Solved

Protect access to local web server from unauthorized access (port 80)

Posted on 2014-02-07
8
413 Views
Last Modified: 2014-03-10
Hi,

I have a local web server running on my computer and would like to be able to access it from outside by forwarding port 80.

This works, but now everybody can access it. Is there a why to protect access to the local web server from unauthorized access? I read about .htaccess and .htpassword but that level of protection doesn't meet my standards.

Is there a better / more reliable method available?

Thanks!
0
Comment
Question by:peps03
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 29

Assisted Solution

by:Michael Worsham
Michael Worsham earned 75 total points
ID: 39843495
What is it you're trying to protect? .htaccess / .htpassword is for basic needs.

If you are wanting something a bit more robust, you possible need to look at using PHP and a custom application for such secure needs.

Something else you can try is using a different listening port, so instead of port 80, use something like 4444 -- something not commonly seen as a Apache/WWW server port.
0
 
LVL 33

Assisted Solution

by:shalomc
shalomc earned 200 total points
ID: 39843724
Basic authentication is not as sexy as php login + session cookie.
But it provides exactly the same level of security.
You may throw in SSL. This can serve to protect your login details and data from snooping eyes, and also be used for authentication by certificate. This method is as strong as it gets.
0
 
LVL 35

Accepted Solution

by:
gr8gonzo earned 225 total points
ID: 39844435
1. I disagree that basic authentication provides EXACTLY the same level of security as a PHP session. A PHP session can be configured to be a little more robust than basic authentication (e.g. rotating session IDs, custom checks, combination of Javascript or CAPTCHA to harden against brute force, etc...). You could set it up to be a similar level, but typically it's not done that way.

2. I agree that SSL can help protect the data during transmission. Always a good idea (even if it's self-signed SSL). Client certificate authentication is a little more complex to set up than server-driven SSL, but it -is- indeed, one of the most secure methods you can use for authentication.

3. All that said, it SOUNDS like you just want access to port 80 to be restricted to a given IP address. If that's the case, you can either use a firewall (iptables for Linux or Windows Firewall for Windows are both good choices), or you can implement IP restrictions within your web server configuration using the Allow / Deny directives in your Apache config. The Apache docs have some good examples:

http://httpd.apache.org/docs/2.2/howto/access.html
0
Get proactive database performance tuning online

At Percona’s web store you can order full Percona Database Performance Audit in minutes. Find out the health of your database, and how to improve it. Pay online with a credit card. Improve your database performance now!

 

Author Comment

by:peps03
ID: 39848619
Thanks!

What would be a good way to protect the root and it's sub folders with php?

I think the things you name in point 3 are good options, but i would like to combine one of them with a php security measure.
What would be advisable?

>i think point 2 is too hard to set up for me?
0
 
LVL 29

Expert Comment

by:Michael Worsham
ID: 39852839
0
 

Author Comment

by:peps03
ID: 39894648
A htaccess and htpasswd could password protect the whole server if i place it in the root, as it also works for all (sub)folders.

Could php do that as well? Aren't php security measures moreover intended to secure individual files or websites?

Is it possible to limit htpasswd log in attempts? (as this would be possible with php protection)

Thanks
0
 
LVL 33

Assisted Solution

by:shalomc
shalomc earned 200 total points
ID: 39895505
> Could php do that as well?
Only if the web site is designed from the roots up with this in mind. For example, in a CMS that manages users and had an internal authorization scheme.
When the web site was not designed with authentication and authorization, adding it on afterwards as application logic requires extensive rewrites and modofocations.
htpasswd is completely independent of application logic.

> Is it possible to limit htpasswd log in attempts? (as this would be possible with php protection)
Base authenticatin throws a 403 error back to the browser. By default, browsers will display an error page after several attempts. Using php you could write authentication code that freezes accounts after severl failures, create password resets, add captchas etc. It will be difficult to do the same with basic auth.
0
 

Author Closing Comment

by:peps03
ID: 39917773
Thanks all for your replies!
I'll take all the possibilities into account. Limiting access with ip-tables / firewall sounds good in combination with some other measures.
Thanks
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question