5.0-Nano: Security features

From The Uniform Server Wiki
Revision as of 18:57, 31 August 2011 by BobS (PHP Safe Mode: Deprecation explanation)

Security features - Security Center

Regarding security, Apanel provides two pages of importance: Home (the initial opening page) and Security Center. At first sight they look intimidating and give the impression that Uniform Server is insecure, especially with all those red links on each page.

Before continuing I must stress that Uniform Server is locked down, allowing local access only. If connected to the Internet or an Intranet, the servers are inaccessible and hence very secure. This configuration is ideal when using Uniform Server as a development server but pretty useless for a production Web server (well, no one can view your Web site!).

If you are not intending to put the servers on-line you can safely ignore the above two pages. Even with your servers on-line most of these warnings can be ignored, with one exception: always set the MySQL password.

It is important to understand Uniform Server's security features; you will then appreciate that these pages provide reminders that you have not set something correctly.


Home page

At the bottom of this page you are presented with a Security Checklist:

  • Change the username/password for the Admin Panel here
  • Change the username/password for the server here
  • Change the username/password for the SSL server here
  • Change the root password for mysql by editing here
  • Run the Security Console and see if everything is OK.

This is a reminder that all the usernames and passwords still contain their default value, which is "root".

With the exception of the MySQL password there is no need to worry about these until you enable a server feature that uses them.


Change MySQL Password

Now would be a good time to change the MySQL password: click the here link. This opens the MySQL Server Configuration page. It displays the current MySQL password (root); change this to a new value and click Change, and a confirmation page is displayed. Return to the Home page: the checklist entry for the MySQL password has been removed, confirming you are no longer using the default.

If you had viewed the Security Center page first, under User Management Security the link to the right of MySQL Server would have displayed Unsecure. Clicking this link would have taken you to the MySQL Server Configuration page. After changing the password it displays Secure.

Note 1: The new password takes effect immediately; however, I recommend stopping the servers and closing your browser. This removes any potential problems associated with sessions and browser cache.

Note 2: The remaining name/password entries in the list function in a similar way: once changed, they are removed from the list and the corresponding link on the Security Center page changes accordingly.

You can work down this list and change the name/password pairs; they have no effect until you enable a particular server feature, as covered further down this page.


Security Center

This page is accessed either from the Home page or from the left menu link Server Security.

It summarises the server security status for enabled features and provides additional information.

User Management Security

Under this (first) section there are five entries as follows:

  1. Admin Panel username/password
  2. Personal Server username/password
  3. Personal Secure Server (SSL) username/password
  4. Server Certificate and Key (SSL) (Unsecure indicates no server certificate has been created)
  5. MySQL Server password

To the right of these you will see either Secure, indicating that the option has been enabled, or a link named Unsecure, indicating that it has not. The link offers a shortcut to enable that option if you wish to do so.

I have covered the MySQL password; this sets the MySQL password for user root. The first three entries just set a name/password pair. These do not become effective until the corresponding feature has been enabled; see the next section.

The fourth entry, Server Certificate and Key (SSL), enables the SSL server. A new server certificate and key are created, which enables the SSL server; for full details check out Enable SSL.


Server Security

Under this (second) section there are five entries, each covered below:

Local View

Due to the fact that some PCs have a different hostname set rather than localhost, we use the IP method here. This checks to make sure that you are viewing the Admin Panel (this) from local.

Requires no explanation.


PHP Safe Mode

This checks to see if PHP is running in SAFE MODE. Now, PHP does not have to run in SAFE MODE, but if you want the extra security, you can set it by clicking on the UNSECURE link.

The explanation is clear. Some third-party scripts will not run if safe mode is enabled. However, what's more important is that Safe Mode is deprecated. The PHP developers will be eliminating it in PHP version 6. The reason is that there are other methods that work better, and many users have falsely believed that safe mode was a sufficient security measure, which it is not.

Admin Panel Access

While this is another feature that is not thoroughly important as other features are in place against outside access to the Admin Panel, this checks to see if your Admin Panel is secured using the Auth method. Please change this by editing the C:/UniServer/home/admin/www/.htaccess file.

Apanel is currently locked down for local access only. It is not name/password protected, hence the Unsecure status.

Annoying

It really becomes annoying if you enable password protection when only local access is allowed.

To prove my point, edit the file UniServer\home\admin\www\.htaccess

1) Locate these lines:

#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
#Require valid-user

2) Uncomment the lines by removing the hash "#" as shown:

AuthName "Uniform Server - Admin Panel 2.0"
AuthType Basic
AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
Require valid-user

Now every time you access Apanel you need to enter a name and password.

More annoying

What's more annoying: can you remember the name/password you entered for the Admin Panel? I assume you worked through the list mentioned on the Home page and then forgot it.

Well, you have just enabled a feature that uses it and locked yourself out.

Using Apanel you can view the current name/password pairs; they are displayed in each set-up page. However, being locked out, that's not an option. You could disable the above lines, which would give you access; alternatively, open the file UniServer\htpasswd\home\admin\www\.htpasswd to view the current settings.

One reason for showing this: notice that the file path maps (home\admin\www\) to the location of the .htaccess file. This applies to the other password files.

Essential

Note: It is essential to enable this feature if you put Apanel on-line.


Put Apanel on-line

Although I never recommend this, you can put Apanel on-line, allowing access from either the Internet or an Intranet.

Edit the file UniServer\home\admin\www\.htaccess

1) Locate these lines:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

2) Disable local access only by commenting each line with a hash "#" as shown:

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1
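As an added example (not Uniform Server's own code), the following Python reproduces the two .htaccess edits described in this and the preceding section and then applies the Security Center's Secure/Unsecure logic to the result. The file content is a constructed sample built from the lines quoted on this page, and the page's rule that a directory put on-line must be password protected is reported as exposed_without_auth; the same check applies to the www and ssl .htaccess files covered below.

```python
AUTH = {"AuthName", "AuthType", "AuthUserFile", "Require"}
LOCAL = {"Order", "Deny", "Allow"}
# Constructed sample: Apanel's .htaccess as shipped (local access only, Auth lines
# commented out), assembled from the lines this page quotes.
HTACCESS_SHIPPED = """\
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
#Require valid-user
"""
def edit_lines(text, directives, enable):
    """Apply the page's edits: uncomment (enable=True) or comment out (enable=False)
    every line whose directive is in `directives`; other lines are left untouched."""
    out = []
    for line in text.splitlines():
        bare = line.lstrip("#")
        if bare.split(" ", 1)[0] in directives:
            line = bare if enable else "#" + bare
        out.append(line)
    return "\n".join(out) + "\n"

def active_directives(text):
    """(directive, argument) pairs for lines that are not commented out."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, arg = line.partition(" ")
            pairs.append((name, arg.strip()))
    return pairs

def audit_htaccess(text):
    """Mirror the Security Center: is the directory local-only, and is Basic auth on?"""
    d = active_directives(text)
    local_only = ("Order", "Deny,Allow") in d and ("Deny", "from all") in d \
        and ("Allow", "from 127.0.0.1") in d
    auth_on = ("AuthType", "Basic") in d and ("Require", "valid-user") in d \
        and any(n == "AuthUserFile" for n, _ in d)
    return {"local_only": local_only, "auth_enabled": auth_on,
            # The page's rule: a directory put on-line must be password protected.
            "exposed_without_auth": not local_only and not auth_on}

if __name__ == "__main__":
    online = edit_lines(HTACCESS_SHIPPED, LOCAL, enable=False)   # "Put Apanel on-line"
    print(audit_htaccess(online))                                  # exposed_without_auth True
    print(audit_htaccess(edit_lines(online, AUTH, enable=True)))   # auth_enabled True
```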


Server Access

If you are running your server in Production Mode, skip this one. If not and you would like to add more security to the server by blocking it using the Auth method, then change this by editing the C:/UniServer/www/.htaccess file.

Server (www) is currently locked down for local access only. It is not name/password protected, hence the Unsecure status.


Put Server on-line

Production server means you have put your server on-line. To do this, edit the following file:

UniServer\www\.htaccess

1) Locate these lines:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

2) Disable local access only by commenting each line with a hash "#" as shown:

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

Note: There is no need to restart the server; changes are automatically picked up by Apache.


Personal Server

A personal server means you have restricted access using a name and password.

To enable this feature, edit the file: UniServer\www\.htaccess

1) Locate these lines:

#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
#Require valid-user

2) Uncomment the lines by removing the hash "#" as shown:

AuthName "Uniform Server - Admin Panel 2.0"
AuthType Basic
AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
Require valid-user

Now every time a user browses your server from either the Internet or an Intranet they are challenged for a name and password.


Server Access (SSL)

If you are running your server in Production Mode, skip this one. If not and you would like to add more security to the server by blocking it using the Auth method, then change this by editing the C:/UniServer/ssl/.htaccess file.

Server (ssl) is currently locked down for local access only. It is not name/password protected, hence the Unsecure status.


Put Secure Server on-line

Production server means you have put your server on-line. To do this, edit the following file:

UniServer\ssl\.htaccess

1) Locate these lines:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

2) Disable local access only by commenting each line with a hash "#" as shown:

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

Note: There is no need to restart the server; changes are automatically picked up by Apache.


Personal Secure Server

A personal secure server means you have restricted access using a name and password.

To enable this feature, edit the file: UniServer\ssl\.htaccess

1) Locate these lines:

#AuthName "Uniform Server - Admin Panel 2.0"
#AuthType Basic
#AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
#Require valid-user

2) Uncomment the lines by removing the hash "#" as shown:

AuthName "Uniform Server - Admin Panel 2.0"
AuthType Basic
AuthUserFile C:/UniServer/htpasswd/home/admin/www/.htpasswd
Require valid-user

Now every time a user browses your server from either the Internet or an Intranet they are challenged for a name and password.

Note: All data and the name/password are encrypted before being sent.


Summary

The Security Center is a powerful Apanel feature: it collects all user-configurable security options in one place. It acts as a reminder and provides shortcuts (links) to change passwords. It also allows you to confirm that you have enabled a security feature.

The next page covers how to enable SSL; this has been fully integrated into 5.0-Nano, making the whole process easy.
