Hardening Apache Based Installations

Sometimes you want to test some server-side software on public server but don't want be hit by automated scripts that explore known vulnerabilities in software. The simplest solution is to add additional protection using Apache-based access restrictions.

Enable .htaccess in Apache

Changing configuration can be very flexible and as simple as placing special file in directory you want to protect. Special files ".htaccess" are fragments of Apachec configuration that can be placed in your WWW directory structure. But you have to enable them in apache config (/etc/apache2/sites-available/default):

        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all

Restrict by login / password

We would like to protect application installed under given path with additional login/password. We use digest method to protect password from sniffing even with HTTP connections.

First of all we need mod_auth_digest to be enabled in Apache (a module must be enabled):

# a2enmod auth_digest
# /etc/init.d/apache2 restart

Then we will create file with user passwords:

$ htdigest -c /home/www-data/.htpasswd app admi

And finally we need to point to that file (fill .htaccess in appropriate directory):

AuthType Digest
AuthName "app"
AuthUserFile /home/www-data/.htpasswd
Require user admin

Then browser should show you authentication window.

Even if installed software probably has some bugs and exploits you can safely test it on public site as long as you trust your users won't try to hack this site (site access is not public, requires Apache login).

This entry was posted in en and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>