noamkrief
Joined: 12 Nov 2003 Posts: 40
Posted: Fri Nov 14, 2003 12:35 am Post subject: how secure is abyss web server "access control"?
I'm obviously running a webserver. Let's say I'm www.domain.com
I am now storing pretty sensitive files in an unpublished directory in my domain.
Let's say:
www.mydomain.com/files/
Let's say I don't have any links from my website leading to that folder, so basically only I know that folder exists and I MUST type it in manually.
Is there a way people can find out that this particular "files" folder exists?
Also, on top of that, I used "access control" to put a password on that folder.
So, if someone happens to guess that there's a folder called "files", they'd have to enter my username and password.
How secure is abyss webserver "access control"?
I don't suppose it is encrypted, right?
Any comments or suggestions for me?
Thanks
Noam
Karasu Kami
Joined: 22 Sep 2003 Posts: 712 Location: Colorado
noamkrief
Joined: 12 Nov 2003 Posts: 40
Posted: Fri Nov 14, 2003 1:34 am Post subject:
I already have all that: ftp, ssh, sftp, etc. etc., which I can get those files from.
The reason I also have them on the http server is because if I'm on an old computer without a version of IE that's current enough for ftp, I can always just go to the webserver and download the files...
Any answer to my questions?
How secure is my setup as described in the initial post?
thanks
Noam
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Fri Nov 14, 2003 1:45 am Post subject:
Abyss encrypts passwords using MD5 hashes; this is as secure as you make the passwords and as far as you trust the MD5 algorithm. It's used for hashing the passwords on Linux and as the basis for integrity checks like Tripwire and other digital signatures, so I'd say it's pretty trustworthy.
More details from Aprelium here:
http://www.aprelium.com/forum/viewtopic.php?t=2298
More details on MD5:
http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html
The three weak points are how obvious you make the subdirectory and user names and how strong your passwords are.
If you make a subdirectory of /files/ and a user files with pass files, it would be very easy to break in using only a decent-sized dictionary and a tool like WebBrute.
http://www.rawlogic.com/netbrute/index.html
If you used a subdirectory of /topsecrethiddenfilesdirectory/, a user of imsdimd and a pass of 2jdnsdjn!*£4d, then obviously it would be a lot less open to brute force attacks.
Assuming your usernames/passwords aren't obvious, I wouldn't worry too much about making an annoying subdirectory name; you have to consider convenience vs. security.
If someone gained access by other means to your abyss.conf file with the encrypted passwords in it, again, the stronger the password, the longer it would take to crack the MD5 hash with something like John the Ripper.
Note that your HTTP passwords are transferred in plaintext unless you use SSL, so any man-in-the-middle attack will completely circumvent any strong usernames/passwords you have used. Remote FTP is no more secure than standard HTTP for file access unless you use encryption.
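The warning above that HTTP passwords cross the wire in the clear can be checked against a captured request: Basic auth is only base64, not encryption, so anyone on the path reads it directly. The following Python is an added example (not Abyss code and not from this thread); the capture, host name and credentials are constructed, modelled on the names used in the thread, and the scan reports which users' passwords an on-path observer would obtain.

```python
import base64
import binascii
from typing import List


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends for HTTP Basic auth.
    It is base64 of "user:password": an encoding, not encryption."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample capture (not real traffic): three requests exactly as a
# sniffer on the path would see them on plain HTTP. Names and secrets are made up.
CAPTURE = (
    "GET /files/ HTTP/1.1\r\nHost: www.mydomain.com\r\n"
    f"Authorization: {basic_header('noam', 'files')}\r\n\r\n"
    "GET /index.html HTTP/1.1\r\nHost: www.mydomain.com\r\n\r\n"
    "GET /files/id_rsa.ppk HTTP/1.1\r\nHost: www.mydomain.com\r\n"
    f"Authorization: {basic_header('imsdimd', '2jdnsdjn!*$4d')}\r\n\r\n"
)


def find_cleartext_basic_auth(capture: str) -> List[dict]:
    """Scan raw HTTP requests for Basic credentials and report what an
    on-path observer learns. Only the password length is reported,
    because the point is exposure, not reuse of the secret."""
    findings = []
    for request in capture.split("\r\n\r\n"):
        lines = request.split("\r\n")
        if not lines or not lines[0]:
            continue  # empty trailing chunk after the last request
        method, path = lines[0].split(" ")[:2]
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() != "authorization":
                continue
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() != "basic":
                continue
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # malformed header: nothing recoverable, skip it
            user, _, password = decoded.partition(":")
            findings.append({"method": method, "path": path,
                             "user": user, "password_len": len(password)})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_basic_auth(CAPTURE):
        print(f"{f['method']} {f['path']}: user {f['user']!r} exposed, "
              f"{f['password_len']}-char password readable on the wire")
```

Run over the same requests inside an SSH tunnel or under HTTPS, a sniffer between the two ends sees only ciphertext, so the header never appears in what it captures.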
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Fri Nov 14, 2003 1:46 am Post subject:
Just noticed you mentioned you already have SSH - even your old machine should be able to handle Putty to login and transfer the files via SCP :D
noamkrief
Joined: 12 Nov 2003 Posts: 40
Posted: Fri Nov 14, 2003 1:54 am Post subject:
Thank you so very much for all that good info.
Actually, I'm pretty paranoid when it comes to people sniffing because I've seen someone do it and it's amazing how data is transmitted in clear text that can easily be captured...
I use SSL for FTP, and RSA key authentication. The folder I'm talking about currently in this thread actually holds my RSA private key.
If someone gets in that directory, they'd be one step closer to sshing into my server. (Also, even if someone did get my private key, they'd still have to guess my ssh username and the RSA private key passphrase.)
But still, is there a way to encrypt my username and password transfer? Or are we all stuck with clear text sending over the net?
https://???
Thanks again for your very educating response "anonymoose" :) that's funny
Noam
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Fri Nov 14, 2003 2:01 am Post subject:
Sadly Abyss doesn't support HTTPS at the moment :( They have it marked down for the next version. You could combine Putty and the web browser on the old machine to create an SSH tunnel to your webserver though...
On the old machine, open Putty and put the SSH details for your machine into the session panel, then go to Connection / SSH / Tunnels and enter a local port to use in the Source Port box under Add New Forwarded Port, then the address of your webserver into the Destination box, including the port (www.yourdomain.com:80). Select Remote in the box underneath and click Open.
You should now get a login prompt to your SSH - once you've entered your username and password, on the old machine open IE and type http://localhost:sourceportyouselectedinputty
Bingo, SSH encrypted HTTP tunnel to your remote machine.
If your remote machine is behind a router, you might need to enter 127.0.0.1 as the Destination for the tunnel in putty, to request that the remote machine connects back to itself rather than tries to connect out over the web and back through the router, which will fail.
Hope that makes sense?
Sorry for the security 101 in the first post, didn't know how much you already knew :oops:
noamkrief
Joined: 12 Nov 2003 Posts: 40
Posted: Fri Nov 14, 2003 2:25 am Post subject:
heheheh...
I know exactly what you are trying to tell me.
I already use this trick to have secure and encrypted VNC sessions (http://ultravnc.sourceforge.net/).
I set a tunnel through my ssh which brings the server on the localhost :) so cool!
This can also be accomplished by
ssh -L 5901:localhost:5900
from cmd.exe
But your suggestion will not work in my case, since the folder I am trying to reach securely --> http://mydomain.com/sshkeys/ contains my rsakey.pkk, which I need to have in order to connect to my ssh server in the first place using putty :) hehehe, get the dilemma?
My ssh server uses RSA key authentication. It's extremely secure. You must have the private key AND the passphrase.
If I give you my passphrase (which is like a password) it wouldn't do you ANY good since you'd need the private key, which is impossible to recreate.
If you had my private key, you'd have to know my passphrase, which is also nearly impossible.
I guess I'll have to wait for the next version of abyss web server so I can set up https for my folder containing my RSA keys.
Thanks Anonymoose! I appreciate it.
Noam
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Fri Nov 14, 2003 2:40 am Post subject:
Hmm. All I can think of other than SSH tunnels is to create a GPG encrypted self-extracting version of your RSA key and put that in a place accessible by HTTP, then select a secure GPG passphrase for the file... Brainache!
stitch
Joined: 09 Nov 2003 Posts: 49 Location: washington state
Posted: Fri Nov 14, 2003 4:23 am Post subject:
hehehe security 101 is an okay place to start... for the REST of us... 8O