New Users: Security: Difference between revisions
Revision as of 20:28, 19 May 2008
Uniform Server 3.5-Apollo's admin panel (apanel) provides an easy way to tailor your server's security features. At the bottom of apanel's home page you will find a security check list; click the appropriate link to set that security feature. To check your security settings run the Security Console (at the bottom of the security check list) or use the Server Security link on the left menu (located below the home page link).
Note: This page provides in-depth information and is not intended to be read from top to bottom. To highlight specific parts of Uniform Server's security features I link into it from other pages. It is more of a tour around apanel's security console, so click a few links and discover what it provides.
Security Console
When you run the Security Console for the first time you may be alarmed to find that, with the exception of local view, your servers are reported as Unsecured.
The security status refers to the situation where you allow others access to your servers, either physically (PC access) or remotely (putting your servers online).
I must stress that a default installation of UniServer is secure: you are the only person with physical access to your PC, and the servers are locked down to localhost access.
Allowing online access to your servers requires changing the .htaccess file in folder www. Always change your MySQL root password; make it the first action on installing a new copy of UniServer.
Security Checklist
The security check list is shown below; for a full description of each function click the appropriate link. You will find that some details within each section have been duplicated; this is to ensure each section is complete and independent.
Note: On the home page, once you have taken the appropriate action that entry is removed from the list.
- Change the username/password for the Admin Panel here
- Change the username/password for the server here
- Change the root password for mysql by editing here
- Run the Security Console and see if everything is OK.
Admin Panel Configuration
This page allows you to set up a username and password to access the Admin Panel. To use this feature you need to activate it in the file /home/admin/www/.htaccess; a detailed description of how to do this is given below.
Defaults
Name | Default value | Comment
Username: | root | This form displays the current settings, which are "root" for both name and password.
Password: | root | When you choose your own, make sure they are different.
After saving your username/password pair you can find them in the file .htpasswd, located in folder *\Uniform Server\udrive\htpasswd\home\admin\www
Security
A very important point to note: for security reasons the folder htpasswd is placed outside of the root folder www. Apache only serves data from designated root folders, and UniServer's default installation has one public root folder, www; hence apanel's name and password cannot be served to the Internet.
Automatic protection
UniServer's admin root folder (*\Uniform Server\udrive\home\admin\www) contains a special file named .htaccess; it protects this root folder and all folders and files below it. The default Apache directives within this file restrict access to localhost. The name/password pair set above has no effect until it is enabled in the .htaccess file, see below.
Name/password pair access
By enabling Apache directives in .htaccess you can force a user on your machine (or on the Internet) to enter a name and password to gain access to the admin area.
Do not add your own Apache directives to this file. The file provided splits into three main sections; understanding their interaction is important, especially when you want to access apanel from the Internet. (For a production server I personally would not recommend Internet access to apanel; however, the choice is yours.)
.htaccess - Apanel
The remainder of this section looks at the file .htaccess in more detail. It is a text file; to edit it, open it in any text editor, but never use a word processor: they add special characters and screw text files up badly.
Uniform Server uses several .htaccess files, each protecting a particular area of the server. This one protects apanel and can be found in folder: *\Uniform Server\udrive\home\admin\www
The file looks like this:
# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# To disallow execution of cgi scripts in this directory comment next two lines.
AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI
#--
# Activate this to use the Admin Panel Feature!
#--
# To lock Admin Panel, uncomment the next 4 lines.
# Defaults: Username - root; Password - root
#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile /htpasswd/home/admin/www/.htpasswd
#Require valid-user
I have split the above into three sections and describe each section in detail; at the end I combine all three sections again.
Localhost access to Apanel
The most secure way to access apanel is using localhost (UniServer's default); note that the last three lines in section one shown below are uncommented, making them active. These three Apache instructions are what I would call a cosy little group, meaning you will always find them arranged this way.
The first line states that the next two instructions will be evaluated in this order: Deny and then Allow. If you had twenty Allow instructions followed by one Deny, all those Allow instructions would be ignored and the Deny would be evaluated first. Apache would then look for the first occurrence of Allow and apply it.
You must have that first line. It is normal practice to write the next two instructions in the order stated.
Deny from all means just that: no one has access to the Apache server. Now we make one exception, Allow from 127.0.0.1; this is the localhost IP address (the PC that Apache is running on).
File .htaccess located in folder *\Uniform Server\udrive\home\admin\www

Code (section 1 of the file shown above):
# This file provides security to the server limiting access to the localhost only.
Order Deny,Allow
Comment: Section 1) The last three lines are uncommented; this means they are active and protecting the folder where .htaccess resides and all its sub-folders. Note: This is the default for all Uniform Server .htaccess files.
Internet access to Apanel
If you must have access to apanel over the Internet, enable password protection (see section three). You must also disable local protection by commenting out the last three lines in section one. Doing this allows public access: anyone on the Internet now has access to your admin panel's area. If you have enabled password protection they are kept out of this area until a valid name/password pair is entered.
File .htaccess located in folder *\Uniform Server\udrive\home\admin\www

Code (section 1 of the file shown above):
# This file provides security to the server limiting access to the localhost only.
#Order Deny,Allow
Comment: Section 1) The last three lines are commented; this means they are inactive and not protecting the folder or its sub-folders. Note: You MUST uncomment the last four lines in section 3) and have changed the name and password for apanel.
Script execution
For completeness I have included this section; however, you must not change any part of it, for correct operation of apanel and your server.
By default no root folder is allowed to run CGI scripts. In order to run scripts you need to inform Apache accordingly; the two lines in .htaccess section 2 do this.
Apache has no built-in knowledge of your file extensions; your Perl scripts could have the extension .plug, .zap or whatever. To cater for this Apache has a number of handlers that deal with this situation. The handler for CGI scripts is named "cgi-script"; you pass information to it by following the name with the file extensions you are using for your scripts. For example, cgi-script .zap .pl informs Apache that files with these extensions are CGI scripts and are to be treated accordingly.
The handler is attached to those extensions using the directive AddHandler. As a user you also need to inform Apache what you want to do with the scripts: you have two options, either run or do not run the scripts.
To allow execution of scripts you use the option +ExecCGI; the default is -ExecCGI.
File .htaccess located in folder *\Uniform Server\udrive\home\admin\www

Code (section 2 of the file shown above):
# To disallow execution of cgi scripts in this directory comment next two lines.
AddHandler cgi-script .bat .exe .pl .cgi
Comment: Section 2) DO NOT change this section; it allows execution of scripts and programs. Note: Only shown for completeness.
Name Password Protection
The final section of .htaccess deals with apanel name and password protection; by default this is disabled. If you have disabled localhost protection (see section 1) you must enable this section, otherwise anyone on the Internet can view and use apanel and destroy your server.
File .htaccess located in folder *\Uniform Server\udrive\home\admin\www

Code (section 3 of the file shown above):
#--
#AuthName "Uniform Server - Admin Panel 2.0"
Comment: Section 3) All lines are commented out; this becomes unsafe if you have disabled localhost protection, see section 1). Note: This is Uniform Server's default; remember that localhost protection is enabled by default, hence it is safe.
Uncomment the last four lines to enable password protection. Any user trying to view apanel will be asked to enter a name and password. This is the name/password pair you entered from apanel using the form above.
File .htaccess located in folder *\Uniform Server\udrive\home\admin\www

Code (section 3 of the file shown above):
#--
AuthName "Uniform Server - Admin Panel 2.0"
Comment: Section 3) The last four lines are uncommented; this enables name/password protection and makes it safer.
The first line, AuthName "Uniform Server - Admin Panel 2.0", contains the text that is displayed in the authentication pop-up window; change this to match your web site.
- AuthType Basic - The name and password are not saved encrypted; plain text is used, which is why they are not stored in the root folder.
- AuthUserFile /htpasswd/home/admin/www/.htpasswd - This is the path to apanel's password file and informs Apache where to find it.
- Require valid-user - This informs Apache that authentication must be used to access this folder (apanel's pages).
Note: It is not just the root folder that is protected; all folders and files within it are protected too. Typing the name of any page within apanel's folder directly into a browser will require authentication on first access.
Summary - Apanel
To make it 100% clear I have shown two complete .htaccess files: the default for local access only, and the changes required for Internet access to apanel.
Local access (default)
File .htaccess located in folder *\Uniform Server\udrive\home\admin\www

Code (section 1, see the full file above):
# This file provides security to the server limiting access to the localhost only.
Comment: Section 1) The last three lines are uncommented; this means they are active and protecting the folder where .htaccess resides and all its sub-folders. Note: This is the default for all Uniform Server .htaccess files.

Code (section 2):
# To disallow execution of cgi scripts in this directory comment next two lines.
Comment: Section 2) DO NOT change this section; it allows execution of scripts and programs. Note: Only shown for completeness.

Code (section 3):
#--
Comment: Section 3) The last four lines are commented; this disables name/password protection. Note: For local access there really is no point in enabling this section! If you like annoying pop-ups you can enable it; however, its real purpose is Internet access protection.
Internet access
File .htaccess located in folder *\Uniform Server\udrive\home\admin\www

Code (section 1, see the full file above):
# This file provides security to the server limiting access to the localhost only.
Comment: Section 1) To allow access to apanel over the Internet, comment the last three lines in this section.

Code (section 2):
# To disallow execution of cgi scripts in this directory comment next two lines.
Comment: Section 2) DO NOT change this section; it allows execution of scripts and programs. Note: Only shown for completeness.

Code (section 3):
#--
Comment: Section 3) To password protect apanel, uncomment the last four lines in this section. Note: Both local and Internet access will now require authentication.
Private Server Configuration
This page allows you to set up a username and password, making your web page server private (restricting access to the root folder www). To use this feature you need to activate it in the file /www/.htaccess; a detailed description of how to do this is given below.
Defaults
Name | Default value | Comment
Username: | root | This form displays the current settings, which are "root" for both name and password.
Password: | root | When you choose your own, make sure they are different.
After saving your username/password pair you can find them in the file .htpasswd, located in folder *\Uniform Server\udrive\htpasswd\www
Security
A very important point to note: for security reasons the folder htpasswd is placed outside of the root folder www. Apache only serves data from designated root folders, and UniServer's default installation has one public root folder, www; hence this name and password cannot be served to the Internet.
Automatic protection - Web page server
Uniform Server serves web pages from the root folder www (*\Uniform Server\udrive\www); it contains a special file named .htaccess. This protects the root folder and all folders and files below it. The default Apache directives within this file restrict access to localhost. The name/password pair set above has no effect until it is enabled in the .htaccess file, see below.
Name/password pair access
By enabling Apache directives in .htaccess you can force a user on your machine (or on the Internet) to enter a name and password to gain access to pages on your server.
You can add your own Apache directives to this file. The file provided splits into three main sections; understanding their interaction is important, especially when you want to put your servers on-line or make your server private.
.htaccess - Private or public server
The remainder of this section looks at the file .htaccess in more detail. It is a text file; to edit it, open it in any text editor, but never use a word processor: they add special characters and screw text files up badly.
Uniform Server uses several .htaccess files, each protecting a particular area of the server. This one protects your web-site and can be found in folder: *\Uniform Server\udrive\www
The file looks like this:
# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# To allow execution of cgi scripts in this directory uncomment next two lines.
AddHandler cgi-script .pl .cgi
Options +ExecCGI
#--
# Activate this to use the Private Server Feature!
#--
# To lock server, uncomment the next 4 lines.
# Defaults: Username - root; Password - root
#AuthName "Uniform Server - Server Access"
#AuthType Basic
#AuthUserFile /htpasswd/www/.htpasswd
#Require valid-user
I have split the above into three sections and describe each section in detail; at the end I combine all three sections again.
Public Server
To create a public server the quickest, but not the best, way is to delete the .htaccess file. This removes any restrictions imposed; anyone on the Internet or local network can access all the folders and files in the root folder www.
Deleting the .htaccess file is a bit draconian: you lose flexibility and control. For example, let's look at the first section of this file.
File .htaccess located in folder *\Uniform Server\udrive\www

Code (section 1 of the file shown above):
# This file provides security to the server limiting access to the localhost only.
#Order Deny,Allow
Comment: Section 1) The last three lines are commented; this means they are inactive and not protecting the folder or its sub-folders. If this were the only section it would have the same effect as deleting the file. Alternatively you could delete all lines in this section; the effect would still be the same.
My real point: using just three comment characters you have put your server online; remove the comments and you are back to square one. It is that flexibility I am talking about. Delete the lines, and next time you wish to use them you may have to look up the format of the directives. Let's look at those three lines in more detail.
Localhost
The most secure way to develop a web-site is to run the servers with localhost access only (UniServer's default); note that the last three lines in section one shown below are uncommented, making them active. These three Apache instructions are what I would call a cosy little group, meaning you will always find them arranged this way.
The first line states that the next two instructions will be evaluated in this order: Deny and then Allow. If you had twenty Allow instructions followed by one Deny, all those Allow instructions would be ignored and the Deny would be evaluated first. Apache would then look for the first occurrence of Allow and apply it.
You must have that first line. It is normal practice to write the next two instructions in the order stated.
Deny from all means just that: no one has access to the Apache server. Now we make one exception, Allow from 127.0.0.1; this is the localhost IP address (the PC that Apache is running on).
File .htaccess located in folder *\Uniform Server\udrive\www

Code (section 1 of the file shown above):
# This file provides security to the server limiting access to the localhost only.
Order Deny,Allow
Comment: Section 1) The last three lines are uncommented; this means they are active and protecting the folder where .htaccess resides and all its sub-folders. a) Execute the next two commands in this order: Deny and then Allow.
Script execution
By default no root folder is allowed to run CGI scripts. In order to run scripts you need to inform Apache accordingly; the two lines in .htaccess section 2 do this.
Apache has no built-in knowledge of your file extensions; your Perl scripts could have the extension .plug, .zap or whatever. To cater for this Apache has a number of handlers that deal with this situation. The handler for CGI scripts is named "cgi-script"; you pass information to it by following the name with the file extensions you are using for your scripts. For example, cgi-script .zap .pl informs Apache that files with these extensions are CGI scripts and are to be treated accordingly.
The handler is attached to those extensions using the directive AddHandler. As a user you also need to inform Apache what you want to do with the scripts: you have two options, either run or do not run the scripts.
To allow execution of scripts you use the option +ExecCGI; the default is -ExecCGI.
File .htaccess located in folder *\Uniform Server\udrive\www

Code (section 2 of the file shown above):
# To disallow execution of cgi scripts in this directory comment next two lines.
AddHandler cgi-script .bat .exe .pl .cgi
Comment: Section 2) Allows script execution.

File .htaccess located in folder *\Uniform Server\udrive\www

Code (section 2, disabled):
# To disallow execution of cgi scripts in this directory comment next two lines.
# Options +ExecCGI
Comment: Section 2) Comment the lines as shown to disable script execution.
Name Password Protection
The final section of .htaccess deals with user name and password protection; by default this is disabled. If you have put your servers online (see section 1) anyone on the Internet can view your web site. If you have restricted your server to localhost (default) anyone with physical access to your PC can view your web site.
File .htaccess located in folder *\Uniform Server\udrive\www

Code (section 3 of the file shown above):
#--
#AuthName "Uniform Server - Server Access"
Comment: Section 3) Commented to disable user name/password access to your web site; this is the default setting on installing UniServer.
Uncomment the last four lines to enable password protection. Any user trying to view your web site will be asked to enter a name and password. This is the name/password pair you entered for your personal server.
Please note that this section is independent of the settings in section one; whatever section one allows, authentication will be required.
File .htaccess located in folder *\Uniform Server\udrive\www

Code (section 3 of the file shown above):
#--
AuthName "Uniform Server - Server Access"
Comment: Section 3) Uncomment the last four lines as shown to enable user name/password protection.
The first line, AuthName "Uniform Server - Secure Server Access", contains the text that is displayed in the authentication pop-up window; change this to match your web site.
- AuthType Basic - The name and password are not saved encrypted; plain text is used, which is why they are not stored in the root folder.
- AuthUserFile /htpasswd/www/.htpasswd - This is the path to your password file and informs Apache where to find it.
- Require valid-user - This informs Apache that authentication must be used to access this folder (your web site's pages).
Note: It is not just the root folder that is protected; all folders and files within it are protected too. Typing the name of any page within your site directly into a browser will require authentication on first access.
Summary - Private Server
The complete .htaccess file is shown below. It is currently configured to allow localhost access (section 1), to run CGI scripts (section 2) and to require user authentication (section 3).
File .htaccess located in folder *\Uniform Server\udrive\www

Code (section 1, see the full file above):
# This file provides security to the server limiting access to the localhost only.
Order Deny,Allow
Comment: Section 1) To put your servers online, comment the last three lines in this section. The default setting is localhost access: you can remain connected to the Internet, but only your local browser will be able to view and access your web-site server.

Code (section 2):
# To allow execution of cgi scripts in this directory uncomment next two lines.
AddHandler cgi-script .pl .cgi
Comment: Section 2) The default is to allow execution of scripts. If you do not run CGI scripts, comment out the last two lines in this section.

Code (section 3):
#--
#AuthName "Uniform Server - Server Access"
Comment: Section 3) For a personal web server the last four lines have been uncommented. To access your web site a user must supply the correct user name and password. To disable this, comment the last four lines; this allows everyone access, subject to the restriction set in section 1).
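The interaction between section 1 (host rules) and section 3 (name/password) described above for both the apanel file and the www file, modelled as an added example that is not Uniform Server's own code: it parses the apanel .htaccess exactly as shipped (section 1 active, section 3 commented out), evaluates a request the way Apache 2.2 does, and the two edit helpers perform the page's "comment the last three lines" and "uncomment the last four lines" changes so the resulting behaviour can be checked.

```python
"""Model of the .htaccess decisions on this page (added example, not Uniform
Server code).  It parses the .htaccess shown above and evaluates a request as
Apache 2.2 does: Order Deny,Allow checks Deny lines first and lets Allow lines
override them; Require valid-user additionally demands a correct name/password.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# The apanel .htaccess from the page, as shipped (section 1 active, section 3 off).
DEFAULT_HTACCESS = """\
# This file provides security to the server limiting access to the localhost only.
# Comment to deactivate.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# To disallow execution of cgi scripts in this directory comment next two lines.
AddHandler cgi-script .bat .exe .pl .cgi
Options +ExecCGI
#--
# Activate this to use the Admin Panel Feature!
#--
# To lock Admin Panel, uncomment the next 4 lines.
# Defaults: Username - root; Password - root
#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile /htpasswd/home/admin/www/.htpasswd
#Require valid-user
"""

@dataclass
class Policy:
    order: Optional[str] = None          # None when section 1 is commented out
    deny: List[str] = field(default_factory=list)
    allow: List[str] = field(default_factory=list)
    auth_user_file: Optional[str] = None
    require_valid_user: bool = False

def parse_htaccess(text: str) -> Policy:
    """Collect the active directives; '#' lines are comments, as for Apache."""
    p = Policy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)  # shlex keeps the quoted AuthName intact
        if name == "Order":
            p.order = args[0].lower()
        elif name in ("Deny", "Allow") and args[:1] == ["from"]:
            getattr(p, name.lower()).extend(args[1:])
        elif name == "AuthUserFile":
            p.auth_user_file = args[0]
        elif name == "Require" and args == ["valid-user"]:
            p.require_valid_user = True
    return p

def _matches(pattern: str, client_ip: str) -> bool:
    """'all' matches everyone; otherwise a full or partial (octet-prefix) address."""
    return pattern.lower() == "all" or (client_ip + ".").startswith(pattern + ".")

def host_allowed(p: Policy, client_ip: str) -> bool:
    """Section 1 under Order Deny,Allow: Deny is checked first, Allow overrides it."""
    if p.order is None:
        return True                      # section 1 commented out: no host restriction
    if p.order != "deny,allow":
        raise ValueError("only Order Deny,Allow (the page's setting) is modelled")
    denied = any(_matches(h, client_ip) for h in p.deny)
    allowed = any(_matches(h, client_ip) for h in p.allow)
    return allowed or not denied

def request_allowed(p: Policy, client_ip: str, authenticated: bool) -> bool:
    """Sections 1 and 3 together; `authenticated` = a valid pair from AuthUserFile."""
    return host_allowed(p, client_ip) and (authenticated or not p.require_valid_user)

def comment_section1(text: str) -> str:
    """The page's Internet-access edit: comment out the three section 1 directives."""
    return "\n".join("#" + l if l.split(" ")[0] in ("Order", "Deny", "Allow") else l
                     for l in text.splitlines())

def uncomment_section3(text: str) -> str:
    """The page's password-protection edit: uncomment the four section 3 lines."""
    return "\n".join(l[1:] if l.startswith(("#Auth", "#Require")) else l
                     for l in text.splitlines())
```

With section 1 commented out and section 3 left commented, request_allowed returns True for any remote address without credentials, which is the unsafe state the page warns about; the same functions accept the www file since it uses the same directives.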
MySQL Server Configuration
This page allows you to set up the MySQL password. Please note that after changing it you must shut down the server using the Stop.bat file and then restart the server again.
Name | Default value | Comment
MySQL Password: | root | This form displays the current setting; the default is "root".
Configuration
This security feature is of prime importance and should be the first task you perform on a new installation.
- Start the server using Server_Start.bat
- From apanel RUN MySQL
- Click on MySQL Server Configuration left menu
- Enter a new root password
- Click on change
- Click on Stop MySQL (left menu)
- Shutdown the server using Stop.bat
- Restart the servers and check access using phpMyAdmin (left menu in apanel)
Note: If you are allowing other users access to your MySQL server, restrict them to a single database with limited privileges.
Either of the following two methods can be used to achieve this. Example: user mpg is restricted to the database fred. You can use either the MySQL console or phpMyAdmin.
Take the easy option and use phpMyAdmin; if you like the CLI, I explain that first.
How to use MySQL console (CLI)
First make sure you have started both the Apache and MySQL servers.
Start a command prompt: Start > Run > type cmd > click OK.
In this window type the commands that follow each prompt below:
C:\Documents and Settings\work3>w:
W:\>cd usr\local\mysql\bin
W:\usr\local\mysql\bin>mysql -uroot -proot
mysql>CREATE DATABASE fred;
Query OK, 1 row affected (0.00 sec)
mysql>GRANT SELECT,INSERT,UPDATE,DELETE ON fred.* TO 'mpg'@'localhost'IDENTIFIED BY 'mpg123';
Query OK, 0 rows affected (0.00 sec)
mysql>FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.02 sec)
mysql>exit
The first two lines navigate to the folder containing the mysql executable. This program is run with two parameters: user root and password root (if you have changed the root password use that instead).
A mysql prompt is displayed, allowing you to enter SQL instructions; the first one creates a database named fred.
The next line creates a user named mpg with password mpg123 and sets its privileges; finally, the most important line, FLUSH PRIVILEGES, instructs MySQL to apply the changes.
The last line, exit, ends the program.
Most programmers like to show off their prowess at the keyboard I find the whole process nauseating and prefer to use phpMyAdmin.
How to use phpMyAdmin
My skills at the keyboard are such that entering long lines of code at a command prompt is a recipe for disaster hence I favor phpMyAdmin.
The following instructions show how easy it is to use phpMyAdmin:
- Start both servers.
- Start apanel (type http://localhost/apanel/ into the browser address bar)
- Click phpMyAdmin (left menu)
- Type fred into Create new database and click the Create button
- Select Privileges; the User overview page is displayed
- Click on Add new user (the Add a new User page is displayed)
- Login Information:
  - User name: Use text field: type in mpg
  - Host: Drop down menu: select Local
  - Password: Use text field: type in mpg123
  - Re-type: mpg123
- Click Go to create the new user (the page reloads and expands)
- Scroll down the page to Database-specific privileges
- From the drop down menu select the database fred (opens the Database-specific privileges page)
- In the Data column check all four privileges Select, Insert, Update and Delete, then press Go
- Click Home and then click on Reload privileges; this executes SQL FLUSH PRIVILEGES
Security Console details
When you run the Security Console for the first time you may be alarmed to find that, with the exception of local view, your servers are reported as Unsecured.
In a default installation, with you as the only person with physical access to your PC, your servers are secure.
The security status refers to the situation where you allow others access to your servers, either physically (PC access) or remotely (putting your servers online).
I have reproduced the Security Center page below; click any link to the right for more detail.
Security Center - User Management Security: This part of the security center will check all user management settings to make sure that everything is set. It will tell you if something needs to be changed.
Server Security
Root folder www
With your server online, files placed in folder www are public, meaning people can get at them. This is what a web server is all about, but think about the implications!
For example, when writing PHP code that uses include files, do not give them the file extension .inc! These are text files and are directly readable using a browser; this will compromise your security.
Suppose the file in question connects to your MySQL server, you name it config_db.inc and it has the following content:
<?
// Database configuration file config_db.php
$dbhost = 'localhost'; //server name localhost or 127.0.0.1
$dbuser = 'root';      //User name default root
$dbpass = 'fred123';   //Password default root -- Hello world this is my password fred123
?>
Type something like this into your browser: http://yourdomain/config_db.inc
Your browser displays it as a text file. Now, do you really want to give that information away?
Make sure your include files have the extension .php; the PHP code is then executed on the server and stripped out before the result is served.
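A defender's check for exactly this mistake, as an added example that is not from the original page or from Uniform Server: it walks a web root and reports files that contain PHP code but do not carry a .php extension, so Apache would serve their source as text, and notes which of them hold a password assignment. The set of PHP-handled extensions is an assumption, and the web root it scans is a constructed sample tree in a temporary directory.

```python
"""Find PHP include files under the web root that a browser can read as text.

Added example, not code from the Uniform Server wiki or project.  Apache runs
PHP only for the extensions handed to the PHP handler (assumed here: .php);
anything else under www is served verbatim, which is the config_db.inc case
the page describes.  The scan flags files with PHP code under another
extension and notes whether they carry credential-looking assignments.
"""
import os
import re
import tempfile
from typing import List, Tuple

PHP_EXTENSIONS = {".php"}                         # assumption: routed to PHP
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=|\s)")    # long, echo and the page's short tag
SECRET_RE = re.compile(rb"\$(db)?(pass|password|pwd|passwd)\s*=", re.I)


def scan_webroot(root: str) -> List[Tuple[str, bool]]:
    """Return (path relative to root, holds_credentials) for each exposed file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                continue                          # executed by PHP, source not sent
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(64 * 1024)         # include files are small; cap the read
            if PHP_OPEN_TAG.search(data):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, bool(SECRET_RE.search(data))))
    return sorted(findings)


def build_sample_www(base: str) -> str:
    """Constructed sample web root mirroring the page's scenario (not real files)."""
    www = os.path.join(base, "www")
    os.makedirs(os.path.join(www, "lib"))
    samples = {
        "index.php": "<?php include 'lib/config_db.inc'; ?>",
        "lib/config_db.inc": "<?\n$dbhost = 'localhost';\n$dbpass = 'fred123'; // sample\n?>",
        "lib/helpers.inc": "<?php function helper() { return 1; } ?>",
        "lib/settings.php": "<?php $dbpass = 'hidden-by-php'; ?>",
        "feed.xml": "<?xml version='1.0'?><rss/>",
        "readme.txt": "plain text, not PHP",
    }
    for rel, body in samples.items():
        with open(os.path.join(www, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return www


def demo() -> List[Tuple[str, bool]]:
    """Scan the constructed tree; expected: config_db.inc (with credentials), helpers.inc."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_sample_www(tmp))


if __name__ == "__main__":
    for rel, has_secret in demo():
        print(f"{rel}: PHP source readable" + (" - contains credentials" if has_secret else ""))
```

Run scan_webroot against your own www folder; anything it lists is served as plain text by the configuration described on this page.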
Point
My point in showing the above: no matter how secure Uniform Server's design team makes it, you as a user must make sure you do not compromise that security.
Ric 20:28, 19 May 2008 (UTC)