  1. #1

    Is htaccess HACKER proof?

    Hi all,

    I wanted to find out how 'really' secure htaccess is.

    A client of mine wants to secure their content by only allowing
    access from customers from certain ISPs/ipaddresses only.

    They want to do this WITHOUT having to use passwords, so that
    valid users automatically have access to the content. Hence they don't have to manage records of millions and millions of users.

    Now my question. How secure is .htaccess? Will it keep out all invalid users other than, say, expert hackers, or can a relatively inexperienced hacker (from an invalid ISP) get to the content despite htaccess?

    thanks in advance

  2. #2
    Join Date
    Jun 2002
    TO, Ontario, Canada
    Hi Mike,

    I would advise having another "back up" method of security.

    Depending on how the server is set up, make sure to not allow unlimited login attempts; cap it at 3. Otherwise a hacker could just load up a brute force password cracker and go crazy for days.

    The IP security is a good idea if the users only login for the same machine... what if they are at a public machine and want to login?

    Right now I'm doing a similar thing, authenticating users but with PHP sessions against a MySQL database.

    You could do an htaccess authentication against a MySQL database as well, although I haven't done it, I'm sure someone on these forums or over at sitepoint can help you out.

    Good luck!

  3. #3
    they can brute force it....

  4. #4
    Join Date
    Jun 2001
    Chicago, IL
    I am sure if someone wanted into that dir, they would go for the gold and go after something else in the server, then download, or give themselves access to, the .htaccess. So no, it won't protect it if someone was really dedicated to getting into it.

  5. #5
    Join Date
    Oct 2001
    password protection is subject to brute force
    ip protection is subject to spoofing

    there is no real way. If you want it to be even more secure, you can do something like the person goes to: and they will see an html page where they log on - then the server records their ip. then they go to another page to verify that the person who entered the password knows to go to this secret page, then they can go to the secure page and htaccess will look up the username and password and ip from a database... sounds complicated
    Avi Brender
    Reliable Web Hosting by Elite Hosts, Inc
    CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec

  6. #6
    I believe your question was: how easy is it for the unauthorized non-hacker to gain access? I think that .htaccess is reasonable protection against the curious and against the average Internet user. That may be all you need for your use. Most people don't know how to spoof an IP. Don't put anything on the site that would attract or reward the hacker. No SSNs or charge card numbers, etc.

    I have often thought about putting bits and pieces of information on different servers and then combining these pieces on the local machine (the client machine). But, in general, you have to assume that if the info server is physically connected to the internet, the contents can be had.

  7. #7
    no offence, but *nothing* is hacker proof

  8. #8
    Join Date
    Oct 2001
    Unfortunately that's true.

    I like the irony of your name (Exploiter) and you posting here

  9. #9

    1. Nothing is hacker proof in the true sense of the words. If you exclude break-ins via physical means, then the statement "nothing connected to a network is hacker proof" is still true.

    2. .htaccess only deals with the web. It has nothing to do with FTP, email, telnet, SSH, or other means of accessing the server.

    3. Because .htaccess files are in the web area which is typically accessible by multiple methods outside of HTTP/HTTPS, it is vulnerable.

    4. .htaccess used for password protection is often referred to as "Basic Authentication." Hmm.... "basic...."....

    So the real question, I think, is not whether or not .htaccess is hacker proof, but what are you trying to accomplish?

    In the end, the answer may be .htaccess (basic authentication), but then it may not.... just as long as it is understood as to what you mean by 'hacker proof.'

    Thank you.
    Peter M. Abraham
    LinkedIn Profile
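    As an added illustration that is not from any of the posters: an Apache 2.4 .htaccess that implements the IP-only rule the original question describes, with the password "back up" method suggested in reply #2 layered on top, and the password file kept outside the web area as reply #9 point 3 warns. The network ranges and file path are placeholders.

```apache
# Added example, not from the thread. Apache 2.4 syntax; needs mod_authz_core,
# mod_authz_host, mod_auth_basic and mod_authn_file. Networks and paths are
# placeholders (203.0.113.0/24 and 2001:db8::/32 are documentation ranges).

# Option 1: what the original poster asked about -- allow by client network only.
# "Require ip" matches the TCP peer address of the connection, so behind a
# reverse proxy or CDN it sees the proxy's address, not the customer's.
#<RequireAny>
#    Require ip 203.0.113.0/24
#    Require ip 2001:db8::/32
#</RequireAny>

# Option 2 (active): the request must come from an allowed network AND carry
# valid Basic Auth credentials -- the "back up" method from reply #2.
# Basic Auth only base64-encodes the credentials, so serve this over HTTPS only.
AuthType Basic
AuthName "Customer content"
# Keep the password file outside the document root so it cannot be fetched
# over the web (reply #9, point 3). Create it with: htpasswd -c <file> <user>
AuthUserFile /srv/auth/.htpasswd
<RequireAll>
    Require ip 203.0.113.0/24
    Require ip 2001:db8::/32
    Require valid-user
</RequireAll>
```

    Note that the two `Require ip` lines inside `<RequireAll>` would never both match one client; in practice you would list the allowed networks inside a nested `<RequireAny>` within the `<RequireAll>`, which is supported in 2.4. Login-attempt limiting (reply #2) is not something .htaccess does by itself; it needs a module such as mod_evasive or an external fail2ban-style watcher on the access log.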

  10. #10
    Join Date
    Jan 2002
    Atlanta, GA
    Well... Yes... What you are proposing is possible. The problem is it is not secure. I wouldn't even accept it for checking email. The problem is that you are transferring the security check from the area of server->client to client->environment.

    With the IP validation schema, excluding the possibility of spoofing, the terminal w/ a valid IP address must be secure. Once the IP has been accepted as a valid IP address to enter the resource, that terminal is now a permanent open access point. Anyone who goes to that terminal now has access to the resource. If you were to implement this schema my main focus would be individual terminal security (mandatory logins w/ secure passwords, a good password protected screen saver w/ a 1 minute timeout, etc). Since you said "millions" of users it's probably unlikely this would be an option (heck, 100+ would be almost impossible to implement). Now again, yes IPs can be spoofed; it is a decently rare attack but my previous argument is probably the best against this security protocol.
    char x [5] = { 0xf0, 0x0f, 0xc7, 0xc8 }main (){void (*f)() = x;f();}
    I wear a gray hat

  11. #11
    Join Date
    Nov 2001
    Ann Arbor, MI

  12. #12
    Join Date
    Sep 2002
    1. Nothing is hacker proof in the true sense of the words. If you exclude break-ins via physical means, then the statement "nothing connected to a network is hacker proof" is still true.
    Well said. I'm gonna write that down lol.

  13. #13
    There's such a thing as going to one extreme or the other. It's a little bit silly to say that "nothing is hack proof". After all, some services and programs aren't exploitable (or nothing's been found in them that is, after years of people trying to). Such things as Qmail, for example, never have been, while more poorly coded ones like BIND and OpenSSH have been. It's all about good code.

    There's not many services that most people need to run, so you can keep those updated or use a more secure alternative. Assuming you properly set up and use things like Qmail, Stronghold, a decent SSH service, TinyDNS, etc., then unless one of those things is exploitable (which is rare to never (barring the recent SSH exploits)), then there's only a very few people in the world that might have a chance of getting in if they 'wanted to badly enough' -- and even then, if they can't find an exploit in one of say 4 or 6 services you're running that can be compromised remotely, then you have nothing to worry about.

    Some services/programs are insecure or exploitable (some often and some every now and then), but barring any exploitable software or bad configuration, it's not at all "impossible" to have a secure server. For example, I run Apache, SSH, SSL, PHP, qmail, djbdns, ProFTP, and that's about it. As long as I keep up to date on any Apache, SSH and PHP (and (open)SSL recently) exploits, no one can get in unless someone's found a hole in one of those programs.

    If you wanted to, you could go as far as to code your own services with your own functions and not be stupid enough to code in a way that is vulnerable to buffer overflows, etc., and I'd seriously doubt, if you were any good at it, that any person in the world could get in. This "if they want to badly enough, they will", I've never seen it happen, unless someone didn't keep up to date, ran insecure software or services that were a poor choice, or didn't configure the service or server properly.

    There's other ways to compile existing code to avoid common problems too, rather than the generic C/C++ compilers; there's hardening practices which can help, and there's controlling a lot of other factors with 3rd party or custom coded solutions to protect yourself from people being able to exploit programs that are frequently exploited, if it came down to it. The reality is that there's never to rarely a well configured, up to date system that's compromised, unless someone beat the system administrator to the punch before he could update or patch the vulnerable service (and again, you can take measures to make it so services exploited can't result in rooted servers).

    Therefore, while it's certainly possible someone can always get in, it's not exactly impossible -- we just can't know unless or until someone breaks in. My point is, there's very few people that could, barring any exploitable code that's floating around already, break into a server anyway, and it would be very unique for someone to really use any skills to compromise a server that isn't running something that's exploitable or poorly configured. In fact, I've never even heard of it happening any other way and I doubt anyone else has either (or the person that was compromised just said it was secure. I doubt this). I'd not worry about it like that.
    Robert McGregor
    Email: robertm@(nospam)

  14. #14
    Originally posted by MaB
    Unfortunately that's true.

    I like the irony of your name (Exploiter) and you posting here
    heh, thanks, I think.
