logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: HTDOCS and Securtiy
Author
timboellis2031



Joined: 21 Mar 2007
Posts: 2

PostPosted: Wed 21 Mar '07 12:43    Post subject: HTDOCS and Securtiy Reply with quote

Can someone suggest a better suecurity for me.


I currently have appache running on a local server, however I have various users connecting to this internally and externally through the IP address that is forwarded through the router on port 80.

At the moment it is secured by IP address I have denied to all and allowed the IP addresses, however several of my users that work from home that need to access to this who have dynamic addresses.

So any suggestions on how to do this , I am not keen on doing passwords for security reasons?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Mon 26 Mar '07 13:35    Post subject: Reply with quote

One possibility is that the others get a dynamic DNS name like user1.dyndns.org, user2.dyndns.org or some other dynDNS supporter. So you could allow by the DNS name.

Second thing I can think of is. That many providers have a pool of IP adresses given to the users. So you may could allow IPs beginning with that pool
e.g.
Code:

Deny from all
Allow from 172.20 192.168

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html


A password solution would be much easier for the users!
Back to top
timboellis2031



Joined: 21 Mar 2007
Posts: 2

PostPosted: Mon 26 Mar '07 17:01    Post subject: Security Reply with quote

But how secure is the password as their is sensitve information on this server?
Back to top
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 611
Location: Milford, MA, USA

PostPosted: Tue 27 Mar '07 17:00    Post subject: Reply with quote

re: "I am not keen on doing passwords for security reasons?"

I'm not sure I understand your point. Passwords are more secure than restricting IP addresses because IP addresses can be spoofed by a knowledgeable attacker.

Basic authentication is fine if you do not think anyone will intercept (i.e. wiretap) the connection between the browser and your server.

Digest authentication overcomes this "wiretapping" problem.

In both cases, the quality of the passwords (mixed-case, punctuation characters, avoid names or dictionary words) is the most important factor.

Perhaps you are worried that your users won't keep their passwords secret? Or maybe that someone can abscond with the password file from your server?

"sensitive information" can mean many things. If you really think a highly-skilled attacker would spend millions of euros/dollars and months/years of effort to crack your web site, then the encryption in Apache may not be strong enough. If your "sensitive information" is just commercial or personal data - the Apache password mechanism is certainly sufficient.

You can use both IP restrictions and passwords together, but this is seldom done.

-tom-
Back to top


Reply to topic   Topic: HTDOCS and Securtiy View previous topic :: View next topic
Post new topic   Forum Index -> Apache