CHAPTER FOUR - Security

Security: How do I implement it?

4.1) SECURE WEB PAGES

4.2) SECURE PASSWORDS

4.3) SECURE FTP DIRECTORIES

4.4) SECURE CGI-BIN DIRECTORIES

4.5) SECURE SOCKET LAYER (SSL)

4.1) SECURE WEB PAGES

How do I secure all web pages in a directory?

Please use the browser control panel interface for password protecting your web pages. Or via telnet, if your home directory is yourlogin, create a file named .htaccess in your web directory that contains the following:

	AuthUserFile /home/yourlogin/.htpasswd
	AuthGroupFile /dev/null
	AuthName ByPassword
	AuthType Basic
	<Limit GET POST>
	require user pumpkin
	</Limit>
	

Then in your home directory, type htpasswd -c .htpasswd pumpkin.

This will enable you to secure the directory so that only user pumpkin can enter this directory.

You may well want any of the user/password combinations you created in your .htpasswd file to allow access. Just say require valid-user instead of require user xxx in .htaccess and any of the users you created will be able to access the files.

 Note that you want to store the .htpasswd file in your home directory so it is hidden from others. The one drawback to putting your .htpasswd file in your home directory is that you will have to slightly lower the security of your home directory. Go to /home and type chmod +x yourlogin. The web server needs execute permission on to read the .htpasswd file.

4.2) SECURE PASSWORDS

How do I create a secure password?

 Make it at least 6 characters long. Include at least one number, capital letter, or punctuation mark in the name. Passwords can be a maximum of 10 alphanumeric characters.

4.3) SECURE FTP DIRECTORIES

How do I create secure ftp directories?

To make a directory named direct that can only be accessed by userid fred, go to the directory above direct and type chown fred direct. If you wish for only fred to read and write in it, type chmod 700 direct. If you wish to allow others to read these files you can type chmod a+rx direct after typing the first command.

The above only works if you are fred. If you not, but fred is in your group, ask us to make a new group for you and fred, your2grp. Then you can chgrp your2grp direct, and chmod g=rwx direct. If you do not wish anyone else to be able to read these files, use chmod o-rx direct.

To list the access permissions of a file, type ls -l file, and for a directory, ls -ld directory. r=read access, x=execute access, w=write access. After the first letter or hyphen (for file type), the first three letters apply to you, the second three letters apply to your group, the last three letters apply to everyone else. Execute access enables you to run programs or enter directories.

Examples of using chmod:

	PEOPLE                                  PERMISSIONS
	 u = the file's user (or owner)         r = read access
	 g = the file's group                   x = execute access
	 o = others                             w = write access
	 a = the user, the group, and others.

	 chmod a+w =  let everyone write to the file
	 chmod go-r = don't let people in the file's group or others to read
	              the file
	 chmod g+x =  let people in the file's group execute the file
	

4.4) SECURE CGI-BIN DIRECTORIES

How do I secure all pages in a cgi-bin directory?

To stop people from being able to read your scripts under all circumstances, end your CGI scripts with the name .cgi.

4.5) SECURE SOCKET LAYER (SSL)

How do use SSL security on a webpage or form?

First, you will need a security certificate - which will authenticate to the user that you are who you say you are. These can be purchased from certificate authorities such as Thawte for roughly $350US, or you can take advantage of the business relationship between Comodo and Nexus Internet Services and pay only our special price for the same level of security.

Please contact support with any questions you have concerning purchasing a Comodo SSL authentication Certificate via Nexus Internet Services. Your certificate will need to be installed, and a directory created with the appropriate security permissions.

The webpage form that you want to be secure must be called via a secure server request. All images in the webpage must also be called via a secure server call. These files will need to be moved to a subdirectory, and then their references modified to point to that subdiretory.

This is done by calling the files in the following format: If your file is normally http://www.yourdomain.com/order.htm then the page must be called as https://www.yourdomain.com/securedir/order.htm. 'order.htm' can be replaced with any file you are calling, including image files that you are trying to secure. If you get a broken key instead of an image file that should appear, it is because you have secured the page, but have not secured an image or your background.

If the webpage you are trying secure is a form, the action the form performs (form method=post action=http....) must be a secure action as well (form method=post action=https....). Below is an example of the beginning of a secure form using formmail:

	<form METHOD="POST" ACTION="https://www.yourdomain.com/cgi-sys/FormMail.cgi">
	

Return To Manual Menu