restrict file access via the web
e-smith release: 4.1.x/SME5
Problem: You want to restrict access to critical files via the web server. Typically this is to protect PHP application configuration files that hold sensitive login and password information.
Solution: Implement the following httpd.conf template fragments via the steps below. See the Mitel security advisory below for one example:
Advisory -- PHP-Nuke Remote Compromises
STEP 1: You will need to create a custom template for Apache. Execute the following commands from the server command line:
# mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
# pico /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/88RestrictFileAccess
In the editor, enter:
<Directory /path-to-files>
    <Files file1 file2 ...>
        deny from all
        allow from address1 address2 ...
    </Files>
</Directory>
Replace /path-to-files with the full directory path to the files you wish to protect on your server. For example, if they are in the primary i-bay, use /home/e-smith/files/primary/html. Add multiple <Directory>...</Directory> blocks if required.
Replace address1 address2 ... with a space-separated list of individual IP addresses, or netblocks in CIDR notation. For example, 127.0.0.1 would allow access from localhost, and 127.0.0.1 192.168.1.0/24 would allow access from both localhost and any system with an address from 192.168.1.1 to 192.168.1.254. Here is the completed example, based on the above settings and restricting access to a file named admin.php3:
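An added example, not part of the original page: a script that writes the fragment for admin.php3 with the settings above instead of typing it into the editor, and refuses anything in the allow list that is not an IPv4 address or CIDR netblock. The function names, the script name restrict.sh and the TEMPLATE_DIR override are assumptions made for this example, and the emitted fragment states the evaluation order explicitly with order deny,allow.

```shell
#!/bin/sh
# Added example: write the 88RestrictFileAccess fragment without an editor.
# TEMPLATE_DIR defaults to the directory from STEP 1; override it for a dry run.
TEMPLATE_DIR="${TEMPLATE_DIR:-/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf}"

# valid_source ADDR: succeed only for a dotted-quad IPv4 address with an
# optional /0-/32 prefix. Hostnames, typos and the keyword "all" are refused,
# since "allow from all" would undo the restriction.
valid_source() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# write_fragment DIR FILE ADDR...: protect FILE under DIR, allowing only ADDR...
write_fragment() {
    dir=$1 file=$2
    [ $# -ge 3 ] || { echo "usage: DIR FILE ADDR..." >&2; return 1; }
    shift 2
    case $dir in /*) ;; *) echo "DIR must be an absolute path" >&2; return 1 ;; esac
    for src in "$@"; do
        valid_source "$src" || { echo "bad address: $src" >&2; return 1; }
    done
    mkdir -p "$TEMPLATE_DIR" || return 1
    cat > "$TEMPLATE_DIR/88RestrictFileAccess" <<EOF
<Directory $dir>
    <Files $file>
        order deny,allow
        deny from all
        allow from $*
    </Files>
</Directory>
EOF
}

# Runs only when arguments are given, e.g.:
#   sh restrict.sh /home/e-smith/files/primary/html admin.php3 127.0.0.1 192.168.1.0/24
[ $# -eq 0 ] || write_fragment "$@"
```

The fragment only takes effect once httpd.conf has been regenerated from its templates and Apache has been restarted.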