Improve company productivity with a Business Account.Sign Up

x
?
Solved

Protect access to local web server from unauthorized access (port 80)

Posted on 2014-02-07
8
Medium Priority
?
431 Views
Last Modified: 2014-03-10
Hi,

I have a local web server running on my computer and would like to be able to access it from outside by forwarding port 80.

This works, but now everybody can access it. Is there a why to protect access to the local web server from unauthorized access? I read about .htaccess and .htpassword but that level of protection doesn't meet my standards.

Is there a better / more reliable method available?

Thanks!
0
Comment
Question by:peps03
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 29

Assisted Solution

by:Michael Worsham
Michael Worsham earned 300 total points
ID: 39843495
What is it you're trying to protect? .htaccess / .htpassword is for basic needs.

If you are wanting something a bit more robust, you possible need to look at using PHP and a custom application for such secure needs.

Something else you can try is using a different listening port, so instead of port 80, use something like 4444 -- something not commonly seen as a Apache/WWW server port.
0
 
LVL 34

Assisted Solution

by:shalomc
shalomc earned 800 total points
ID: 39843724
Basic authentication is not as sexy as php login + session cookie.
But it provides exactly the same level of security.
You may throw in SSL. This can serve to protect your login details and data from snooping eyes, and also be used for authentication by certificate. This method is as strong as it gets.
0
 
LVL 36

Accepted Solution

by:
gr8gonzo earned 900 total points
ID: 39844435
1. I disagree that basic authentication provides EXACTLY the same level of security as a PHP session. A PHP session can be configured to be a little more robust than basic authentication (e.g. rotating session IDs, custom checks, combination of Javascript or CAPTCHA to harden against brute force, etc...). You could set it up to be a similar level, but typically it's not done that way.

2. I agree that SSL can help protect the data during transmission. Always a good idea (even if it's self-signed SSL). Client certificate authentication is a little more complex to set up than server-driven SSL, but it -is- indeed, one of the most secure methods you can use for authentication.

3. All that said, it SOUNDS like you just want access to port 80 to be restricted to a given IP address. If that's the case, you can either use a firewall (iptables for Linux or Windows Firewall for Windows are both good choices), or you can implement IP restrictions within your web server configuration using the Allow / Deny directives in your Apache config. The Apache docs have some good examples:

http://httpd.apache.org/docs/2.2/howto/access.html
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 

Author Comment

by:peps03
ID: 39848619
Thanks!

What would be a good way to protect the root and it's sub folders with php?

I think the things you name in point 3 are good options, but i would like to combine one of them with a php security measure.
What would be advisable?

>i think point 2 is too hard to set up for me?
0
 
LVL 29

Expert Comment

by:Michael Worsham
ID: 39852839
0
 

Author Comment

by:peps03
ID: 39894648
A htaccess and htpasswd could password protect the whole server if i place it in the root, as it also works for all (sub)folders.

Could php do that as well? Aren't php security measures moreover intended to secure individual files or websites?

Is it possible to limit htpasswd log in attempts? (as this would be possible with php protection)

Thanks
0
 
LVL 34

Assisted Solution

by:shalomc
shalomc earned 800 total points
ID: 39895505
> Could php do that as well?
Only if the web site is designed from the roots up with this in mind. For example, in a CMS that manages users and had an internal authorization scheme.
When the web site was not designed with authentication and authorization, adding it on afterwards as application logic requires extensive rewrites and modofocations.
htpasswd is completely independent of application logic.

> Is it possible to limit htpasswd log in attempts? (as this would be possible with php protection)
Base authenticatin throws a 403 error back to the browser. By default, browsers will display an error page after several attempts. Using php you could write authentication code that freezes accounts after severl failures, create password resets, add captchas etc. It will be difficult to do the same with basic auth.
0
 

Author Closing Comment

by:peps03
ID: 39917773
Thanks all for your replies!
I'll take all the possibilities into account. Limiting access with ip-tables / firewall sounds good in combination with some other measures.
Thanks
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Lease-to-own eliminates the expenditure of hardware replacement and allows you to pay off the server over time. Usually, this is much cheaper than leasing servers. Think of lease-to-own as credit without interest.
What You Need to Know when Searching for a Webhost Provider
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question