LinHES Forums http://forums.linhes.org/ |
|
How To: Make R5F1 httpd more secure (passwords, SSL, etc.) http://forums.linhes.org/viewtopic.php?f=11&t=15796 |
Page 1 of 3 |
Author: | alien [ Fri Jul 06, 2007 3:33 am ] |
Post subject: | How To: Make R5F1 httpd more secure (passwords, SSL, etc.) |
Before you consider opening the httpd ports to the internet, read this. Even if you do this, there are risks. However, you may be going to do it anyway. At least this will improve things.

Note: This assumes that you are using a firewall and opening up only the ssl port (443) to the internet. Don't even think of connecting your mythbox to the internet without a firewall....

Step 0: Consider using ssh tunneling

A safer approach is to not open up any http/https ports to the internet, but instead use ssh tunneling. With ssh tunneling, ssh is used to tunnel all traffic from a port on the remote machine (ex. 8080) to the http port on the mythbox (i.e. 80). Then, going to http://localhost:8080 on the remote machine will be the same as going to http://mythbox except all traffic will go through the encrypted tunnel, bypassing the firewall. The basic steps are:

a. Make sure you have a secure password on your mythtv box.
b. On the firewall, forward a port (ex 800) to the mythbox ssh port (22). DO NOT FORWARD ANY OTHER PORTS TO ENSURE ALL ACCESS IS THROUGH THE SSH TUNNEL.
c. How you run ssh on the remote machine depends on the ssh client you are using. I use the linux ssh on my windows machine after installing www.cygwin.com. To configure it, I add the following lines to the .ssh/config (comments in brackets):
Code:
Host myth.dyndns.org (the firewall ddns name)
Port=800 (the firewall port opened)
LocalForward=8080 localhost:80
d. ssh into the firewall ddns hostname, this will log you into your mythbox.
e. Start a web browser and point it to http://localhost:8080. This will be tunneled to the mythbox:80
f. You can skip the remaining steps, or if you are really paranoid, you can do them too (just remember that https uses a different port).

Step 1: Enable Password Control for Everything

The default config only secures mythweb. This should secure all the other pages available. Edit /etc/apache2/sites-enabled/000-default. Search for the first "AllowOverride" and right before it add the following lines:
Code:
AuthType Digest
AuthName "MythTV"
AuthUserFile /etc/htdigest
Require valid-user
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

Restart the web server (/etc/init.d/apache2 restart) and you should now be requested for a password for all web pages, not just mythweb.

Step 2: Enable SSL

As root, create the self signed certificates:
Code:
mkdir /myth/certs
cd /myth/certs
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
# -> Enter what you want, don't enter a passkey.
# -> "Your Name" can be machine address (www.sitname.net)
openssl x509 -req -days 1001 -in server.csr -signkey server.key -out server.crt
chmod go-rwx . *

In /etc/apache2/sites-available/default, near the top right after the "ServerAdmin webmaster@localhost" line, add the following lines:
Code:
SSLEngine on
SSLProtocol all
SSLCipherSuite MEDIUM:HIGH
SSLCertificateFile /myth/certs/server.crt
SSLCertificateKeyFile /myth/certs/server.key

Edit /etc/apache2/ports.conf and change the port to 443. As root, execute the following commands:
Code:
ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled/ssl.load
ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled/ssl.conf

Restart the web server and you will have to use https://servername to access. Note: http://servername will no longer work.

Step 3: Create a Good UserID/Password for web access

You probably weren't thinking of it at the time, but when you created the mythweb password, it should contain mixed case, letters, numbers and non-alphanumeric characters. If you didn't do this, fix it now:

To create a new password file (overwriting what you created earlier):
Code:
htdigest -c /etc/htdigest MythTV <userID>

To append to the password file with a new userID:
Code:
htdigest /etc/htdigest MythTV <userID>

Step 4: You're Done

You should now have a secure SSL httpd running on port 443 that requires password access to all pages. This should be good enough to open port 443 to the internet.

NOTE: I take no responsibility if someone finds a way in.... If I missed anything, please add it here. |
Author: | spideyk21 [ Fri Jul 06, 2007 5:52 am ] |
Post subject: | |
By george, this is exactly what I was looking for yesterday. Thanks a bunch. Worked like a champ. |
Author: | randomhtpcguy [ Sun Jul 15, 2007 7:02 pm ] |
Post subject: | |
I installed phpmyadmin to tweak the mysql database. I realized that there was no root password for mysql so I created one. Now mythbackup fails. So I removed the mysql root password. Wouldn't this allow a hacker to get to the mysql database through phpmyadmin? Should mysql root have a password? |
Author: | alien [ Mon Jul 16, 2007 2:55 am ] |
Post subject: | |
Maybe I should add that any changes or additions to the web server configuration may introduce security holes (as you have pointed out). I have never used phpmyadmin. Only webmin which runs on a different port that I don't open to the internet. A few questions that might identify the risk(s):

1. Does phpmyadmin run on the same port as the main httpd, or is it like webmin which is running on a different port (http://mybox.com:10000)? If it is a different port, then just don't open this port to the internet.
2. If it is running on the same port, do you have to enter the web account password after the above changes? If so, then it is still relatively safe since a password and SSL are required to access the mysql (assuming mysql is not directly accessible from outside, i.e. only port 443 has been opened to the internet). Still I would recommend only installing this tool when you need it and removing it when you are done.
3. If you can get in to it and make changes without any passwords (ex. the password enabled in step 1 of the instructions) then there is definitely a high risk. You might be able to correct it by looking for the .htaccess files added by phpmyadmin, but I would still be very careful. |
Author: | Too Many Secrets [ Mon Aug 06, 2007 7:41 pm ] |
Post subject: | |
After trying the above instructions (very nicely done) I can't restart apache.
Code:
/etc/init.d/apache2 restart

Gives me
Code:
Forcing reload of web server (apache2)...httpd (no pid file) not running
failed!

I've been googling, but I'm not making sense of this. Any help appreciated. |
Author: | alien [ Tue Aug 07, 2007 2:42 am ] |
Post subject: | |
What version are you using? The instructions are based on R5F1. The error indicates that apache2 is not running. You might try /etc/init.d/apache2 start. Also, make sure you do this as root. |
Author: | Too Many Secrets [ Tue Aug 07, 2007 7:44 am ] |
Post subject: | |
alien wrote: What version are you using? The instructions are based on R5F1. The error indicates that apache2 is not running. You might try /etc/init.d/apache2 start. Also, make sure you do this as root.

Running R5F1 off a fresh install. I tried the 'apache2 start' and still failed. (tried 'apache start' too but nothin.) apache2 restart worked fine after Step 1, it was after Step 2 that I got this "failed". I've gone thru the instructions for Step 2 twice to make sure I got it right. I'm open to suggestions... |
Author: | Too Many Secrets [ Tue Aug 07, 2007 7:58 am ] |
Post subject: | |
Forum is acting funny wouldn't let me edit. But I did run all the above over putty (cut and paste commands) as root. |
Author: | alien [ Tue Aug 07, 2007 9:59 am ] |
Post subject: | |
In that case, it sounds like the server is encountering an error during startup. This might be due to a problem with the keys (if it doesn't have valid keys, it won't start in SSL mode). Can you check the logs? There should be something logged indicating the error. I think there were some apache related logs in /var/log somewhere. I'm traveling again, so I don't have access to my box to check. |
Author: | Harbinger [ Wed Aug 08, 2007 2:02 pm ] |
Post subject: | Security vs. ease of use |
Although it may be more secure that way, I'd think having to enter a password at every page would quickly kill any desire to use the box remotely. Isn't there some way to set up a single, privileged login that would allow secure yet easier access without resorting to constant logins for every page? Another question...if you're using something like a Linksys cable/DSL router and have security set up well on the firewall in that box, is it necessary to have 'shields up' on the Myth box also? |
Author: | Too Many Secrets [ Wed Aug 08, 2007 6:48 pm ] |
Post subject: | |
alien wrote: In that case, it sounds like the server is encountering an error during startup. This might be due to a problem with the keys (if it doesn't have valid keys, it won't start in SSL mode). Can you check the logs? There should be something logged indicating the error. I think there were some apache related logs in /var/log somewhere. I'm traveling again, so I don't have access to my box to check.

Here's the error log repeatedly featuring:
Code:
[Wed Aug 08 17:53:18 2007] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)
|
Author: | alien [ Thu Aug 09, 2007 12:40 am ] |
Post subject: | |
Harbinger wrote: Although it may be more secure that way, I'd think having to enter a password at every page would quickly kill any desire to use the box remotely.

Your web browser will cache the password. It only needs to be entered once. By "password required for all pages" I mean that no pages can be accessed without entering the password once earlier. By default, there are several pages that can be reached directly without ever entering a password.

Too Many Secrets wrote: Here's the error log repeatedly featuring:
Code:
[Wed Aug 08 17:53:18 2007] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

Are you running webadmin? It uses ssl and maybe is conflicting. I did see this error once, but I can't remember what caused it at the moment. |
Author: | Too Many Secrets [ Thu Aug 09, 2007 7:55 am ] |
Post subject: | |
alien wrote:
Harbinger wrote: Although it may be more secure that way, I'd think having to enter a password at every page would quickly kill any desire to use the box remotely.
Your web browser will cache the password. It only needs to be entered once. By "password required for all pages" I mean that no pages can be accessed without entering the password once earlier. By default, there are several pages that can be reached directly without ever entering a password.
Too Many Secrets wrote: Here's the error log repeatedly featuring:
Code:
[Wed Aug 08 17:53:18 2007] [error] Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)
Are you running webadmin? It uses ssl and maybe is conflicting. I did see this error once, but I can't remember what caused it at the moment.

I haven't set up webadmin, so I guess not. |
Author: | alien [ Wed Aug 15, 2007 1:54 am ] |
Post subject: | |
Ooops, my bad. I just got back and had a chance to look again at my setup and the SSLxxx options don't go in httpd.conf. They have to go in the VirtualHost directives. I've updated the instructions above. Don't forget to remove the options in httpd.conf. |
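Added example, not part of any post in this thread or of the LinHES configuration: a small shell linter for the two things the thread turns on, SSLxxx directives placed outside a VirtualHost block (the placement alien corrects above) and the bare `SSLProtocol all` / `SSLCipherSuite MEDIUM:HIGH` values from Step 2. The function names, sample file names and sample contents are constructed for illustration; the second sample uses protocol tokens from a current Apache 2.4, not from R5F1.

```shell
# audit_apache_ssl FILE: print one finding per line, return 1 if any.
audit_apache_ssl() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
    {
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)          # trim whitespace
        if (line == "" || line ~ /^#/) next        # skip blanks and comments
        low = tolower(line)
        if (low ~ /^<virtualhost/)   { in_vhost = 1; next }
        if (low ~ /^<\/virtualhost/) { in_vhost = 0; next }
        n = split(low, f, /[ \t]+/)
        if (f[1] ~ /^ssl/ && !in_vhost) report("SSL directive outside <VirtualHost>")
        if (f[1] == "sslprotocol") {
            all = 0; minus = 0
            for (i = 2; i <= n; i++) {
                if (f[i] == "all" || f[i] == "+all") all = 1
                if (f[i] ~ /^-/) minus = 1         # some version is excluded
            }
            if (all && !minus) report("SSLProtocol all enables every protocol version")
        }
        if (f[1] == "sslciphersuite") {
            m = split(f[n], c, ":")
            for (i = 1; i <= m; i++) {
                sub(/^[+]/, "", c[i])
                if (c[i] ~ /^(medium|low|exp)/) report("SSLCipherSuite admits " toupper(c[i]))
            }
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed samples: SSL options at top level (the httpd.conf placement that
# alien retracts) and the same options inside a VirtualHost with tighter values.
write_samples() {
    printf '%s\n' 'ServerAdmin webmaster@localhost' 'SSLEngine on' \
        'SSLProtocol all' 'SSLCipherSuite MEDIUM:HIGH' > "$1/global.conf"
    printf '%s\n' '<VirtualHost *:443>' '  SSLEngine on' \
        '  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' '  SSLCipherSuite HIGH:!aNULL' \
        '</VirtualHost>' > "$1/vhost.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_apache_ssl "$tmp/global.conf" || echo "global.conf: flagged"
audit_apache_ssl "$tmp/vhost.conf" && echo "vhost.conf: clean"
rm -rf "$tmp"
```

On a real box, point the function at each file Apache loads (httpd.conf, ports.conf and the files under sites-enabled) before restarting.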
Author: | md10md [ Tue Aug 21, 2007 10:49 am ] |
Post subject: | Re: How To: Make R5F1 httpd more secure (passwords, SSL, etc |
alien wrote: Before you consider opening the httpd ports to the internet, read this. Even if you do this, there are risks. However, you may be going to do it anyway. At least this will improve things.
Step 1: Enable Password Control for Everything
The default config only secures mythweb. This should secure all the other pages available. Edit /etc/apache2/sites-enabled/000-default. Search for the first "AllowOverride" and right before it add the following lines:
Code:
AuthType Digest
AuthName "MythTV"
AuthUserFile /etc/htdigest
Require valid-user
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Restart the web server (/etc/init.d/apache2 restart) and you should now be requested for a password for all web pages, not just mythweb.

Is there a way to exempt a directory? I have some folders that have their own form based login and the basic auth method is made redundant. |
All times are UTC - 6 hours |