Old:4.0-Mona: Security & passwords: Difference between revisions

From The Uniform Server Wiki
Jump to navigation Jump to search
(New page: {{Nav 4.0-Mona}} '''Security and passwords''' New users may find Uniform Server’s security features a little bewildering this page attempts to explain their use and when passwords are r...)
 
(Punctuation and grammatical changes; some clarification.)
Line 2: Line 2:
'''Security and passwords'''
'''Security and passwords'''


New users may find Uniform Server’s security features a little bewildering this page attempts to explain their use and when passwords are required.
New users may find Uniform Server’s security features a little bewildering. This page attempts to explain their use and when passwords are required.


'''''[[#top | Top]]'''''
== Default installation ==
== Default installation ==
After extracting Uniform Server 4.0-Mona it’s ready to run and very secure. Apache and MySQL servers are locked down allowing only local access. No external access allowed from either Intranet or Internet hence while connected to these you can safely develop a web site.
After extracting Uniform Server 4-Mona it’s ready to run and very secure. Apache and MySQL servers are locked down allowing only local access. No external access is allowed from either Intranet or Internet, so even though you are connected to these you can safely develop a web site.


Uniform Server 4.0-Mona achieves this lock down through the use of '''.htaccess''' files placed in each folder that is protected. The file also '''protects''' any '''sub-folders''' in that folder.
Uniform Server 4-Mona achieves this lock down through the use of '''.htaccess''' files placed in each folder that is protected. The file also '''protects''' any '''sub-folders''' in that folder.


Each of these folders contains an .htaccess file:
Each of these folders contains an .htaccess file:
Line 16: Line 15:
\UniServer\udrive\ssl            – Server secure web-root (your secure web site)
\UniServer\udrive\ssl            – Server secure web-root (your secure web site)
</pre>
</pre>
Open either of the .htacces files and you will find these three lines  
Open either of the .htaccess files and you will find these three lines  
<pre>
<pre>
Order Deny,Allow
Order Deny,Allow
Line 26: Line 25:
The second line denies access to every one (all)
The second line denies access to every one (all)


The third line is very specific and allows access from IP address 127.0.0.1 this is the IP address of the local machine. Hence Apache is locked down allowing only localhost access. (IP address 127.0.0.1 is also referred to as the local loop back address)
The third line is very specific and allows access from IP address 127.0.0.1. This is the IP address of the local machine. Hence Apache is locked down allowing access only from this IP. (IP address 127.0.0.1 is also referred to as the local loopback address).


'''''[[#top | Top]]'''''


== Allowing external access ==
== Allowing external access ==
To put your servers on-line you need to allow external access this is achieved by commenting (adding a hash “#” to the beginning of each line) the three lines as shown below:
To put your servers on-line you need to allow external access. This can be achieved by commenting (adding a hash “#” to the beginning of each line) the three lines as shown below:
<pre>  
<pre>  
#Order Deny,Allow
#Order Deny,Allow
Line 39: Line 37:
Alternatively you could delete the three lines.
Alternatively you could delete the three lines.


With the lines commented everyone connected to the Internet or Intranet has access to the folders that the .htaccess file was protecting.
With the lines commented out, everyone connected to the Internet or Intranet has access to the folders that the .htaccess file was protecting.


Your web site or sites are placed in the folders:
Your web site or sites are placed in the folders:
Line 48: Line 46:
These are now available and pages will be served by Apache from these folders.
These are now available and pages will be served by Apache from these folders.


However modifying the '''.htaccess''' file in folder '''\UniServer\udrive\home\admin\www''' you will have allowed everyone access to your server’s control panel (kiss your servers goodbye). OK I was after a dramatic impact there are additional security features that prevents this however I recommend you do not place Apanel on-line, if you must! Make sure you enable name/password protection.   
However by modifying the '''.htaccess''' file in folder '''\UniServer\udrive\home\admin\www''' you will have allowed everyone access to your server’s control panel (kiss your servers goodbye. OK, I was after a dramatic impact.) There are additional security features that prevent this, however I recommend you do not place Apanel on-line.  If you must do it, make sure you enable name/password protection.   


