Wednesday, July 21, 2010

.ftpaccess files and ftp hacking

A number of my sites have been hacked recently. Lots of dodgy links have been hidden in the html behind the scenes, only visible when you look at 'view source'.

The main vulnerabilities in the approach I use to manage websites come from FTP (or so I am finding out), though I also use php 'includes' sometimes, which is another no-no.

Anyhow, my provider, 34sp has come up with a suggestion for resellers to protect their FTP uploads. This seemed like a reasonable idea but has not worked out that well for me, so here's my take on how to adapt their approach.

Despite having an .ftpaccess file in place, a charity site I run has again found itself with lots of dodgy hidden links in its pages. I suspect the problem may be because I created the .ftpaccess file using Dreamweaver 4 with the wrong Line Feed characters - these files apparently MUST have a Unix line feed or they will not work.

I have another problem though. With these .ftpaccess files we are advised to use the enum range if we are not on a static IP address. This seemed reasonable but my ISP's enum ranges seem to change with great frequency so this whole approach is not going to be very reliable for me.

So, I've been wishing I could just turn OFF ftp access until I need it. And that is what I have decided to do, like this.

1. Create an .ftpaccess file as above but leave only 'Deny all' in the file, with no other valid IP addresses, and put it in the appropriate directories (httpdocs, httpsdocs and cgi-bin).

2. Using Plesk file manager, change the permissions on the .ftpaccess file to what I think is called 644 or rw- r-- r-- (which seems to be generally recommended for .htaccess files as a secure permission setting).

3. If I want to FTP to the site I first go in to Plesk file manager and move the .ftpaccess file to a special purpose-built directory called ftp-off.

4. Do whatever FTPing I need to do.

5. Go back into Plesk and move the .ftpaccess file into httpdocs (I move the file rather than rename it to retain the permissions settings).

This is a rather belt and braces approach but as far as I can tell it locks off FTP so that only the person with Plesk access can use it.

Now, none of my customers do any FTPing for themselves. But if they did, perhaps the solution would be to allow 127.0.0.1, which would allow them access through siteadmin.
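The five steps above as a shell routine, added here as an example; this is not code from the original post or from 34sp, and it runs the lock/unlock from a shell on the server instead of the Plesk file manager. The directory layout (httpdocs, httpsdocs, cgi-bin under a vhost root), the ftp-off parking directory and the single 'Deny all' line are taken from the post; the exact directive text your provider's template uses is an assumption, so keep theirs. The script writes the file with printf so it always gets Unix line endings, and refuses to install a file containing carriage returns, which is the Dreamweaver problem the post describes.

```shell
#!/bin/sh
# Added example, not from the original post or 34sp: the "FTP off until I need
# it" routine as shell functions. Paths and the .ftpaccess directive text are
# assumptions; keep the line your provider's template uses.
set -eu

SITE_ROOT="${SITE_ROOT:-${TMPDIR:-/tmp}/ftplock-demo-$$}"  # assumed vhost root
LOCK_STORE="$SITE_ROOT/ftp-off"                              # parking directory (step 3)
FTP_DIRS="httpdocs httpsdocs cgi-bin"                        # directories named in step 1
DENY_DIRECTIVE="${DENY_DIRECTIVE:-Deny all}"                 # the single line the post keeps

# Number of carriage-return bytes in a file; 0 means Unix (LF-only) line
# endings, which is the requirement the Dreamweaver-created file missed.
cr_count() { tr -cd '\r' < "$1" | wc -c | tr -d ' '; }

# Permission string as ls shows it, e.g. -rw-r--r-- for 644 (portable; avoids
# the GNU/BSD differences in stat's flags).
mode_of() { ls -l "$1" | cut -c1-10; }

# Steps 1 and 2: write a deny-all .ftpaccess with LF endings and mode 644.
write_deny_all() {
    target="$1/.ftpaccess"
    printf '%s\n' "$DENY_DIRECTIVE" > "$target"
    chmod 644 "$target"
    if [ "$(cr_count "$target")" -ne 0 ]; then
        echo "refusing to install $target: contains CR bytes" >&2
        return 1
    fi
}

lock_all() {
    for d in $FTP_DIRS; do
        mkdir -p "$SITE_ROOT/$d"
        write_deny_all "$SITE_ROOT/$d"
    done
}

# Step 3: park every .ftpaccess in ftp-off. mv keeps the mode bits, which is
# why the post moves the file rather than renaming or re-creating it.
ftp_on() {
    for d in $FTP_DIRS; do
        mkdir -p "$LOCK_STORE/$d"
        if [ -f "$SITE_ROOT/$d/.ftpaccess" ]; then
            mv "$SITE_ROOT/$d/.ftpaccess" "$LOCK_STORE/$d/.ftpaccess"
        fi
    done
}

# Step 5: put them back.
ftp_off() {
    for d in $FTP_DIRS; do
        if [ -f "$LOCK_STORE/$d/.ftpaccess" ]; then
            mv "$LOCK_STORE/$d/.ftpaccess" "$SITE_ROOT/$d/.ftpaccess"
        fi
    done
}

# "locked" only when every directory has its .ftpaccess in place.
ftp_status() {
    for d in $FTP_DIRS; do
        if [ ! -f "$SITE_ROOT/$d/.ftpaccess" ]; then echo open; return 0; fi
    done
    echo locked
}

# Demo run: step 4, the actual uploading, happens between ftp_on and ftp_off.
lock_all;  echo "after lock_all: $(ftp_status)"
ftp_on;    echo "after ftp_on:   $(ftp_status)"
ftp_off;   echo "after ftp_off:  $(ftp_status)"
echo "mode: $(mode_of "$SITE_ROOT/httpdocs/.ftpaccess")"
```

Set SITE_ROOT to the real vhost root before use; the default is a throwaway temporary directory so the script can be tried safely. ftp_status is the check worth running before walking away: if it prints anything other than locked, one of the three directories is open to FTP.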

Monday, May 10, 2010

How to Password Protect a Folder or some Files on the web

Placing .htaccess and .htpasswd files into the directory you wish to protect is apparently a good way to put some password protection on folders on the web. So if you want someone to type in a password before they can access a web page, these .ht files are what you would use. There is a good explanation of how you do this here: http://davidwalsh.name/password-protect-directory-using-htaccess - Dave also has a nice tool to MD5 hash the password for you!

Well, I tried it and I got a '500 internal server error' on the page when I tried to access it. After some head scratching I found this post which reminded me that sometimes the presence of non-Unix line breaks can cause problems in files like this: http://www.oreillynet.com/cs/user/view/cs_msg/6238.

Rather than immediately reach for BBEdit, I found a nice article explaining how to ensure Dreamweaver uses Unix line breaks...
http://livedocs.adobe.com/en_US/Dreamweaver/9.0/help.html?content=WSc78c5058ca073340dcda9110b1f693f21-7bdd.html - I don't know why you'd want it any other way!

So, I'm now happy that I have a password protected web page for one of my customers!
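An added example that reproduces the failure mode in this post and the check that catches it; this is not code from the post or from David Walsh's article. It writes the Basic-auth .htaccess that points at an .htpasswd file (the directives are standard Apache ones; the directory and realm name are assumptions), then scans .ht files for carriage returns and strips them, which is exactly the non-Unix line break problem that produced the 500 error. It also checks that AuthUserFile is an absolute path, because Apache resolves a relative one against ServerRoot rather than the protected folder. Creating the .htpasswd entry itself is delegated to the htpasswd or openssl tools where present, so no hash is hard-coded.

```shell
#!/bin/sh
# Added example, not from the original post or the linked article: write the
# .htaccess for Basic auth and diagnose/fix the CRLF problem that causes a 500.
set -eu

PROTECTED_DIR="${PROTECTED_DIR:-${TMPDIR:-/tmp}/htauth-demo-$$}"  # assumed folder to protect
HTPASSWD_PATH="${HTPASSWD_PATH:-$PROTECTED_DIR/.htpasswd}"         # must be absolute for Apache

# Number of carriage-return bytes in a file; 0 means Unix line endings.
cr_count() { tr -cd '\r' < "$1" | wc -c | tr -d ' '; }

# Write the .htaccess: Basic auth, realm name, password file, any valid user.
write_htaccess() {
    dir="$1"; realm="$2"
    mkdir -p "$dir"
    printf 'AuthType Basic\nAuthName "%s"\nAuthUserFile %s\nRequire valid-user\n' \
        "$realm" "$HTPASSWD_PATH" > "$dir/.htaccess"
    chmod 644 "$dir/.htaccess"
}

# Append a user to .htpasswd using whichever hashing tool is installed.
# (Not exercised by the demo below, so the script runs without either tool.)
add_user() {
    user="$1"; pass="$2"
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nb "$user" "$pass" >> "$HTPASSWD_PATH"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" >> "$HTPASSWD_PATH"
    else
        echo "need htpasswd or openssl to hash the password" >&2; return 1
    fi
    chmod 644 "$HTPASSWD_PATH"
}

# Prints "clean" if the file has LF-only endings, otherwise rewrites it without
# CR bytes (keeping the file's mode) and prints "fixed".
fix_line_endings() {
    f="$1"
    if [ "$(cr_count "$f")" -eq 0 ]; then echo clean; return 0; fi
    tr -d '\r' < "$f" > "$f.tmp"
    cat "$f.tmp" > "$f"          # overwrite in place so mode 644 is kept
    rm -f "$f.tmp"
    echo fixed
}

# Prints "ok" if AuthUserFile is absolute, "relative" if not, "missing" if absent.
check_authuserfile() {
    p=$(awk '$1 == "AuthUserFile" { print $2 }' "$1")
    case "$p" in
        "")  echo missing ;;
        /*)  echo ok ;;
        *)   echo relative ;;
    esac
}

# Demo: a correct file, then a CRLF file of the kind an editor with Windows
# line breaks would produce (constructed here, not taken from a real site).
write_htaccess "$PROTECTED_DIR" "Members only"
echo ".htaccess: $(fix_line_endings "$PROTECTED_DIR/.htaccess"), AuthUserFile $(check_authuserfile "$PROTECTED_DIR/.htaccess")"
printf 'AuthType Basic\r\nAuthUserFile .htpasswd\r\nRequire valid-user\r\n' > "$PROTECTED_DIR/broken.htaccess"
echo "broken.htaccess: $(cr_count "$PROTECTED_DIR/broken.htaccess") CR bytes, AuthUserFile $(check_authuserfile "$PROTECTED_DIR/broken.htaccess")"
echo "broken.htaccess: $(fix_line_endings "$PROTECTED_DIR/broken.htaccess"), now $(cr_count "$PROTECTED_DIR/broken.htaccess") CR bytes"
```

Run fix_line_endings over both .htaccess and .htpasswd after every upload from a Windows-style editor; a single stray CR in .htpasswd makes every password fail even when .htaccess itself is fine.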