Apache .htaccess file... Is my site safe?
If I use .htaccess and .htpasswd to control access to the content of a directory for my webserver, am I able to rest fairly easy that it is secured assuming I am using an uncompromised password? Also, is the password transmitted as plain text from client to server??? Thanks.
- Jim |
Whether the password is sent in plain text or not is not dependent on the Apache authentication. It's dependent on whether you use HTTPS or not. As for whether you can be sure that the Apache authentication is uncompromisable, there's obviously no guarantee. Make sure you update your Apache often and change your password at regular intervals.
|
Thanks, bakfupai. Any idea what to look for in Apache to make the password encrypted? I know when I run
Code:
htpasswd -c .htpasswd user
- Jim |
I didn't explain it clearly enough. As far as I know, all passwords are encrypted when using htpasswd or htdigest. This means someone can't pull your .htpasswd and just read all your passwords. Not easily anyway, they can still run a dictionary or brute-force attack on it. The best thing is to prevent someone from pulling the file.
I suggest you look at this: http://httpd.apache.org/docs/2.2/howto/htaccess.html Anyway, with HTTPS I mean that you need to start the Apache server in SSL mode. This means all connections to and from the server are encrypted. For info on how to implement this, look here: http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html |
Thank you. This has been really helpful. I am probably going to stick with the .htaccess method because I am thinking HTTPS may be a little overkill for what I am looking for. You've been helpful, bakfupai.
- Jim |
.htaccess authentication only stops HTTP attempts to access. Does nothing for FTP or SSH.
|
Remember that using the Basic authentication type (mod_auth_basic) sends usernames and passwords in cleartext:
Quote:
|
Quote:
Sidenote! I have been wrong in the past. Someone took over and changed the password on a router I was using on the internet side to re-enable port forwarding to my open relay mail server. Too bad my server is off site. That was a bummer for me. Open relay has since been fixed. Thanks jim18, - Jim |
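An added example, not part of any post in this thread: it shows that a Basic `Authorization` header is only base64-encoded (so it is readable on the wire without HTTPS), and it audits `.htpasswd` entries by storage scheme. The function names and all sample values are constructed for illustration; the bcrypt and apr1 strings are placeholders, not real hashes.

```python
import base64
import hashlib
import re

def decode_basic(authorization):
    """Return (user, password) from an 'Authorization' header value using Basic."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # the password may contain ':'
    if not sep:
        raise ValueError("no ':' separator in credential")
    return user, password

def htpasswd_scheme(stored):
    """Name the storage scheme of the part after 'user:' in a .htpasswd line."""
    prefixes = {"$2y$": "bcrypt", "$apr1$": "apr1-md5", "$5$": "sha-crypt",
                "$6$": "sha-crypt", "{SHA}": "sha1-unsalted"}
    for prefix, name in prefixes.items():
        if stored.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "des-crypt"  # crypt(3): only the first 8 password characters count
    return "plaintext-or-unknown"

# Schemes the Apache "Password Formats" documentation marks as insecure.
INSECURE = {"sha1-unsalted", "des-crypt", "plaintext-or-unknown"}

def audit(htpasswd_text):
    """Return [(user, scheme)] for entries stored with an insecure scheme."""
    pairs = (line.strip().partition(":") for line in htpasswd_text.splitlines())
    found = [(user, htpasswd_scheme(stored)) for user, sep, stored in pairs if sep]
    return [f for f in found if f[1] in INSECURE]

def sha_entry(password):
    """Build a '{SHA}' value: unsalted, so equal passwords give equal entries."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Constructed sample data (hypothetical users, placeholder hash bodies).
SAMPLE_HEADER = "Basic " + base64.b64encode(b"jim:constructed-pass").decode()
SAMPLE_HTPASSWD = "\n".join([
    "alice:$2y$05$" + "A" * 53, "bob:$apr1$AAAAAAAA$" + "B" * 22,
    "carol:" + sha_entry("constructed-pass"), "dave:" + sha_entry("constructed-pass"),
])

if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    print(audit(SAMPLE_HTPASSWD))
```

In the sample, carol and dave share a password and therefore have identical `{SHA}` entries, which is what the missing salt means in practice.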