'''''[[#top | Top]]'''''


== Name Password protection ==
== Name/Password protection ==
You may wish to prevent other Internet users accessing your server (a personal web server) this can be achieved by forcing a user to enter a name and password. Uniform Server has this facility pre-configured, '''Apanel''' allows you to set a name and password for three specific areas of the server. Under '''Configurations''' (left menu) you will find these three links:  
You may wish to prevent other Internet users accessing your server (a personal web server) this can be achieved by forcing a user to enter a name and password. Uniform Server has this facility pre-configured, '''Apanel''' allows you to set a name and password for three specific areas of the server. Under '''Configurations''' (left menu) you will find these three links:  


Line 59: Line 56:
* Private Secure Server Configuration
* Private Secure Server Configuration


After setting a name and password they do not become effective '''unless enabled''' in the '''appropriate .htaccess''' file, lets look at these in more detail.  
Even after setting a name and password, they do not become effective '''unless enabled''' in the '''appropriate .htaccess''' file. Let's look at these in more detail.  


'''''[[#top | Top]]'''''
=== A) Admin Panel Configuration ===
=== A) Admin Panel Configuration ===
If you have placed Apanel on-line it must be protected with a name and password as follows:
If you have placed Apanel on-line it ''must'' be protected with a name and password as follows:


Edit file: \UniServer\udrive\home\admin\www\'''.htaccess'''
Edit file: \UniServer\udrive\home\admin\www\'''.htaccess'''


At the bottom of this file un-comment (remove the hash”#”) the last four lines as shown
At the bottom of this file, un-comment (remove the hash”#”) the last four lines as shown:
<pre>
<pre>
AuthName "Uniform Server - Admin Panel 2.0"
AuthName "Uniform Server - Admin Panel 2.0"
Line 80: Line 76:
Third line is the location of the file containing the name/password pair
Third line is the location of the file containing the name/password pair


The forth line forces Apache to instruct a browser a name and password are required.   
The fourth line tells Apache to instruct a browser that a name and password are required.   


Change name and password using Apanel, click on the link “'''Admin Panel Configuration'''” a new page opens showing current name/password. Enter new name/password click change.
To change name and password using Apanel, click on the link “'''Admin Panel Configuration.'''” A new page opens showing current name/password. Enter the new name and password click change.


Alternatively edit file  /htpasswd/home/admin/www/'''.htpasswd''' and enter a name and password in the following format.
Alternatively, edit file  /htpasswd/home/admin/www/'''.htpasswd''' and enter a name and password in the following format:


'''aname:apassword'''  
'''aname:apassword'''  
Line 102: Line 98:
'''''Note'':''' Default name and password are '''root:root'''
'''''Note'':''' Default name and password are '''root:root'''


'''''[[#top | Top]]'''''
=== B) Private Server Configuration ===
=== B) Private Server Configuration ===
You can protect you web site with a name and password as follows:
You can protect your web site with a name and password as follows:


Edit file: \UniServer\udrive\www\'''.htaccess'''
Edit file: \UniServer\udrive\www\'''.htaccess'''


At the bottom of this file un-comment (remove the hash”#”) the last four lines as shown
At the bottom of this file, un-comment (remove the hash”#”) the last four lines as shown:
<pre>
<pre>
AuthName "Uniform Server - Server Access"
AuthName "Uniform Server - Server Access"
Line 121: Line 116:
Third line is the location of the file containing the name/password pair
Third line is the location of the file containing the name/password pair


The forth line forces Apache to instruct a browser a name and password are required.  
The fourth line tells Apache to instruct a browser that a name and password are required.


Change name and password using Apanel, click on the link “'''Private Server Configuration'''” a new page opens showing current name/password. Enter new name/password click change.
To change name and password using Apanel, click on the link “'''Private Server Configuration.'''” A new page opens showing current name/password. Enter new name/password click change.


