[Tfug] The Apache security saga ALMOST done!

Jeff Breadner jeff at breadner.ca
Wed Jul 8 14:19:48 MST 2009


> Here's the .htaccess file now - I've added line numbers so I can ask
> what's going on at a couple of lines:
>
> ---
> 1 AuthType Basic
> 2 AuthName "Restricted Files"
> 3 # (Following line optional)
> 4 AuthBasicProvider file
> 5 AuthUserFile /usr/local/apache/passwd/passwords
> 6 Require user zmuser
> 7 # secure htaccess file
> 8 <Files .htaccess>
> 9 order allow,deny
> 10 deny from all
> 11 allow from 127.0.0.1
> 12 allow from 192.168.0.1/24
> 13 allow from [ip address of the Qwest router, with the router told to
> route IP stuff coming in there to the fixed IP addy of the camera
> server, 192.168.0.53]
> 14 </Files>
> ---
>
> OK. At line 11, I'm successfully telling it to accept access from the
> local server console, right?
>
Yes
> Line 12 I don't understand - is "1/24" a RANGE?  Should I up that to
> "1/255"?  Thing is, the wireless connections to the router are DHCP
> from a range of 192.168.0.2 through 192.168.0.52...static starts at
> .53 (where the server is) and goes up.  So, the two other locally
> connected DHCP Windows machines (one WiFi, one Ethernet) *should* be
> attached somewhere around 192.168.0.2 or .3 or .4 or so.  Meaning, if
> "1/24" is an IP address range, my two Windows boxes should be inside
> it?
>

The /24 literally means that the first 24 bits of your IP address are 
static.  There are 32 bits in an IPv4 address (8 bits / byte * 4 bytes), 
so 32 - 24 = 8 bits that are variable, or the last byte is variable.  
Basically you're saying it's OK for anyone in the range 192.168.0.0 
through 192.168.0.255 to connect.  It would be most correct to list this 
as 192.168.0.0/24 though, not 192.168.0.1/24, though functionally there 
shouldn't be a difference.

> But they're blocked.  I've tried going to 192.168.0.53 and going to
> the same IP address that works coming in from the outside.  No joy
> either way - it will actually show the login screen popup, but won't
> accept the valid username/password that works on the server console or
> from the outside world.
>
Any clues in /var/log/httpd/access_log or /var/log/httpd/error_log?

cheers
  Jeff
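The /24 arithmetic above and the quoted `Order allow,deny` block, as an added Python example that is not from the thread: it does the prefix-mask math the reply describes and models how Apache 2.2 mod_access evaluates a rule list for a client address (rules transcribed from the quoted file; `Order allow,deny` requires an Allow match and then rejects on any Deny match, so `deny from all` denies everyone, while `Order deny,allow` lets the Allow lines override).

```python
import ipaddress

# Rules transcribed from the quoted <Files .htaccess> block (constructed list).
RULES = [
    ("deny", "all"),
    ("allow", "127.0.0.1"),
    ("allow", "192.168.0.1/24"),
]


def cidr_range(cidr):
    """Return (first, last) address of a CIDR block using the mask arithmetic
    from the reply: the first `prefix` bits are fixed, the remaining vary."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32, got /%d" % prefix)
    n = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    first = n & mask                    # host bits cleared
    last = first | (~mask & 0xFFFFFFFF)  # host bits all set
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def _matches(pattern, client):
    """True if the client matches an Allow/Deny 'from' argument. Handles 'all',
    a single address, and CIDR; hostname and partial-address forms that
    mod_access also accepts are not modelled here."""
    if pattern == "all":
        return True
    # strict=False: 192.168.0.1/24 is read as the network 192.168.0.0/24,
    # matching Apache's treatment of host bits in a CIDR argument.
    return client in ipaddress.ip_network(pattern, strict=False)


def evaluate(order, rules, client_ip):
    """Model Apache 2.2 mod_access Order semantics; returns True if allowed."""
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(p, client) for kind, p in rules if kind == "allow")
    denied = any(_matches(p, client) for kind, p in rules if kind == "deny")
    if order == "allow,deny":
        # Allow evaluated first and must match; any Deny match then rejects.
        return allowed and not denied
    if order == "deny,allow":
        # Deny evaluated first; a later Allow match overrides; default allow.
        return allowed or not denied
    raise ValueError("unknown Order: %s" % order)
```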
