Tools

Secure Web Folders

Posted on February 1, 2017 by Saba, Mitch

.htaccess Files

A .htaccess (dot-htaccess) file contains directives (commands) executed by the server before it delivers files to a browser. Some of the most common use for the .htaccess file is Controlling access to web documents by password or IP address.

Scope of the .htacess File
If you create a .htaccess file for one of your web directories, the effects from that file will be applied to all of the files in that directory and all subdirectories within that directory UNLESS you create a separate .htaccess file for that subdirectory. For example, if your main directory is called ‘Too’ and you have a .htaccess file that defines files with a ‘.htm’ extension to be given the MIME type ‘text/plain’, but you have a subdirectory called ‘Far’ which you want files with a ‘.htm’ extension to be given the MIME type ‘text/html’, you will need to create a separate .htaccess file for the ‘Far’ directory.

Controlling Access to Web Pages

Allow/Deny Access
Username/Password Access
Combining both types of restriction

Web Servers by default allow anyone to view any document residing in your public_html (or html) directory and it’s sub-directories. There is a way to tell the Web Server to restrict access to these pages by using Server directives (commands).

Access can be restricted in two ways:

By IP address, and/or
With a valid user name and password.

These methods can be used separately or together.

Restricting or granting access based on the visitor’s IP address allows you to specify an exact IP address or a domain (uconn.edu). Complete details on IP resricting is covered in the Allow/Dent Access section. Password protecting your site or portions of your Web Site requires you read this entire page.

.htaccess Information

First let’s be clear, you can not control access of an individual file without totally restricting it’s access using file permissions. You can control the access of groups of files or stated more clearly directories. If there are files you want to protect they need to be placed in a separate directory (/restricted). The next step to protecting the /restricted directory is the placement of a server directive in an .htaccess file stored in that directory (/restricted). We will outline the use of the .htaccess file to protect your sensitive data.NOTE: the .htaccess restrictions only restricts directory access through the Web, if you share FTP access to your account you can access the ‘restricted’ directories.

Allow/Deny Access

There are four directives used to control access:

Order,
Deny,
Allow, and
Require.

Order:

Dictates the order the allow and deny operations are executed. The syntax of the Order directive are separated by a coma with NO SPACES between them. The arrangement of the allow and deny specifies the order in which they will be executed. You determined the order based on how you intend to restrict access. There are two main approaches, restrict everyone and list the computer’s (IP’s) that can access OR let evryone access and list the computer’s (IP’s) you do not want to access your files.

FOR EXAMPLE:
If you only want computer’s within UConn to access your files then the .htaccess file would look like this:

order deny,allow
deny from all
allow from 137.99.

If you wanted to allow access to everyone except UConn users the .htaccess file would look like:

order allow,deny
allow from all
deny from 137.99.

The Order directive has a mutual-failure feature meaning that if the Order directive is used then the following rules apply.

Any computer on the allow list is allowed
Any computer on the deny list is denied
any computer not listed on either the allow or deny list is automatically denied.

Deny:

This directive is used to deny access to a directory in one of the following three ways:

Full IP address: deny from 137.99.29.255
partial IP addresses (for denying access to subnets): deny from 137.99
or the all keyword: deny from all

Allow

This directive can be specified in the same manner the deny directive.

Require

This directive is used to restrict access to specific users and groups of users.

users:: require user username
group:: require group groupname

Note: Here ‘username’ refers to a specific user in a password file. The groupname refers to a group that has been created in a group file. Refer to Username/Password Access for details on creating users and groups.

IMPORTANT: It is escential to include a hard return after the last line of the .htaccess file. Failure to do so may result in problems with your .htaccess file.

Recursive

The restrictions that the .htaccess file places on a directory is recursive. Meaning that the file restrictions apply to ALL sub-directories unless a .htaccess file is placed in the sub-directory to override the recursive nature of the .htaccess file.

Username/Password Access

Setting up password protection requires two steps:

Create a password file using the htpasswd program
Create (or modify) an .htaccess file to work with the password file

Using htpasswd
htpasswd is a UNIX utility used to create user name and passwords for use in authenticating access to a directory (under the public_html directory).

htpasswd is used as follows:

htpasswd [-c] password_file username

The -c option flag is only used the first time as it creates the password file and subsequent use will delete any existing password file and replace it with a new one. If you have previously created a password file simply do not use the -c option flag.

password_file refers to the pathway and name of the file you will use to store your password information in. username is pretty self-explanatory, if you don’t get it here’s a hint (HINT: look in a mirror or at a picture of the person you are creating the account for.). There are no restrictions on the name you give the password file, however, the accepted convention is .htpasswd.

