I've got a classifieds website...
As you may imagine, like a website owner (administrator) I have to sometimes remove classifieds, edit them and so forth.
I've my very own Linux server, with root access offcourse.
Presently I've got a portion of this site with all of administrative php scripts that we use to get rid of classifieds, edit them etc:
/www/adm/ //Location of administrative tools
This above remains safe and secure today with a simple authentication using apache2.conf file:
<Directory /var/www/adm> AuthType Basic AuthName "Adm" AuthUserFile /path/to/password Require user username </Directory>
My real question is, is enough to avoid outsiders use of my administrative tools?
Because it might be devastating if somebody using the wrong intentions got their on the job these power tools. They'd have the ability to remove all records from the databases... I actually do have backup copies, but this means a lot of work...
What's usually completed in cases such as this?
Only factor I'm able to think about is upload the administrative scripts whenever I intend on with them, after which take them off in the server after with them.
Additional information which will let you decide what solution I ought to use:
- I manage the web site and server from just one and same computer
- The IP adress is dynamic of this computer
- I personally use secure ftp transfers of files to server
- The administrative tools are PHP codes which talk to the databases
- I've IPTables firewall setup to simply allow connections to database from the own server/website.
- I backup all files every single day
If anybody else has access spend towards the server, you ought to be careful with permissions.
Otherwise, fundamental Apache auth is alright, but bear in mind that if you work with an unencrypted connection (not SSL), you password is distributed as obvious text over the web, so almost always there is the potential of it being sniffed.
Make it possible for SSL you'll need:
- mod_ssl enabled in your apache
- a self-signed (free) certificate
- Improve your apache configuration to incorporate SSL port
You are able to make reference to this tutorial regarding how to enable SSL on Debian.
A much better option, on the top from the usual password protection, IP limitations, SSL, etc... would be to host the various tools on the completely seperate domain. Someone might guess you have
example.com/admin and then try to brute pressure their means by, but hosting an easy login page on
somecompletelydifferentdomain.com without any branding/markings to relate it to
example.com is really a better defence yet.
Apache auth may also restrict by Ip, if you possess a static IP, by using their along with a password ought to be pretty safe. I'd also employ AuthDigestFile rather than AuthUserFile if you are concerned about attacks.
This page explains it well: Unlike fundamental authentication, digest authentication always transmits the password in the client browser towards the server being an MD5 encryted string which makes it impossible for any packet sniffer to determine the raw password.
If you'll want direct remote accessibility administrative tools, locate an out-of-band method to avoid the web server from running them whatsoever when they are unnecessary. You may, for instance, perform a
chmod 000 /var/www/adm under normal conditions, change it out to something functional (say,
500) when you should utilize them and to
000 when you are done.
Better is always to secure the whole path between your administrative tools:
- Use port knocking make it possible for SSH on some port apart from 22 (e.g., 2222).
- Lock lower the
sshdon that port to whatever your needs.
- Operate a separate demonstration of your internet server that listens on the port apart from 80 (e.g., 8080) that can not be seen in the outdoors and it has configuration to permit use of
/var/www/admbut restrict accessibility local host only.
When the time comes to make use of the administrative tools:
- Knock to spread out the SSH port.
- SSH into port 2222 and begin a tunnel from 8080 around the remote host to port 8080 around the server.
- Make use of the remote browser to go to localhost:8080 and access your tools. The server might find the bond as from the local system.