Alternatively edit file  /htpasswd/www/'''.htpasswd''' and enter a name and password in the following format. '''aname:apassword'''  
Alternatively, edit file  /htpasswd/www/'''.htpasswd''' and enter a name and password in the following format: '''aname:apassword'''  


'''''Note'':''' Do not add any additional characters or carriage return (enter key) after the password.
'''''Note'':''' Do not add any additional characters or carriage return (enter key) after the password.
Line 141: Line 136:
'''''Note'':''' Default name and password are '''root:root'''
'''''Note'':''' Default name and password are '''root:root'''


'''''[[#top | Top]]'''''
=== C) Private Secure Server Configuration ===
=== C) Private Secure Server Configuration ===
You can protect you secure web site with a name and password as follows:
You can protect you secure web site with a name and password as follows:
Line 160: Line 154:
Third line is the location of the file containing the name/password pair
Third line is the location of the file containing the name/password pair


The forth line forces Apache to instruct a browser a name and password are required.  
The fourth line tells Apache to instruct a browser that a name and password are required.  


Change name and password using Apanel, click on the link “Private Secure Server Configuration” a new page opens showing current name/password. Enter new name/password click change.
To change name and password using Apanel, click on the link “'''Private Secure Server Configuration.'''” A new page opens showing current name/password. Enter new name/password click change.


Alternatively edit file  /htpasswd/ssl/.htpasswd and enter a name and password in the following format. '''aname:apassword'''  
Alternatively, edit file  /htpasswd/ssl/.htpasswd and enter a name and password in the following format: '''aname:apassword'''  


'''''Note'':''' Do not add any additional characters or carriage return (enter key) after the password.
'''''Note'':''' Do not add any additional characters or carriage return (enter key) after the password.
Line 182: Line 176:
'''''Note'' 2:''' Make sure you have generated a '''new server certificate and key''' as detailed on [[4.0-Mona: Enable SSL | this page]].
'''''Note'' 2:''' Make sure you have generated a '''new server certificate and key''' as detailed on [[4.0-Mona: Enable SSL | this page]].


'''''[[#top | Top]]'''''


== MySQL Password ==
== MySQL Password ==
Line 198: Line 191:
'''''Note'' 3:''' If you need to quickly back-up your databases no need to use phpMyAdmin or any other tool just back-up folder '''UniServer\udrive\usr\local\mysql\data''' this contains all databases.
'''''Note'' 3:''' If you need to quickly back-up your databases no need to use phpMyAdmin or any other tool just back-up folder '''UniServer\udrive\usr\local\mysql\data''' this contains all databases.


'''''[[#top | Top]]'''''


== Summary ==
== Summary ==
In terms of security if you are using the server for development there is nothing to do.
In terms of security, if you are using the server for development there is nothing to do.


If you are putting the servers on-line they need to be enabled first by editing each of the '''.htaccess''' contained in each web-root folder (www and or ssl). Comment the lines as shown:
If you are putting the servers on-line, they need to be enabled first by editing each of the '''.htaccess''' files in each web-root folder (www and/or ssl). Comment the lines as shown:
<pre>
<pre>
#Order Deny,Allow
#Order Deny,Allow
Line 209: Line 201:
#Allow from 127.0.0.1
#Allow from 127.0.0.1
</pre>
</pre>
If you want a personal server with name/password access uncomment the last four lines in the above '''.htaccess''' files. Remember to change the name/password pairs using Apanel or manually edit the appropriate file.
If you want a personal server with name/password access, uncomment the last four lines in the above '''.htaccess''' files. Remember to change the name/password pairs using Apanel or manually edit the appropriate file.