Example:
To create a password file named .htpasswd in a directory ‘/public_html/restricted’ for a user named ‘guest’, you would type the following:

htpasswd -c /public_html/restricted/.htpasswd guest

Once you hit enter, you will be prompted to enter a new password for ‘guest’ and then confirm the password by entering it again. This process places the selected password into the .htpasswd file in encrypted form. Check it out. The password is encrypted to protect it from prying eyes. However if your password isn’t a good one, then someone may be able to grab a copy of the .htpasswd file and crack your password! If you want to know if your password is good or not see, Good Password.

Adding Users & Changing Passwords

To add new users follow the above procedure without using the -c option flag.
Example:

htpasswd /public_html/restricted/.htpasswd nobody

Again DO NOT USE the -c option flag.
To change a password (which should be done periodically) we again use htpasswd:
Example:

htpasswd /public_html/restricted/.htpasswd guest

You will again be prompted to enter the new passwords. htpasswd does not provide a way to remove users from your password file. We suggest two methods change their password or open the .htpasswd file and delete the line that their user name appears on.

Choosing Passwords
DO NOT USE your UNIX login password as your web htaccess password. Here is why, these passwords are sent over an HTTP connection as unencrypted text which makes them vulnerable to sniffing. Additionally HTTP send the unencrypted password with EVERY request, in contrast with protocols like telnet that only send the password unencrypted once (this is why I strongly suggest SSH). So again you have been warned, if your account gets hacked into you will lose data and if they use your account to do further damage to the network you could end up loosing account privileges. Key word privileges.

Modifying .htaccess
Now that the user name and password have been created and saved we need to activate them. Every directory that you created an .htpasswd file for needs to have a .htaccess file with the following entry:

AuthName "restricted stuff"
AuthType Basic
AuthUserFile /www/foo/.htpasswd

require valid-user

The first directive, AuthName, specifies a realm name for this protection. Once a user has entered a valid username and password, any other resources within the same realm name can be accessed with the same username and password.

The AuthType directive tells the server to use the Basic method for authentication (default).
AuthUserFile tells the server the location of the .htpasswd file created by htpasswd. A similar directive, AuthGroupFile, can be used to tell the server the location of a groups file (see below).
Require valid-user tells the server that any username/password pair in the .htpasswd file can be used to access this directory. However, it is possible to limit access to only certain users:
```
require user guest nobody
```

This will only allow users guest and nobody access to the directory. Any other users would be denied access to the directory even though they may appear in the .htpasswd file.

Creating User Groups

Say we did not want to type out guest and nobody what could we do? We can create a group of users. This works well when there are a large number of users to manage. In this case we create a file that contains the group name and a list of the user names that belong to that group. Here’s and Example:

dumbgroup: guest nobody

The .htaccess file would look like this:

AuthUserFile /public_html/restricted/.htpasswd
AuthGroupFile /public_html/restricted/.htgroup
AuthName GroupAccess
AuthType Basic

require group dumbgroup

Note that all users in a group file MUST also appear in the .htpasswd file.

Combining Users and Groups
Your .htaccess file and include both users and groups. Here’s an example:

AuthUserFile /public_html/restricted/.htpasswd
AuthGroupFile /public_html/restricted/.htgroup
AuthName GroupAccess
AuthType Basic

require group dumbgroup
require user myself

The directory would then be accessible for ‘guest’, ‘nobody’, and ‘myself’.

Combining Different Types of Restriction

I think we have discussed the particulars enough so far. Here is an example:
Restrict access to only allow access to the UConn campus additonally requiring the users ‘guest’ or ‘nobody’.

AuthUserFile /public_html/restricted/.htpasswd
AuthName "ByDomainAndUser"
AuthType Basic

order deny,allow
deny from all
allow from 137.99.
require user guest nobody
require user nobody

Conversely, you can allow access to the UConn campus, AND to users outside of UConn who have valid user name and password pair. This is accomplished by including the “satisfy any” directive in the .htaccess file. Example:

AuthType Basic
AuthUserFile  /www/foo/.htpasswd
AuthName "byDomainOrUser"

order deny,allow
deny from all
allow from 128.125.
require valid-user
satisfy any

Protecting Your .htaccess & .htpasswd Files

The use of .htaccess poses an interesting problem. In order to protect your files with .htaccess and .htpasswd these files must be readable by the Web Server. However, if the Web Server can read these files so can anyone! Even though the password file is encrypted DOES NOT mean that someone can not download the file and attempt to decrypt the passwords it contains! (This can be done in a number of ways, take my word for it.)

