Sorry, been away for a few weeks...

First off, I would be very careful about form based logins. Some are not very secure. For example, it is often possible to still go directly to a sub-page or sub-directory, bypassing the index file that does the login. If possible, I would recommend removing the form based login and using the apache login. If you want to have a different password for the directory, you can create a separate "AuthName" for that directory.

But if you really want to disable authentication for a directory, you can add something like the following to the /etc/apache2/sites-enabled/000-default file:

Alternatively, you can change the AllowOverride to "All" or "Options" and use .htaccess files in the directories to override the authentication.

Again, I want to emphasize that disabling security for any part of the server is a very dangerous thing to do.....

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

Also please note Cecil's warnings at the end of this thread: http://mysettopbox.tv/phpBB2/viewtopic.php?t=16266

The key as always with security is defense in depth (e.g. a secured system behind a good firewall) and taking a system level approach rather than trying to sprinkle magical security pixie dust over random parts and hoping it'll do some good. The steps given here are a start but they're only that.

Good point. I was assuming a firewall when I wrote these instructions. I added a note to the original post to clarify this.

If anyone can add additional ways to secure mythweb, please post it here. Opening anything up to the internet is a risk, but I suspect mythweb is so cool, people are going to want to show it off anyway. Anything to reduce the risks would help....

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

Another "kudo" to tjc. This is priceless

Hello!

I'd like to achieve the following:

1. NO ONE can access ANY of my webpages except the mythbox itslef. Not even on my local network!

2. If I want to access any of my webpages, i simply ssh tunnel.


I have ssh and my router configured and I know I can ssh tunnel to the mythbox.

So my questions are:

a. Do I have to do anything to achieve point 1 above or is it the default with R5F27?
(and how do I check that??)

b. If I achieve 1 and 2 above, then hacking my box using the web is out of question and my only concern re security should be to secure my ssh session(s), right? Are there any other security issues I should worry about?

c. If I use ssh tunneling, then do I still need to use SSL and/or setup passwords?

d. Does anybody see anything wrong with using 1 and 2 above to access mythweb, my music, and my photos?

Thanks!!

You could restrict http to only be accessible from the local host. Then use ssh tunneling to access it.

man ssh and man sshd will tell you about tunneling. You will probably have to go googling to find out how to restrict httpd to only allow connections from localhost ("apache localhost access" might find it).

Note that in my experience using X tunneling, it slows things down considerably. However, this may not be as big an issue for http as it is for X.

[EDIT] Just saw your other posts and I thought I should clarify what I mean by ssh tunneling. I'm referring to forwarding a port on the remote machine (ex. 8080) through ssh to the mythbox (ex. 443 or 80). The connections then appear local on the mythbox. Again, search on tunnel in man ssh for more info.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

I added a "Step 0" describing ssh tunneling as I think this is actually a better way to secure http/https. The remaining steps can still be followed for those that are really paranoid

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

Could somebody more familiar with linux security issues comment my intentions presented in this thread: http://www.mysettopbox.tv/phpBB2/viewtopic.php?t=17129 ?

Thanks, es4PM

I skimmed the iFolder install instructions and it basically disables all the apache security described here for the iFolder directories. You would have to trust iFolder for it's own security. I can't comment on iFolder's security.

Generally, I don't trust an application that bypasses a perfectly usable security framework (apache) to implement its own. An application usually does this for a reason, and that reason is often to relax restrictions. I just realised I commented....

Using ssh tunneling (step 0) is, however, still relatively secure as as all external access must go through the protected tunnel.

_________________
ASUS AT3N7A-I (Atom 330)
TBS 8922 PCI (DVB-S2)

Alien,
I've used your instructions in the first post and it all works beautifully. Your solution feels a lot better than the method suggested in the wiki.

Thanks!
/Chris

P.S. The Microsoft geeks at the office are stunned.

_________________
LinHES R8.6.1
BE: AMD64X4, 4GB, Hauppauge usb tuners
FE1: Gigabyte F2A85X-UP4, nVidia GT640
FE2: Gigabyte GA-MA69GM-S2H, AthlonX2 4850E 2.5 GHz, 1GB, ASUS GEFORCE 7200GS 256MB
FE3: Asus Eeebox410

Hi,

Is there any advantage to using a port <1024 or any danger to using a port >1023? ie, https:/url:808x ?

Thanks
Mike

From http://www.iana.org/assignments/port-numbers :
So, if you install/configure some other network application you may stumble into it's port number/range. I personally have not had any issues in the 8500 and above range, you just need to be aware of the other services running on your network.

Hi,

Ya, read all that also I didn't think it made any difference security wise.

Thanks
Mike

Mike,

From a security standpoint I believe the only thing you gain is "Security by Obscurity" (which, of course, isn't security at all ). Move your SSH port and people will have to spend more time tracking it down if they are trying to hack you...

Hi,

The original point / question was, is there any difference security wise above / below port 1023..as the first 1024 ports are considered special?

Once I have set up my KM, the first thing I do is apt-get install firestarter and as soon as it is installed, it comes up running and everything external is blocked.

IF I need / want to do an ssh or https then I open only what I have to open. Of course this is all under the department of redundency as my boxes are also behind a hardware firewall anyway but I do it for practice and to learn.

I would rather have to do the dance to open an access than to go through the process of trying to secure it after the fact. And firestarter also works with dialup

Thanks for all the info, I keep trying to learn.
Mike