Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If I use .htaccess and .htpasswd to control access to the content of a directory for my webserver, am I able to rest fairly easy that it is secured assuming I am using an uncompromised password? Also, is the password transmitted as plain text from client to server??? Thanks.
Whether the password is sent in plain text or not is not dependent on the apache authentication. It's dependent on whether you use https or not. As for if you can be sure that the apache authentication is uncompromisable, there's obviously no guarantee. Make sure you update your apache often and change password at even intervals.
I didn't explain it clearly enough. As far as I know, all passwords are encrypted when using htpasswd or htdigest. This means someone can't pull your .htpasswd and just read all your password. Not easily anyway, they can still run a dictionary or brute-force attack on it. The best is to prevent someone from pulling the file.
Anyway, with HTTPS I mean that you need to start the apache server in SSL mode. This means all connections to and from the server are encrypted . For info on how to implement this, look here: http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
thank you. This has been really helpful. I am probably going to stick with the .htaccess method because I am thinking https may be a little overkill for what I am looking for. you've been helpful bakfupai.
Remember that using the Basic authentication type (mod_auth_basic) sends usernames and passwords in cleartext:
Quote:
From the apache Authentication, Authorization, and Access Control howto:
It is important to be aware, however, that Basic authentication sends the password from the client to the server unencrypted. This method should therefore not be used for highly sensitive data, unless accompanied by mod_ssl.
If you want encrypted usernames/passwords use Digest authentication instead.
.htaccess authentication only stops http attempts to access. Does nothing for ftp or ssh.
Thats all I need. My intention is to stop individuals from accessing some of my directories through HTTP. I don't want to be arrogant, but I don't think SSH is at all compromised.
Sidenote! I have been wrong in the past. Someone took over and changed the password on a router I was using on the internet side to re-enable port forwarding to my open relay mail server. Too bad my server is off site. That was bummer for me. Open relay has since been fixed.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
