Apache/Security
Numerous bots try to break into databases through their web front ends (for instance phpMyAdmin or WordPress). Several criteria can be combined to protect against them.
For example, to forbid listing the files of a directory that has no index file (index.html, index.php, ...), add:
Options -Indexes
Protection by provenance
Authorize only two IP addresses to read the directory:
whitelist with Require[1]
<Directory /usr/share/phpmyadmin/>
    <IfModule mod_authz_core.c>
        <RequireAny>
            # A <RequireAny> already refuses any client that matches none of its
            # Require lines, so no "Require all denied" is needed here
            Require ip 127.0.0.1
            Require ip 127.0.0.2
        </RequireAny>
    </IfModule>
</Directory>
whitelist with allow (obsolete in Apache 2.4)
<Directory /usr/share/phpmyadmin/>
    <IfModule mod_access_compat.c>
        # deny,allow (also the default) makes an Allow win over a Deny,
        # so only the two listed addresses get in
        order deny,allow
        deny from all
        allow from 127.0.0.1
        allow from 127.0.0.2
    </IfModule>
</Directory>
When an allowed range overlaps a denied range, the Order directive decides which one wins (the order of the allow and deny lines themselves in the .htaccess file changes nothing; note that the two keywords are separated by a comma with no space):
order allow,deny
- Allow lines are evaluated first, then Deny lines, and the default state is deny: a client must match an Allow and must not match any Deny, so a Deny cancels what an Allow had permitted. This is the more restrictive setting.
order deny,allow
- Deny lines are evaluated first, then Allow lines, and the default state is allow: a client matching both a Deny and an Allow is allowed. This is the less restrictive setting.
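To make the two precedence rules concrete, here is a small model of the mod_access_compat decision, added as an illustration (it is not Apache's code): it evaluates one client against Allow and Deny ranges under each Order. The ranges and client addresses are constructed for the example, with the allowed range deliberately nested inside the denied one.

```python
"""Model of mod_access_compat's Order evaluation (illustrative re-implementation,
not Apache's own code). Ranges and clients below are constructed for the example."""
import ipaddress


def _matches(client, ranges):
    """True if the client falls inside any range; 'all' is the Apache keyword."""
    ip = ipaddress.ip_address(client)
    for r in ranges:
        if r == "all" or ip in ipaddress.ip_network(r):
            return True
    return False


def access_decision(order, allow, deny, client):
    """Return True if the client is allowed under the given Order.

    allow,deny: default deny; the client must match an Allow and no Deny.
    deny,allow: default allow; the client is refused only if it matches a
    Deny and no Allow.
    allow/deny are lists of hosts or CIDR ranges, as in "allow from <range>".
    """
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError("Order takes exactly 'allow,deny' or 'deny,allow'")


# Constructed example: the allowed subnet lies inside the denied network.
ALLOW = ["192.0.2.0/28"]   # allow from 192.0.2.0/28
DENY = ["192.0.2.0/24"]    # deny from 192.0.2.0/24


def decisions(client):
    """Decision for one client under each Order keyword."""
    return {o: access_decision(o, ALLOW, DENY, client)
            for o in ("allow,deny", "deny,allow")}


if __name__ == "__main__":
    for client in ("192.0.2.5", "192.0.2.200", "198.51.100.1"):
        print(client, decisions(client))
```

The client inside both ranges (192.0.2.5) is refused under allow,deny and admitted under deny,allow; the client outside both (198.51.100.1) is refused under allow,deny because the default is deny, and admitted under deny,allow because the default is allow.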
blacklist with Require[2]
<Directory /usr/share/phpmyadmin/>
    <IfModule mod_authz_core.c>
        # Several Require lines at the same level form an implicit <RequireAny>,
        # and a negated Require is not allowed there (it can never grant access),
        # so the exclusion must be combined with "Require all granted" in a <RequireAll>
        <RequireAll>
            Require all granted
            Require not ip 127.0.0.1
        </RequireAll>
    </IfModule>
</Directory>
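The whitelist and the blacklist rely on the three-valued logic of the Apache 2.4 authorization containers (a Require line returns granted, denied or neutral; a negated line never returns granted). The following added model, which is not Apache's code, evaluates the two configurations from this page and also shows what the broken variant (negation inside a RequireAny) would yield if Apache accepted it. Only the "all" and "ip" providers are modelled, and the client addresses are constructed.

```python
"""Model of mod_authz_core <RequireAll>/<RequireAny> evaluation (illustrative,
not Apache's code). Only the 'all' and 'ip' providers are modelled."""
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def require_ip(ranges):
    """'Require ip <ranges>': granted if the client matches, denied otherwise."""
    nets = [ipaddress.ip_network(r) for r in ranges]

    def check(client):
        ip = ipaddress.ip_address(client)
        return GRANTED if any(ip in n for n in nets) else DENIED
    return check


def require_all_granted(client):
    """'Require all granted'."""
    return GRANTED


def negate(check):
    """'Require not ...': denied if the inner check grants, neutral otherwise."""
    return lambda client: DENIED if check(client) == GRANTED else NEUTRAL


def require_any(*checks):
    """<RequireAny>: granted if any grants, else denied if any denies, else neutral."""
    def evaluate(client):
        results = [c(client) for c in checks]
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    return evaluate


def require_all(*checks):
    """<RequireAll>: denied if any denies, else granted if any grants, else neutral."""
    def evaluate(client):
        results = [c(client) for c in checks]
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    return evaluate


# Whitelist from the page: <RequireAny> with two "Require ip" lines.
WHITELIST = require_any(require_ip(["127.0.0.1"]), require_ip(["127.0.0.2"]))

# Blacklist as it must be written: <RequireAll> Require all granted + Require not ip.
BLACKLIST = require_all(require_all_granted, negate(require_ip(["127.0.0.1"])))

# The mistaken form (negation in a RequireAny): Apache rejects it; the model shows
# that it would let everyone in, because "Require all granted" always grants.
BROKEN = require_any(require_all_granted, negate(require_ip(["127.0.0.1"])))


def is_allowed(policy, client):
    """Final decision: only an explicit 'granted' lets the request through."""
    return policy(client) == GRANTED


if __name__ == "__main__":
    for client in ("127.0.0.1", "127.0.0.2", "203.0.113.9"):
        print(client, "whitelist:", is_allowed(WHITELIST, client),
              "blacklist:", is_allowed(BLACKLIST, client),
              "broken:", is_allowed(BROKEN, client))
```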
blacklist with deny (obsolete in Apache 2.4)
<Directory /usr/share/phpmyadmin/>
    <IfModule mod_access_compat.c>
        order allow,deny
        allow from all
        deny from 127.0.0.1
    </IfModule>
</Directory>
Protection by password
Authentication configuration
The Apache configuration must allow .htaccess files to override the authentication settings: the AllowOverride directive of a parent directory must include the AuthConfig option [3].
The directives to place in the .htaccess are:
AuthType basic
- the most commonly used authentication type, but a weak one (see below).
AuthName "My message"
- the realm text shown as the prompt in the browser's dialog box.
AuthUserFile /etc/apache2/my_passwd
- the path of the password file.
Require valid-user
- any account present in the password file may access the directory.
Require user toto sasa can be used instead to authorize only the two accounts toto and sasa.
Basic authentication does not encrypt the password: the browser sends login:password merely Base64-encoded in an Authorization header with every request, so anyone able to read the traffic recovers it. Digest authentication avoids sending the password itself but relies on MD5 and protects nothing else in the exchange; whichever type is used, the protected directory should only be served over HTTPS.
The first request to the protected directory triggers the dialog box, in which the user enters a login and a password:
- if the credentials are wrong, the dialog is displayed again;
- if they are valid, the browser remembers them and resends them silently with every later request until it is closed.
Passwords file
The following command creates a password file with one user, toto (the -c option creates the file, overwriting it if it already exists, so use it only the first time):
htpasswd -c /home/user/www/.htpasswd toto
To add a user, or change the password of an existing one:
htpasswd /home/user/www/.htpasswd sasa
By default htpasswd stores an MD5-based hash; on Apache 2.4 prefer bcrypt, selected with the -B option. Keep the file outside the document root whenever possible: Apache's default configuration refuses to serve files whose name starts with .ht, but a server without that rule would hand the hash list to anyone who asks for it.
Then give .htaccess the path of the .htpasswd file:
AuthName "Protected page"
AuthType Basic
AuthUserFile "/home/user/www/.htpasswd"
Require valid-user
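As an added example (not code from this page), here is what the server side of Basic authentication boils down to, in Python: decoding the Authorization header, which shows why "not encrypted" matters, then checking the login against an .htpasswd file with the distinction between Require valid-user and Require user. The users, the header and the password file contents are constructed; the {SHA} scheme (what htpasswd -s writes) is used only because it can be rebuilt without an extra library, not because it is recommended.

```python
"""Added example: HTTP Basic credentials checked against an .htpasswd file.
Header, users and password file are constructed; the {SHA} scheme is used
only because it needs no extra library (prefer bcrypt in real deployments)."""
import base64
import binascii
import hashlib
import hmac

# Constructed .htpasswd with two users, in the {SHA} format written by "htpasswd -s".
HTPASSWD = "\n".join(
    f"{user}:{{SHA}}{base64.b64encode(hashlib.sha1(pw.encode()).digest()).decode()}"
    for user, pw in (("toto", "secret"), ("sasa", "hunter2"))
)


def parse_basic(header):
    """Decode an 'Authorization: Basic ...' value into (user, password).

    Base64 is an encoding, not encryption: anyone who sees the header can do
    this. Returns None if the value is not well-formed Basic auth."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def load_htpasswd(text):
    """Map user -> stored hash field; blank lines and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def check_sha(stored, password):
    """Verify a {SHA} entry with a constant-time comparison."""
    if not stored.startswith("{SHA}"):
        return False  # apr1 or bcrypt entries would need their own verifier
    expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def authorize(header, required_users=None):
    """Emulate 'Require valid-user' (required_users=None) or 'Require user a b'."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    stored = load_htpasswd(HTPASSWD).get(user)
    if stored is None or not check_sha(stored, password):
        return False
    return required_users is None or user in required_users


if __name__ == "__main__":
    header = "Basic " + base64.b64encode(b"toto:secret").decode()
    print(header, "->", parse_basic(header))   # the credentials are readable as-is
    print("Require valid-user:", authorize(header))
    print("Require user sasa:", authorize(header, {"sasa"}))
```

An unknown user and a wrong password are refused through the same code path, and the stored hash is compared with hmac.compare_digest so that the check does not leak timing information about how many characters matched.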