Access control and user management in Apache
WUCM1 1
Apache access control
• Include the appropriate module:
  – mod_auth for Basic authentication (the browser sends the user ID and password base64-encoded, not encrypted, so use Basic only over SSL/TLS)
  – mod_digest for Digest authentication (mod_auth_digest in Apache 2)
  – mod_access for control by host (IP address or DNS name), not by user
• Access control can be:
  – Site wide: usually set up in the httpd.conf file
  – Per directory: often using an "access control file", whose name is set by the AccessFileName directive
    • Unix: .htaccess (the default on every platform)
    • Windows: htaccess.hta (the name used in this course's configuration)
  – What a per-directory file may override is limited by the AllowOverride setting for that directory in httpd.conf
  – Access control files need to be protected themselves, especially when used per directory: the server must refuse to serve them (the default httpd.conf only blocks files whose names begin with .ht, so a file renamed to htaccess.hta needs that block extended), and they must not be writable by the account the web server runs as
Access control policy
• Access control needs designing
  – What should go in the httpd.conf file site-wide?
    • What do you want to be mandatory and not permit users to change? (Enforce it with AllowOverride None, or a restricted AllowOverride list, on their directories)
  – For per-directory controls:
    • Who can control access to their own bit?
    • Who can add/remove/manage users?
    • Who can overrule site-wide structures?
  – Beware a proliferation of user IDs/passwords: every extra password file is another set of credentials to protect, manage and eventually revoke
Access by user
• Access control is usually on a "per directory" basis
• Per-directory settings need to be able to override site-wide control (the directory's AllowOverride must include AuthConfig, or the directives below are silently ignored)
• Configured on a "realm" basis: AuthName is the realm; the browser shows it in the login prompt and re-sends the cached credentials with every later request to the same realm
• htaccess.hta file might be:

  AuthName "RogerSecrets"
  AuthType Basic
  AuthUserFile "N:/WebRoot/Users/users.pwd"
  require valid-user

• Note that the password file is kept outside the document tree (N:/WebRoot/Users rather than under htdocs), so it can never be fetched as a URL
Require option
• Require can be general or specific:
  – require valid-user (any user in the password file)
  – require user martin jane (only the named users)
• Users can be grouped
• Needs a group file, plain text, named by the AuthGroupFile directive: one group per line, the group name, a colon, then the member user names separated by spaces
• You can then require a specific group of users, e.g.
  – require group staff
• Group membership only narrows who may log in; every user named in the group file still needs an entry in the password file
Access by host 1
• Restrict access by host using Allow from and Deny from (hosts can be given as IP addresses, partial IP addresses, networks, or DNS names; a DNS name costs Apache a double reverse lookup on every request and is only as trustworthy as the DNS it comes from)
• The Order directive specifies which rule to apply first and, just as important, what happens to a host that matches neither list:
  – Order allow,deny: Allow rules are checked first, then Deny; the default is deny. Use it when you want to let most hosts in but keep a few out (Allow from all, then Deny from the bad ones)
  – Order deny,allow: Deny rules are checked first, then Allow; the default is allow. Use it when you want to keep most hosts out and let a few in (Deny from all, then Allow from the good ones)
  – Order mutual-failure: lets in only those on the Allow list and not on the Deny list; it gives the same result as allow,deny and is not very common
• Check the default case explicitly: a directory with Order deny,allow and no Deny line is open to everyone
Access by host 2
• Example: set up so that access to the directory admin can be from your office PC or home PC (assume fixed IP addresses)

  <Directory "N:/WebRoot/Roger/htdocs/admin">
    Order deny,allow
    Deny from all
    Allow from 148.192.255.5 155.6.122.9
  </Directory>

• Caveats: the check is on the source address Apache sees, so a home connection with a dynamic address is locked out as soon as it changes, and a proxy or NAT device in front of the server makes every client appear to come from one address. Treat address-based control as a second layer, not a substitute for user authentication
• Apache 2.4 writes the same rule as a single Require ip directive listing the two addresses (mod_authz_host) instead of Order/Deny/Allow
Mixing access controls
• User access control and host access control can be applied to the same site/directory
• The Satisfy directive tells Apache how to mix the rules:
  – Satisfy any: either a permitted host or a valid user (ID/password). A client from a permitted host is never asked for a password, so use any only where the listed hosts are as trustworthy as a password
  – Satisfy all (the default): must be a valid user and from a permitted host
• Apache 2.4 expresses the same combinations with RequireAny and RequireAll containers around Require directives
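The three Order variants and the two Satisfy settings are easy to confuse, so here is an added example (Python written for these notes, not Apache's own code) that re-implements their decision logic and runs the admin-directory rule from the previous slide through each variant. Hosts are matched as IP addresses, CIDR or netmask networks, partial dotted addresses, or all; DNS names are not handled. The client addresses, the 10.0.0.0/8 network and the function names are assumptions made for the example.

```python
import ipaddress

# Added example, not Apache's code: re-implements the decision logic of the
# mod_access directives Order / Allow from / Deny from, and of Satisfy, so the
# variants can be compared on identical inputs.  Hosts are matched as IP
# addresses, CIDR or netmask networks, partial dotted addresses, or "all";
# DNS names are not supported here.  All addresses are assumptions made for
# the example.


def _host_matches(spec, client):
    """True if the client IP matches one Allow/Deny entry."""
    if spec == "all":
        return True
    ip = ipaddress.ip_address(client)
    try:
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not a full address or network: try a partial address
    # "148.192" covers 148.192.0.0 to 148.192.255.255
    return spec.count(".") < 3 and client.startswith(spec + ".")


def host_allowed(order, allow, deny, client):
    """Evaluate Order <order>; Allow from <allow...>; Deny from <deny...> for one client."""
    on_allow = any(_host_matches(s, client) for s in allow)
    on_deny = any(_host_matches(s, client) for s in deny)
    if order == "allow,deny":
        # Default deny: must be on the Allow list and not on the Deny list.
        return on_allow and not on_deny
    if order == "deny,allow":
        # Default allow: refused only if on the Deny list and not rescued by Allow.
        return on_allow or not on_deny
    if order == "mutual-failure":
        # Same outcome as allow,deny; kept so the three can be compared.
        return on_allow and not on_deny
    raise ValueError(f"unknown Order value: {order}")


def request_allowed(satisfy, host_ok, user_ok):
    """Combine the host decision with the user-authentication decision as Satisfy does."""
    if satisfy == "any":
        return host_ok or user_ok
    if satisfy == "all":
        return host_ok and user_ok
    raise ValueError(f"unknown Satisfy value: {satisfy}")


# The rule from the "Access by host 2" slide.
OFFICE_AND_HOME = ["148.192.255.5", "155.6.122.9"]

if __name__ == "__main__":
    for order in ("allow,deny", "deny,allow", "mutual-failure"):
        for client in ("148.192.255.5", "10.1.2.3"):
            verdict = host_allowed(order, OFFICE_AND_HOME, ["all"], client)
            print(f"Order {order:15} Deny from all, Allow from office/home, "
                  f"client {client}: {'allowed' if verdict else 'denied'}")
```

Run stand-alone it prints a table showing why the slide's rule only works with deny,allow: under allow,deny or mutual-failure the Deny from all line wins and even the two office and home addresses are refused.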
User management
• Need a database of user name/password pairs
• A flat file is easy for small numbers of users, but Apache reads it top to bottom on every authenticated request, so it becomes slow with thousands of entries
• For larger user bases, use a proper database: a DBM file via mod_auth_dbm (AuthDBMUserFile), or an SQL or LDAP back end through the corresponding module
• Apache has a password utility, htpasswd, that builds a simple flat file
htpasswd
• htpasswd has three (or 4) parameters:
  – flags (e.g. -c to create the file from scratch: it overwrites an existing file without asking, so use it for the first user only)
  – password file
  – user to add
  – optional: the password (with -b) - but it is then visible in the shell history and in the process list while htpasswd runs, so prefer to be prompted
• e.g. htpasswd -c n:\WebRoot\Users\user.pwd roger
• If you don't specify the password, it will prompt you for it (twice, without echo)
• The Windows version uses MD5 hashing by default because the Unix crypt() routine is not available there. Note that this is a one-way hash, not encryption: the password cannot be read back from the file, but a weak password can still be guessed offline by anyone who obtains the file, so keep the file unreadable to other accounts. Current releases also offer bcrypt (-B), which is the better choice
htpasswd: examples of use
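The examples on this slide were a screenshot; as an added illustration (Python written for these notes, not Apache's own code) the following reproduces what mod_auth does once the file exists: decode the Authorization header a browser sends for Basic authentication and check the password against the file. The file format checked is the one htpasswd -s writes ({SHA} entries, unsalted SHA-1), chosen only because it is the one htpasswd format the Python standard library can verify; the user names, passwords and the USERS file contents are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Added example, not Apache's own code.  Reproduces what mod_auth does for
# Basic authentication: decode the Authorization header and check the
# password against a password file.  The file format shown is the one
# "htpasswd -s" writes ({SHA} entries, unsalted SHA-1), chosen only because
# it is the one format the Python standard library can check; the users and
# passwords below are constructed for the example.


def make_sha_entry(user, password):
    """The line 'htpasswd -s' writes: user:{SHA} followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def load_htpasswd(text):
    """Parse password-file text into {user: stored_hash}; comments and blanks are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify_password(stored, password):
    """Check one password against a stored entry.  Formats this code cannot check fail closed."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        candidate = base64.b64encode(digest).decode("ascii")
        # constant-time comparison, so the check does not leak how many bytes matched
        return hmac.compare_digest(candidate, stored[5:])
    # $apr1$ (MD5), crypt() and bcrypt entries need their own algorithms
    return False


def parse_basic_header(header_value):
    """Split 'Basic <base64>' into (user, password); None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # everything after the first ':' is the password
    if not sep:
        return None
    return user, password


def authenticate(header_value, users):
    """True only for a well-formed header naming a known user with the right password."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return False
    user, password = creds
    stored = users.get(user)
    if stored is None:
        verify_password("{SHA}" + "A" * 28, password)  # same work for unknown users (timing)
        return False
    return verify_password(stored, password)


# Constructed users.pwd contents, as "htpasswd -s" would produce them.
USERS = load_htpasswd("\n".join([
    "# users.pwd",
    make_sha_entry("roger", "password"),
    make_sha_entry("martin", "Tr0ub4dor&3"),
]))
```

Decoding the header is the whole point of the SSL/TLS remark on the first slide: "Basic cm9nZXI6cGFzc3dvcmQ=" is just roger:password in base64, readable by anyone on the path. The {SHA} format is unsalted, so identical passwords hash identically and a captured file can be attacked with a precomputed table; for a real site create entries with htpasswd -B (bcrypt) and let Apache do the checking.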
Anonymous access
• Needs module mod_auth_anon
• Permits access via a "guest" user ID with a password of the user's email address
• Anonymous_VerifyEmail only checks that the password contains an @ and a . ; nothing confirms the address belongs to the visitor, so this is a courtesy record of who visited, not authentication
• You should publish a privacy policy in respect of your use of these emails
Example

  <Directory "C:/WebRoot/downloads">
    Anonymous guest anonymous guestuser
    Anonymous_MustGiveEmail on
    Anonymous_LogEmail on
    Anonymous_VerifyEmail on
    Anonymous_NoUserId off
    Require valid-user
  </Directory>

• Anonymous lists the user IDs accepted as guests (matched case-insensitively); with Anonymous_NoUserId off the visitor must type one of them rather than leaving the user ID blank; Anonymous_LogEmail writes the address given as the password to the error log, which is the record the privacy policy has to cover
Search engine spider control (1)
• "Robots" or "spiders" are automated clients used to traverse websites
• Most are used to gather information for search engines
• Reasons to keep spiders out (of all or part of the site):
  – It is incomplete
  – It is private
  – It is time sensitive (i.e. the contents will rapidly go out of date)
  – It is dynamically generated (a spider that follows every link can generate unbounded load)
  – Bad spiders may hit too fast and block user access
Search engine spider control (2)
• Most spiders/robots will voluntarily adhere to your robot policies
• Bad spiders will ignore it, so it is not a guarantee of protection
• A file robots.txt in the DocumentRoot directory (e.g. htdocs) states which paths robots should not request
• robots.txt is itself public, so listing a directory in it advertises that the directory exists. Anything genuinely private needs the user or host access controls above; robots.txt only keeps it out of search engine indexes
• See http://www.robotstxt.org/wc/norobots.html for details of the standard (the Allow line used on the next slide is a widely supported extension, not part of the original standard)
Example robots.txt

  User-agent: WebCrawler
  User-agent: excite
  Disallow: /cgi-bin
  Disallow: /private
  Allow: /

  User-agent: *
  Disallow: /

• Records are separated by a blank line. The first record lets the two named robots fetch everything except /cgi-bin and /private; the * record is the default for every robot not matched by another record and keeps them out entirely
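To make the record and rule semantics concrete, here is an added example (Python written for these notes, not from the original deck or from any Apache module) of a small parser for the robotstxt.org record format, run against a constructed copy of the robots.txt above. A robot picks the record whose User-agent token appears in its own name, falling back to the * record, and the first rule whose path prefix matches decides; the robot names and URLs tried are assumptions made for the example.

```python
# Added example, not from the original notes: a small parser for the
# robotstxt.org record format.  ROBOTS_TXT is a constructed copy of the
# example on the slide above; robot names and paths used in the demo are
# assumptions made for the example.

ROBOTS_TXT = """\
User-agent: WebCrawler
User-agent: excite
Disallow: /cgi-bin
Disallow: /private
Allow: /

User-agent: *
Disallow: /
"""


def parse_robots(text):
    """Return a list of records (agents, rules); each rule is (allowed, path_prefix)."""
    records = []
    agents, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            if rules:                         # a blank line ends the record
                records.append((agents, rules))
                agents, rules = [], []
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:                         # new record without a blank line: tolerate it
                records.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field in ("allow", "disallow"):
            rules.append((field == "allow", value))
    if agents or rules:
        records.append((agents, rules))
    return records


def select_record(records, user_agent):
    """The record whose agent token is a substring of the robot's name; '*' is the fallback."""
    ua = user_agent.lower()
    fallback = None
    for agents, rules in records:
        for agent in agents:
            if agent == "*":
                fallback = rules
            elif agent in ua:
                return rules
    return fallback


def can_fetch(records, user_agent, path):
    """First matching rule wins; an empty Disallow allows everything; no match means allowed."""
    rules = select_record(records, user_agent)
    if rules is None:
        return True
    for allowed, prefix in rules:
        if prefix == "":
            return True
        if path.startswith(prefix):
            return allowed
    return True


RECORDS = parse_robots(ROBOTS_TXT)

if __name__ == "__main__":
    for robot in ("WebCrawler/3.0", "excite", "Googlebot/2.1"):
        for path in ("/index.html", "/private/report.html", "/cgi-bin/search"):
            print(f"{robot:15} {path:22} {'fetch' if can_fetch(RECORDS, robot, path) else 'skip'}")
```

The parser is the robot's side of the bargain, which is the point of the previous slide: nothing on the server enforces it, and the file hands any reader the path /private. Python's standard library also ships urllib.robotparser with the same first-match behaviour; the hand-written version above is only here to make the rules visible.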
Logging access
• Generating access logs is usually a component of any security policy:
  – Why?
  – Who looks at them?
  – Is the authority to read and act on them part of your policy?
  – How long to keep them?
• Use of tools to extract statistics
• Should logs include user identifiers? Apache's common log format records the authenticated user name (the %u field) for every request to a protected area; that is what makes failed-login patterns visible, but it also makes the log personal data to be protected and retained according to the policy
Security of CGI scripts
• Main recommendation: only enable CGI if needed, and only in the directories you intend (ScriptAlias), not everywhere via Options ExecCGI
• CGI issues:
  – Do you allow users to install their own CGI scripts?
  – What user does the CGI script run as? By default it runs as the web server's own account, so a flaw in any one script exposes everything that account can read or write
  – Use a CGI wrapper, suEXEC or CGIwrap, so each script runs as its owner rather than as the server
  – Keep the patch level monitored: open source CGI scripts are regularly updated, and widely installed ones are exactly what attackers scan for
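The slide does not name a specific script flaw, so as an added illustration (Python written for these notes, not from the original deck) here is the commonest one: a request parameter handed to a shell. Both versions only build the command and never run it, so the example is safe to execute; the ping lookup, the host parameter and the function names are hypothetical.

```python
import re
import shlex

# Added example, not from the original notes.  The commonest defect in a CGI
# script is handing a request parameter to a shell.  Both versions here only
# *build* the command and never execute it, so the example is safe to run;
# the ping lookup, the parameter name and the function names are hypothetical.

# RFC 1123 host name: labels of letters, digits and inner hyphens, joined by dots.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(host):
    """Strict allow-list: rejects shell metacharacters and anything starting with '-'."""
    return len(host) <= 253 and HOSTNAME.match(host) is not None


def ping_command_unsafe(host):
    """What os.system("ping -c 1 " + host) hands to /bin/sh: the value becomes shell syntax."""
    return f"ping -c 1 {host}"


def ping_command_quoted(host):
    """If a shell is unavoidable, shlex.quote turns the value into one literal word."""
    return f"ping -c 1 {shlex.quote(host)}"


def ping_argv_safe(host):
    """Preferred form: validate, then build an argv list for subprocess.run(argv) with no shell."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    for value in ("example.com", "example.com; cat /etc/passwd", "-f"):
        print(repr(value))
        print("  unsafe :", ping_command_unsafe(value))
        print("  quoted :", ping_command_quoted(value))
        try:
            print("  argv   :", ping_argv_safe(value))
        except ValueError as err:
            print("  argv   :", err)
```

Quoting alone is not enough: "-f" survives shlex.quote untouched and would reach ping as an option, so the value also has to pass an allow-list before it is used as an argument. Under suEXEC or CGIwrap the damage from the unsafe version is limited to the script owner's files; without a wrapper it is whatever the web server account can reach.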
Intrusion detection
• An Intrusion Detection System (IDS) is software usually deployed on larger public sites
• An IDS looks for suspicious behaviour on your system; this may be:
  – Altered files (compared against a stored checksum baseline)
  – Non-normal activity
  – Multiple login attempts, etc. (in the access log: repeated 401 responses from one client)
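The "multiple login attempts" check is the one that falls straight out of the access log discussed on the logging slide, so here is an added example (Python written for these notes, not from any IDS product or from Apache) that parses common log format lines and flags a client that receives several 401 responses inside a short window. The log lines, the addresses, the threshold and the window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the original notes: a "multiple login attempts"
# detector of the kind an IDS runs over Apache's access log.  SAMPLE_LOG is
# constructed for the example in Common Log Format; the third field (%u) is
# the authenticated user, '-' when none was supplied.  Apache's own logging
# documentation warns that %u on a 401 line is whatever the client sent, so
# it is attacker-controlled data, not a verified identity.

SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2000:13:55:36 +0000] "GET /admin/ HTTP/1.0" 401 381
203.0.113.9 - roger [10/Oct/2000:13:55:40 +0000] "GET /admin/ HTTP/1.0" 401 381
203.0.113.9 - roger [10/Oct/2000:13:55:41 +0000] "GET /admin/ HTTP/1.0" 401 381
203.0.113.9 - roger [10/Oct/2000:13:55:43 +0000] "GET /admin/ HTTP/1.0" 401 381
203.0.113.9 - roger [10/Oct/2000:13:55:44 +0000] "GET /admin/ HTTP/1.0" 401 381
203.0.113.9 - roger [10/Oct/2000:13:55:45 +0000] "GET /admin/ HTTP/1.0" 200 2326
198.51.100.4 - - [10/Oct/2000:13:56:01 +0000] "GET /admin/ HTTP/1.0" 401 381
198.51.100.4 - martin [10/Oct/2000:13:56:05 +0000] "GET /admin/ HTTP/1.0" 200 2326
192.0.2.77 - - [10/Oct/2000:14:10:00 +0000] "GET /index.html HTTP/1.0" 200 1043
"""

CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(text):
    """Parse Common Log Format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # a real detector should count malformed lines as well
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def detect_auth_bruteforce(entries, threshold=4, window=timedelta(seconds=60)):
    """Flag hosts with >= threshold 401 responses inside a sliding window.

    Returns {host: {"count": 401s in the window when last flagged,
                    "users": sorted user names tried}}."""
    recent = defaultdict(list)
    users = defaultdict(set)
    alerts = {}
    for e in sorted(entries, key=lambda e: e["time"]):
        if e["status"] != 401:
            continue
        host = e["host"]
        q = recent[host]
        q.append(e["time"])
        if e["user"] != "-":
            users[host].add(e["user"])
        while q and e["time"] - q[0] > window:   # drop attempts outside the window
            q.pop(0)
        if len(q) >= threshold:
            alerts[host] = {"count": len(q), "users": sorted(users[host])}
    return alerts


ENTRIES = parse_clf(SAMPLE_LOG)
ALERTS = detect_auth_bruteforce(ENTRIES)

if __name__ == "__main__":
    for host, info in ALERTS.items():
        print(f"{host}: {info['count']} failed logins in 60s, users tried: {info['users']}")
```

The threshold must be above one because a browser's first request to a protected directory always draws a 401 before it sends any credentials, which is why 198.51.100.4 is not flagged. Clients behind one NAT address share a counter, so a per-host rule needs a matching per-user rule before it is used to block anything.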
IDS features
• Nobles (2001) sets out important IDS features:
  – Detects behaviour outside the norm: abnormal actions or results
  – Sensitive to common attack signatures
  – Low overhead: minimal impact on service
  – Should start and stop automatically following the web server
  – Resistant to cracker attack
  – Configurable so it can focus on specific triggers
IDS products
• Typical products (at the time these notes were written) include:
  – Network ICE
  – Cisco Intrusion Detection System
  – RealSecure
  – Kane Security Monitor
• Responses to intrusion:
  – Restore/repair: backups are vital here
  – Patch the security hole: prevent recurrence
  – Alert community/authorities