Security
Documentation: Apache HTTP Authentication
 
Risks & threats
  • Exposure of confidential data
  • Loss or destruction of data
  • Modification of data
  • Denial of service
  • Errors in software
  • Repudiation
Exposure of Confidential Data
Don't store confidential data on the web server; keep it on a different computer.

Design system with security in mind

Remove unnecessary services - each service usually has some vulnerability

Encrypt confidential data that is being transmitted via the Internet.

  • Data being transferred from a web server to an end user may pass through 10 different machines. (You can find out how many by using the "traceroute" command on Unix machines.)
  • Web servers often use SSL (Secure Sockets Layer), developed by Netscape, to transmit confidential data. The data is encrypted before it is sent and decrypted at its destination. A fairly low-cost, low-effort form of security.
Loss or Destruction of Data
Can be caused by a malicious user, a cracker, user error or a software error.

Should always maintain backups of important data
 

Modification of Data
More difficult to detect

Could be modified on your computer or in transit

Encryption and "electronic signatures" help ensure that data arrives as it was sent.

Auditing and logging access to certain files and databases can reveal problems
 

Denial of Service
DoS occurs when someone's actions make it difficult for legitimate users to access a service.

Several ways to cause this: installing programs on a target machine that consume all of that system's resources; "reverse spamming", i.e. sending mass spam messages with the target listed as the sender, so that the target is flooded with angry replies. There are also automated tools that can be used to cause DoS on another machine.

Guarding against DoS is difficult. The only really effective defense is to monitor traffic and have countermeasures in place for when an attack occurs.
 

Errors in Software
Can lead to security breaches, financial losses, and poor customer service.

Common causes for errors in Software:

  • Poor specification and design
  • Faulty assumptions made by developers
  • Poor or inadequate testing
Repudiation
This occurs when a party involved in a transaction denies having taken part.

Authentication provides some assurance about whom you are dealing with.

Digital certificates for authentication, combined with encryption, are better still.
 

Reasons for outside attacks
  • challenge
  • notoriety
  • sabotage
  • steal money
  • gain free goods or services

 

Most attackers take advantage of:
Easy-to-guess or easily found passwords (e.g. the defaults left in network and firewall devices)

Common misconfigurations

Networks set up with default passwords, etc.

Old versions of software

Securing the system
  • Keeping backups of important information
  • Having hiring policies that attract honest staff and keep them loyal (the most dangerous attacks come from within)
  • Taking software based precautions, such as choosing secure software and keeping it up-to-date
  • Training staff to identify targets and weaknesses
  • Auditing and logging to detect break-ins or attempted break-ins
Basic HTTP security
.htaccess & .htpasswd

(HTTP basic authentication)

The Apache web server reads the .htaccess file in the protected directory and challenges the request; the browser then shows a dialog box asking for a username and password.

The usernames and passwords are stored in a file outside the web directories, usually named .htpasswd.
 

Example 1: HTTP security example

.htaccess

AuthUserFile /home/other/zimmer/admin/.htpasswd
AuthGroupFile /dev/null
AuthName "web"
AuthType Basic
require valid-user

 

.htpasswd

located in the directory /home/other/zimmer/admin/
 

 

Try This: .htaccess & .htpasswd Example

Create a directory public_html/csci304/secure to protect.

Using an editor, create the .htaccess file (use the example above). Save this file in the public_html/csci304/secure directory.

Create the directory /home/students/<your username>/admin to store the .htpasswd file.

Change the permissions on that directory so that group and others can only traverse it (execute bit) and cannot list or write it:
    chmod go-rw /home/students/<your username>/admin

Create the .htpasswd file with an initial username and password (this command should be all on one line):
    /usr/bin/htpasswd -c /home/students/<your username>/admin/.htpasswd <username>
    - you will be asked to type the password twice

To add more users, use the same command without -c:
    /usr/bin/htpasswd /home/students/<your username>/admin/.htpasswd <username>
    - you will be asked to type the password twice

Change the permissions on .htpasswd so that the web server can read it:
    chmod go+r /home/students/<your username>/admin/.htpasswd
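The procedure above, worked through in Python as an added example (it is not part of the course page): it lays out the admin/.htpasswd file outside the web tree and the .htaccess inside it with the permissions the steps ask for, then performs the check Apache makes when the browser sends the credentials typed into the dialog. It assumes .htpasswd entries in the {SHA} format that `htpasswd -s` writes (base64 of an unsalted SHA-1), chosen because the standard library can verify it; the user name, password, directory layout and helper names are constructed for the example.

```python
"""Added example: what Apache does with .htaccess/.htpasswd for HTTP Basic auth.

Not the course page's code.  Assumption: .htpasswd lines are in the {SHA}
format produced by `htpasswd -s`; the user "user1"/"irun5K" is a constructed sample.
"""
import base64
import hashlib
import hmac
import os
import stat
import tempfile
from typing import Dict, Optional, Tuple

# same directives as Example 1 on the page; the AuthUserFile path is filled in below
HTACCESS = """AuthUserFile {userfile}
AuthGroupFile /dev/null
AuthName "web"
AuthType Basic
require valid-user
"""


def sha_entry(username: str, password: str) -> str:
    """One .htpasswd line in {SHA} format: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode()}"


def write_protected_dir(root: str) -> Tuple[str, str]:
    """Create admin/.htpasswd outside the web tree and secure/.htaccess inside it."""
    admin = os.path.join(root, "admin")
    secure = os.path.join(root, "public_html", "csci304", "secure")
    os.makedirs(admin)
    os.makedirs(secure)
    # chmod go-rw admin: group/other may traverse the directory but not list or write it
    os.chmod(admin, stat.S_IRWXU | stat.S_IXGRP | stat.S_IXOTH)
    userfile = os.path.join(admin, ".htpasswd")
    with open(userfile, "w") as f:
        f.write(sha_entry("user1", "irun5K") + "\n")  # constructed sample user
    os.chmod(userfile, 0o644)  # chmod go+r: the web server process must be able to read it
    with open(os.path.join(secure, ".htaccess"), "w") as f:
        f.write(HTACCESS.format(userfile=userfile))
    return userfile, secure


def load_htpasswd(path: str) -> Dict[str, str]:
    """Parse user:hash lines; blank lines and comments are skipped."""
    users: Dict[str, str] = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, stored = line.partition(":")
            users[name] = stored
    return users


def check_sha(stored: str, password: str) -> bool:
    """Verify a {SHA} entry; constant-time compare so timing does not leak a match."""
    if not stored.startswith("{SHA}"):
        raise ValueError("only {SHA} entries are handled in this example")
    candidate = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(stored[5:].encode(), candidate.encode())


def browser_header(user: str, password: str) -> str:
    """What the browser sends after the dialog: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(header: Optional[str], users: Dict[str, str]) -> bool:
    """Server side: accept the request only if the Authorization header checks out.
    Without a valid header Apache answers 401 plus WWW-Authenticate, which is what
    makes the browser show the dialog box."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    stored = users.get(user)
    return stored is not None and check_sha(stored, password)


def demo() -> Dict[str, bool]:
    """Run the whole procedure in a temporary directory and try four logins."""
    with tempfile.TemporaryDirectory() as root:
        userfile, _ = write_protected_dir(root)
        users = load_htpasswd(userfile)
        return {
            "good": authorize(browser_header("user1", "irun5K"), users),
            "bad_password": authorize(browser_header("user1", "csci304"), users),
            "unknown_user": authorize(browser_header("user2", "irun5K"), users),
            "no_header": authorize(None, users),
        }


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible that the steps alone do not: browser_header() shows that Basic credentials travel base64-encoded rather than encrypted, which is why the SSL point earlier on this page applies to this dialog box too; and the `chmod go+r` step makes the hash file readable by any local account that knows its path, so on a real server prefer bcrypt entries (`htpasswd -B`) over the {SHA} format used here only because it is easy to verify without extra libraries.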

 

More documentation: HTTP Authentication

PHP user authentication
PHP has a function, crypt(), that turns a password into a hashed ("encrypted") string so that password values need not be stored in plain text. It takes two arguments:
  • the value or variable to be hashed
  • the salt (a two-character string such as "xx" or "xy") used by the hashing algorithm

example: crypt("irun5K", "xx") returns the string "xxE77I3aJPOvs"

A few ways to use this:

Create a form that allows the end user to enter a username and password. Hash the submitted password and compare the username and hash with the values stored on the server. The stored username/password values can be

  • stored in php file (hard-coded)
  • stored in flat file as encrypted values
  • stored in a database table - plain text or encrypted
Hard-coded usernames/passwords

Try This:  PHP hardcoded usernames & passwords Example

Create the form for the user to enter their username and password

Determine valid username/password pairs and find encrypted values

Create the php that determines if it is correct or not

  • if correct - display page that says it is valid

  • if incorrect - display error page

 

  Examples:

Get password values: execute script

<html>
<head></head>
<body>

<h1>PASSWORDS:</h1>
<?php
// crypt() with the same two-character salt "xx" gives the stored value for each password
$mypass = crypt("irun5K", "xx");
print("irun5K is $mypass");
print("<br>");

$mypass = crypt("csci304", "xx");
print("csci304 is $mypass\n");
print("<br>");

// the salt must be exactly "xx" (no trailing newline), otherwise the hash will not match later
$mypass = crypt("4youNEthing", "xx");
print("4youNEthing is $mypass");
print("<br>");

?>

</body>
</html>

 

php form example 1 - causes redirection

php form example 2 - demo for older browsers

php script with hardcoded usernames & passwords:

<?php
// stored crypt() hashes (salt "xx") for the three valid users
$user1 = "user1";
$pass1 = "xxE77I3aJPOvs";
$user2 = "user2";
$pass2 = "xxjke42t63SL.";
$user3 = "user3";
$pass3 = "xxaCKTzjndF2s";

// input from the login form (assumed to be submitted with method="post";
// modern PHP has no register_globals, so the values must be read from $_POST)
$user = trim($_POST['user'] ?? '');
$pass = trim($_POST['pass'] ?? '');

// hash the submitted password with the same salt; hash_equals() compares in constant time
$hash = crypt($pass, "xx");

if ( ($user === $user1 && hash_equals($pass1, $hash)) ||
     ($user === $user2 && hash_equals($pass2, $hash)) ||
     ($user === $user3 && hash_equals($pass3, $hash)) )
{
    $tag = "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=security_valid.htm'>";
    $url = "security_valid.htm";
}
else
{
    $tag = "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=security_notvalid.htm'>";
    $url = "security_notvalid.htm";
}
?>
<html>
<head>
<?php print $tag; // redirection tag ?>
</head>
<body>
<h1>
To load the page, click <a href="<?php print $url; // in case an older browser was not redirected ?>">here</a>
</h1>
</body>
</html>

Using a database table

Try This:  DB stored usernames & passwords Example

Create the form for the user to enter their username and password

Determine valid username/password pairs and find encrypted values

Create the mySQL table to store usernames and encrypted passwords.

Create the php that determines if it is correct or not by retrieving the record from the database table

  • if correct - display page that says it is valid

  • if incorrect - display error page

 

  Example:

Get password values: execute script (same as above)

php form example - causes redirection

<html>
<head></head>
<body>
<?php
// assume an invalid pair until a match is found
$tag = "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=security_notvalid.htm'>";
$url = "security_notvalid.htm";

// input from the login form (assumed to be submitted with method="post")
$user = trim($_POST['user'] ?? '');
$pass = trim($_POST['pass'] ?? '');

if ($user === '' || $pass === '')
{
    print("<p>You did not enter all the required data... try again!</p>\n");
}
else
{
    $db = "test";
    $table = "USERS";

    // mysqli replaces the removed mysql_* functions; @ suppresses the warning on failure
    @ $link = new mysqli("cslab103.cs.edinboro.edu", "zimmer", "mypw", $db);
    if ($link->connect_error)
    {
        print(" ERROR connecting to MySQL.<br />");
        exit;
    }

    // a prepared statement sends $user as a parameter, never as part of the SQL text,
    // so quotes in the username cannot change the query (the table name is a constant)
    $stmt = $link->prepare("select password from $table where username = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $stmt->bind_result($stored);

    // fetch() returns null when the username is unknown; compare hashes in constant time,
    // using the same salt "xx" that produced the stored value
    if ($stmt->fetch() && hash_equals($stored, crypt($pass, "xx")))
    {
        $tag = "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=security_valid.htm'>";
        $url = "security_valid.htm";
    }
    $stmt->close();
    $link->close();
    print $tag;  // redirection tag
}
?>
<h1>
To load the page, click <a href="<?php print $url; ?>">here</a>
</h1>
</body>
</html>
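The check that both the hard-coded script and the database script above perform (look the user up, hash what was typed, compare with the stored value) as an added Python example, not the course page's PHP. It uses an in-memory sqlite3 table in place of the MySQL USERS table and makes the three changes a practitioner would make to the page's scheme: a parameterised query instead of interpolating the username into the SQL, a random per-user salt instead of the fixed "xx" (so two users with the same password no longer store the same hash), and a constant-time comparison. PBKDF2 is swapped in for crypt(); the table layout, iteration count and sample users are constructed for the example.

```python
"""Added example (not the course page's code): login check against a users table.

Assumptions: table USERS(username, salt, password) with the hash stored as a BLOB,
PBKDF2-HMAC-SHA256 in place of PHP's crypt(), and constructed sample users.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Dict, Optional

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune to the server's hardware)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password; same inputs always give the same output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_users_table(conn: sqlite3.Connection) -> None:
    conn.execute(
        "CREATE TABLE USERS (username TEXT PRIMARY KEY, salt BLOB NOT NULL, password BLOB NOT NULL)"
    )


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    """Store a fresh random salt per user next to the hash (the page reuses "xx" for everyone)."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO USERS (username, salt, password) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def stored_hash(conn: sqlite3.Connection, username: str) -> Optional[bytes]:
    row = conn.execute("SELECT password FROM USERS WHERE username = ?", (username,)).fetchone()
    return None if row is None else row[0]


def login_ok(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The page's decision: valid pair -> True (security_valid.htm), else False."""
    username, password = username.strip(), password.strip()  # same trim() as the PHP
    if not username or not password:
        return False  # "You did not enter all the required data"
    # '?' placeholder: the driver passes the value separately from the SQL text, so a
    # quote inside the username is data, not part of the query
    row = conn.execute(
        "SELECT salt, password FROM USERS WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False  # unknown user (the PHP's fetch returned nothing)
    salt, stored = row
    # constant-time comparison of the stored hash with the hash of what was typed
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo() -> Dict[str, bool]:
    """Populate a throwaway database with constructed users and try several logins."""
    conn = sqlite3.connect(":memory:")
    create_users_table(conn)
    add_user(conn, "user1", "irun5K")        # the page's sample passwords, constructed users
    add_user(conn, "user2", "csci304")
    add_user(conn, "user3", "irun5K")        # same password as user1
    add_user(conn, "o'brien", "4youNEthing")  # a quote in the username must not break the query
    return {
        "good": login_ok(conn, "user1", "irun5K"),
        "wrong_password": login_ok(conn, "user1", "csci304"),
        "unknown_user": login_ok(conn, "user9", "irun5K"),
        "missing_field": login_ok(conn, "user1", "   "),
        "quote_in_username": login_ok(conn, "o'brien", "4youNEthing"),
        "same_password_different_hash": stored_hash(conn, "user1") != stored_hash(conn, "user3"),
    }


if __name__ == "__main__":
    print(demo())
```

The "same_password_different_hash" result is the point of the per-user salt: with the page's fixed "xx", anyone who can read the table can see at a glance which users share a password, and one precomputed table of crypt("...", "xx") values covers every account.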