11-19-2012, 03:52 AM   #1
bobross419
Apache Security - Pros and Cons of htaccess?

I've been doing quite a bit of reading lately on how to harden my server. One of the things that I've come across is that you should disable htaccess completely; however, I've also seen quite a few different places advising to use htaccess settings to increase security (password protecting directories, for example). There is also at least one WordPress security plugin that comes highly recommended that requires htaccess enabled to prevent certain things.

I'm leaning towards enabling htaccess and taking advantage of some of the extra security features, but wanted to get some feedback before going this direction. Mainly, does anyone have any experience with this and which option gives better security?

Thanks,
Bob
__________________
"We don't make mistakes here, we just have happy accidents... If you want sad things, watch the news. Everything is possible here. This is your little universe."

-Bob

http://railrockit.com/ "Just Rock It to Lock it"
11-19-2012, 02:52 PM   #2
KillerBee

Lots of "it depends", but mainly: if it's only a one-time change, then placing the directives in the main server config file is better for security and performance.
11-19-2012, 08:41 PM   #3
Nothinman

I would say it depends on your server's usage and users' access. It's been a while, but I believe you can change a significant number of Apache settings via .htaccess files, not just authentication, so if you have users that you don't trust much it would make sense to restrict access. If it's just you and you're confident in the rest of your setup's security, it probably shouldn't be a problem.
__________________
http://www.debian.org
11-20-2012, 06:32 AM   #4
VinDSL

I've run web sites since the last century, and couldn't live without .htaccess.

Really, the best way to harden your site is to try to hack it yourself.

Whatever software you decide to use, pretend you're a blackhat, go to all the hacker sites, pick up the latest vulns, and run them against yourself.

If one (or more) of them work, figure out how to harden your site against these exploits.

.htaccess is essential for protecting your site(s) against attack.

If someone sneaks past the protection and defaces your server, pore over your logs line by line. I usually get 75k-100k page views a day. Going over the logs can take a couple of days, but eventually you'll figure out exactly how they did the deed. Logs provide a beautiful paper trail. Then, patch against the weak spots.

Anyway, yes, run .htaccess, by all means. And keep after the perps. It's a never-ending battle! My .htaccess files are several hundred lines long.
__________________
.:: ABLē | Vin's Place | Vin's AnandTech Search | Vin's System Rig
Listen to people who fail. They know what they're talking about.

Last edited by VinDSL; 11-20-2012 at 06:35 AM.
11-20-2012, 09:16 AM   #5
sourceninja

The main issue with .htaccess is that typically those files have different permissions than your main apache config files.

This means it may be possible for non-admins to write these files and thus 'undo' all of your security. If you need to do something that is temporary, .htaccess is a good place to do it; if you need to do something more permanent, just put it in your /etc/apache/sites-available/sitename (or httpd.conf, or whatever your server calls it).

Personally I don't use .htaccess files on production systems, but we use them on all development systems (to let devs write their own rules).
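The permission problem sourceninja describes is easy to audit for. The following Python script is an added example (not from this thread): it walks a document root and reports .htaccess files that someone other than the admin could rewrite (not owned by the admin uid, group/world writable, or a symlink), plus directories where a non-owner could create a brand-new .htaccess. The demo() tree, its modes and its file contents are constructed for illustration.

```python
import os
import stat
import tempfile

HTACCESS = ".htaccess"
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def find_risky_htaccess(docroot, admin_uid):
    """.htaccess files a non-admin could tamper with: symlinks, files not
    owned by admin_uid, or files writable by group/other."""
    risky = []
    for dirpath, _subdirs, files in os.walk(docroot):
        if HTACCESS not in files:
            continue
        path = os.path.join(dirpath, HTACCESS)
        st = os.lstat(path)   # lstat: do not follow a symlinked .htaccess
        if (stat.S_ISLNK(st.st_mode) or st.st_uid != admin_uid
                or st.st_mode & WRITABLE_BY_OTHERS):
            risky.append(path)
    return sorted(risky)

def find_droppable_dirs(docroot):
    """Directories where group/other can create files, i.e. where a
    non-owner could drop a new .htaccess that Apache would then honour."""
    return sorted(d for d, _s, _f in os.walk(docroot)
                  if os.stat(d).st_mode & WRITABLE_BY_OTHERS)

def demo():
    """Audit a constructed document root built in a temp dir; returns
    (risky_files, droppable_dirs) relative to that root."""
    root = tempfile.mkdtemp(prefix="docroot-")   # created 0700, not flagged
    layout = {  # subdir: (.htaccess mode or None, directory mode)
        "safe": (0o644, 0o755),      # admin-owned, owner-only write
        "loose": (0o664, 0o755),     # group-writable .htaccess
        "uploads": (None, 0o1777),   # world-writable dir, no .htaccess yet
    }
    for name, (fmode, dmode) in layout.items():
        d = os.path.join(root, name)
        os.mkdir(d)
        if fmode is not None:
            p = os.path.join(d, HTACCESS)
            with open(p, "w") as fh:
                fh.write("Options +Indexes\n")   # constructed content
            os.chmod(p, fmode)
        os.chmod(d, dmode)
    rel = lambda paths: [os.path.relpath(p, root) for p in paths]
    return rel(find_risky_htaccess(root, os.getuid())), rel(find_droppable_dirs(root))
```

Anything the audit flags is a candidate for moving into the main server config, where (as the thread notes) only the admin can write it; for directories that need no per-directory overrides, setting AllowOverride None in the main config makes any dropped .htaccess inert.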
11-20-2012, 06:05 PM   #6
Red Squirrel

If you are offering hosting and block .htaccess you'll have a lot of unhappy customers. There are many things you can do, such as error documents, or forcing a file to act as another MIME type (ex: I have a file with no extension that I force to act as PHP, so it's like a virtual folder; it's good for SEO). If you want to block htaccess, then find out what type of things people are using it for and make sure those options are in the user's control panel and can be backed up easily.
__________________
~Red Squirrel~
486dx2 @66Mhz turbo, 8MB ram, 512MB HDD, sound blaster 16 + 2x cdrom, Trident 1MB video card @ 640*480, 56k high speed modem.
11-23-2012, 02:10 PM   #7
beginner99

Quote:
Originally Posted by VinDSL
I've run web sites since the last century, and couldn't live without .htaccess.

Really, the best way to harden your site is to try to hack it yourself.

Whatever software you decide to use, pretend you're a blackhat, go to all the hacker sites, pick up the latest vulns, and run them against yourself.

If one (or more) of them work, figure out how to harden your site against these exploits.

.htaccess is essential for protecting your site(s) against attack.

If someone sneaks past the protection and defaces your server, pore over your logs line by line. I usually get 75k-100k page views a day. Going over the logs can take a couple of days, but eventually you'll figure out exactly how they did the deed. Logs provide a beautiful paper trail. Then, patch against the weak spots.

Anyway, yes, run .htaccess, by all means. And keep after the perps. It's a never-ending battle! My .htaccess files are several hundred lines long.
What's the advantage vs. putting config in the Apache config? I don't see the point outside of shared hosting, and my common sense tells me that a site is more secure without .htaccess (e.g. stuff in the main config) than with them. AFAIK it is normally recommended to put all config in the Apache config and not htaccess.
11-23-2012, 09:21 PM   #8
Red Squirrel

Quote:
Originally Posted by beginner99
What's the advantage vs. putting config in the Apache config? I don't see the point outside of shared hosting, and my common sense tells me that a site is more secure without .htaccess (e.g. stuff in the main config) than with them. AFAIK it is normally recommended to put all config in the Apache config and not htaccess.
Static config should be in the config file, but user config or config that is specific to a folder can be in .htaccess.

Yes it's more secure to run without .htaccess. It's even more secure if you close port 80.

One thing to watch for though is anything that allows a user to upload files, make sure they cannot create a file called .htaccess (ex: a picture upload site or something). Normally when I code a system like that I give my own file name and don't use the user supplied one.
__________________
~Red Squirrel~
486dx2 @66Mhz turbo, 8MB ram, 512MB HDD, sound blaster 16 + 2x cdrom, Trident 1MB video card @ 640*480, 56k high speed modem.
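Red Squirrel's last point, that an upload feature must never let the user's chosen filename become the stored name, as an added Python example (not code from the thread): the server picks a random name itself and takes only a single allow-listed extension from the upload, so '.htaccess', a path-traversal name, or a double extension like 'a.php.jpg' can never end up on disk under that name. ALLOWED_EXTENSIONS and the test filenames are constructed for illustration.

```python
import os
import secrets

# Extensions the site actually serves as static uploads; anything else is refused.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

def server_side_name(user_filename, allowed=ALLOWED_EXTENSIONS):
    """Choose the on-disk name ourselves: a random hex token plus ONE
    allow-listed extension. The user-supplied name is consulted only for
    that extension; '.htaccess' (no stem), 'x.php' (bad extension) and
    'noext' (no extension) are all refused, while '../shell.php.jpg'
    is stored as <token>.jpg with the dangerous middle part discarded."""
    base = os.path.basename(user_filename.replace("\\", "/"))
    stem, sep, ext = base.rpartition(".")
    ext = ext.lower()
    if not sep or not stem or ext not in allowed:
        raise ValueError("upload refused: unsupported or missing extension")
    return f"{secrets.token_hex(16)}.{ext}"

def is_refused(user_filename, allowed=ALLOWED_EXTENSIONS):
    """True when server_side_name() would reject this upload name."""
    try:
        server_side_name(user_filename, allowed)
    except ValueError:
        return True
    return False

def is_safe_stored_name(name, allowed=ALLOWED_EXTENSIONS):
    """Last-line check a storage layer can run before writing: no leading
    dot (rules out .htaccess/.htpasswd), no path parts, exactly one
    extension, alphanumeric stem."""
    if not name or name.startswith(".") or "/" in name or "\\" in name:
        return False
    parts = name.split(".")
    return len(parts) == 2 and parts[0].isalnum() and parts[1] in allowed
```

Pairing this with AllowOverride None on the upload directory in the main Apache config gives a second layer: even if some other bug writes a .htaccess there, Apache will not read it.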