Print Reseller Scheme
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

.htaccess blocking users

Discussion in 'Website Design Forum:' started by philjohns, Jan 25, 2009.

  1. philjohns

    philjohns Senior Member

    Hi all, quick question (I hope)

    I need to block a .txt file that is on my web space from being visible by everyone. i.e. I want it to display a message similiar to:

    "Sorry, but you do not ahve the right permissions to read this file"

    when it is visited so I can only view it when I download it. I still need to be able to write to the file when it is on my website though (chmod 777)

    Any clues?

    Thanks,

    Phil
     
  2. Jazajay

    Jazajay Active Member

    Right now the only way I can think about doing that uses the .htaccess file is using a static IP address, that way you say if the IP address does not equal such and such display this error/error page, if it does write to it.

    You could have a login form and a session if the session is not set redirect the user to the home page/error page if it is write to the page instead.
     
  3. tim

    tim Senior Member

    Hey Jaz, you've disintegrated recently!

    But thanks for the thread PJ, will probably help me somewhere along the line :D
     
  4. Jazajay

    Jazajay Active Member

    Yeah been busy travelling round the country seeing some friends, and just going out and stuff, that and I've been working for a change, lol.

    See you've been busy with over 100 more posts than me now, lol.
     
  5. Kevin

    Kevin Senior Member

    Put it in a protected directory?

    .htaccess
    Code:
    AuthUserFile /your/directory/path/.htpasswdAuthGroupFile /dev/nullAuthName "Password Protected Area"AuthType Basic<limit GET POST>require valid-user</limit>
    .htpasswd
    Code:
    John:rm/3C/dvBWHrgMary:rg/4x/dvYHrug
    Here is a generator
    http://www.webmaster-toolkit.com/htaccess-generator.shtml
     
  6. tim

    tim Senior Member

    @jazajay : wow, you really have been busy!

    and yeah, i think i'm at 9 posts a day, which is a bit excessive, but obviously I have an opinion about everything!
     
  7. Kevin

    Kevin Senior Member

    • Total Posts: 93
    • Posts Per Day: 12.87
    Beat that :D
     
  8. Jazajay

    Jazajay Active Member

    @ Onartis
    I would say depending on what the files are that that will work, nice catch.
    I will add however that I never use it because it is really easy to crack by a dedicated hacker using nothing more than a brute force attack. However if it is just for images that should work and would be good enough protection.

    Depending if you want to write to the file dynamically though that will require more as I dont think it will allow you to write to the file, I could be wrong.

    If it is a simple issue as a server side log error file store it out side of the document root, and it cant be accessed but still be able to be written to.

    If it is for a log in script to a CMS, go with a user name password, 30 second time-out function, if the wrong password and or user name is entered, followed by a 24 digit security number once the password and user name is correct, again with a 30 second timeout function applied.

    But make sure the user name and password is a minimum of 8 charcaters with a mixture of both special characters ([]~@) and both upper and lower case alpha charcters, and ideally with SSL encrytion, if that is not available use sha1 encyrtption.

    But it does depend on the files you want to write to and thier importance TBH. :)

    Jaz
     
  9. Jazajay

    Jazajay Active Member

    @Tim-ater and Onartis
    I feel so lame ~

    • Total Posts: 357
    • Posts Per Day: 5.39
    Jaz :lol:
     
  10. tim

    tim Senior Member

    Incorrect...

    - Total Posts: 358
    - Poster Per Day: 5.40


    Just to annoy you :D
     
  11. Kevin

    Kevin Senior Member

    I don't have any top secret CIA stuff on my server so it's been working fine so far... But I didn't know about this before, thanks for pointing it out :up:

    Who knows... maybe president Obama will come to me to make sure his wife doesn't find his Christmas list :D
     
  12. Jazajay

    Jazajay Active Member

    Well I protect my CMS via that method.
    If a hacker was to hack into my CMS because of lax security then they could mess the whole DB up, and thus my rankings and my credibility as a result.

    If it is an image directory then fair enough but if the file has more importance then higher security protocols need to put in place to safe guard the files within it IMO.
     
  13. Kevin

    Kevin Senior Member

    Should I have a genuine fear of hackers?
     
  14. Jazajay

    Jazajay Active Member

    I think it is around 10,000 sites are hacked every week now and Websense has just come out with statistics that say that 70 of the top 100 sites are now infected with malware.

    Now if your site is hacked and the hacker puts his or her malware on your site to automatically download to your visitors, 1 you are spreading virus, as well as other crap to your own visitors with out you knowing it, 2 if the search engines detect it you lose all your rankings across the board as a result of that 1 hacker.

    The point being is if the file has little importance then don't worry about it, if it contains the passwords to your db and you have no back ups and 8 months of solid data on their be a control freak with the mentality that every site visitor has 1 goal and that is to access that file and delete your db just because they can.

    Bare in mind I can get DB passwords to 100,000's of sites in less than 5 mins, because of poor security, simple server, or port look up and I am in.

    I got hacked and was down for 3 days, just because they could TBH, so I take a control freak's mentality as a result.

    Legal note: I know the law regarding cyber crime and thus the penalities, I have only done penetration testing on my sites, that I own, and 2 others, both of the other site owners gave me permision to do so before hand and no malcious actions where carried out, just a review of site security.
     
  15. philjohns

    philjohns Senior Member

    Thanks guy for the help.

    Jazajay - you sound like there might be a way of doing WITHOUT using the .htaccess file?

    Otherwise - how would I write the ip address block?

    Thanks,

    Phil
     
  16. Jazajay

    Jazajay Active Member

    Now this may be wrong, and if it is, let me know and I'll have another look because I have TBH never needed to use it just learnt it a while ago when I was learning how to set up a web server. But try ~
    PHP:
    <Directory /path/to/your/directory/form/your/root/directory>
    Order Deny,Allow
    Deny from all
    Allow from 255.10.2.3
    </Directory>
    Now what this does is block the directory you reference in the directory line to everyone apart from the user with the IP address 255.10.2.3.

    Now for this to work you will need a static IP address, not a dynamic IP address. If you are not sure if you have a static IP address the chances are you don't, you will have a dynamic one. In which case this wont work due to the fact that your IP address will be slightly different every time you log off the internet.

    Now the way I would do it, is create a log in form that has a user name and password. If the attempt is unsuccessful log the time, if another attempt is made checked the logged time with the current time, if the logged time is less than 30 seconds automatically fail it, this pretty much stops any automated attacks/slows them down considerably, and brute force attacks become a huge long shot due to the added time needed.

    Then if both the user name and password are correct, show a input form.
    Now if you are the only 1 editing it don't give a description of what it does, that way to a hacker it could be anything, but we have a 24 personalized number, that you can just copy and paste from your email, again if it fails go straight back to the first login form and put a 30second time-delay on it. That way every time there after they have to go back through the first form which is time consuming, the chances of them then cracking the second 1 as it is a 24 character sequence well.......

    I would also bring in sha1 encryption on the post variables as well, TBH.

    Then if both forms are correct save in a session variable something obscure like $_SESSION['pussy_cat']="my dog says meow"; Then send the user to admin.php.

    On the top of admin.php, and any page you want to secure, test to see if $_SESSION['pussy_cat'] equals my dog says meow if it doesn't redirect the user back to the first login page. That way if they just access the admin page without going through the login form they just get redirected to the login form.

    Then on the admin.php page have links to files you want to secure. Have a link to the page that allows you to edit that file. That way the only way the file can be edited is via access to the almost perfect login form. It would take a hell of a long time and a very, very dedicated hacker to get round it.

    But what is the file you want to secure and I could advise you further?
     

Share This Page