With Apache we protect against this situation by adding the require valid-user entry to the .htaccess file. You can not use UNIX permissions since that would conflict with the Web Server’s need to have read access to the files you wish to serve over the Internet.

FAQ’s:

I entered the restricted page by entering my password successfully. I proceeded to leave the page and surf the Internet. Later I returned to the restricted page and I was not prompted for a password, what’s wrong?!

Nothing is wrong! Once your user name and password are authenticated your ‘session’ is tied to your browser. If you were to terminate all browser sessions that you are running and then restart them, you would be prompted for a user name and password again. This is an important fact and you may want to make your users aware of this especially if users may access the restricted materials from ‘public’ machines.

Apache Modules

Posted on November 15, 2016 by Saba, Mitch

I seem to always forget this command when I need it every 6-9 months, so here it is for my easy access:

List all the loaded modules in apache (both DSO and Static)

apachectl -t -D DUMP_MODULES

screen your work…

Posted on May 27, 2015February 15, 2017 by Saba, Mitch

The Linux screen command is a very useful tool for many reasons. For one you don’t need to worry about losing your session. Sometimes long running jobs with little or no output can lead to your remote session terminating, not usually a helpful thing. Other benefits of the screen command are session logging (thing documentation) multitasking and session sharing.

The screen command is pretty darn easy to use but it does have some nice features that you may have to dig through the documentation to find. I’ll give some highlights and add to this as I find new uses or useful features. So let’s get started.

You can just issue the screen command ‘screen’ and you will immediately be in a screen session, not very useful. Of course now that you are in a session how do you get out?! To exit but leave the screen session open/active type:

Ctrl-a d

To exit and terminate the screen session type:

Ctrl-a

Terminating the screen session will prompt you with the following, potentially misleading question:

Really quit and kill all your windows [y/n]

Choosing ‘y’ only kills the current session all other screen sessions that may be running are uneffected.

Once you leave a screen session you need to know how to re-enter it. You need the screen session ID to do this, you can set one (covered shortly). To list the active screen sessions issue this command:

# screen -ls
There are screens on:
13986.pts-0.hostname (Detached)
13488.pts-0.hostname (Detached)
16156.mylabel (Detached)

The last session listed was assigned a label (see below) To reattach to a session you use the label or ID number like this:

screen -r 13986
OR
screen -r mylabel

Now that you have the basics I am going to speed things up and give a bunch of examples with explanations where necessary. You can always refer to the screen man page.

From within a screen session using the command “Ctrl-A n“ will move you to the next screen session. “Ctrl-A p“ will move you to the previous screen session. “Ctrl-A c“ will create a new screen session.

The screen option -S allows you to assign a Session Name/Label which makes multiple screen sessions easier to manage. The screen option -L enables logging for the session.

screen -S "mylabel" -L

Cleaning up your Screen Log

The log screen produces contains a lot of special characters from typing mistakes, spaces, etc. It can make the log difficult to read. This command cleans out the majority of the cruft and make the file easier to read:

perl -ne 's/\x1b[[()=][;?0-9]*[0-9A-Za-z]?//g;s/\r//g;s/\007//g;print' < screen.0 > screen.0.readable

switch between these two tasks?

Switching between windows is the specialty of screen utility. So to switch between pine and wget window (or session) press CTRL+a followed by n key (first hit CTRL+a, releases both keys and press n).
To list all windows use the command CTRL+a followed by ” key (first hit CTRL+a, releases both keys and press ” ).
To switch to window by number use the command CTRL+a followed by ‘ (first hit CTRL+a, releases both keys and press ‘ it will prompt for window number).

press C-a d screen will detach from the screen session.

press C-a H screen will start recording everything to a file called screenlog.X (where X is a number starting at 0).

Using screen for shared command-line interaction:

Set the screen binary (/usr/bin/screen) setuid root. By default, screen is installed with the setuid bit turned off, as this is a potential security hole.
The first-user starts screen in a local xterm, for example via screen -S SessionName. The -S switch gives the session a name, which makes multiple screen sessions easier to manage.
The second-user uses SSH to connect to the target system.
The first-user then has to allow multiuser access in the screen session via the command Ctrl-a :multiuser on (all screen commands start with the screen escape sequence, Ctrl-a).
Next the first-user grants permission to the second-user to access the screen session with Ctrl-a :acladd second-user where second-user is their login ID.
The second-user can now connect to the first-user’s screen session. The syntax to connect to another user’s screen session is screen -x sessionID/name.

