Thread: Create a nice security for your website

  1. #1
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992

    Create a nice security for your website

    Well, I'm gonna try to explain to you how to restrict access to a website or a certain part of your website.

    Generally there is a file where you can do lots of things within a website, the .htaccess file.
    I'm not gonna explain the whole .htaccess thingies, there's lots of stuff easy to find out via Google by simply searching on .htaccess.

    OK, simple but pretty good restrictions for a website:

    First we're gonna filter on IP address with the .htaccess file, which you place in your website folder, or in the appropriate dir you wanna secure.
    After that we're gonna throw in a password verification simply via the htpasswd feature. This htpasswd file is best placed outside your website. I mostly put it in my home.

    Here's an example of an .htaccess to place in the website folder:

    Code:
    # <Files> needs a file-name argument; "*" covers every file in this directory
    <Files "*">
    Deny from all
    # allow a single ip
    Allow from 192.168.0.1
    # allow a whole subnet, in this case a C-class
    Allow from 10.10.10.0/255.255.255.0

    # path to your .htpasswd file, where the userauth is
    AuthUserFile /home/test/.htpasswd
    AuthGroupFile /dev/null
    # a description of your area, can be anything
    AuthName "My Secured Area"
    AuthType Basic
    require user test

    </Files>
    OK, we see some new things: first the allowing or denying of the IPs or ranges, which needs to be set before the authentication, so only certain IPs have a chance of even starting to try an authentication.
    Next, we see in this case the user "test", and the AuthUserFile with a path to a htpasswd file.
    This is the file it will be reading to verify the user and pass.
    The AuthGroupFile is pointing to /dev/null 'cause we use a single user authentication in this case. Maybe more on authenticating more users or groups next time.
    The "require user test" obviously tells the .htaccess to require authentication only for the user "test".

    OK, now the .htaccess is in place, we need to add a .htpasswd to /home/test.

    This is an example of an authentication entry of the .htpasswd in the example above.

    Code:
     test:92SErC2PadiaQ
    You can see the pass is encrypted, so that's a nice surplus. There are sites that let you easily create a line for your .htpasswd. I always use this site:

    http://www.euronet.nl/~arnow/htpasswd/
    Just enter a user and passwd and it will create an entry line for you, which you simply put in your /home/test/.htpasswd and save.

    So now you should be able to have a nice restricted site, and it should pop up a window where to enter a user and pass, that is if you get past the IP filtering of course.

    Greetz,

    ***EDIT*** I use Apache 2 Webserver and Linux OS, but I believe it should work for a Windows webserver too, although I'm not sure of that nor did I test it.
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby
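
Added example, not part of the original post: a small Python audit that reads `.htpasswd` entries in the `user:hash` format shown above and reports which hash format each one uses, flagging the formats the Apache documentation marks insecure. The function names and every sample entry except `test:92SErC2PadiaQ` are constructed for illustration.

```python
import re

# Password-hash formats Apache accepts in an AuthUserFile. The boolean is True
# for the formats the Apache "Password Formats" documentation marks insecure.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$"), "bcrypt", False),
    (re.compile(r"^\$apr1\$"), "apr1-md5", False),
    # SHA-256/512 crypt, usable where the platform crypt() supports it
    (re.compile(r"^\$[56]\$"), "sha2-crypt", False),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", True),
    # Traditional crypt(3): 2 salt chars + 11 hash chars; only the first
    # 8 characters of the password are used.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", True),
]

def classify(hash_field):
    """Return (scheme, weak) for the part of an entry after the colon."""
    for pattern, name, weak in SCHEMES:
        if pattern.search(hash_field):
            return name, weak
    return "plaintext-or-unknown", True

def audit_htpasswd(text):
    """Return a (line_no, user, scheme, weak) tuple for every entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((line_no, line, "malformed", True))
            continue
        findings.append((line_no, user, *classify(hash_field)))
    return findings

# First entry is the one from the post; the others are constructed
# placeholders shaped like each format, not real hashes.
SAMPLE = """\
test:92SErC2PadiaQ
alice:$2y$10$CONSTRUCTED.placeholder.not.a.real.bcrypt.hash
bob:{SHA}CONSTRUCTEDplaceholderNotARealHash=
carol:$apr1$CONSTRUC$placeholderNotARealHash
"""

if __name__ == "__main__":
    for line_no, user, scheme, weak in audit_htpasswd(SAMPLE):
        print(f"line {line_no}: {user:<6} {scheme:<14} {'WEAK' if weak else 'ok'}")
```

Entries flagged weak can be regenerated locally with Apache's own `htpasswd` tool, which avoids typing the password into a third-party site.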

  2. #2
    Member
    Join Date
    Dec 2003
    Posts
    59
    For us proud IIS Windows Users

    http://www.troxo.com/products/iispassword/
