Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Protect access to local web server from unauthorized access (port 80)

Posted on 2014-02-07
8
Medium Priority
?
420 Views
Last Modified: 2014-03-10
Hi,

I have a local web server running on my computer and would like to be able to access it from outside by forwarding port 80.

This works, but now everybody can access it. Is there a why to protect access to the local web server from unauthorized access? I read about .htaccess and .htpassword but that level of protection doesn't meet my standards.

Is there a better / more reliable method available?

Thanks!
0
Comment
Question by:peps03
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 29

Assisted Solution

by:Michael Worsham
Michael Worsham earned 300 total points
ID: 39843495
What is it you're trying to protect? .htaccess / .htpassword is for basic needs.

If you are wanting something a bit more robust, you possible need to look at using PHP and a custom application for such secure needs.

Something else you can try is using a different listening port, so instead of port 80, use something like 4444 -- something not commonly seen as a Apache/WWW server port.
0
 
LVL 33

Assisted Solution

by:shalomc
shalomc earned 800 total points
ID: 39843724
Basic authentication is not as sexy as php login + session cookie.
But it provides exactly the same level of security.
You may throw in SSL. This can serve to protect your login details and data from snooping eyes, and also be used for authentication by certificate. This method is as strong as it gets.
0
 
LVL 35

Accepted Solution

by:
gr8gonzo earned 900 total points
ID: 39844435
1. I disagree that basic authentication provides EXACTLY the same level of security as a PHP session. A PHP session can be configured to be a little more robust than basic authentication (e.g. rotating session IDs, custom checks, combination of Javascript or CAPTCHA to harden against brute force, etc...). You could set it up to be a similar level, but typically it's not done that way.

2. I agree that SSL can help protect the data during transmission. Always a good idea (even if it's self-signed SSL). Client certificate authentication is a little more complex to set up than server-driven SSL, but it -is- indeed, one of the most secure methods you can use for authentication.

3. All that said, it SOUNDS like you just want access to port 80 to be restricted to a given IP address. If that's the case, you can either use a firewall (iptables for Linux or Windows Firewall for Windows are both good choices), or you can implement IP restrictions within your web server configuration using the Allow / Deny directives in your Apache config. The Apache docs have some good examples:

http://httpd.apache.org/docs/2.2/howto/access.html
0
Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

 

Author Comment

by:peps03
ID: 39848619
Thanks!

What would be a good way to protect the root and it's sub folders with php?

I think the things you name in point 3 are good options, but i would like to combine one of them with a php security measure.
What would be advisable?

>i think point 2 is too hard to set up for me?
0
 
LVL 29

Expert Comment

by:Michael Worsham
ID: 39852839
0
 

Author Comment

by:peps03
ID: 39894648
A htaccess and htpasswd could password protect the whole server if i place it in the root, as it also works for all (sub)folders.

Could php do that as well? Aren't php security measures moreover intended to secure individual files or websites?

Is it possible to limit htpasswd log in attempts? (as this would be possible with php protection)

Thanks
0
 
LVL 33

Assisted Solution

by:shalomc
shalomc earned 800 total points
ID: 39895505
> Could php do that as well?
Only if the web site is designed from the roots up with this in mind. For example, in a CMS that manages users and had an internal authorization scheme.
When the web site was not designed with authentication and authorization, adding it on afterwards as application logic requires extensive rewrites and modofocations.
htpasswd is completely independent of application logic.

> Is it possible to limit htpasswd log in attempts? (as this would be possible with php protection)
Base authenticatin throws a 403 error back to the browser. By default, browsers will display an error page after several attempts. Using php you could write authentication code that freezes accounts after severl failures, create password resets, add captchas etc. It will be difficult to do the same with basic auth.
0
 

Author Closing Comment

by:peps03
ID: 39917773
Thanks all for your replies!
I'll take all the possibilities into account. Limiting access with ip-tables / firewall sounds good in combination with some other measures.
Thanks
0

Featured Post

Looking for a new Web Host?

Lunarpages' assortment of hosting products and solutions ensure a perfect fit for anyone looking to get their vision or products to market. Our award winning customer support and 30-day money back guarantee show the pride we take in being the industry's premier MSP.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question