[linux-help] Re: web server security
On Mon, 31 Jul 2000, John Reinke wrote:
> On Mon, 31 Jul 2000, Jeff Schaller wrote:
>
> > > Is there an alternative way to set this up to make it more secure? Are
> > > there any alternatives to htaccess for protecting web pages?
> >
> > 1) don't give shell accounts on the web server
> > 2) run the web server as a particular user (not nobody, not root)
> > 3) put the htpasswd file outside the doc root of the web server
> > 4) don't run an ftp server on the web server (see apache's
> > defacement)
> > 5) others...
>
> While this might not always be the case, I'm doing this on a
> school account, with 100s of students also having accounts on
> the same system, and I have no root access. :-(
>
> It sounds like htaccess won't be safe in my situation so you
> can therefore ignore my first question. Are there any other
> ways to password protect web pages besides htaccess?

Well, there's different levels of paranoia, I suppose. If you
can't guarantee the security of the web server, you're just
pissing in the wind with the rest of it. Use https:// if you
can. Use strong encryption if you can. Use LDAP authentication to
a directory you own.

To directly answer your second question, though:

1) apache is (can be) modular, and authentication is one of those
   modules. If the sysadmin built and installed apache such that:
   a) authentication is a module
   b) authoverride is on for your site
   then you can re-do how authentication works for your site.
2) https://
3) firewall?
???

As usual with security, there are levels and there are spheres
of influence. Do what you can with what you have, and be aware
of where you're exposed.

-jeff
--
I yam Popeye of Borg. You will be askimiligrated, heehee!
-- This is the linux-help@xxxxxxxxx list. To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
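
Added example, not part of the original message: a small Python check for the "htpasswd file outside the doc root" advice on a shared host, reporting whether the AuthUserFile named in an .htaccess sits under the document root or is world-readable. The function names and the sample files built in demo() are constructed for illustration.

```python
import os
import re
import stat
import tempfile

AUTH_FILE_RE = re.compile(r'^\s*AuthUserFile\s+("?)(.+?)\1\s*$', re.I)


def audit_htaccess(htaccess_path, doc_root):
    """Return (password_file, problem) findings for one .htaccess file."""
    findings = []
    root = os.path.realpath(doc_root)
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = AUTH_FILE_RE.match(line)
            if not m:
                continue
            raw = m.group(2)
            if not os.path.isabs(raw):
                # Apache resolves relative paths against ServerRoot, unknown here.
                findings.append((raw, "relative path, not checked"))
                continue
            pw = os.path.realpath(raw)  # follow symlinks before comparing
            if os.path.commonpath([root, pw]) == root:
                findings.append((pw, "inside document root"))
            try:
                mode = os.stat(pw).st_mode
            except OSError:
                findings.append((pw, "missing or unreadable"))
                continue
            if mode & stat.S_IROTH:  # any other local account can read the hashes
                findings.append((pw, "world-readable"))
    return findings


def demo():
    """Constructed sample: the same .htaccess pointed at two password files."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "public_html")
        inside = os.path.join(root, ".htpasswd")      # under doc root, 0644
        outside = os.path.join(top, "auth.htpasswd")  # outside doc root, 0640
        os.makedirs(root)
        ht = os.path.join(root, ".htaccess")
        results = []
        for target, mode in ((inside, 0o644), (outside, 0o640)):
            with open(target, "w") as fh:
                fh.write("alice:constructed-placeholder\n")
            os.chmod(target, mode)
            with open(ht, "w") as fh:
                fh.write(f'AuthType Basic\nAuthUserFile "{target}"\nRequire valid-user\n')
            results.append([problem for _, problem in audit_htaccess(ht, root)])
        return results
```
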