5.0-Nano: Security features
Revision as of 19:36, 11 September 2009
Security features - Security Center
Regarding security, Apanel provides two pages of importance: Home (the initial opening page) and Security Center. At first sight they look intimidating and give the impression Uniform Server is insecure, especially with all those red links on each page.
Before continuing I must stress Uniform Server is locked down, allowing local access only. If connected to the Internet or an Intranet the servers are inaccessible, hence very secure. This configuration is ideal when using Uniform Server as a development server but pretty useless for a production Web server (Well! No one can view your Web site).
If you are not intending to put the servers on-line you can safely ignore the above two pages. Even with your servers on-line most of these warnings can be ignored, with one exception: always set the MySQL password.
It's important to understand Uniform Server's security features; you will then appreciate that these pages provide reminders that you have not set something correctly.
Home page
At the bottom of this page you are presented with a Security Checklist:
- Change the username/password for the Admin Panel here
- Change the username/password for the server here
- Change the username/password for the SSL server here
- Change the root password for mysql by editing here
- Run the Security Console and see if everything is OK.
This is a reminder that all the usernames and passwords still contain their default value, which is "root".
With the exception of the MySQL password there is no need to worry about these until you enable a server feature that uses them.
Change MySQL Password
Now would be a good time to change the MySQL password: click the here link. This opens the MySQL Server Configuration page. It displays the current MySQL password (root); change this to a new value and click Change, and a confirmation page is displayed. Return to the Home page: the checklist entry for the MySQL password has been removed, confirming you are no longer using the default.
If you had viewed the Security Center page first, under User Management Security the link to the right of MySQL Server would have displayed Unsecure. Clicking this link would have taken you to the MySQL Server Configuration page. After changing the password it displays Secure.
Note 1: The new password takes effect immediately; however, I would recommend stopping the servers and closing your browser. This removes any potential problems associated with sessions and browser cache.
Note 2: The remaining name/password entries in the list function in a similar way: once changed, they are removed from the list and the corresponding link on the Security Center page changes accordingly.
You can work down this list and change the name/password pairs; they have no effect until you enable a particular server feature, covered further down this page.
Security Center
This page is accessed either from the Home page or from the left menu link Server Security.
It summarises the server security status for enabled features and provides additional information.
User Management Security
Under this (first) section there are five entries as follows:
- Admin Panel username/password
- Personal Server username/password
- Personal Secure Server (SSL) username/password
- Server Certificate and Key (SSL) Unsecure indicates no server certificate
- MySQL Server password
To the right of these you will see either Secure indicating that option has been enabled or a link named Unsecure indicating that option has not been enabled. The link offers a short cut to enable that option if you wish to do so.
I have covered the MySQL password; this sets the MySQL password for user root. The first three entries just set a name/password pair. These do not become effective until the corresponding feature has been enabled; see the next section.
The fourth entry, Server Certificate and Key (SSL), enables the SSL server. A new server certificate and key are created, which enables the SSL server; for full details check out Enable SSL.
Server Security
Under this (second) section there are five entries as follows:
Local View
Due to the fact that some PC's have a different hostname set rather than localhost, we use the IP method here. This checks to make sure that you are viewing the Admin Panel (this) from local.
Requires no explanation.
PHP Safe Mode
This checks to see if PHP is running in SAFE MODE. Now, PHP does not have to run in SAFE MODE, but if you want the extra security, you can set it by clicking on the UNSECURE link.
The explanation is clear; I just want to add that some third-party scripts will not run if safe mode is enabled.
Admin Panel Access
While this is another feature that is not throughly important as other features are in place against outside access to the Admin Panel, this checks to see if your Admin Panel is secured using the Auth method. Please change this by editing the C:/UniServer/home/admin/www/.htaccess file.
Apanel is currently locked down for local access only. It is not name/password protected hence the Unsecure status.
Annoying
It really becomes annoying if you enable password protection when only local access is allowed.
To prove my point, edit file UniServer\home\admin\www\.htaccess
1) Locate these lines:
   #AuthName "Uniform Server - Admin Panel 2.0"
   #AuthType Basic
   #AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
   #Require valid-user
2) Uncomment the lines by removing the hash "#" as shown:
   AuthName "Uniform Server - Admin Panel 2.0"
   AuthType Basic
   AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
   Require valid-user
Now every time you access Apanel you need to enter a name and password.
More annoying
What's more annoying! Can you remember the name/password you entered for the Admin Panel? I assumed you worked through the list mentioned on the Home page and forgot it.
Well, you have just enabled a feature that uses it and locked yourself out.
Using Apanel you can view the current name/password pairs; they are displayed in each set-up page. However, being locked out, that's not an option. You could disable the above lines, which would give you access; alternatively open the file UniServer\htpasswd\home\admin\www\.htpasswd to view the current settings.
One reason for showing this: notice the file path maps (home\admin\www\) to the location of the .htaccess file. This applies to the other password files.
Essential
Note: It is essential to enable this feature if you put Apanel on-line.
Put Apanel on-line
Although I never recommend this, you can put Apanel on-line, allowing access from either the Internet or an Intranet.
Edit file UniServer\home\admin\www\.htaccess
1) Locate these lines:
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1
2) Disable local access only by commenting each line with a hash "#" as shown:
   #Order Deny,Allow
   #Deny from all
   #Allow from 127.0.0.1
Server Access
If you are running your server in Production Mode, Skip this one. If not and you would like to add more security to the server by blocking it using the Auth method, then change this in by editing the C:/UniServer/www/.htaccess file.
Server (www) is currently locked down for local access only. It is not name/password protected hence the Unsecure status.
Put Server on-line
Production server means you have put your server on-line. To do this edit the following file:
UniServer\www\.htaccess
1) Locate these lines:
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1
2) Disable local access only by commenting each line with a hash "#" as shown:
   #Order Deny,Allow
   #Deny from all
   #Allow from 127.0.0.1
Note: No need to restart the server; changes are automatically picked up by Apache.
Personal Server
A personal server means you have restricted access using a name and password.
To enable this feature edit file: UniServer\www\.htaccess
1) Locate these lines:
   #AuthName "Uniform Server - Admin Panel 2.0"
   #AuthType Basic
   #AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
   #Require valid-user
2) Uncomment the lines by removing the hash "#" as shown:
   AuthName "Uniform Server - Admin Panel 2.0"
   AuthType Basic
   AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
   Require valid-user
Now every time a user browses your server from either the Internet or an Intranet they are challenged for a name and password.
Server Access (SSL)
If you are running your server in Production Mode, Skip this one. If not and you would like to add more security to the server by blocking it using the Auth method, then change this in by editing the C:/UniServer/ssl/.htaccess file.
Server (ssl) is currently locked down for local access only. It is not name/password protected hence the Unsecure status.
Put Secure Server on-line
Production server means you have put your server on-line. To do this edit the following file:
UniServer\ssl\.htaccess
1) Locate these lines:
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1
2) Disable local access only by commenting each line with a hash "#" as shown:
   #Order Deny,Allow
   #Deny from all
   #Allow from 127.0.0.1
Note: No need to restart the server; changes are automatically picked up by Apache.
Personal Secure Server
A personal secure server means you have restricted access using a name and password.
To enable this feature edit file: UniServer\ssl\.htaccess
1) Locate these lines:
   #AuthName "Uniform Server - Admin Panel 2.0"
   #AuthType Basic
   #AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
   #Require valid-user
2) Uncomment the lines by removing the hash "#" as shown:
   AuthName "Uniform Server - Admin Panel 2.0"
   AuthType Basic
   AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
   Require valid-user
Now every time a user browses your server from either the Internet or an Intranet they are challenged for a name and password.
Note: All data and the name/password are encrypted before being sent.
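The "Put Server on-line", "Personal Server" and matching SSL sections above all come down to commenting or uncommenting a fixed set of lines in one .htaccess file, and the Security Center's Server Access entry simply reports whether the Auth lines are live. The script below is an added example, not code from Uniform Server or Apanel: it reads the directives Apache would actually apply, reports Secure/Unsecure the way the Security Center does, flags the combination this page warns about (on-line with no name/password), and performs the same comment/uncomment edits so you can confirm a file's state before exposing it. The sample file content is constructed inline from the directive lines on this page; nothing is read from disk.

```python
# Added example (not part of Uniform Server): checker and editor for the
# .htaccess layout described on this page. Constructed sample input only.

# Constructed sample: the default, locked-down www/.htaccess layout as
# described above (directive values copied from the page).
DEFAULT_HTACCESS = """\
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
#Require valid-user
"""

# First word of each line the page tells you to comment or uncomment.
ACCESS_TOKENS = {"Order", "Deny", "Allow"}
AUTH_TOKENS = {"AuthName", "AuthType", "AuthUserFile", "Require"}


def _norm(line):
    """Collapse whitespace and lower-case so comparisons ignore layout."""
    return " ".join(line.split()).lower()


def active_directives(text):
    """Directives Apache will actually apply: blank and '#' lines dropped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def is_local_only(text):
    """True when the three local-access lines are all live (uncommented)."""
    live = {_norm(d) for d in active_directives(text)}
    return all(_norm(d) in live for d in
               ("Order Deny,Allow", "Deny from all", "Allow from 127.0.0.1"))


def has_basic_auth(text):
    """True when Basic auth is live: AuthType Basic, an AuthUserFile, Require valid-user."""
    live = active_directives(text)
    normed = {_norm(d) for d in live}
    has_userfile = any(d.split(" ", 1)[0] == "AuthUserFile" for d in live)
    return "authtype basic" in normed and has_userfile and "require valid-user" in normed


def report(text):
    """Summarise a file like the Security Center's Server Access entry, plus an
    'exposed' flag for the case the page warns about: on-line with no name/password."""
    local_only = is_local_only(text)
    auth = has_basic_auth(text)
    return {
        "local_only": local_only,
        "basic_auth": auth,
        "auth_status": "Secure" if auth else "Unsecure",
        "exposed": not local_only and not auth,
    }


def _toggle(text, tokens, comment_out):
    """Comment out (or uncomment) every line whose directive name is in tokens."""
    out = []
    for raw in text.splitlines():
        body = raw.lstrip("#").strip()
        name = body.split(" ", 1)[0] if body else ""
        if name in tokens:
            out.append("#" + body if comment_out else body)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def put_on_line(text):
    """'Put Server on-line' step: comment the three local-access lines."""
    return _toggle(text, ACCESS_TOKENS, True)


def lock_down(text):
    """Reverse of put_on_line: restore local access only."""
    return _toggle(text, ACCESS_TOKENS, False)


def enable_personal_server(text):
    """'Personal Server' step: uncomment the four Auth lines."""
    return _toggle(text, AUTH_TOKENS, False)


if __name__ == "__main__":
    on_line = put_on_line(DEFAULT_HTACCESS)
    for label, content in (
        ("default (locked down)", DEFAULT_HTACCESS),
        ("on-line, no password", on_line),
        ("personal server", enable_personal_server(on_line)),
    ):
        print(f"{label:24} {report(content)}")
```

Running the script prints the three states in the order the page walks through them: the default file is local-only and Unsecure but not exposed, the on-line file with the Auth lines still commented is the one state flagged as exposed, and the personal server reports Secure. To check a real file, read its text and pass it to report(); the edit functions are idempotent, so applying put_on_line() twice leaves the file unchanged.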
Summary
Security Center is a powerful Apanel feature; it collects all user-configurable security options in one place. It acts as a reminder and provides short cuts (links) to change passwords. It also allows you to confirm you have enabled a security feature.
The next page covers how to enable SSL; this has been fully integrated into 5.0-Nano, making the whole process easy.