'''''Note 1'':''' All names and passwords are set to a value of '''root'''
'''''Note 1'':''' All names and passwords are set to a value of '''root'''


'''''Note 2'':''' Additional information can be found on the [[4.0-Mona: Security features | Security features]] page this includes Apanel's '''Security Center''' page  
'''''Note 2'':''' Additional information can be found on the [[4.0-Mona: Security features | Security features]] page, which includes Apanel's '''Security Center''' page.


'''''[[#top | Top]]'''''


----
----


[[Category: Uniform Server 4.0-Mona]]
[[Category: Uniform Server 4.0-Mona]]

Revision as of 20:33, 7 June 2011

 

The Uniform Server 4-Mona

Security and passwords

New users may find Uniform Server’s security features a little bewildering. This page attempts to explain their use and when passwords are required.

Default installation

After extracting Uniform Server 4-Mona it’s ready to run and very secure. Apache and MySQL servers are locked down allowing only local access. No external access is allowed from either Intranet or Internet, so even though you are connected to these you can safely develop a web site.

Uniform Server 4-Mona achieves this lock down through the use of .htaccess files placed in each folder that is protected. The file also protects any sub-folders in that folder.

Each of these folders contains an .htaccess file:

\UniServer\udrive\home\admin\www – Control panel for the server
\UniServer\udrive\www            – Server web-root folder (your web site ) 
\UniServer\udrive\ssl            – Server secure web-root (your secure web site)

Open either of the .htaccess files and you will find these three lines

Order Deny,Allow
Deny from all
Allow from 127.0.0.1 

The first line informs Apache to look for the next two lines and execute them in that order (Deny and then Allow)

The second line denies access to every one (all)

The third line is very specific and allows access from IP address 127.0.0.1. This is the IP address of the local machine. Hence Apache is locked down allowing access only from this IP. (IP address 127.0.0.1 is also referred to as the local loopback address).


Allowing external access

To put your servers on-line you need to allow external access. This can be achieved by commenting (adding a hash “#” to the beginning of each line) the three lines as shown below:

 
#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

Alternatively you could delete the three lines.

With the lines commented out, everyone connected to the Internet or Intranet has access to the folders that the .htaccess file was protecting.

Your web site or sites are placed in the folders:

 
\UniServer\udrive\www  – Server web-root folder (your web site ) 
\UniServer\udrive\ssl  – Server secure web-root (your secure web site)

These are now available and pages will be served by Apache from these folders.

However by modifying the .htaccess file in folder \UniServer\udrive\home\admin\www you will have allowed everyone access to your server’s control panel (kiss your servers goodbye. OK, I was after a dramatic impact.) There are additional security features that prevent this, however I recommend you do not place Apanel on-line. If you must do it, make sure you enable name/password protection.


Name/Password protection

You may wish to prevent other Internet users accessing your server (a personal web server) this can be achieved by forcing a user to enter a name and password. Uniform Server has this facility pre-configured, Apanel allows you to set a name and password for three specific areas of the server. Under Configurations (left menu) you will find these three links:

  • Admin Panel Configuration
  • Private Server Configuration
  • Private Secure Server Configuration

Even after setting a name and password, they do not become effective unless enabled in the appropriate .htaccess file. Let's look at these in more detail.

A) Admin Panel Configuration

If you have placed Apanel on-line it must be protected with a name and password as follows:

Edit file: \UniServer\udrive\home\admin\www\.htaccess

At the bottom of this file, un-comment (remove the hash”#”) the last four lines as shown:

AuthName "Uniform Server - Admin Panel 2.0"
AuthType Basic
AuthUserFile /htpasswd/home/admin/www/.htpasswd
Require valid-user

First line is the text displayed in the browser pop-up

Second line informs Apache the type of authentication (Basic)

Third line is the location of the file containing the name/password pair

The fourth line tells Apache to instruct a browser that a name and password are required.

To change name and password using Apanel, click on the link “Admin Panel Configuration.” A new page opens showing current name/password. Enter the new name and password click change.