Common screen commands

screen command	Task
Ctrl+a c	Create new window
Ctrl+a k	Kill the current window / session
Ctrl+a w	List all windows
Ctrl+a 0-9	Go to a window numbered 0 9, use Ctrl+a w to see number
Ctrl+a Ctrl+a	Toggle / switch between the current and previous window
Ctrl+a S	Split terminal horizontally into regions and press Ctrl+a c to create new window there
Ctrl+a :resize	Resize region
Ctrl+a :fit	Fit screen size to new terminal size. You can also hit Ctrl+a F for the the same task
Ctrl+a :remove	Remove / delete region. You can also hit Ctrl+a X for the same taks
Ctrl+a tab	Move to next region
Ctrl+a D (Shift-d)	Power detach and logout
Ctrl+a d	Detach but keep shell window open
Ctrl-a Ctrl-	Quit screen
Ctrl-a ?	Display help screen i.e. display a list of commands

Pain often equals Progress

Posted on November 7, 2014 by Saba, Mitch

It has been one of those weeks. Not fun, to many hours worked, personal events missed, you know the kind of week I am talking about. If not…what do you do for a living?!

Despite all the pain and stress this week has resulted in Progress, an increased understanding of certain products and new ways to use old tools. I won’t share the details of my story, just insert yours here, but I will share/document the lessons and commands I learned or rediscovered. Here we go…

Starting a long running process from home last night around 9PM and forgetting to start screen…priceless! At 5:30AM this morning the process was still chugging along, with from my calculations would be running for another 18+ hours. Off to work with no way to grab the terminal (an ssh session), what to do? Why use strace of course! Here is how:

strace -pPROCESS_PID -s9999 -e write

ie: strace -p3918 -s9999 -e write

Now even if my ssh session dies at home, I can still see the process output and know when it finishes and if it had any problems. Yes, I could have piped output to a file, you never forgot anything after working for 15+ hours?

Dealing with a system that had some package inconsistencies and a yum update that failed, followed by a package-utils –cleandupes that erased many complete packages, I thought about using the ‘yum history’ command to revert the system until I read this: “Use the history option for small update rollbacks.” Here are some of the commands I used which due to the systems package inconsistencies did not perform as expected.

# yum check
# package-cleanup --cleandupes
# yum-complete-transaction
# yum check
# package-cleanup --problems
# rpm -Va --nofiles --nodigest
# yum distribution-synchronizatio

The rest is pretty standard stuff, at least not worth noting in this post. The end result this week is a lot of lessons learned and a much deeper understanding for an application that I support on my server. In all, ignoring the backlog, I’d say that is what progress looks like.

SSH – weak ciphers and mac algorithms

Posted on June 25, 2014 by Saba, Mitch

A security scan turned up two SSH vulnerabilities:

SSH Server CBC Mode Ciphers Enabled
SSH Weak MAC Algorithms Enabled

To correct this problem I changed the /etc/sshd_config file to:

# default is aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
# aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
# aes256-cbc,arcfour
# you can removed the cbc ciphers by adding the line

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,arcfour

# default is hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# you can remove the hmac-md5 MACs with

MACs hmac-sha1,hmac-ripemd160

Once that was done and sshd was restart, you can test for the issue like this:

#ssh -vv -oCiphers=aes128-cbc,3des-cbc,blowfish-cbc <server>
#ssh -vv -oMACs=hmac-md5 <server>

Best to test before and after so you are familiar with the output.

Running the Citrix Reciever on Linux

Posted on November 22, 2013February 9, 2016 by Saba, Mitch

Setting up a new linux workstation and after installing the Citrix Receiver and attempting to start a module (Outlook) I got the dread SSL error:

Having run into this every 6 months or so I decided it was time to jot down the fix. The problem is the install does not install the Citrix SSL certificate into the browsers trusted certificate cache. So here is the solution for Firefox…

To prevent the SSL error 61 when accessing remote sessions:

Make Firefox’s certificates accessible to Citrix,

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

That’s it, you should be good to go!

Running the Citrix Reciever on Linux

Posted on November 22, 2013January 29, 2016 by Saba, Mitch

Setting up a new linux workstation and after installing the Citrix Receiver and attempting to start a module (Outlook) I got the dread SSL error:

To prevent the SSL error 61 when accessing remote sessions:

Make Firefox’s certificates accessible to Citrix,

sudo ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts

That’s it, you should be good to go!