HowTo
restrict file access via the webe-smith release: 4.1.x/SME5
Problem: You want to restrict access to critical files via the web server. Typically this is to protect PHP application configuration files that hold sensitive login and password information.
Solution: Implement the following httpd.conf template fragments via the steps below. See the Mitel security advisory below for one example:
Security
Advisory -- PHP-Nuke Remote Compromises
Posted on Friday, November 02 @
12:34:35 EST
# mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
# pico /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/88RestrictFileAccess
In the editor, enter:
<Directory /path-to-files>
<Files file1 file2 ...>
order deny,allow
deny from all
allow from address1 address2 ...
</Files>
</Directory>
Replace /path-to-files with the full directory path to the files you wish to protect on your server. For example, if it is in the primary i-bay, use /home/e-smith/files/primary/html. Add multiple <Directory>...</Directory> blocks if required.
Replace address1 address2 ... with a space-separated list of individual IP addresses, or netblocks in CIDR notation. For example, 127.0.0.1 would allow access from localhost, and 127.0.0.1 192.168.1.0/24 would allow access from both localhost and any system with an address from 192.168.1.1 to 192.168.1.254. Here is the completed example, based on the above settings and restricting access to a file named admin.php3:
<Directory
/home/e-smith/files/primary/html>
<Files admin.php3>
order deny,allow
deny from all
allow from 127.0.0.1 192.168.1.0/24
</Files>
</Directory>
Then rebuild the template and restart the webserver:
# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
# /etc/rc.d/init.d/httpd restart
When Apache restarts, test that the allowed addresses can access the
protected file(s), and that disallowed addresses cannot. From the
example above you would try to access this URL:
http://yourprimarydomain.com/admin.php3