Alternatively, edit file /htpasswd/home/admin/www/.htpasswd and enter a name and password in the following format:

aname:apassword

Note: Do not add any additional characters or carriage return (enter key) after the password.

Test: Enter the following into your browser

http://localhost/apanel/

or

http://your_domain/apanel/

In both cases you will be challenged for a name and password.

Note: Default name and password are root:root

B) Private Server Configuration

You can protect your web site with a name and password as follows:

Edit file: \UniServer\udrive\www\.htaccess

At the bottom of this file, un-comment (remove the hash”#”) the last four lines as shown:

AuthName "Uniform Server - Server Access"
AuthType Basic
AuthUserFile /htpasswd/www/.htpasswd
Require valid-user

First line is the text displayed in the browser pop-up

Second line informs Apache the type of authentication (Basic)

Third line is the location of the file containing the name/password pair

The fourth line tells Apache to instruct a browser that a name and password are required.

To change name and password using Apanel, click on the link “Private Server Configuration.” A new page opens showing current name/password. Enter new name/password click change.

Alternatively, edit file /htpasswd/www/.htpasswd and enter a name and password in the following format: aname:apassword

Note: Do not add any additional characters or carriage return (enter key) after the password.

Test: Enter the following into your browser

http://localhost

or

http://your_domain/

In both cases you will be challenged for a name and password.

Note: Default name and password are root:root

C) Private Secure Server Configuration

You can protect you secure web site with a name and password as follows:

Edit file: \UniServer\udrive\ssl\.htaccess

At the bottom of this file un-comment (remove the hash”#”) the last four lines as shown

AuthName "Uniform Server - Server Access" 
AuthType Basic
AuthUserFile /htpasswd/ssl/.htpasswd
Require valid-user

First line is the text displayed in the browser pop-up

Second line informs Apache the type of authentication (Basic)

Third line is the location of the file containing the name/password pair

The fourth line tells Apache to instruct a browser that a name and password are required.

To change name and password using Apanel, click on the link “Private Secure Server Configuration.” A new page opens showing current name/password. Enter new name/password click change.

Alternatively, edit file /htpasswd/ssl/.htpasswd and enter a name and password in the following format: aname:apassword

Note: Do not add any additional characters or carriage return (enter key) after the password.

Test: Enter the following into your browser

https://localhost/

or

https://your_domain/

In both cases you will be challenged for a name and password.

Note 1: Default name and password are root:root

Note 2: Make sure you have generated a new server certificate and key as detailed on this page.


MySQL Password

The MySQL server has been locked down for local access and protected by a password. If you have not put Apache on-line there is no need to change the password (default root). However it is good practice to change this at the earliest opportunity.

With Apache on-line there is a risk either through malicious intent or a rouge script to gain access to the MySQL server’s root user hence change the password. Note access remains local because user root has been restricted to local access.

To change the MySQL password use Apanel, click on the link “MySQL Server Configuration ” a new page opens showing current password (default root). Enter new password click change; there is no need to re-start the server.


Note 1: After changing either the MySQL port or password you may find server access is no longer possible using phpMyAdmin. A common cause is your browser cache close down servers and browser then restart.

Note 2: If for any reason the password becomes corrupted don’t panic use the password recovery link, found under Apanel's Plugin Manager section (left menu). Alternatively check out this page, how to manually create a new password.

Note 3: If you need to quickly back-up your databases no need to use phpMyAdmin or any other tool just back-up folder UniServer\udrive\usr\local\mysql\data this contains all databases.


Summary

In terms of security, if you are using the server for development there is nothing to do.

If you are putting the servers on-line, they need to be enabled first by editing each of the .htaccess files in each web-root folder (www and/or ssl). Comment the lines as shown:

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

If you want a personal server with name/password access, uncomment the last four lines in the above .htaccess files. Remember to change the name/password pairs using Apanel or manually edit the appropriate file.

Note 1: All names and passwords are set to a value of root

Note 2: Additional information can be found on the Security features page, which includes Apanel's Security Center page.