FutureQuest, Inc.
Old 06-02-1999, 02:16 AM   Postid: 28122
Charles Capps
Registered User
Join Date: Mar 1999
Location: Seattle, WA
Posts: 1,059
.htaccess security, or lack thereof?

I have, or rather, had a secure WWWBoard based forum for my UBB moderators, which was located two directory levels in:
/dirone/dirtwo/index.html  (Not the real names, of course)
Dirone was protected via .htaccess - all domains excluding certain IP addresses and domain names are denied entry.
Dirtwo was protected via htpasswd, so even if someone managed to bypass the IP block, they'd still have to know the username and password.

Someone did it.

Well, he got past the domain block.  His ISP was explicitly denied access, yet he got in!  SOMEONE that I apparently can't trust gave him the username and password for the second directory.

Right now I've replaced the thing with a dummy mockup perl script that will write down the IPs and time of anyone accessing it, just to make SURE that this guy is getting in.  Or got in, rather.

I'm very distressed.  How did this happen?  
I was confident this jerk couldn't get into my forum, but apparently I took things for granted!

Oh, and how I found him....
I did my monthly log download, including the error log.  I wrote up a quick perl parser to filter out the interesting stuff into various files.  I filtered all the authentication errors into one file, and did IP checks to see who's been poking around when I found him.

Yay.
------------------
"Okay, so I'm not "SANE" so to speak, but uh... I'm the lovable kind of psycho"
http://solareclipse.net/
Old 06-02-1999, 03:33 AM   Postid: 28123
 Terra
CTO FutureQuest, Inc.
Join Date: Jun 1998
Location: Z'ha'dum
Posts: 7,678
Did you block by Domain name like:
.acme.com
or by IP block:
123.232.12

ACL by domain can be sp00fed if the dude is very clever, but the IP block is pretty much solid as that cannot be spoofed...  It can be forged in IP packets though, but only for a one-->way shot hacking (like trying to circumvent a firewall to plant a bogus .rhosts file)...  Almost all one-->way hacks don't require the message to go back to the originating address, as the plant opens up the rest of the access...

In your case, if he was messing around - then an IP block would have cut him off...

--
Terra
--No matter how secure you *think* you are - someone will always find a way to open your eyes--
FutureQuest
Old 06-02-1999, 03:46 AM   Postid: 28124
Charles Capps
As it doesn't really matter any more, this is what I had in my .htaccess in Dirone, plus a few ErrorDocuments:

Code Sample:

deny from all
allow from garlic.com
allow from garlic.net
allow from utoronto.ca
allow from toronto.edu
allow from 206.105.22
allow from 199.105.141
allow from 199.105.142
allow from 199.105.143
allow from leenet.demon.co.uk
allow from rjw.co.uk
allow from mvp.net
allow from marz.net
allow from liamnet.demon.co.uk
allow from elkvalley.net
allow from 204.244.150
allow from defiant.teb.et-inf.uni-siegen.de
allow from tmns.net.au
allow from bentonrea.com
allow from mtneer.net



He comes from orc.ca, and made no attempt to mask his IP according to the access and error logs.
Wouldn't the deny from all cut him off totally?
*reads sig and shivers run down his spine*  Stop that!
Old 06-02-1999, 10:43 AM   Postid: 28125
Terra
Where is your 'order' directive?

order deny,allow
deny from ...
allow from ...

Even though it says the default is 'deny,allow' I would always recommend using the directive as they are a trio in usage...

Try adding 'order' and see if that possibly helps...

Second thing is, when matching partial domain names, use a leading dot and all domains in the allow lines should be stacked on top of each other...

allow from .garlic.com .mvp.net .marz.net (etc....)

I am not 100% sure if host stacking IS required - or using multiple line 'allow' directives can in fact be used...  I've always stacked them on 1 line - and it's worked for me...

--
Terra
--Views above could be subject to correction--
FutureQuest
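To make the Order / Deny / Allow discussion above concrete, here is an added example (not code from the thread and not Apache's own source) that models how mod_access in Apache 1.3 and 2.2 evaluates an .htaccess like the one Charles posted. It encodes the documented semantics: `Order deny,allow` is what Apache assumes when no Order line is present, Allow overrides Deny under that order, hosts may be stacked on one `allow from` line or spread over several lines, and a partial hostname only matches at a label boundary, so `garlic.com` matches `mail.garlic.com` but not `notgarlic.com` whether or not the leading dot is written. The client addresses and hostnames in the script are placeholders; in the real server a hostname rule is only consulted after a double-reverse DNS lookup succeeds, so a client whose address has no working PTR record can only ever match the IP-prefix rules.

```python
# Added example, not Apache's code and not from the thread: a model of how
# mod_access in Apache 1.3 / 2.2 evaluates Order, Deny from and Allow from.
# Hostnames passed to decide() are assumed to be what the server obtained from
# its double-reverse DNS lookup; an address that does not resolve only ever
# matches IP rules.

# The .htaccess Charles posted, verbatim: note there is no Order line.
THREAD_HTACCESS = """
deny from all
allow from garlic.com
allow from garlic.net
allow from utoronto.ca
allow from toronto.edu
allow from 206.105.22
allow from 199.105.141
allow from 199.105.142
allow from 199.105.143
allow from leenet.demon.co.uk
allow from rjw.co.uk
allow from mvp.net
allow from marz.net
allow from liamnet.demon.co.uk
allow from elkvalley.net
allow from 204.244.150
allow from defiant.teb.et-inf.uni-siegen.de
allow from tmns.net.au
allow from bentonrea.com
allow from mtneer.net
"""


def parse_htaccess(text):
    """Collect Order, Deny from and Allow from; other directives are ignored."""
    order = "deny,allow"          # Apache's default when no Order line is given
    deny, allow = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif name in ("deny", "allow") and len(parts) > 2 and parts[1].lower() == "from":
            # Hosts stacked on one line or spread over several lines are both accepted.
            (deny if name == "deny" else allow).extend(p.lower() for p in parts[2:])
    return order, deny, allow


def host_matches(pattern, hostname):
    """Partial-domain match as mod_access does it: the pattern must equal the
    whole name or be a suffix that starts at a label boundary, so 'garlic.com'
    matches 'mail.garlic.com' but not 'notgarlic.com'.  A leading dot makes the
    boundary explicit, at the price of no longer matching the bare 'garlic.com'."""
    p, h = pattern.lower(), hostname.lower()
    if len(h) < len(p) or not h.endswith(p):
        return False
    return len(h) == len(p) or p.startswith(".") or h[-len(p) - 1] == "."


def ip_matches(pattern, ip):
    """A full address, or the first one to three octets used as a prefix
    (the CIDR and netmask spellings are not modelled here)."""
    want = pattern.rstrip(".").split(".")
    return ip.split(".")[:len(want)] == want


def rule_matches(pattern, ip, hostname):
    if pattern == "all":
        return True
    if pattern[0].isdigit():
        return ip_matches(pattern, ip)
    return hostname is not None and host_matches(pattern, hostname)


def decide(order, deny, allow, ip, hostname=None):
    """Return 'allow' or 'deny' for one client under the given Order."""
    denied = any(rule_matches(p, ip, hostname) for p in deny)
    allowed = any(rule_matches(p, ip, hostname) for p in allow)
    if order == "deny,allow":                      # Allow overrides Deny; default allow
        return "allow" if allowed or not denied else "deny"
    if order in ("allow,deny", "mutual-failure"):  # Deny overrides Allow; default deny
        return "allow" if allowed and not denied else "deny"
    raise ValueError("unknown Order: " + order)


if __name__ == "__main__":
    order, deny, allow = parse_htaccess(THREAD_HTACCESS)
    clients = [("206.105.22.9", None),            # listed by IP prefix, DNS irrelevant
               ("203.0.113.4", "mail.garlic.com"),
               ("203.0.113.5", "notgarlic.com"),
               ("203.0.113.6", "dial12.orc.ca"),  # placeholder for the visitor in the thread
               ("203.0.113.7", None)]             # no reverse DNS at all
    for ip, host in clients:
        print(f"{ip:14} {host or '(no PTR)':18} {order}: {decide(order, deny, allow, ip, host):5}"
              f"  allow,deny: {decide('allow,deny', deny, allow, ip, host)}")
```

The last column is the caveat worth remembering: writing `Order allow,deny` into this particular file would lock out the listed hosts as well, because `deny from all` then overrides every allow line. `Order deny,allow`, which is also what Apache assumes when the line is missing, is the one that matches the intent, so adding it changes nothing here except making the intent explicit.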
Old 06-02-1999, 11:25 AM   Postid: 28126
Charles Capps
Order?  Pleh.  Forgot about that.  *sigh*

Hm.  Well, if/when it gets put back up, I'll have to use that info.  

Pleh.
Old 06-02-1999, 01:29 PM   Postid: 28128
Charles Capps
Well, after writing half a dozen parsers for the log files (it was fun, really), it seems I jumped to conclusions.

Rather, I forgot what I did.

I added the password literally a week BEFORE I added the domain block, which appears to be functioning perfectly, as the last attempt he made at accessing the private forum ended up in a 401 error - he hasn't tried since.

That STILL means that someone gave him the URL on March 22, and the password when I added it on May 5, but that's better than nothing.

*sigh*
Old 06-03-1999, 12:29 AM   Postid: 28127
Charles Capps
What concerns me now is who ELSE has had access.

I replaced the forum with a little notice about what's going on.  It's actually an ErrorDocument 404 pointing to a CGI script that logs accesses.  Quite quaint.

Someone has been trying to get in, possibly on some sort of LAN, I'm not sure, but the IP doesn't look up properly.  It's owned by AT&T according to the ARIN lookup.  Methinks it's time to beef up that little perl tool and see who's been poking around my forums.
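The log triage Charles describes in his first post (filter the authentication errors out of the logs, then check which IPs were poking around) and comes back to in the last one, as an added example written in Python rather than his Perl; it is not his tool. The log lines are constructed for the example in the shape Apache 1.3 writes them: common log format access entries, and error_log entries of the `[client x.x.x.x]` form for a password mismatch, an unknown user and `client denied by server configuration`. The addresses, the user name `mod` and the `/dirone/dirtwo/` path are placeholders. The script tallies refused (401/403) and admitted (200) requests to the protected path per client address, keeps the first time each address ever touched the URL, and then answers the thread's two questions: who tripped the password or the ACL, and who was refused at some point and still got a 200 later. The whois/ARIN lookup Charles mentions is a separate, online step and is not performed here.

```python
# Added example, not the thread's Perl tool: triage Apache access and error
# logs for a password- and ACL-protected directory.  Sample lines below are
# constructed in the shape Apache 1.3 writes; addresses are documentation
# ranges and the user name / path are placeholders.
import re
from collections import Counter, defaultdict
from datetime import datetime

ACCESS_LOG = """\
203.0.113.5 - - [22/Mar/1999:21:04:11 -0400] "GET /dirone/dirtwo/index.html HTTP/1.0" 200 3120
203.0.113.5 - - [05/May/1999:23:40:02 -0400] "GET /dirone/dirtwo/index.html HTTP/1.0" 401 412
203.0.113.5 - mod [05/May/1999:23:40:30 -0400] "GET /dirone/dirtwo/index.html HTTP/1.0" 200 3120
203.0.113.5 - - [12/May/1999:08:15:00 -0400] "GET /dirone/dirtwo/index.html HTTP/1.0" 403 298
198.51.100.77 - - [01/Jun/1999:04:01:59 -0400] "GET /dirone/dirtwo/wwwboard.pl HTTP/1.0" 403 298
198.51.100.9 - - [01/Jun/1999:10:00:00 -0400] "GET /index.html HTTP/1.0" 200 1500
this line is not a log entry
"""

ERROR_LOG = """\
[Wed May  5 23:40:02 1999] [error] [client 203.0.113.5] user mod: authentication failure for "/dirone/dirtwo/": password mismatch
[Tue Jun  1 04:01:59 1999] [error] [client 198.51.100.77] client denied by server configuration: /home/site/dirone/dirtwo/wwwboard.pl
[Tue Jun  1 04:05:00 1999] [error] [client 203.0.113.5] user nobody not found: /dirone/dirtwo/
[Tue Jun  1 04:06:00 1999] [error] [client 198.51.100.9] File does not exist: /home/site/favicon.ico
"""

# Common log format: host ident user [time] "request" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Apache 1.3 error_log entry with a client address
ERROR_RE = re.compile(r'^\[[^\]]+\] \[error\] \[client ([^\]]+)\] (.*)$')
# Only the messages that mean "auth or ACL refused this client"
ACL_ERROR = re.compile(r'authentication failure|denied by server configuration|^user \S+ not found')


def parse_access_line(line):
    """One CLF line -> dict, or None for anything that is not a log entry."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, user, ts, method, path, status = m.groups()
    return {"ip": ip, "user": None if user == "-" else user,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


def triage(access_log, error_log, protected_prefix):
    """Per client address: hits on the protected path, status tally, first contact,
    user names that got through, and the refusal messages from the error log."""
    report = defaultdict(lambda: {"first_seen": None, "events": [], "statuses": Counter(),
                                  "users": set(), "errors": []})
    for line in access_log.splitlines():
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith(protected_prefix):
            continue
        r = report[rec["ip"]]
        r["events"].append((rec["time"], rec["status"]))
        r["statuses"][rec["status"]] += 1
        if rec["user"]:
            r["users"].add(rec["user"])
        if r["first_seen"] is None or rec["time"] < r["first_seen"]:
            r["first_seen"] = rec["time"]
    for line in error_log.splitlines():
        m = ERROR_RE.match(line)
        if m and ACL_ERROR.search(m.group(2)):
            report[m.group(1)]["errors"].append(m.group(2))
    return dict(report)


def suspects(report):
    """Addresses refused at least once (401/403) or named in an auth/ACL error."""
    return sorted(ip for ip, r in report.items()
                  if r["statuses"][401] or r["statuses"][403] or r["errors"])


def refused_then_admitted(report):
    """Addresses turned away at some point that later got a 200 on the protected
    path: the 'did he actually get in?' question from the thread."""
    hits = []
    for ip, r in sorted(report.items()):
        refused_at = None
        for when, status in sorted(r["events"]):
            if status in (401, 403):
                refused_at = refused_at or when
            elif status == 200 and refused_at is not None:
                hits.append(ip)
                break
    return hits


if __name__ == "__main__":
    report = triage(ACCESS_LOG, ERROR_LOG, "/dirone/")
    for ip in suspects(report):
        r = report[ip]
        print(f"{ip:14} first seen {r['first_seen']:%Y-%m-%d %H:%M} "
              f"statuses={dict(r['statuses'])} users={sorted(r['users'])} errors={len(r['errors'])}")
    print("refused, then admitted:", refused_then_admitted(report))
```

The timestamps carry their own offset (`-0400`, matching the GMT -4 the board runs on), so comparisons across the month stay correct; the regexes deliberately match the whole line shape rather than splitting on spaces, which is what keeps the stray non-log line above from producing a bogus client entry.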
All times are GMT -4.

Running on vBulletin®
Copyright © 2000 - 2013, Jelsoft Enterprises Ltd.
Hosted & Administrated by FutureQuest, Inc.
Images & content copyright © 1998-2013 FutureQuest, Inc.