LinuxQuestions.org > Linux - Security > apache .htaccess file...Is my site safe?
(https://www.linuxquestions.org/questions/linux-security-4/apache-htaccess-file-is-my-site-safe-576354/)

jimbo1708 08-11-2007 09:31 AM

apache .htaccess file...Is my site safe?
 
If I use .htaccess and .htpasswd to control access to the content of a directory for my webserver, am I able to rest fairly easy that it is secured assuming I am using an uncompromised password? Also, is the password transmitted as plain text from client to server??? Thanks.

- Jim

bakfupai 08-11-2007 11:10 AM

Whether the password is sent in plain text or not is not dependent on the apache authentication. It's dependent on whether you use https or not. As for if you can be sure that the apache authentication is uncompromisable, there's obviously no guarantee. Make sure you update your apache often and change password at even intervals.

jimbo1708 08-11-2007 03:55 PM

Thanks bakfupai. Any idea what to look for in apache to make the password encrypted? I know when I run
Code:

htpasswd -c .htpasswd user
It is implied that the -d flag is thrown to force CRYPT encryption. Thanks again.

- Jim

bakfupai 08-12-2007 05:57 AM

I didn't explain it clearly enough. As far as I know, all passwords are encrypted when using htpasswd or htdigest. This means someone can't pull your .htpasswd and just read all your passwords. Not easily anyway, they can still run a dictionary or brute-force attack on it. The best is to prevent someone from pulling the file.

I suggest you look at this:
http://httpd.apache.org/docs/2.2/howto/htaccess.html

Anyway, with HTTPS I mean that you need to start the apache server in SSL mode. This means all connections to and from the server are encrypted. For info on how to implement this, look here:
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

jimbo1708 08-13-2007 07:25 AM

Thank you. This has been really helpful. I am probably going to stick with the .htaccess method because I am thinking https may be a little overkill for what I am looking for. You've been helpful bakfupai.

- Jim

jiml8 08-14-2007 06:17 PM

.htaccess authentication only stops http attempts to access. Does nothing for ftp or ssh.

Capt_Caveman 08-14-2007 08:55 PM

Remember that using the Basic authentication type (mod_auth_basic) sends usernames and passwords in cleartext:
Quote:

From the apache Authentication, Authorization, and Access Control howto:
It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl.
If you want encrypted usernames/passwords use Digest authentication instead.
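Two of the warnings in this thread can be checked mechanically: bakfupai's point that a stolen .htpasswd is only as good as the hash scheme it uses (the `-d` crypt format jimbo1708 mentions truncates passwords to 8 characters and cracks quickly), and Capt_Caveman's point that Basic auth sends the password in cleartext unless the directory is also forced onto SSL. The following is an added example, not code from this thread or from the Apache project; it audits constructed sample files, and the strength labels (`strong`/`moderate`/`weak`/`none`) are this example's own judgement, not an Apache classification.

```python
"""Audit Apache .htpasswd hash schemes and .htaccess auth blocks (added example)."""
import re


def classify_htpasswd_hash(hashed):
    """Return (scheme, strength) for the password field of one .htpasswd entry.

    Recognises the formats htpasswd itself writes: bcrypt (-B), apr1 MD5 (-m),
    unsalted SHA-1 (-s), traditional crypt(3) (-d) and plaintext (-p).
    """
    if hashed.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt", "strong"
    if hashed.startswith("$apr1$"):
        return "apr1-md5", "moderate"
    if hashed.startswith("{SHA}"):
        return "sha1", "weak"          # unsalted SHA-1: fast to brute-force
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        return "crypt", "weak"         # DES crypt: 2-char salt, password cut to 8 chars
    # Caveat: a 13-character plaintext password made of crypt's alphabet would be
    # misread as crypt above; anything else lands here.
    return "plaintext", "none"


def parse_htpasswd(text):
    """Yield (user, hash) pairs, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if sep:
            yield user, hashed


def audit_htpasswd(text):
    """Return {user: (scheme, strength)} for every entry in the file."""
    return {user: classify_htpasswd_hash(h) for user, h in parse_htpasswd(text)}


def audit_htaccess(text):
    """Return a list of findings for the auth directives in an .htaccess file.

    Flags Basic auth without SSLRequireSSL (credentials cross the wire in
    cleartext, as the Apache howto warns) and a missing Require directive
    (AuthType/AuthUserFile alone never deny anything).
    """
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name.lower(), []).append(value.strip())
    findings = []
    auth_type = directives.get("authtype", [""])[0].lower()
    if auth_type == "basic" and "sslrequiressl" not in directives:
        findings.append("Basic auth without SSLRequireSSL: password sent in cleartext")
    if "require" not in directives:
        findings.append("no Require directive: authentication is never enforced")
    return findings


# Constructed sample entries (not real credentials): one per htpasswd format.
SAMPLE_HTPASSWD = """\
alice:$2y$05$abcdefghijklmnopqrstuu
bob:$apr1$saltsalt$abcdefghijklmnopqrstuv
carol:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
dave:abJnggxhB/yWI
erin:letmein
"""

# Constructed .htaccess fragments: the weak block and its SSL-enforcing counterpart.
WEAK_HTACCESS = """\
AuthType Basic
AuthName "Private"
AuthUserFile /var/www/.htpasswd
Require valid-user
"""

HARDENED_HTACCESS = """\
SSLRequireSSL
AuthType Basic
AuthName "Private"
AuthUserFile /var/www/.htpasswd
Require valid-user
"""

if __name__ == "__main__":
    for user, (scheme, strength) in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user:8} {scheme:10} {strength}")
    print("weak .htaccess:", audit_htaccess(WEAK_HTACCESS))
    print("hardened .htaccess:", audit_htaccess(HARDENED_HTACCESS))
```

SSLRequireSSL needs mod_ssl loaded and AllowOverride AuthConfig for the directory; the hardened block only helps once the server is actually listening with SSL, which is the setup bakfupai's ssl_howto link describes. Switching AuthType to Digest removes the cleartext password but not the cleartext content, so SSL is still the answer for anything sensitive.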

jimbo1708 08-15-2007 07:57 AM

Quote:

Originally Posted by jiml8 (Post 2859077)
.htaccess authentication only stops http attempts to access. Does nothing for ftp or ssh.

That's all I need. My intention is to stop individuals from accessing some of my directories through HTTP. I don't want to be arrogant, but I don't think SSH is at all compromised.

Sidenote! I have been wrong in the past. Someone took over and changed the password on a router I was using on the internet side to re-enable port forwarding to my open relay mail server. Too bad my server is off site. That was a bummer for me. Open relay has since been fixed.

Thanks jiml8,

- Jim


All times are GMT -5.