConfig (or All). The stock FC4 httpd.conf sets AllowOverride None for /var/www/html, so change that first and restart httpd, or nothing below will take effect.

We will type the lines below into a file using a text editor in FC4 and save it as .htaccess in the folder called matrix, for example /var/www/html/morganswebworks/matrix/.htaccess:

    AuthType Basic
    AuthName "Follow the White Rabbit"
    AuthUserFile /usr/local/apache/passwds/.htpasswd
    Require user neo

The authentication type is Basic. The phrase "Follow the White Rabbit" is displayed in the password pop-up box where the user types their credentials. AuthUserFile names the file where the passwords are stored, hashed, and where Apache will look them up; we create it with htpasswd later on. Finally, Require user neo means that neo is the only user allowed in, even though other users may have entries in the same password file. Usernames are case-sensitive, so the name here must match the one in the password file exactly.

The next time you load a file from that directory, the familiar username/password dialog box pops up and you must enter a valid username and password before you are permitted to proceed. Directives placed in .htaccess files take effect immediately, because .htaccess files are parsed each time a file is served.

Instead of listing the specific users you want to grant access, you can let in any user who has an entry in the password file. This is done with the valid-user keyword:

    AuthType Basic
    AuthName "Follow the White Rabbit"
    AuthUserFile /usr/local/apache/passwds/.htpasswd
    Require valid-user

As mentioned earlier, you must create the password file. Apache's htpasswd utility does this for you; you only need to decide where to put the file. Access to this file must be limited to the server alone, and it should live outside the web root. A good place is a directory such as /usr/local/apache/passwds. Create the directory if it does not exist, then have htpasswd create the file and add the first user:

    # mkdir -p /usr/local/apache/passwds
    # htpasswd -c /usr/local/apache/passwds/.htpasswd neo

htpasswd prompts twice for neo's password and writes the hashed value to the file. The -c option creates the password file. If you have already created a password file and are now adding another user, do not use -c: if you do, you create a new, empty password file and all of your previous entries are erased.

    # htpasswd /usr/local/apache/passwds/.htpasswd morpheus

The password is stored in the file in hashed form, so that other users on the system cannot read the file and immediately learn everyone's passwords. Nevertheless, you should store the file in as secure a location as possible, with the minimum permissions that still let the web server read it. For example, if your server is configured to run as user nobody and group nogroup, set the ownership and permissions so that only the web server can read the file and only root can write to it:

    # chown root:nogroup /usr/local/apache/passwds/.htpasswd
    # chmod 640 /usr/local/apache/passwds/.htpasswd

On FC4 the httpd package runs the server as user and group apache, so use apache as the group there.

One caveat about Basic authentication: the browser sends the username and password with every request, base64-encoded but otherwise in the clear, so anyone who can watch the network traffic can read them. Use it over HTTPS (mod_ssl) for anything that matters.

This wraps up basic authentication using .htaccess files. Contrary to popular belief, the Apache documentation recommends not using .htaccess files at all if you have root access to your web server: put the same directives in a <Directory> block in httpd.conf instead. That is faster, because Apache does not have to look for and parse .htaccess files in every directory on every request, and it is more secure, because users who can write to the web tree cannot change the access rules. We will explore that and other options in Part 2.
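To make concrete what Apache does with the two files above, here is an added example in Python; it is not code from the original article or from the Apache project. It re-implements the $apr1$ (Apache MD5) password format that htpasswd -m writes, parses a password file, decodes the Basic Authorization header a browser sends, and applies a Require user or Require valid-user rule the way the .htaccess above does. The usernames, passwords and salts are constructed for the demo, not taken from any real password file.

```python
# Added example (not from the article or Apache): emulate mod_auth_basic
# against an .htpasswd file in the $apr1$ format written by `htpasswd -m`.
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """APR's base-64 variant: `count` 6-bit groups, least significant first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))


def apr1_hash(password: str, salt: str) -> str:
    """Return the $apr1$<salt>$<hash> string htpasswd -m stores.

    Mirrors apr_md5_encode(): MD5 stretched over 1000 rounds that mix the
    password and salt, so a stolen .htpasswd is slower to brute-force.
    """
    pw = password.encode()
    sl = salt[:8].encode()                      # APR uses at most 8 salt chars
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):           # feed alt once per 16 pw bytes
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                    # bit pattern of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                       # the stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final
    encoded = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
               + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
               + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
               + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
               + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
               + _to64(f[11], 2))
    return f"$apr1${sl.decode()}${encoded}"


def verify_apr1(stored: str, candidate: str) -> bool:
    """Constant-time check of `candidate` against a stored $apr1$ entry."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(candidate, parts[2]), stored)


def parse_htpasswd(text: str) -> dict:
    """One user:hash per line, as htpasswd writes it."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, entry = line.partition(":")
            users[user] = entry
    return users


def decode_basic_header(header: str):
    """Recover (user, password) from 'Basic <base64>'; None if malformed.

    Base64 is an encoding, not encryption: anyone who sees the request can
    do this, which is why Basic auth belongs behind TLS.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode()
    except ValueError:                          # bad base64 or bad UTF-8
        return None
    user, _, password = raw.partition(":")
    return user, password


def basic_header(user: str, password: str) -> str:
    """The header a browser sends after the password dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(htpasswd_text: str, header: str, require: str) -> bool:
    """AuthType Basic + AuthUserFile + `Require <require>` as one decision.

    `require` is the argument to Require: "valid-user" or "user neo morpheus".
    Authentication (right password?) first; authorization (on the list?) next.
    """
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    users = parse_htpasswd(htpasswd_text)
    if user not in users or not verify_apr1(users[user], password):
        return False
    words = require.split()
    if words == ["valid-user"]:
        return True
    return words[0] == "user" and user in words[1:]


# Constructed sample of what `htpasswd -m` would have written for the two
# users in the article; salts fixed here so the demo is repeatable.
SAMPLE_HTPASSWD = "\n".join([
    "neo:" + apr1_hash("redpill", "wHtRbbt1"),
    "morpheus:" + apr1_hash("nebuchadnezzar", "Zi0n2199"),
])

if __name__ == "__main__":
    print(SAMPLE_HTPASSWD)
    hdr = basic_header("morpheus", "nebuchadnezzar")
    print("morpheus, Require user neo:", authorize(SAMPLE_HTPASSWD, hdr, "user neo"))
    print("morpheus, Require valid-user:", authorize(SAMPLE_HTPASSWD, hdr, "valid-user"))
    print("header reveals:", decode_basic_header(hdr))
```

Running the file prints the two generated entries and then shows the point of Require user: morpheus's correct password gets him past authentication but not past a rule that names only neo, while Require valid-user lets him in. The last line shows why the TLS caveat above matters: decode_basic_header recovers the cleartext credentials from the header with nothing more than a base64 decode.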