Web Hosting Manual & Guide
CHAPTER FOUR - Security
Security: How do I implement it?
4.1 SECURE WEB PAGES
4.2 SECURE PASSWORDS
4.3 SECURE FTP DIRECTORIES
4.4 SECURE CGI-BIN DIRECTORIES
4.5 SECURE SOCKET LAYER (SSL)
4.1 SECURE WEB PAGES
How do I secure all web pages in a directory?
Please use the browser control panel interface for password protecting your web pages.
Or via telnet (telnet sends your login password over the network in clear text, so use ssh instead if the server offers it): if your login is yourlogin, create a file named .htaccess in the web
directory you want to protect that contains the following:
    AuthUserFile /home/yourlogin/.htpasswd
    AuthGroupFile /dev/null
    AuthName ByPassword
    AuthType Basic
    require user pumpkin
Older examples wrap the require line in <Limit GET POST> ... </Limit>. Do not: a Limit block applies the password check only to the request methods it lists, so a request made with any other method the server accepts is answered without a password. With no Limit block the check applies to every request for the directory. Note also that Basic authentication sends the password itself (base64-encoded, not encrypted) with every request, so pages that matter should be reached through the secure server (section 4.5).
Then in your home directory, type htpasswd -c .htpasswd pumpkin and enter the password when prompted. This
secures the directory so that only user pumpkin can enter it. The -c option creates the file and overwrites
one that already exists, so add further users without it: htpasswd .htpasswd anotheruser.
If you want any of the user/password combinations in your .htpasswd file to allow access, put
require valid-user in .htaccess instead of require user xxx; any of the users you created will then be able to access the files.
Keep the .htpasswd file in your home directory, not under your web directory: anything under the web directory
can be fetched by URL, and a password file that can be downloaded protects nothing. The one drawback of the home
directory is that you have to open it slightly so the web server, which runs as a different user, can reach the file:
go to /home and type chmod o+x yourlogin. Execute (search) permission lets the server open a file inside the directory
by name; it does not let anyone list the directory, so do not add o+r. The file itself must be readable by the server
as well (chmod 644 .htpasswd). Other users on the server can then read the hashes, so choose the passwords as
described in 4.2 and never reuse your login password in .htpasswd.
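As an added example (not part of this manual), the following shell script writes the .htaccess described above, refuses a password file that sits inside the web directory, and sets exactly the permissions the server needs. The directory layout (/home/yourlogin with a public_html web directory) and the contents of the password file are assumptions; the demo builds a throw-away tree so it can be run safely on any account.

```shell
#!/bin/sh
# Added example, not from this manual: protect a web directory with the
# .htaccess shown above, check where the password file lives, and set the
# permissions the server needs. Every path is an assumption (the manual's
# /home/yourlogin layout); the demo builds a throw-away tree to run against.

# Write the .htaccess. "require valid-user" admits any login in the password
# file; there is deliberately no <Limit GET POST> block, because a Limit block
# leaves every request method it does not list unprotected.
write_htaccess() {
    web_dir=$1 passwd=$2
    cat > "$web_dir/.htaccess" <<EOF
AuthUserFile $passwd
AuthGroupFile /dev/null
AuthName ByPassword
AuthType Basic
require valid-user
EOF
}

# Return 0 when the password file is outside the served tree, 1 when it is
# under it (where anyone could download it by URL).
passwd_outside_webroot() {
    case "$1" in
        "$2"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# The server runs as another user ("others"): give it search access to the
# home directory and read access to the hash file, and nothing more.
# No o+r on the home directory, so it stays unlistable. 644 on .htpasswd
# means other users on a shared server can read the hashes, so the
# passwords in it must be strong.
fix_perms() {
    chmod o+x "$1"
    chmod 644 "$2"
}

# Symbolic permission string of a path, e.g. "rwx-----x", taken from ls -ld
# (portable across GNU and BSD, unlike the option flags of stat).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Demo on a constructed tree; no real account is touched.
demo() {
    tmp=$(mktemp -d)
    home="$tmp/home/yourlogin"
    mkdir -p "$home/public_html/private"
    chmod 700 "$home"
    # Constructed stand-in for the file "htpasswd -c .htpasswd pumpkin" makes.
    printf 'pumpkin:$apr1$placeholder$hash\n' > "$home/.htpasswd"
    if ! passwd_outside_webroot "$home/.htpasswd" "$home/public_html"; then
        echo "refusing: .htpasswd is inside the web directory" >&2
        return 1
    fi
    write_htaccess "$home/public_html/private" "$home/.htpasswd"
    fix_perms "$home" "$home/.htpasswd"
    echo "home directory: $(perm_string "$home")"            # rwx-----x
    echo "password file:  $(perm_string "$home/.htpasswd")"  # rw-r--r--
    cat "$home/public_html/private/.htaccess"
    rm -rf "$tmp"
}

demo
```

The placement check is the part most often skipped by hand: a .htpasswd copied into public_html "for convenience" is served like any other file, and its hashes can then be cracked offline at leisure.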
4.2 SECURE PASSWORDS
How do I create a secure password?
Make it at least 6 characters long; longer is better, up to the 10-character limit below. Include at least one number, capital letter or punctuation mark in the password, and do not use a dictionary word, a name, or anything derived from your login.
Passwords can be a maximum of 10 characters.
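As an added example (not part of this manual), this shell script draws a password of the required length from the system's random device and checks it against the rules above, retrying the rare draw that contains no number, capital or punctuation. The character set and the default length of 10 are assumptions.

```shell
#!/bin/sh
# Added example, not from this manual: generate a password that meets the
# rules above (6 to 10 characters; at least one digit, capital letter or
# punctuation mark) from /dev/urandom, plus a checker for the same rules.
# The character set and the default length are assumptions.

# Return 0 if $1 satisfies the policy, 1 otherwise.
check_policy() {
    pw=$1
    len=${#pw}
    [ "$len" -ge 6 ] && [ "$len" -le 10 ] || return 1
    case "$pw" in
        *[[:digit:]]*|*[[:upper:]]*|*[![:alnum:]]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Draw LEN random characters; a draw that happens to be all lowercase letters
# fails the policy and is simply redrawn.
gen_password() {
    len=${1:-10}
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!#%+,.:=@_-' < /dev/urandom | head -c "$len")
        check_policy "$pw" && { printf '%s\n' "$pw"; return 0; }
    done
}

# Run directly: print one password of the length given (default 10).
if [ "$#" -gt 0 ] || [ -t 1 ]; then
    gen_password "${1:-10}"
fi
```

A random draw is preferable to a word with a digit bolted on: the .htpasswd hashes from section 4.1 are readable by other users on the server, and a dictionary-based password falls to an offline guess in seconds.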
4.3 SECURE FTP DIRECTORIES
How do I create secure ftp directories?
To make a directory named direct that can only be accessed by user fred, go to the directory above direct and type
chown fred direct. If you wish only fred to read and write in it, type chmod 700 direct. If you wish to allow
others to read these files, type chmod a+rx direct after the chown, and chmod a+r on the files inside it. The web
server counts as "others", so a directory it serves needs exactly that.
The above only works if you are fred (only the administrator can give a file to another user). If you are not, but
fred is in your group, ask us to make a new group for you and fred, your2grp. Then you can chgrp your2grp direct and
chmod g=rwx direct. If you do not wish anyone outside the group to be able to read these files, use chmod o-rx direct;
note that this also closes the directory to the web server, which is not in your group either.
To list the access permissions of a file, type ls -l file; for a directory, ls -ld directory.
r=read access, w=write access, x=execute access. After the first character (a hyphen for a plain file, d for a
directory), the first three letters apply to the owner, the second three to the owner's group, and the last three
to everyone else. Execute access lets you run a program or enter a directory.

PEOPLE                                   PERMISSIONS
u = the file's user (or owner)           r = read access
g = the file's group                     w = write access
o = others                               x = execute access
a = the user, the group, and others

Examples of using chmod (give the file or directory name after the mode):
chmod a+w file   = let everyone write to the file (rarely what you want on a shared server)
chmod go-r file  = don't let people in the file's group or others read the file
chmod g+x file   = let people in the file's group execute the file
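As an added example (not part of this manual), the following shell functions inspect a directory tree for the two mistakes that matter most on a shared server (files others can write, and files the web server cannot read) and apply the owner-only and shared-group layouts described above to a whole tree at once. Directory names are assumptions; chgrp is left to you because the group name belongs to your account.

```shell
#!/bin/sh
# Added example, not from this manual: inspect and tighten the permissions
# of a directory tree on a shared server. The directory names are assumptions.
# Octal masks are used with find -perm because every find understands them:
# 002 = others may write, 004 = others may read, 001 = others may execute.

# Symbolic permission string ("rwxr-x---") of a path, read from ls -ld so it
# works on GNU and BSD systems alike.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Everything under a tree that "others" can write to. On a shared server
# "others" means every other customer and the web server itself.
world_writable() {
    find "$1" -perm -002
}

# What the web server cannot use: files it cannot read and directories it
# cannot enter. These produce an error instead of a page if they are meant
# to be served.
unusable_by_server() {
    find "$1" -type f ! -perm -004
    find "$1" -type d ! -perm -001
}

# The manual's chmod 700 case, applied to a whole tree: directories 700,
# files 600, so only the owner can read or change anything.
owner_only() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# The manual's shared-group case: the group gets full access, others none.
# Run chgrp your2grp on the tree yourself first; the group name is yours.
group_only() {
    find "$1" -type d -exec chmod u=rwx,g=rwx,o= {} +
    find "$1" -type f -exec chmod u=rw,g=rw,o= {} +
}

# Run directly with a directory argument: report, do not change anything.
if [ "$#" -gt 0 ]; then
    echo "== writable by others =="; world_writable "$1"
    echo "== unusable by the web server =="; unusable_by_server "$1"
fi
```

Reporting and changing are kept apart on purpose: run the report first, because a directory that is unusable by the server may be one you closed deliberately (a data directory for your scripts), not a mistake.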
4.4 SECURE CGI-BIN DIRECTORIES
How do I secure all pages in a cgi-bin directory?
Naming your CGI scripts with a .cgi ending tells the server to execute them rather than hand them out as text, so visitors get the script's output instead of its source. This only protects files that actually match the rule: a copy with any other name in the same directory (order.cgi.bak, an order.cgi~ left behind by an editor, a config.pl holding a database password) is served as plain text to anyone who asks for it. Keep such copies out of the web tree, keep secrets in files outside it, and make each script executable and readable by the server (chmod 755 order.cgi), or it will produce an error instead of running.
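As an added example (not part of this manual), this shell script audits a cgi-bin directory for the two problems just described: files that would be served as source because they are not named .cgi, and .cgi scripts the server cannot execute. It removes the usual editor and backup leftovers and fixes the script permissions; the directory name is an assumption.

```shell
#!/bin/sh
# Added example, not from this manual: audit a cgi-bin directory. Reports the
# files that would be handed out as source (anything not named *.cgi, such as
# .bak copies and editor backups) and the *.cgi scripts the server cannot run,
# then cleans both up. The directory name is an assumption.

# Files the server would serve as text instead of executing.
served_as_source() {
    find "$1" -type f ! -name '*.cgi'
}

# Scripts that fail with a server error: not executable by, or not readable
# by, the server, which runs as "others" (octal 001 = o+x, 004 = o+r).
not_runnable() {
    find "$1" -type f -name '*.cgi' \( ! -perm -001 -o ! -perm -004 \)
}

# Delete the usual leftovers: editor backups (name~), .bak/.orig/.old copies
# and vi swap files. Anything else not named *.cgi is only reported by
# served_as_source, since it may be deliberate and needs a look by you.
remove_leftovers() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' -o -name '*.orig' \
        -o -name '*.old' -o -name '.*.swp' \) -exec rm -f {} +
}

# Make every *.cgi executable and readable by the server, writable only by
# its owner (chmod 755).
fix_scripts() {
    find "$1" -type f -name '*.cgi' -exec chmod 755 {} +
}

# Run directly with the cgi-bin path: report, clean up, report again.
if [ "$#" -gt 0 ]; then
    echo "== would be served as source =="; served_as_source "$1"
    echo "== cannot be run by the server =="; not_runnable "$1"
    remove_leftovers "$1"
    fix_scripts "$1"
    echo "== still served as source after cleanup =="; served_as_source "$1"
fi
```

Whatever is still reported after the cleanup (a config.pl, a data file) is the list of things to move out of the web tree, since a .cgi name cannot be applied to files that are not scripts.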
4.5 SECURE SOCKET LAYER (SSL)
How do I use SSL security on a webpage or form?
The webpage or form that you want to be secure must be called via the secure server, and so must every file it
pulls in (images, background, style sheets). If your file is normally
http://www.yourdomain.com/order.htm then the page must be called as https://securedservername/~username/order.htm.
order.htm can be replaced with any file you are calling, including the image files. The secure server has a
different host name, so every absolute http://www.yourdomain.com/... reference inside the page must be changed in
the same way; references written relative to the page (images/logo.gif, /cgi-bin/order.cgi) need no change, because
they are fetched with the same scheme and host as the page itself. If you get a broken key instead of an image,
it is because you have secured the page but not an image or your background: the browser has loaded part of the
page unencrypted and is telling you so.
If the webpage you are trying to secure is a form, the action the form performs (form method=post action=http....) must be a
secure action as well (form method=post action=https....); otherwise everything typed into the form is sent in clear
text, no matter how the form itself was loaded.
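As an added example (not part of this manual), the following shell functions find the references in a page that would produce the broken key (src, href, action and background attributes still pointing at http://) and write a copy of the page with the absolute addresses changed to the secure server, in the form the manual gives. The host names are the manual's placeholders and are assumptions.

```shell
#!/bin/sh
# Added example, not from this manual: find the references in an HTML page
# that would break the "secure" display (src, href, action or background
# attributes still pointing at http://) and produce a copy rewritten to the
# secure server. The host names are the manual's placeholders (assumptions).

# Print every src=, href=, action= or background= attribute whose value
# starts with http://. Prints nothing, and succeeds, when the page is clean.
insecure_refs() {
    grep -oiE '(src|href|action|background)="http://[^"]*"' "$1" || true
}

# Copy $1 to $2, changing absolute http://www.yourdomain.com/ addresses to
# https://securedservername/~username/ as the manual describes. Relative
# addresses (images/logo.gif, /cgi-bin/order.cgi) are left alone: they are
# fetched with the scheme and host of the page and so are already secure.
secure_copy() {
    sed 's#http://www\.yourdomain\.com/#https://securedservername/~username/#g' "$1" > "$2"
}

# Run directly with a page name: report what would show the broken key.
if [ "$#" -gt 0 ]; then
    insecure_refs "$1"
fi
```

Checking the form's action attribute is the important part: a form that is loaded securely but posts to http:// shows the closed key while the page is read, and sends the order in clear text the moment it is submitted.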
Please contact the support dept to activate secure server for you.