ansaurus

Question

Securing administrative section of my website

Answer 1

+2 A:

If anybody else has access shell to the server, you should be very careful with permissions.

Otherwise, basic Apache auth is OK, but keep in mind that if you are using an unencrypted connection (not SSL), you password is sent as clear text across the web, so there's always the possibility of it being sniffed.

To enable SSL you need:

mod_ssl enabled on your apache
a self-signed (free) certificate
Change your apache configuration to include SSL port

You can refer to this tutorial on how to enable SSL on Debian.

vassilis 2010-09-19 14:47:45

@vassilis: I am not experienced in security, but I know of SSL a little bit. How should I set it up? I have no SSL today. Today when I enter username and pass, it says it is using port 80. Is there any specific line I need to add in the apache2.conf file? How is the connection secured?

Camran 2010-09-19 14:57:18

I've added some more info in my answer on how to setup SSL

vassilis 2010-09-19 16:44:45

+1 use SSL. It's a no-brainer and if you insist that your admin is hosted only on SSL, then give the admins https-only links to use, the passwords should not be exposed, even if the use (for example) public wifi to connect.

MarkR 2010-09-19 17:00:23

Answer 2

+1 A:

A better option, on top of the usual password protection, IP restrictions, SSL, etc... is to host the tools on a completely seperate domain. Someone might guess that you have example.com/admin and try to brute force their way in, but hosting a simple login page on somecompletelydifferentdomain.com with no branding/markings to relate it to example.com is a better defence yet.

Marc B 2010-09-19 16:06:45

A proper robots.txt should also be used. Gets worthless it your site (even blan site) gets into google

DrColossos 2010-09-19 16:48:16

Answer 3

A:

Apache auth can also restrict by IP address, so if you have a static IP, using that and a password should be pretty safe. I would also use AuthDigestFile instead of AuthUserFile if you're worried about attacks.

This page explains it well: Unlike basic authentication, digest authentication always sends the password from the client browser to the server as an MD5 encryted string making it impossible for a packet sniffer to see the raw password.

dj_segfault 2010-09-19 17:22:38

Answer 4

A:

If you must have direct remote access to the administrative tools, find an out-of-band way to prevent the web server from running them at all when they're not needed. You might, for example, do a chmod 000 /var/www/adm under normal circumstances, change it to something usable (say, 500) when you need to use them and back to 000 when you're done.

Better would be to secure the entire path between you and the administrative tools:

Use port knocking to enable SSH on some port other than 22 (e.g., 2222).
Lock down the sshd on that port to whatever your requirements.
Run a separate instance of your web server that listens on a port other than 80 (e.g., 8080) that can't be seen from the outside and has configuration to allow access to /var/www/adm but restrict access to the local host only.

When it comes time to use the administrative tools:

Knock to open the SSH port.
SSH into port 2222 and establish a tunnel from 8080 on the remote host to port 8080 on the server.
Use the remote browser to visit localhost:8080 and access your tools. The server will see the connection as coming from the local system.

Blrfl 2010-09-19 17:41:13

ansaurus

tags:

views:

answers:

Securing administrative section of my website

related questions