Restrict access to directory based on protocol - .htaccess

I know .htaccess can be used to restrict access to specific directories based on domain, IP address, etc. but is there a way I can restrict access based on protocol?
I have some scripts I want to be able to run remotely on an Apache server only from SSH.

SSH and HTTP(S) are completely different protocols, and usually different server-side programs are responsible for them.
The Apache httpd serves HTTP and, if configured, HTTPS requests. Restricting access can be done with .htaccess files. In a .htaccess, HTTPS usage can be forced with the SSLRequireSSL directive. The Apache httpd has nothing to do with SSH.
For SSH connections the sshd is generally responsible, and therefore, if you want to access and execute your scripts only over SSH, move them out of httpd access.

Related

How can I get file from FTP server?

I have found a security hole in a website. I can sign in through an anonymous account, so I signed in. So I am trying to get index.html from the website and I receive the following message: Illegal PORT command.
Use port or pasv mode.
How can I get this file, then edit it and upload the modified file again?
If you're administering an FTP server, it would be best for you to configure your server to support passive mode FTP. However, you should bear in mind that in doing so, you would be making your system more vulnerable to attacks. Remember that, in passive mode, clients are supposed to connect to random server ports.
Thus, to support this mode, not only should your server have multiple ports available, your firewall should also allow connections to all those ports to pass through!
But then the more open ports you have, the more there will be to exploit. To mitigate the risks, a good solution would be to specify a range of ports on your server and then to allow only that range of ports on your firewall.

How to configure liferay to get correct ip address of user?

The password reset mail is currently sending a private IP. I want the
$REMOTE_ADDRESS$ variable of Liferay to be set to the public IP in the password reset notification.
Internally Liferay uses request.getRemoteAddr(). How should I configure Liferay so that request.getRemoteAddr() gives the correct IP address?
I'm assuming that you're using mod_proxy_http to forward requests from your Apache httpd to Tomcat (or whatever appserver you use). This means that there's a separate HTTP request, originating from your webserver. I'm assuming that this is the address that you see, no matter what request you handle.
One way to tackle this is to use AJP as the forwarding protocol, instead of HTTP. You can do this by utilizing mod_proxy_ajp or mod_jk. This means that you can't encrypt the traffic between your web and application server; however, it handles the remote host and other issues by default.
There might be other options, e.g. experimenting with adding the header X-Forwarded-For. I personally prefer AJP over HTTP as the forwarding protocol, that's why I never bothered to try the alternatives.
Basically, this does not involve Liferay at all: The remote host gets lost on the connection from Apache httpd to your appserver. Liferay just retrieves what the appserver tells it about the request.

Securing a simple Linux server that holds a MySQL database?

A beginner question, but I've looked through many questions on this site and haven't found a simple, straightforward answer:
I'm setting up a Linux server running Ubuntu to store a MySQL database.
It's important that this server is as secure as possible; as far as I'm aware, my main concerns should be incoming DoS/DDoS attacks and unauthorized access to the server itself.
The database server only receives incoming data from one specific IP (101.432.XX.XX), on port 3000. I only want this server to be able to receive incoming requests from this IP, as well as prevent the server from making any outgoing requests.
I'd like to know:
What is the best way to prevent my database server from making outgoing requests and receiving incoming requests solely from 101.432.XX.XX? Would closing all ports ex. 3000 be helpful in achieving this?
Are there any other additions to the linux environment that can boost security?
I've taken very basic steps to secure my phpmyadmin portal (linked to the MySQL database), such as restricting access to solely my personal IP address.
To access the database server requires the SSH key (which itself is password protected).
A famous man once said "security is a process, not a product."
So you have a db server that should ONLY listen to one other server for db connections, and you have the specific IP for that one other server. There are several layers of restriction you can put in place to accomplish this:
1) Firewall
If your MySQL server is fortunate enough to be behind a firewall, you should be able to block out all connections by default and allow only certain connections on certain ports. I'm not sure how you've set up your db server, or whether the other server that wants to access it is on the same LAN or not or whether both machines are just virtual machines. It all depends on where your server is running and what kind of firewall you have, if any.
I often set up servers on Amazon Web Services. They offer security groups that allow you to block all ports by default and then allow access on specific ports from specific IP blocks using CIDR notation. I.e., you grant access in port/IP combination pairs. To let your one server get through, you might allow access on port 3000 to IP address 101.432.xx.xx.
The details will vary depending on your architecture and service provider.
2) IPTables
Linux machines can run a local firewall (i.e., a process that runs on each of your servers itself) called iptables. This is some powerful stuff and it's easy to lock yourself out. There's a brief post here on SO, but you have to be careful. It's easy to lock yourself out of your server using iptables. Keep in mind that you need to permit access on port 22 for all of your servers so that you can log in to them. If you can't connect on port 22, you'll never be able to log in using ssh again. I always try to take a snapshot of a machine before tinkering with iptables lest I permanently lock myself out.
There is a bit of info here about iptables and MySQL also.
3) MySQL cnf file
MySQL has some configuration options that can limit any db connections to localhost only - i.e., you can prevent any remote machines from connecting. I don't know offhand if any of these options can limit the remote machines by IP address, but it's worth a look.
4) MySQL access control via GRANT, etc.
MySQL allows you very fine-grained control over who can access what in your system. Ideally, you would grant access to information or functions only on a need-to-know basis. In practice, this can be a hassle, but if security is what you want, you'll go the extra mile.
To answer your questions:
1) YES, you should definitely try and limit access to your DB server's MySQL port 3000 -- and also port 22 which is what you use to connect via SSH.
2) Aside from the ones mentioned above, your limiting of PHPMyAdmin to only your IP address sounds really smart -- but make sure you don't lock yourself out accidentally. I would also strongly suggest that you disable password access for ssh connections, forcing the use of key pairs instead. You can find lots of examples on Google.
What is the best way to prevent my database server from making outgoing requests and receiving incoming requests solely from 101.432.XX.XX? Would closing all ports ex. 3000 be helpful in achieving this?
If you don't have access to a separate firewall, I would use iptables. There are a number of managers available for you on this. So yes. Remember that if you are using iptables, make sure you have a way of accessing the server via OOB (short for out of band, which means accessing it in such a way that if you make a mistake in iptables, you can still access it via console/remote hands/IPMI, etc.).
Next up, when creating users, you should only allow that subnet range plus user/pass authentication.
Are there any other additions to the linux environment that can boost security? I've taken very basic steps to secure my phpmyadmin portal (linked to the MySQL database), such as restricting access to solely my personal IP address.
Ubuntu ships with something called AppArmor. I would investigate that. That can be helpful to prevent some shenanigans. An alternative is SELinux.
Further, take more steps with phpmyadmin. That is your weakest link in the security tool chain we are building.
To access the database server requires the SSH key (which itself is password protected).
If security is a concern, I would NOT use SSH key style access. Instead, I would use MySQL's native support for SSL certificate authentication. Here is how to configure it with phpmyadmin.
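As an added example (not code from either answer above), here is the iptables layer both answers describe, written as a script that can be previewed with IPT=echo before it is applied as root. The addresses are constructed placeholders: 203.0.113.10 stands for the one allowed application server and 198.51.100.7 for the admin host that needs SSH; the MySQL port 3000 comes from the question.

```shell
#!/bin/sh
# Added example: default-deny iptables policy for a MySQL host that accepts
# connections only from one application server and SSH only from one admin
# host, and that may not open outbound connections itself.
# Constructed addresses; replace them with your own.
APP_IP="${APP_IP:-203.0.113.10}"     # the only host allowed to reach MySQL
ADMIN_IP="${ADMIN_IP:-198.51.100.7}" # the only host allowed to reach SSH
DB_PORT="${DB_PORT:-3000}"           # MySQL port from the question

# Wrapper so that IPT=echo prints the rules instead of applying them.
ipt() { "${IPT:-iptables}" "$@"; }

lockdown_rules() {
    # Flush and default-deny in every direction.
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # Loopback is needed by the local mysql client and phpMyAdmin.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Replies to accepted inbound sessions must be allowed out, otherwise no
    # TCP connection can complete; NEW outbound connections stay blocked.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # MySQL only from the application server.
    ipt -A INPUT -p tcp -s "$APP_IP" --dport "$DB_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # SSH only from the admin host; drop this line and you lock yourself out.
    ipt -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Rate-limited log of everything else, then drop it.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "db-fw-drop: "
    ipt -A INPUT -j DROP
}

# Note: with OUTPUT defaulting to DROP, apt updates and DNS will not work
# until you temporarily allow them; that is the intended trade-off.
case "${1:-}" in
    apply) lockdown_rules ;;
esac
```

Run `IPT=echo sh lockdown.sh apply` (hypothetical file name) from a console or other out-of-band session first, and pair it with `bind-address` in my.cnf and a GRANT restricted to 'user'@'203.0.113.10' so the database itself also rejects other hosts.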

htaccess: is "Allow from 127.0.0.1" safe

I have a website where I keep a dev copy on my local computer, and a live copy on my webhost.
I want to ip-whitelist a particular subdirectory to allow only me to access it. However, if I am working on my local copy via my home network, my ip is 127.0.0.1, whereas when I am working on the live site via the internet my ip address is 184.255.27.13.
So I added both ip's to my .htaccess (identical copy on local server and webhost server):
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 184.255.27.13
Is there any danger to upload the htaccess to the webserver with that generic 127.0.0.1 included?
Is there any danger to upload the htaccess to the webserver with that generic 127.0.0.1 included?
No, since if someone malicious is connecting to your webhosted server from 127.0.0.1, they've already got access to the server itself.
Most likely not, but there could be a security risk, depending on your server configuration.
If you are running nginx, stunnel, haproxy or similar software that acts as a reverse proxy alongside Apache, and configure it as a reverse proxy for the Apache server, the Apache server could see all incoming connections as coming from 127.0.0.1.
But that is not going to happen to a basic LAMP configuration.
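The reverse-proxy case in the second answer can be checked before the .htaccess is uploaded: if every request in the live server's access log appears to come from 127.0.0.1, Apache is seeing the proxy's address, and "Allow from 127.0.0.1" would admit everyone. The script below is an added example (not from the thread) that runs that check over constructed Apache combined-format log lines; 184.255.27.13 is the asker's own address from the question.

```shell
#!/bin/sh
# Added example: detect whether Apache sees all clients as 127.0.0.1, which
# means a reverse proxy sits in front of it and an "Allow from 127.0.0.1"
# rule no longer identifies the local machine.
# Both log samples below are constructed in Apache combined log format.

# What the log looks like when a proxy (nginx, haproxy, ...) is in front.
PROXIED_SAMPLE='127.0.0.1 - - [10/Jan/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "curl/8.0"
127.0.0.1 - - [10/Jan/2024:10:00:02 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jan/2024:10:00:03 +0000] "POST /admin/edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# What a basic LAMP setup logs: real client addresses, loopback only for
# genuinely local requests such as a monitoring probe.
DIRECT_SAMPLE='184.255.27.13 - - [10/Jan/2024:10:00:01 +0000] "GET /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Jan/2024:10:00:02 +0000] "GET /server-status HTTP/1.1" 200 90 "-" "monit/5.33"
203.0.113.44 - - [10/Jan/2024:10:00:03 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"'

# Print "<requests from 127.0.0.1> <total requests>" for the log on stdin.
# The client address is the first field of a combined-format line.
count_loopback() {
    awk '$1 == "127.0.0.1" { lb++ } { n++ } END { printf "%d %d\n", lb, n }'
}

# Succeed (exit 0) when every request on stdin came from 127.0.0.1, i.e. the
# address Apache sees is the proxy rather than the client.
looks_proxied() {
    set -- $(count_loopback)
    [ "$2" -gt 0 ] && [ "$1" -eq "$2" ]
}

# Usage on a real server:
#   tail -n 1000 /var/log/apache2/access.log | looks_proxied && echo "proxied"
```

If the check says "proxied", either whitelist at the proxy itself or configure mod_remoteip so Apache evaluates the real client address instead of 127.0.0.1.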

Access FTP via HTTP?

We have an external secure FTP server that we want to access through HTTPS (our infrastructure does not support FTPs). I know that's possible but I don't know how. I'm looking for something like this:
ftp://ftp.mozilla.org/pub/mozilla.org/zz
http://ftp.mozilla.org/pub/mozilla.org/zz
Thanks!
To add some clarification: FTP and HTTP are, as SLaks said, two entirely different things. The links you have posted use two separate protocols. One is ftp, and one is http. You appear to be getting confused by the second link because it still has ftp in it. What is happening there is that "ftp.mozilla.org" is the domain name of that server. The pages themselves look similar because there is no actual page you are referencing (you are visiting the directory itself) and there is no default page specified in that directory (for example, no index.html).
The default behavior in this case is to simply list the directory contents, which is pretty much what the ftp protocol does anyway.
So:
You will need to either install a web server program (not an ftp server program!) on the ftp server (the physical box) and let users download files using the http(s) protocol, or you will as SLaks suggested need to create your own proxy (or find one that exists) that will receive commands from the http protocol and transform them into the equivalent ftp commands, which are then sent to the ftp server.
Personally, I recommend the former, as it is less complicated.
FTP and HTTP are two different protocols that have nothing to do with each-other.
You need to run an HTTP server.
You can either run an HTTP server that exposes the same files (like Mozilla does), or write an HTTP proxy for the FTP server.
Sounds like you are looking for a web-based FTP client. http://www.net2ftp.com/ is a good place to start, but you will have to configure the tunnel appropriately within your network. A solution like net2ftp will tunnel traffic to and from the server as HTTP, then running local scripts.
You will also want to remember that there are other file protocols your network administrator can open up aside from SFTP/FTP. Ask them about a private SSH key alternative, which would avoid a public-facing web-based FTP server/client solution.