Professional Insecurites with Apache
January 7, 2008 3:00 PM Subscribe
Is deny all, allow (my.ip.add.ress) good enough in Apache over Windoze?
I'm developing a Wiki for documenting the work that various people in my company do, mostly to prevent some of the time waste created by poor communication and documentation. Realistically, this would be best on our internal Intranet server, but that's not a viable option at the moment. It's not exactly the kind of corporate secrets anyone would kill for, but I can see why security might be an issue.
In order to get things rolling, I thought I'd set it up on a virtual subdomain on our webserver (hosted outside the corporate intranet) but block access to the host directory with the standard Apache deny all, allow (company's outgoing ip) in the settings. My network guy tells me this is completely insecure and I shouldn't do it.
Does anyone have any serious experience/options on this? Is it a hugely Bad Idea? I'm running Apache 2.? on a Windows box, the Wiki is written in PHP. I'm not a network admin type gal, I just know how to make things work and some reasonable precautions!
I'm developing a Wiki for documenting the work that various people in my company do, mostly to prevent some of the time waste created by poor communication and documentation. Realistically, this would be best on our internal Intranet server, but that's not a viable option at the moment. It's not exactly the kind of corporate secrets anyone would kill for, but I can see why security might be an issue.
In order to get things rolling, I thought I'd set it up on a virtual subdomain on our webserver (hosted outside the corporate intranet) but block access to the host directory with the standard Apache deny all, allow (company's outgoing ip) in the
Does anyone have any serious experience/options on this? Is it a hugely Bad Idea? I'm running Apache 2.? on a Windows box, the Wiki is written in PHP. I'm not a network admin type gal, I just know how to make things work and some reasonable precautions!
have you discussed using .htaccess as well? the best way would be to use ssh tunnels, either into the apache box, or into another box thats in the same intranet as the apache box. see if you can do that before meddling around with http.conf. much more flexible, and encrypted to boot.
posted by Mach5 at 3:07 PM on January 7, 2008
posted by Mach5 at 3:07 PM on January 7, 2008
ip address spoofing is insanely easy to do, so no IP based security is going to be worth diddly.
posted by nomisxid at 3:36 PM on January 7, 2008
posted by nomisxid at 3:36 PM on January 7, 2008
Best answer: If you filter access by IP address and also password-protect it, only someone with:
(1) knowledge of the hostname/address of your website
(2) knowledge of the login and password, and
(3) access to your company's network, from which an outbound connection can be established
...can see your site. Having the combination of all three is likely secure enough for the situation, as long as you're not dealing with very sensitive data.
nomisxid: IP address spoofing (to fool Apache, or modern TCP/IP stacks) is trivial? Would you mind providing linkage or further commentary to back that up?
foxydot: I would be more worried about the fact that your network guy knows what you're doing, and is in a position to do damage to your venture (and by extension, your professional standing at the company). You may be better off pushing the issue upstairs, hard, and making the non-viable option more viable.
posted by Jubal Kessler at 4:09 PM on January 7, 2008
(1) knowledge of the hostname/address of your website
(2) knowledge of the login and password, and
(3) access to your company's network, from which an outbound connection can be established
...can see your site. Having the combination of all three is likely secure enough for the situation, as long as you're not dealing with very sensitive data.
nomisxid: IP address spoofing (to fool Apache, or modern TCP/IP stacks) is trivial? Would you mind providing linkage or further commentary to back that up?
foxydot: I would be more worried about the fact that your network guy knows what you're doing, and is in a position to do damage to your venture (and by extension, your professional standing at the company). You may be better off pushing the issue upstairs, hard, and making the non-viable option more viable.
posted by Jubal Kessler at 4:09 PM on January 7, 2008
ip address spoofing is insanely easy to do, so no IP based security is going to be worth diddly.
Yeah not really in this context over the internet with modern TCP/IP stacks. I agree that IP based security isn't the bees knees, but in this context IP filtering would work, I just wouldn't do it at the web server and I'd combine it with some sort of user/password or vpn lan to lan scheme.
Really though, this is intranet stuff, generally you do not want your intranet residing with your general internet site, it's bad practice and leaves you open for unpleasantness.
Please listen to your local infrastructure guy (i'm guessing network dude), they are usually responsible for insuring that security is maintained.
posted by iamabot at 4:28 PM on January 7, 2008 [1 favorite]
Response by poster: I think I'll suggest adding the passwording and see how that flies. This is only a temporary situation anyway, and I trust my networking guy, I just think that sometimes he's a little....erm...hypervigilant. (ie. I had to fight to get 22 open so that clients could upload files to a pwd/ip protected ftp server.)
I think I'll also take the time (when I have it...ha.ha.ha. to learn more about ssh tunneling!) Thanks guys...hivemind is teh awesomes.
posted by foxydot at 7:46 PM on January 7, 2008
I think I'll also take the time (when I have it...ha.ha.ha. to learn more about ssh tunneling!) Thanks guys...hivemind is teh awesomes.
posted by foxydot at 7:46 PM on January 7, 2008
This thread is closed to new comments.
posted by iamabot at 3:03 PM on January 7, 2008