licensed2kill Posted November 24, 2003

I thought I'd post a clear guide as most of the guides I found on this issue are very vague. This guide describes how to protect your Admin directory so strangers would not get into your osCommerce site and screw things up from the browser. This is a very abstract guide. You need to dig in more for further customization. This is specific to the following, and could be different for other releases.

Installed on RedHat 8.0, osCommerce 2.2, Apache.

Assumptions:
You've your osCommerce suite in /home/osC
You've your /admin directory in /home/osC/admin

################ Steps #####################

1) Go to your /home/osC/admin directory which you want to password protect. There should already be a file named ".htaccess". Edit it; if not, create the file. Add the following lines as shown below between the "*************". Comments are on lines starting with "#":

************************************************
# could be any name
AuthName MySecuredStuff
# authentication protocol type. Don't change it.
AuthType Basic
# the file which holds the login/pw, which is called 'users' conveniently here.
AuthUserFile /var/www/html/users
# yourName is the login name.
require user yourName
*************************************************

2) Creating the login/pw. Use the Linux program "htpasswd" to create user login/pw pairs. See below for an example:

*************************************
htpasswd -c /var/www/html/users userName
*************************************

Here "-c" is to create a new authentication file named "users" in the "/var/www/html/" path. userName here is the user's name you're going to be using. After pressing enter, you'll be prompted to enter your password. Enter your password, and verify it. The encrypted password is now saved in the /var/www/html/users file, which is relevant to the AuthUserFile line from step #1. The user name you created is relevant to the "require user" line from step #1.

3) Changing the permissions for the 'users' file. To make Apache (webserver) access your 'users' file which contains the login information, you need to change the permissions. Issue the following commands.

*************************************
chmod o+r users
*************************************
or
*************************************
chown apache users
chmod u+r users
*************************************

4) No, we are not done yet. ;) Edit the "httpd.conf" file which should be located under the path "/etc/httpd/conf/httpd.conf". Under your "Virtual Host" settings, right under the appropriate domain, look for the following lines between the ****************:

*************************************
<Directory "some entry">
AllowOverride AuthConfig
</Directory>
*************************************

Here the "some entry" should be the path of your "admin" directory. If you don't have an entry like above, and most of you won't, add it to look like this below:

*************************************
<Directory "/home/osC/admin">
AllowOverride AuthConfig
</Directory>
*************************************

Make sure you add these entries under your domain name, and don't forget the "AllowOverride AuthConfig" override variable. And of course, the path should reflect your own /admin path which is in between the quotes. Give it a kick to Apache by restarting with:

*************************************
service httpd reload
*************************************

And you're set. Now, for every session, you'll be prompted to enter your login info when trying to access the /admin directory on your web. Feel free to add any comments if I've missed anything.

Jey
XOR Solutions
Canada
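Added example, not code from the thread or from osCommerce: an offline check of a login against the "users" file that step 2 creates, covering the two md5-based hash formats found in htpasswd files ($1$ as in the hashes posted further down this thread, $apr1$ as written by "htpasswd -m"). The user name "jey" and the sample file are constructed; the sample hash is the published md5crypt test vector for the password "password". Running this against a copy of the real file tells you whether a "the login screen comes up but I still can't get in" problem is the stored hash or the Apache configuration.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v, n):
    # md5crypt's own base-64 variant: the low 6 bits of v come out first
    return bytes(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))


def md5_crypt(password, salt, magic=b"$1$"):
    """md5crypt as in crypt(3); magic b"$apr1$" gives the Apache htpasswd -m variant."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:  # per bit of len(pw): a NUL byte for a 1 bit, the first password byte for a 0
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching rounds; the input order alternates per round
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return (magic + salt + b"$" + out + _to64(final[11], 2)).decode()


def verify_htpasswd(htpasswd_text, user, password):
    """True only if `user` has an entry and `password` matches its stored hash."""
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name != user or not stored:
            continue
        for magic in (b"$1$", b"$apr1$"):
            if stored.startswith(magic.decode()):
                salt = stored[len(magic):].split("$", 1)[0]
                cand = md5_crypt(password, salt, magic).encode()
                return hmac.compare_digest(cand, stored.encode())
        return False  # DES crypt() and SHA1 entries are not handled here
    return False


# Constructed sample "users" file; the hash is the published md5crypt vector for "password"
SAMPLE_USERS = "jey:$1$3azHgidD$SrJPt7B.9rekpmwJwtON31\n"
```

Call verify_htpasswd(open("/var/www/html/users").read(), "userName", "the password you typed") to test a real entry.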
jrwrestling Posted November 24, 2003

Nice post, this should be helpful to many people here, thanks.
todd987 Posted December 5, 2003

Yea, well I don't have htpasswd, b/c I'm on NT. How do I do it through Windows?
OceanRanch Posted December 5, 2003

You should have htpasswd.exe that came with Apache in apache\bin. HTH
ajpeters Posted December 11, 2003

I believe I have done all of this, but password access is not working. It just comes up without challenge. I will move my password file after I get a challenge response.

.htaccess

[root@otg-dss admin]# more .htaccess
AuthUserFile "/home/httpd/html/OTG-DSS/su/catalog/admin/passwd"
AuthName "Chapps Store Administration"
require ajpeters
Satisfy All
order deny,allow

passwd

test:$1$tA2.yp0.$1yPlmitZ0MQ1Vy2FK33qw1
ajpeters:$1$h.AzFIcz$GEMj2wsqiYroIPF.RZAw./
subuetz:$1$mIxBjcMY$SKptfooz8GNdwNefYVZ0t1

httpd.conf parts.

#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# permissions.
#
<Directory />
    Options FollowSymLinks
    AllowOverride
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/home/httpd/html">

#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
    Options Indexes FollowSymLinks ExecCGI

#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
    AllowOverride All

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all

</Directory>

. . . . .

<VirtualHost 209.32.151.7>
    DocumentRoot /home/httpd/html/OTG-DSS
    ServerName OTG-DSS.COM
    ServerAlias www.otg-dss.com
    DirectoryIndex index.html index.htm default.html default.htm index.php
    Alias /berkness /storage/httpd/html/BERKNESS
</VirtualHost>

<Directory "/home/httpd/html/OTG-DSS/su/catalog/admin">
    AllowOverride AuthConfig
</Directory>

Where do I look next? <_<
ajpeters Posted December 11, 2003

I am on a Caldera eServer 2.3 running Apache 1.3.9. How do I check to see if I have the auth mod turned on in my configuration? I have loaded an auth..so in my httpd.conf file.
Guest Posted December 13, 2003

I would never stray from using .htpasswd or some other .htusers or .htwhatever as a password file. Seems like I remember there being something in Apache, some directive or something built in, that handles anything ".ht" specially... treating them as hidden files and not displaying them in a web browser or something... can't really remember more than that. May want to check out Apache.org to check this out. Not to mention a file with a "." at the beginning is a hidden file on *nix systems.
gaia Posted December 14, 2003

AJPeters: You posted a helluva lot of sensitive info up there. If you don't understand the full implications of what you posted, then please edit out your password hashes and your directories or ask an admin to do it. If you do understand the implications and what you posted is of no consequence (and you are very sure of this) then I'll just leave this as a warning to anyone else who might read. Please do NOT post directory paths to sensitive data, and do not post the sensitive data itself. I'll not go into it too much, but you could potentially be handing a cracker the keys to your account (even if it was a throw-away password on a test setup).
Guest Posted December 17, 2003

Hi experts, I've set all things as described... the login screen comes up as well... But... the problem is, I key in the username and password which I created and still can't get in. I have tried many times with many different combinations of username and password. PLEASE HELP !!
tim_o_boy Posted December 20, 2003

Just a small point about creating a htpasswd. Not everyone will be able to do it the way that was outlined, but put "htpasswd" into a search engine to find a generator online. My hosting company provides this facility as well.
trendyfashion Posted December 20, 2003

Man, that's a lot of work to password protect something. Glad my host has a "password protect" installed....hehehe. I just log in, pick the folder, give a user/password and it's done. Got to love Unix, Microsoft sux.

The Wiki Docs: Read them, live them and be thankful for them!
Guest Posted December 22, 2003

Ahh........ That answers my question. I don't know much about this stuff but was gonna ask what the difference was between this and just going to my cPanel and clicking on the password protect for the admin dir. I'm guessing it is the same thing, only some people must not have that option.
trendyfashion Posted December 22, 2003

Yup, you're in luck.....most all virtual hosts have this feature.

The Wiki Docs: Read them, live them and be thankful for them!
Guest Posted December 23, 2003

Quoting: Seems like I remember there being something in Apache, some directive or something built in, that handles anything ".ht" specially... treating them as hidden files and not displaying them in a web browser or something... can't really remember more than that.

Check out using the following directives in your .htaccess file, such as

IndexIgnore .htaccess
IndexIgnore *.ihtml
IndexIgnore *.jpg
IndexIgnore *.jpeg
IndexIgnore *.png

These should prevent these files being listed in any directory that is missing the index.html or index.php files, etc etc. HTH
licensed2kill Posted January 19, 2004 (Author)

This is for BT Cheng's Q. If that's the case, then it's mostly related to not setting the permission to read/write/eXe the "user" file which holds the l:p pair. It can be found under the /var/www/html directory.
Guest Posted February 2, 2004

If you have access to the server's httpd.conf file - DON'T USE .HTACCESS FILES!! Use the Directory directive in the config file instead. Why? Because
For more information, see the Apache documentation
Guest Posted February 5, 2004

I use Ipowerweb if anyone is familiar with it. This is what I did to secure my admin directory: All I did was password protect the admin folder, is that all I do? Please advise, thanks
♥ecartz Posted February 6, 2004

Quoting: All I did was password protect the admin folder, is that all I do?

Yes, in web hosts that support it, you can just use their directory password protection. Usually, it just does the stuff in this thread for you.

Hth, Matt

Always back up before making changes.
Guest Posted February 6, 2004

osc jed, as you have put in big letters to not use htaccess files, and some who come here may not have enough savvy about the Directory directive, perhaps you could expand upon it more.
Guest Posted February 6, 2004

Quoting: If you have access to the server's httpd.conf file - DON'T USE .HTACCESS FILES!! Use the Directory directive in the config file instead.

Basically what he's saying is that the .htaccess files incur a slight performance hit to the server. If you own the server or have root access (which usually only happens when you own the server) it's better to use the directory directives for performance reasons (and for keeping those pesky users from changing stuff around in the space they rent). I would say that the majority of people likely won't have access to the server configuration files. So if you have an account with a web hosting service, this wouldn't apply to you. Also, some of the contributions that enable email/password protection provide additional protection above the .htaccess level, which is a pretty basic security level.

-C.
♥ecartz Posted February 6, 2004

Quoting: Also, some of the contributions that enable email/password protection provide additional protection above the .htaccess level, which is a pretty basic security level.

This doesn't read right to me; from that statement, it sounds like the contributions provide *stronger* protection than does htpasswd, which is incorrect. The contributions provide a weaker form of protection (they rely on including code in each file to keep the file from being accessed; the htpasswd method prevents access to the entire directory tree for those who can't authenticate) but allow more *complicated* protection schemes. For example, one of the contributions allows admins to have different levels of access. Thereby, one admin might be able to add products but not view orders while another admin might be able to view orders but not add products. The htpasswd method could not do this, as it protects whole directories at a time.

Btw, while I would agree that httpd.conf <DIRECTORY> directives are more efficient, I'm not sure that I would recommend them for those who aren't sure of what they are doing. There are several .htaccess files that come with the standard osC distribution. If you turn off .htaccess to use <DIRECTORY>, then you need to port those .htaccess files into httpd.conf. This is not terribly difficult, but it can leave the store insecure if you do it incorrectly. One can use both .htaccess and <DIRECTORY> together, but that still gives the performance hit. The performance hit is caused by having .htaccess checking on...it doesn't really matter if it is used once it is on.

Hth, Matt

Always back up before making changes.
tedych Posted February 6, 2004

I use Windows and O'Reilly WebSite as a testing server. There the method of securing the /admin directory is totally different in manner of steps; it's using just three sheets. But my question is: Why does the admin area have to rely on the web server's directory protection?! It would be very nice and much more reliable and trouble-free to have implemented a simple challenge-based login page for admins, where the admins are just the highest-level access persons in a two- or three-level tiered authentication system. The way with server-controlled access, there is no Log out possibility except for closing the browser, so someone sits after me and voila - has access to my admin area ;( I'm working on my own e-shop software where all security/access/auth is controlled by the script rather than relying on the web server. But until it's done, I'll use osCommerce because it is really the best I got after many days of investigating for such software.
♥ecartz Posted February 6, 2004

Two things:

1. There are contributions to provide file based password protection.

2. As I mentioned above, file based password protection is strictly less effective than directory based password protection, as it relies on the *file* to protect itself. With directory based protection, it automatically protects all files in that directory (and subdirectories). Thus, directory based protection is more reliable than file based protection. Also, it's not vulnerable to things like the password reset vulnerability that almost got Microsoft fined a trillion dollars (ok, almost might be pushing it; it was mentioned though). The disadvantage of directory based protection is that it protects all files equally. You can't give access to one person but withhold it from another.

Cheers, Matt

Always back up before making changes.
rodcul Posted February 15, 2004

newbie needs help...... I have bought a 12 mth plan for godaddy.com to host my osCommerce page, and they don't support htaccess!!!! There is an EXTREMELY limited control panel for my settings, and there is no way to password protect a directory (they say). Does anyone know what I can do??? (without changing hosting account!)

function over form