Solved

Protect access to local web server from unauthorized access (port 80)

Posted on 2014-02-07
8
401 Views
Last Modified: 2014-03-10
Hi,

I have a local web server running on my computer and would like to be able to access it from outside by forwarding port 80.

This works, but now everybody can access it. Is there a why to protect access to the local web server from unauthorized access? I read about .htaccess and .htpassword but that level of protection doesn't meet my standards.

Is there a better / more reliable method available?

Thanks!
0
Comment
Question by:peps03
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 29

Assisted Solution

by:Michael W
Michael W earned 75 total points
ID: 39843495
What is it you're trying to protect? .htaccess / .htpassword is for basic needs.

If you are wanting something a bit more robust, you possible need to look at using PHP and a custom application for such secure needs.

Something else you can try is using a different listening port, so instead of port 80, use something like 4444 -- something not commonly seen as a Apache/WWW server port.
0
 
LVL 32

Assisted Solution

by:shalomc
shalomc earned 200 total points
ID: 39843724
Basic authentication is not as sexy as php login + session cookie.
But it provides exactly the same level of security.
You may throw in SSL. This can serve to protect your login details and data from snooping eyes, and also be used for authentication by certificate. This method is as strong as it gets.
0
 
LVL 34

Accepted Solution

by:
gr8gonzo earned 225 total points
ID: 39844435
1. I disagree that basic authentication provides EXACTLY the same level of security as a PHP session. A PHP session can be configured to be a little more robust than basic authentication (e.g. rotating session IDs, custom checks, combination of Javascript or CAPTCHA to harden against brute force, etc...). You could set it up to be a similar level, but typically it's not done that way.

2. I agree that SSL can help protect the data during transmission. Always a good idea (even if it's self-signed SSL). Client certificate authentication is a little more complex to set up than server-driven SSL, but it -is- indeed, one of the most secure methods you can use for authentication.

3. All that said, it SOUNDS like you just want access to port 80 to be restricted to a given IP address. If that's the case, you can either use a firewall (iptables for Linux or Windows Firewall for Windows are both good choices), or you can implement IP restrictions within your web server configuration using the Allow / Deny directives in your Apache config. The Apache docs have some good examples:

http://httpd.apache.org/docs/2.2/howto/access.html
0
 

Author Comment

by:peps03
ID: 39848619
Thanks!

What would be a good way to protect the root and it's sub folders with php?

I think the things you name in point 3 are good options, but i would like to combine one of them with a php security measure.
What would be advisable?

>i think point 2 is too hard to set up for me?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 29

Expert Comment

by:Michael W
ID: 39852839
0
 

Author Comment

by:peps03
ID: 39894648
A htaccess and htpasswd could password protect the whole server if i place it in the root, as it also works for all (sub)folders.

Could php do that as well? Aren't php security measures moreover intended to secure individual files or websites?

Is it possible to limit htpasswd log in attempts? (as this would be possible with php protection)

Thanks
0
 
LVL 32

Assisted Solution

by:shalomc
shalomc earned 200 total points
ID: 39895505
> Could php do that as well?
Only if the web site is designed from the roots up with this in mind. For example, in a CMS that manages users and had an internal authorization scheme.
When the web site was not designed with authentication and authorization, adding it on afterwards as application logic requires extensive rewrites and modofocations.
htpasswd is completely independent of application logic.

> Is it possible to limit htpasswd log in attempts? (as this would be possible with php protection)
Base authenticatin throws a 403 error back to the browser. By default, browsers will display an error page after several attempts. Using php you could write authentication code that freezes accounts after severl failures, create password resets, add captchas etc. It will be difficult to do the same with basic auth.
0
 

Author Closing Comment

by:peps03
ID: 39917773
Thanks all for your replies!
I'll take all the possibilities into account. Limiting access with ip-tables / firewall sounds good in combination with some other measures.
Thanks
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Have you ever stumbled upon a software that is so great that you just love? It happened to me. Love at first sight. Filezilla Server.   Ok its not the most advanced ftp server I've came across. But its a fairly simple piece of software to get the …
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now