I am trying to find out how secure this scenario would be.
I have a directory which I do not want anybody to ever be able to access or download the encrypted log files within the directory.
I have this directory protected by .htaccess basic authentication.
I have not set a username and password for the directory.
I have ssh key setup for my ftp client and have disabled ftp so nobody could get through to download this directory via ftp.
Since a brute force attack will not work on the directory because there are no credentials set, would this be considered a locked directory without a key and impenetrable?
If not, how would someone penetrate the directory other then guessing cpanel credentials?
Thank you for the advice.
Related
I added the user from user management but I don't know what to do further how to check?
I am expecting to user don't access public html folder.
User will be able to access the public html folder, if they are accessing it through cPanel. Unfortunately, there is no way around this as phpMyAdmin is secured with cPanel authentication.
However, you could install your own phpMyAdmin on your domain and provide access through it. You can find more information about how to do it here.
I use current stable version of Nextcloud (nextcloud docker image). I want to disable an authentication window when user enter the site. Is it possible? I found only anonymous upload feature in official doc.
Nextcloud is build around the concept that each user has it's personal (cloud) folder where he can upload, edit and share files. Therefore you cannot access the "normal" user interface without a log in.
However it is possible for any user to share files/folders via a link and allow editing of them without login:
https://docs.nextcloud.com/server/latest/user_manual/en/files/sharing.html#public-link-shares
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/file_sharing_configuration.html
But just in case you rally want to give all anonymous visitors of your Nextcloud instance the option to upload and edit files anonymously, here is a possible solution:
Create a folder anonymous with your admin account
Share it via link and allow editing
In your admin settings, go towards Theming: https://your-domain.com/settings/admin/theming
Set Anonymous Usage as Name and your shared link as Web link
Now if you log out and access your Nextcloud instance, you'll see a link at the very bottom called Anonymous Usage that you (and your clients) can follow to upload files/folders or edit existing ones. All files uploaded via that link will be stored inside the anonymous folder and will be owned by your admin account. So make sure to set the storage quota on that account high enough.
Be ware that
by visiting your Nextcloud instance anyone could delete all files inside anonymous as he doesn't need to authenticate himself.
the visitors are not fully anonymous, as there are probably some log files of Nextcloud and your Webserver with their IP addresses.
When you protect an area of your document root using either the server configuration or .htaccess, the server prompts for a username and password when someone requests those files from a browser. If the password matches the one from the authentication provider for that user, the documentation at http://httpd.apache.org/docs/2.2/howto/auth.html says that apache will set environment variables for that user. In my case I'm building a php app, and using phpinfo() I gather that the environment variables set are are REDIRECT_AUTHENTICATE_SAMACCOUNTNAME, AUTHENTICATE_SAMACCOUNTNAME (Using active directory as authentication provider), and REMOTE_USER. I believe this is what prevents the user from being prompted again and again on each subsequent request.
What I don't understand is how apache matches requests from a user with the environment variables set for that user, and also when and how it knows how to clear those variables. I doesn't appear to use cookies, because I cleared all the cookies for the domain in question, and still it doesn't ask me to reauthenticate unless I actually close the browser.
Ultimately I'm going to be working with php to get the userid and to maintain state, but since php is getting the information from the apache information, I'd like to know about that context, and I don't seem to be able to find these details. Thanks in advance.
Look at the http headers your browser is sending. After you have supplied a username and password, your browser will continue sending those details to that site until your browser session ends, or longer if you tell your browser to remember the credentials.
I want to password protect a directory on a web server. I make the .htaccess and .htpasswd files and everything works.
What if some day, the admin comes along and sets "AllowOverride None" in httpd.conf? Does that immediately make all of my secrets visible to the whole wide web?
Is there another way to password protect files on a web server without having to store a password in plain text and doesn't leave the protection at the mercy of an admin?
Place the files outside of your webroot and use a serverside (scripting) language like php or python and make/use a login system. The script can access to your files outside your webroot and send it to your browser.
I've got a directory I'm protecting with .htaccess and .htpassword but I think some people have shared the access username and password, which is against my terms. The other possibility is that they are using bruteforce. How can I use .htaccess to log the IP addresses of the people who try to access my protected directory, for both accurate and failed logins?
That is beyond the scope of .htaccess. You will need to modify your webservers configuration if it doesn't log failed logins already. (Hint: Those can be identified by the 401 response code)