Gossamer Forum

Password Protecting THe Admin Dir Is Here!!

Quote Reply
Password Protecting THe Admin Dir Is Here!!
Hi all, well, here goes another mod to password protect the admin dir. To better understand it, try and do something in my admin dir at
http://www.net-freebies.com/search/admin/ You will be asked for a password before you are allowed entrance. To let you see it work in action, here is the pass: temppass
First try a fake one; it won't let you have access.
I quote from Alex's post.
I said "Couldn't you add something like Password Please?"
Here is what he said:
"Of course, but you know how many people leave the default password in, or do not
set up the program properly? I've had someone complain to me that their Links
directory got wiped out by a hacker, turned out they didn't password protect their
directory as suggested in the readme."
By default the password is blank; if it sees this it will say Please Tell Me your Password. Try it out and let me know what ya think. I'll make the mod instructions in a few.
Thanks
Joey
PS Alex, no harm intended in what you said, just trying to express some of the benefits of the mod.

------------------
Links is HOT! Get it and you will LOVE IT!
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
PS, if you run into errors it's not the scripts. I got the data files chmoded to 555. That way no one can delete/add anything (that's what password protecting is about, right?).
Thanks
Joey
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Looks good to me.

Where can I get the mod?

Thanks,

John
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Correct me if I'm wrong but you don't need a mod to password protect the admin area, correct?
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
That is correct.

It is actually redundant cause you can have the web server protect the admin directory.

John
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Your best bet is to use .htaccess; however, some people can't figure it out, their server doesn't support it, or something. Still writing the instructions, but should be done in a bit.
Thanks
Joey
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Here's the URL
http://www.net-freebies.com/...ro/protect_admin.htm I'm changing the password to my admin dir, so the temppass will no longer work. Also I'm only listing the instructions for a simple modification (still be like the one I can though) but won't check for a blank pass and say before you have access to your admin dir you must Please Tell Me Your Password! I'm still writing the instructions for the advanced one.
Thanks
Joey
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
But watch out for the wily hacker who knows Links and can go directly to:

http://www.net-freebies.com/...i?display=navigation

;)

Cheers,

Alex
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Man, thanks Alex. Well, I guess we could just rename those to our secret words! I completely forgot that part.
Thanks
Joey
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Make life simple, just password protect your admin directories and its associated files; that way no one can get in or run any of the scripts within the protected directory.

I still don't understand why we need that Joey Bost mod to password protect a single script.

John
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Protecting your admin directory with a script like that leaves many security problems. Calling admin.cgi with a parameter is one, and also none of your data files are protected. Though I can't necessarily modify things, I can use nph-build.cgi, I can also view your links database, sites awaiting validation, your links.cfg, and even more dangerous the e-mail addresses of the people who submit sites to you. You really have to password-protect the entire admin directory.
If you're installing scripts like Links, you should probably know how to use .htaccess, but if not you can use a script like the one below.

Just call it like makeht.cgi?username/password, but beware, it will overwrite any current .htaccess, .htpasswd files in that directory. Sorry, this is a long post ;).

makeht.cgi:
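#!/usr/bin/perl
# makeht.cgi - writes .htaccess and .htpasswd into the script's directory.
# Call as makeht.cgi?username/password. Overwrites any existing files.
# Remove it from the server once the files exist: anyone who can request
# it can replace the stored credentials.
use strict;

print "Content-type: text/html\n\n";

# Work out the current directory: `pwd` on Unix, Cwd where it is installed.
my ($pwd, $cwd) = ("", "");
if (!-e "C:/") {
    $pwd = `pwd`;
    chomp $pwd;
}
if (eval { require Cwd; 1 }) {
    $cwd = Cwd::cwd();
}
my $dirname = ($pwd eq "") ? $cwd : $pwd;

my ($uname, $pword) = split(/\//, $ENV{'QUERY_STRING'} || "");
$uname = "" unless defined $uname;
$pword = "" unless defined $pword;

if ($dirname eq "") {
    &dienice("Error determining directory");
}
# A ':' or whitespace in the name would corrupt the .htpasswd line.
if ($uname eq "" || $uname =~ /[:\s]/) {
    &dienice("Error determining username");
}
if ($pword eq "") {
    &dienice("Error determining password");
}

# crypt() with a random two-character salt rather than a fixed one.
my @saltchars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
my $salt = $saltchars[rand @saltchars] . $saltchars[rand @saltchars];
my $cpass = crypt($pword, $salt);

# AuthName must be quoted because the realm contains a space.
open(HTACC, ">.htaccess") or &dienice("Error opening htaccess");
print HTACC qq~AuthName "Links Admin"
AuthType Basic
AuthUserFile $dirname/.htpasswd
require valid-user
~;
close(HTACC);

open(HTPWD, ">.htpasswd") or &dienice("Error opening htpasswd");
print HTPWD "$uname:$cpass\n";
close(HTPWD);

print "Complete. Username: " . &escape($uname) . " Password: " . &escape($pword)
    . " Encrypted Password: " . &escape($cpass);

# HTML-escape values that came from the query string before echoing them.
sub escape {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

sub dienice {
    my ($msg) = @_;
    print "<h2>Error</h2>\n";
    print $msg;
    exit;
}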
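An added example, not part of the post above or of Links: the exposures that post lists (admin.cgi called with a parameter, nph-build.cgi, links.cfg and the data files) all appear in the web server's access log as successful requests under the admin directory with no authenticated user. The Python below flags them in Common Log Format lines; the log lines, the /links/admin/ prefix and the data/links.db path are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident authuser [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

def unauthenticated_admin_hits(lines, protected_prefix="/links/admin/"):
    """Return (host, target, status) for 2xx answers under the protected
    prefix that carry no authenticated user ('-' in the authuser field)."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        # Normalise ./ and ../ so an oddly spelled path is still recognised.
        path = posixpath.normpath(unquote(urlsplit(m["target"]).path)) + "/"
        if (path.startswith(protected_prefix)
                and m["user"] == "-"
                and m["status"].startswith("2")):
            findings.append((m["host"], m["target"], int(m["status"])))
    return findings

# Constructed sample log (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/1999:10:00:01 +0000] "GET /links/admin/admin.cgi?display=navigation HTTP/1.0" 200 1834',
    '192.0.2.10 - - [01/Jan/1999:10:00:09 +0000] "GET /links/admin/links.cfg HTTP/1.0" 200 5120',
    '198.51.100.7 - admin [01/Jan/1999:10:02:00 +0000] "GET /links/admin/admin.cgi HTTP/1.0" 200 2200',
    '192.0.2.44 - - [01/Jan/1999:10:03:00 +0000] "GET /links/admin/nph-build.cgi HTTP/1.0" 401 0',
    '192.0.2.44 - - [01/Jan/1999:10:03:30 +0000] "GET /links/pages/Cool/index.html HTTP/1.0" 200 900',
    '192.0.2.44 - - [01/Jan/1999:10:04:00 +0000] "GET /links/./admin/data/links.db HTTP/1.0" 200 40960',
]

if __name__ == "__main__":
    for hit in unauthenticated_admin_hits(SAMPLE_LOG):
        print(hit)
```

With server-level protection covering the whole directory, every line under the prefix should show either a user name or a 401; any hit from this check means part of the directory is still served without a login.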
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
I'm going to be using .htaccess. The data files won't be world-readable (they'll be where no one can access them, not in the root web); the admin dir will be completely on another domain. I'm just testing out the beta, so there's no reason to get worried about security issues. I wrote that mod so the people that didn't have .htaccess or didn't know how to do it (it took me a long time to figure it out) would have some sense of security. As far as the data files and the other stuff, they're chmoded to 777, that's why you could see them. After I get the testing done, there would be no possible way to look at anything, except for the pages being built.
Thanks
Joey
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
95% of the Web runs on either Apache or IIS. Apache obviously supports htaccess, and I'm not sure about IIS's password-protection mechanism. Certainly, a simple password form is better than nothing, but if you have Apache you really should use htaccess.
I understand htaccess is a little difficult... use the script above :).

However, with that method you CAN read the data files. The Perl scripts have to be able to read (and often write to) the data files, and they run as user nobody. I browse the web as something close to user nobody, and in general if a script can read it, so can someone browsing the web. You would have to chmod it 770 for you not to be able to access it from the web, and with that setting the script couldn't access it either.


Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Yes, I see your point. I meant to say like, my home folder, which is only accessible by FTP or Telnet using my username/pass, is /usr/joey, and the world-readable dir is /usr/htdocs, so after I get through testing any scripts that use data, the data dir would be something like /usr/joey/data/scripname **especially data with email addresses**. The admin dir will be on the same server, but another domain name.
Quote: "However, with that method you CAN read the data files". If your server has 2 different directories like mine, I really would suggest you do like what I do when you get through testing **there are people that have the time to keep typing in passes**. Then yet there's another reason: most hosting companies stuff their servers with a lot of people, most don't even charge anything or verify anything before they give away **100%** access to your **entire** site. What I mean is anyone can just say "host me" to get a pass, then log in, cd into your directories, and view any files, but if they're in your home dir they can't (least that's the way it is on my server).
Thanks to Alex, thought about if they knew Links they could just go to admin.cgi?diplay=side; that script has been completely rewritten, now it requires cookies (will be replacing it shortly).
Thanks
Joey
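An added example, not from any poster or from Links: the two points made in the posts above (a data file inside the web root can be fetched by a browser unless the server itself guards it, and 777 data files are open to everyone on a shared host) turned into a check over a directory tree. The suffix list, the sample layout and the assumption that the server honours .htaccess files (AllowOverride) are assumptions of the example.

```python
import os
import stat
import tempfile
from pathlib import Path

SENSITIVE = {".db", ".cfg", ".pl"}   # assumed data/config suffixes

def is_protected(directory, docroot):
    """True if directory, or an ancestor up to docroot, has an .htaccess
    containing a 'require' line."""
    while True:
        ht = directory / ".htaccess"
        if ht.is_file() and any(line.strip().lower().startswith("require ")
                                for line in ht.read_text().splitlines()):
            return True
        if directory == docroot:
            return False
        directory = directory.parent

def audit(docroot):
    """Return sorted (relative path, problem) pairs for files under docroot."""
    docroot = Path(docroot).resolve()
    findings = []
    for root, _dirs, files in os.walk(docroot):
        here = Path(root)
        covered = is_protected(here, docroot)
        for name in files:
            path = here / name
            rel = path.relative_to(docroot).as_posix()
            if stat.S_IMODE(path.stat().st_mode) & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if not covered and path.suffix in SENSITIVE:
                findings.append((rel, "served without authentication"))
    return sorted(findings)

def build_sample_tree():
    """Constructed layout: admin/ is protected, data/ sits beside it."""
    root = Path(tempfile.mkdtemp())
    files = {"links/admin/.htaccess": ("require valid-user\n", 0o644),
             "links/admin/links.cfg": ("# config\n", 0o644),
             "links/data/links.db": ("1|Example|...\n", 0o777),
             "links/search.cgi": ("#!/usr/bin/perl\n", 0o755)}
    for rel, (text, mode) in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
        path.chmod(mode)
    return root
```

A data directory kept outside the web root, as described in the post above, never appears in this walk at all, which is the stronger arrangement.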
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
I used the code that elv made to protect a directory but need to know how to call the script to access a page in the directory. Could you email me the answer? I have the directory password protected but how can I access the admin/index.html now from a browser? What is the exact address I need to place into the location window to access it?
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Server-based protection protects the entire directory automatically - this means that you go to the same URL as always, and your browser will pop up a box asking for a username and password. If it doesn't... either your server doesn't support .htaccess, or your server doesn't like the .htaccess that script generates (for some reason, I haven't been able to password protect directories using any method on my Win95 computer and Apache, but Apache on Unix works like a charm).
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Joey and all,

The best security you can get is on an NT Server.

If you look at http://karaim.net/testweb

you will see nothing no matter what you do, because I use FrontPage98, and with this software I can add security to any directory with just a few mouse clicks, because FrontPage works with the server itself, and the site I mentioned above is protected, NOT BY ANY SCRIPT but by NT itself.

Now that is what I call security.

Scripts can run there and execute there but files cannot be seen by users without passwords and it also does not allow a script on a remote server to access this directory I called testweb.

You can protect a complete website this way, or just a directory or both.

NT as some of you know has Government C2 security and that is why most of the Federal institutions are switching to NT....
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Hey guys:

I posted a request in the other forum but I will also add it here. I am having a strange problem with Links and password protecting the admin directory. (As for NT, I will take Linux running Apache over NT any day of the week.)
When I password protect the admin directory the following problem occurs on my web site: when a visitor clicks on either the What's Cool link or the link tree section on the Links web pages, a password window pops up. You can just click cancel and the page will load, but I do not want visitors to see this. Any ideas on a way to stop this from happening?

I am using Megalinks on an Apache server running Linux Red Hat 5.

This is driving me nuts; any advice you guys could give me would be greatly appreciated.

I was thinking of moving the admin directory to another section of my server (a directory only I know) and leaving it unprotected, but I am not so sure about that and uneasy about it.
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Hi

The Cool and links tree directories are not under my admin directory. I have links installed exactly how it is distributed with the admin directory under the links directory. When I password protect the admin directory then go and browse my web site I get a password box when I click the cool or links tree link. I do not know what is triggering this window to pop up. Any ideas on how to solve this problem?
The only thing I can think of that would be causing this is that one of the .cgi files in the "links" directory is calling something in the "admin" directory and causing the password popup, for example the call to require the site_html.pl file. What do you guys think?

[This message has been edited by toughpick (edited January 01, 1999).]
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Guys

What would I need to change to move the admin scripts out of the links directory? Maybe I can solve the problem by just moving it away from the links directory.

[This message has been edited by toughpick (edited January 01, 1999).]
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
toughpick,

I may be completely wrong, but this is just the obvious answer I thought of, but from the sounds of it, your links tree and cool directories are sub-directories of your admin dir. Where are your cool and linkstree directories?
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Ah yes, FrontPage will password protect the directories alright, but anyone who uses FrontPage knows that the password is in the file domain.com/_vti_pvt/service.pwd. Any would-be hacker could easily take and decode the password. I use FrontPage, but I make sure not to use any FrontPage passwords.
Thanks
Joey
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Hello !

I need some help. I need to find a way to protect my admin dir. My host told me that I don't have any Telnet access and .htaccess won't work without it. So how can I protect my admin directory in a secure way?

Thanks

Stefan
Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
Stefan,

While you may need Telnet to login to a shell account, it is not necessary to create .htaccess/.htpasswd files. You can create, for example, the .htaccess file on your own computer and then upload it via ftp. The problem then becomes how to create the .htpasswd file that the .htaccess file points to.

The CGI Resource Index has a number of scripts available that allow you to create and manage both files. Some are shareware while a few are freeware. Point your browser to http://www.cgi-resources.com/...Password_Protection/ to see what is available.

I hope this helps.

------------------
Bob Connors
bobsie@orphanage.com
www.orphanage.com/goodstuff/
goodstufflists.home.ml.org/
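An added example, not from the post above or from the scripts it links to: one way to build both files on your own computer before uploading them by FTP, in Python with only the standard library. It writes Apache's salted `$apr1$` MD5 format rather than the crypt() format used by makeht.cgi; the function names, the realm and the server path used when calling it are assumptions.

```python
import hashlib
import secrets
from pathlib import Path

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_hash(password, salt=None):
    """Apache's salted MD5 ($apr1$) scheme, 1000 rounds."""
    salt = salt or "".join(secrets.choice(ITOA64) for _ in range(8))
    pw, sb = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    for left in range(len(pw), 0, -16):
        ctx.update(final[:min(16, left)])
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):
        parts = [pw if i & 1 else final]
        if i % 3:
            parts.append(sb)
        if i % 7:
            parts.append(pw)
        parts.append(final if i & 1 else pw)
        final = hashlib.md5(b"".join(parts)).digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    text = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4)
                   for a, b, c in order)
    return f"$apr1${salt}${text}{_to64(final[11], 2)}"

def write_htfiles(out_dir, server_dir, user, password, realm="Links Admin"):
    """Write both files into out_dir; server_dir is the path on the host."""
    if not user or any(ch in user for ch in ":\r\n"):
        raise ValueError("user name must not be empty or contain ':' or newlines")
    out = Path(out_dir)
    (out / ".htaccess").write_text(
        f'AuthName "{realm}"\nAuthType Basic\n'
        f"AuthUserFile {server_dir}/.htpasswd\nrequire valid-user\n")
    (out / ".htpasswd").write_text(f"{user}:{apr1_hash(password)}\n")
    return out / ".htaccess", out / ".htpasswd"
```

Where Apache's own htpasswd tool is available, its -B option stores a bcrypt hash, which is the stronger choice.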


Quote Reply
Re: Password Protecting THe Admin Dir Is Here!! In reply to
toughpick: your problem sounds very odd. Try deleting your .htaccess and .htpasswd files, make sure you no longer get asked for a password. Then recreate them, as per the instructions linked to from the Links 1.1 readme (hoohoo.ncsa.uiuc.edu is the site, I think). Make sure you have something like

<LIMIT GET PUT>
require user toughpick
</LIMIT>

of course that may be the wrong syntax, I haven't memorized it, but it's something like that.

And as to NT servers, in my somewhat uneducated opinion they are far less secure than Unix servers. First, I am quite certain that Frontpage can password-protect directories on UNIX/Apache with the Frontpage extensions just as easily. Also, read Joey Bost's post to see how insecure that can be. Apache, of course, has built-in encrypted password protection that doesn't involve any scripts, via the .htaccess function (which seems to do exactly what NT was described as doing in a post above). I believe those passwords are encrypted with the federal Digital Encryption Standard (DES), which doesn't pose any major security risks unless the NSA tries to crack it.

Also, there is a script for NT that, uploaded to a server, will crash it. No such script exists for Unix/Apache. Of course, I could go on talking about the advantages of Unix (multiuser from the ground up, easy remote shell-based access, far faster than Windows when compared on a particular system), but I believe that Unix is certainly just as secure as NT. After all, 70% of the Web runs on Apache.