THRIFTWEB.com

CHAPTER FOUR - Security

5.1) SECURE WEB PAGES

5.2) SECURE PASSWORDS

5.3) SECURE FTP DIRECTORIES

5.4) SECURE CGI-BIN DIRECTORIES

5.5) SECURE SOCKET LAYER (SSL)

5.1) SECURE WEB PAGES

 Please use the browser control panel interface for password protecting your web pages.

Or via telnet, if your home directory is yourlogin, create a file named .htaccess in your web directory that contains the following:

    AuthUserFile /home/yourlogin/.htpasswd
    AuthGroupFile /dev/null
    AuthName ByPassword
    AuthType Basic
    <Limit GET POST>
    require user pumpkin
    </Limit>

This will enable you to secure the directory so that only user pumpkin can enter this directory.

 You may well want any of the user/password combinations you created in your .htpasswd file to allow access. Just say require valid-user instead of require user xxx in .htaccess and any of the users you created will be able to access the files.

 Note that you want to store the .htpasswd file in your home directory so it is hidden from others. The one drawback to putting your .htpasswd file in your home directory is that you will have to slightly lower the security of your home directory. Go to /home and type chmod +x yourlogin. The web server needs execute permission on to read the .htpasswd file.

5.2) SECURE PASSWORDS

 Make it at least 6 characters long. Include at least one number, capital letter, or punctuation mark in the name. Passwords can be a maximum of 10 digits.

5.3) SECURE FTP DIRECTORIES

 To make a directory named direct that can only be accessed by userid fred, go to the directory above direct and type chown fred direct. If you wish for only fred to read and write in it, type chmod 700 direct. If you wish to allow others to read these files you can type chmod a+rx direct after typing the first command.

The above only works if you are fred. If you not, but fred is in your group, ask us to make a new group for you and fred, your2grp. Then you can chgrp your2grp direct, and chmod g=rwx direct. If you do not wish anyone else to be able to read these files, use chmod o-rx direct.

To list the access permissions of a file, type ls -l file, and for a directory, ls -ld directory. r=read access, x=execute access, w=write access. After the first letter or hyphen (for file type), the first three letters apply to you, the second three letters apply to your group, the last three letters apply to everyone else. Execute access enables you to run programs or enter directories.

Examples of using chmod:     PEOPLE                                    PERMISSIONS     u = the file's user (or owner)            r = read access     g = the file's group                      x = execute access     o = others                                w = write access     a = the user, the group, and others.     chmod a+w =  let everyone write to the file     chmod go-r = don't let people in the file's group or others to read                  the file     chmod g+x =  let people in the file's group execute the file

5.4) SECURE CGI-BIN DIRECTORIES

 To stop people from being able to read your scripts under all circumstances, end your CGI scripts with the name .cgi.

5.5) SECURE SOCKET LAYER (SSL)

 The webpage form that you want to be secure must be called via the secure server. The images in the webpage must also be called via the secure server. This is done by calling the files in the following format: If your file is normally http://www.yourdomain.com/order.htm then the page must be called as https://serversecured.net/~username/order.htm. order.htm can be replaced with any file you are calling, including image files that you are trying to secure. If you get a broken key instead of an image file that should appear, it is because you have secured the page, but have not secured an image or your background.

If the webpage you are trying secure is a form, the action the form performs (form method=post action=http....) must be a secure action as well (form method=post action=https....)