Home page logo

basics logo Security Basics mailing list archives

Re: Apache AuthBasic
From: "Jon Mark Allen" <jonmark () allensonthe net>
Date: Fri, 12 Dec 2003 14:49:38 -0600

Thank you very much for all your input.  It is greatly appreciated!

I do feel better knowing that I at least have the right idea.... :-)

Jon Mark

Miles Stevenson<miles () mstevenson org> 12/12/03 02:39:58 PM >>>
I think you are going down the right path.

Depending on the practicality, you may want to consider issuing keys for
the SSL site, and using public/private key auth via SSL instead of basic
auth. It's not too hard to setup with apache, but you will have to
distribute and sign keys to each user that is going to access the sight,
which can sometimes be impractical. 

Other than that, the same basic rules apply:
1)Keep your systems patched.
2)Minimize and secure your server configurations. (if you don't need it,
don't run it!).
3)Read your logs.
4)Have a well configured firewall.
5)Snort rules!


On Fri, 2003-12-12 at 15:29, Jon Mark Allen wrote:
The content of the folder is a few static HTML pages.

The main security concern is confidentiality of the data.  There is no application or database.

My hands are tied in a number of areas here:

1) the site is hosted by a 3rd party, so I don't have real-time access to the log files to watch for brute-force 
1a) which obviously also means that my security is only as good as the web host's security; a fact I will just have 
to live with

2) PGP is not an option given the diversity and size of the audience that needs the info. (i.e. not all the 
receipiants have PGP and neither do I want to manage *all* their public keys)

3) the info is time critical and needs to be available ASAP (doesn't it always? :-? )

Taking the factors above into consideration, and with some of the responses to this list as well as an idea from an 
article on hardening .htaccess files, I think I've decided that my biggest security threat (aside from end users 
mishandling userids and passwords) is the brute force attack.

I do have access to PHP on this server and am writing a custom 401 error page that will email me the IP address of 
any client that fails to authenticate before displaying as generic an error message as I can send.  I suppose if I 
had time (and if I trusted my PHP coding abilities enough) I could write some authentication scripts in PHP to handle 
the security, but I think that would get very complicated very quickly and I'm not an expert PHP coder just yet :-)  
So I think the built in Apache password challenge will suffice in this case.

Does this sound like a good plan?

This is still a bit new to me, but I think I'm getting somewhere.

Thanks again,

Jon Mark


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]