Security documentation: Apache HTTP Authentication

Risks & threats
  • Exposure of confidential data
  • Loss or destruction of data
  • Modification of data
  • Denial of service
  • Errors in software
  • Repudiation
Exposure of Confidential Data
Don't store this on the web server - use a different computer

Design system with security in mind

Remove unnecessary services - each service usually has some vulnerability

Encrypt confidential data that is being transmitted via the Internet.

  • Data being transferred from a web server to an end-user may pass through 10 different machines. (You can find out how many by using the "traceroute" command on Unix machines.)
  • Web servers often use SSL (Secure Sockets Layer), developed by Netscape, to transmit confidential data.  The data is encrypted before it is sent and decrypted at its destination.  A fairly low-cost, low-effort form of security.
Loss or Destruction of Data
Can be caused by a malicious user, cracker, user error or software error

Should always maintain backups of important data
 

Modification of Data
More difficult to detect

Could be modified on your computer or in transit

Encryption and "electronic signature" help ensure that data arrives as intended

Auditing and logging access to certain files and databases can reveal problems
 

Denial of Service
DoS occurs when someone's actions make it difficult for users to access a service

There are several ways to cause this: installing programs on the target machine that consume all of that system's resources, or "reverse spamming" - sending mass spam messages with the target listed as the sender, so that the target is flooded with angry replies.  There are also automated tools that can be used to cause DoS on another machine.

Guarding against DoS is difficult.  The only really effective defense is to monitor traffic and have countermeasures in place for when an attack occurs.
 

Errors in Software
Can lead to security breaches, financial losses, and poor customer service.

Common causes for errors in Software:

  • Poor specification and design
  • Faulty assumptions made by developers
  • Poor or inadequate testing
Repudiation
This occurs when a party involved in a transaction denies having taken part.

Authentication provides some assurance about whom you are dealing with.

Digital certificates for authentication, combined with encryption, are better yet.
 

Reasons for outside attacks
  • challenge
  • notoriety
  • sabotage
  • steal money
  • gain free goods or services

 

Most attackers take advantage of:
Easy to guess or find passwords (e.g. defaults left in place in network and firewall security)

Common mis-configurations

Setting up a network with default passwords, etc.

Old versions of software

Securing the system
  • Keeping backups of important information
  • Having hiring policies that attract honest staff and keep them loyal (most dangerous attacks come from within)
  • Taking software based precautions, such as choosing secure software and keeping it up-to-date
  • Training staff to identify targets and weaknesses
  • Auditing and logging to detect break-ins or attempted break-ins
Basic HTTP security: .htaccess & .htpasswd

(HTTP basic authentication)

The Apache web server reads the .htaccess configuration file, which causes the browser to display a dialog box to enter a username and password.

The usernames and passwords are stored in a file outside the web directories usually named .htpasswd
 

Example 1: HTTP security example

username: testuser
password: testpw

.htaccess

AuthType Basic
AuthName "Restricted Files"
# (Following line optional)
AuthBasicProvider file
AuthUserFile /home/zimmer/admin/.htpasswd
Require valid-user

AuthType: Basic sends the password unencrypted (only base64-encoded); other methods are more secure...

AuthName: identifies the "Realm" that is being authenticated

AuthBasicProvider: the default is "file" since our passwords are in a file.  Could also be provided by a database...

AuthUserFile: gives the full path to the password file

Require: indicates the users, group or all that need to be authenticated

 

.htpasswd

located in the directory /home/zimmer/admin/
 

 

Try This:  .htaccess & .htpasswd Example

Create a directory public_html/csci304/secure to protect

Using an editor create the .htaccess file (use above as an example).  Save this file in the public_html/csci304/secure directory.

Move to your home directory.

In your home directory create the directory admin to store the .htpasswd file

Change the permissions on that directory so that it is only executable for others (they can enter it but not read or write it)
    chmod go-rw+x  admin
   

From your home directory create the .htpasswd file with an initial username and password

htpasswd -c admin/.htpasswd  <username>
                    - you will need to type in the password twice

To add more users use the same command but without -c
  htpasswd admin/.htpasswd  <username>
                    - you will need to type in the password twice

Change the permissions on .htpasswd - it should be readable (the web server must read it) but not writable by others
chmod go+r-wx  admin/.htpasswd

 

More documentation: Comprehensive Guide to .htaccess

PHP user authentication
PHP has a one-way hashing function, crypt(), that provides a way to store password values in a non-plain-text form.  It takes two arguments:
  • the value or variable to be hashed
  • the salt (e.g. "xx" or "xy") used by the hashing algorithm

example: crypt("irun5K", "xx") returns the encrypted (hashed) string "xxE77I3aJPOvs"

Note that a two-character salt selects the traditional DES-based crypt, which uses only the first eight characters of the password, and a fixed salt such as "xx" means two users with the same password get the same stored value.

A few ways to use this:

Create a form that allows the end-user to enter a username and password. Encrypt the submitted password the same way and compare the username and encrypted password with the values stored server-side.  The server-side username/encrypted-password values can be

  • stored in php file (hard-coded)
  • stored in flat file as encrypted values
  • stored in a database table - plain text or further db encrypted
Valid userids and passwords used for the rest of the examples

valid users:

userid   password
user1    irun5K
user2    csci304
user3    4youNEthing

 

 

Hard-coded usernames/passwords

Try This:  PHP hardcoded usernames & passwords Example

Create the form for the user to enter their username and password

Determine valid username/password pairs and find encrypted values

Create the php that determines if it is correct or not

  • if correct - display page that says it is valid

  • if incorrect - display error page

 

  Examples:

Get the encrypted password values: execute script

<html>
<head></head>
<body>

<h1>PASSWORDS:</h1>
<?php
// Print the crypt() value of each valid password using the fixed salt "xx";
// these are the strings stored in the login scripts below.
$mypass = crypt("irun5K", "xx");
print("irun5K is $mypass");
print("<br>");

$mypass = crypt("csci304", "xx");
print("csci304 is $mypass");
print("<br>");

// The salt must be exactly the two characters "xx", nothing else
$mypass = crypt("4youNEthing", "xx");
print("4youNEthing is $mypass");
print("<br>");

?>

</body>
</html>

 

php form example 1 - causes redirection

php form example 2 - demo for older browsers (not redirect)

php script with hardcoded usernames & passwords:

<html>
<head>
<?php
// Username and password submitted by the login form
$user = $_POST['user'];
$pass = $_POST['pass'];

// Valid users and the crypt() values of their passwords (from the script above)
$user1 = "user1";
$pass1 = "xxE77I3aJPOvs";
$user2 = "user2";
$pass2 = "xxjke42t63SL.";
$user3 = "user3";
$pass3 = "xxaCKTzjndF2s";

$user = htmlentities(trim($user)); // input from webpage
$pass = htmlentities(trim($pass)); // input from webpage (note: this alters passwords containing &, <, > or quotes)

// Hash the submitted password with the same salt and compare with the stored value
if ( (($user == $user1) && (crypt($pass, "xx") == $pass1)) ||
     (($user == $user2) && (crypt($pass, "xx") == $pass2)) ||
     (($user == $user3) && (crypt($pass, "xx") == $pass3)) )
{
    $url = "security_valid.htm";
}
else
{
    $url = "security_notvalid.htm";
}
// Redirection tag; it belongs inside <head>, so the PHP block is placed here
$tag = "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=$url'>";
echo $tag;
?>
</head>

<body>
<h1>
To load the page, click
<a href="<?php echo $url; // in case an older browser was not redirected ?>">here</a>
</h1>
</body>
</html>

Using a database table

Try This:  DB stored usernames & passwords Example

Create the form for the user to enter their username and password

Determine valid username/password pairs and find encrypted values

Create the mySQL table to store usernames and encrypted passwords.

Create the php that determines if it is correct or not by retrieving the record from the database table

  • if correct - display page that says it is valid

  • if incorrect - display error page

 

  Example:

Get the encrypted password values: execute script (same as above)

php form example - causes redirection

<html>
<head>
<?php
// Username and password submitted by the login form
$user = $_POST['user'];
$pass = $_POST['pass'];

// Assume an invalid pair until a match is found
$tag = "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=security_notvalid.htm'>";
$url = "security_notvalid.htm";

if ((!$user) || (!$pass))
{
    echo "You did not enter all the required data... try again!";
}
else
{
    // login.php holds the database connection settings (including $db_database)
    require_once 'login.php';
    $table = "USERS";

    // Connect to the MySQL server (connection arguments omitted here; note that
    // the mysql_* functions used in this script were removed in PHP 7)
    $db_server = mysql_connect(...);
    if (!$db_server)
        die("Unable to connect to MySQL: " . mysql_error());

    // Select the database
    mysql_select_db($db_database)
        or die("Unable to connect to database: " . mysql_error());

    $user = FixData($user); // input from webpage
    $pass = FixData($pass); // input from webpage

    // Look up the record for this username
    $query = "select * from $table where username = '$user'";
    $results = mysql_query($query);
    // mysql_query() returns a result even when no row matched, so make sure
    // a record was actually fetched before comparing against it
    if ($results && ($record = mysql_fetch_array($results)))
    {
        // Same fixed salt "xx" that was used when the stored value was generated
        if (crypt($pass, "xx") === $record['password'])
        {
            $tag = "<META HTTP-EQUIV='Refresh' CONTENT='0; URL=security_valid.htm'>";
            $url = "security_valid.htm";
        }
    }
    mysql_close($db_server);
    echo $tag; // redirection tag
}

// Trim, undo magic quotes and escape the value before it is placed in the query
function FixData($var)
{
    $var = trim($var);
    if (get_magic_quotes_gpc()) // magic quotes (and this function) were removed in PHP 8
        $var = stripslashes($var);
    $var = mysql_real_escape_string($var);
    $var = htmlentities($var);
    return $var;
}
?>
</head>
<body>
<h1>
To load the page, click <a href="<?php echo $url; ?>">here</a>
</h1>
</body>
</html>
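As an added example (not the course page's own code), here is the same login check, covering both the hard-coded and the database versions above, rewritten with PDO prepared statements and PHP's password_hash()/password_verify(). It assumes the pdo_sqlite extension is available; the USERS table name and the three accounts come from the page, while the hashes are generated at run time rather than stored.

```php
<?php
// Added example (not the course page's code): the login check rewritten with
// PDO prepared statements and password_hash()/password_verify(). Assumes the
// pdo_sqlite extension; the USERS table and the three accounts are from the page.
declare(strict_types=1);

// Create the USERS table in an in-memory SQLite DB with one salted hash per account.
function seed_users(PDO $db, array $accounts): void
{
    $db->exec("CREATE TABLE USERS (username TEXT PRIMARY KEY, password TEXT NOT NULL)");
    $ins = $db->prepare("INSERT INTO USERS (username, password) VALUES (:u, :p)");
    foreach ($accounts as $user => $plain) {
        // Fresh random salt per hash: equal passwords no longer give equal stored values.
        $ins->execute([':u' => $user, ':p' => password_hash($plain, PASSWORD_DEFAULT)]);
    }
}

// True only if the user exists and the password matches the stored hash.
function verify_login(PDO $db, string $user, string $pass): bool
{
    // Bound parameter: the username is never spliced into the SQL text, so no escaping is needed.
    $stmt = $db->prepare("SELECT password FROM USERS WHERE username = :u");
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        // Unknown user: still do one verify so timing does not reveal valid names.
        static $dummy = null;
        if ($dummy === null) $dummy = password_hash('dummy', PASSWORD_DEFAULT);
        password_verify($pass, $dummy);
        return false;
    }
    return password_verify($pass, $hash); // constant-time comparison
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
seed_users($db, ['user1' => 'irun5K', 'user2' => 'csci304', 'user3' => '4youNEthing']);

// In the real form handler $u and $p come from $_POST['user'] / $_POST['pass'].
$attempts = [
    ['user1', 'irun5K'],    // valid
    ['user1', 'irun5k'],    // wrong case: not valid
    ["' OR '1'='1", 'x'],   // injection text is just an unknown username here
    ['user3', '4youNEth'],  // 8-char prefix: DES crypt() would accept it, bcrypt does not
];
foreach ($attempts as [$u, $p]) {
    printf("%-14s %-12s %s\n", $u, $p, verify_login($db, $u, $p) ? 'valid' : 'not valid');
}
// Then redirect with a real header, e.g. header('Location: security_valid.htm'), not a META refresh.
```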