Is htaccess HACKER proof?

netline5000

I wanted to find out how 'really' secure htaccess is.

A client of mine wants to secure their content by only allowing
access from customers from certain ISPs/ipaddresses only.

They want to do this WITHOUT having to use passwords, so that
valid users automatically have access to the content. Hence they don't have to manage records of millions and millions of users.

Now my question. How secure is .htaccess? Will it keep out all invalid users other than the say expert hackers or can a relatively inexperienced hacker (from an invalid ISP) get to the content despite htaccess?

thanks in advance
Mike

piersk

As long as none of the users have telnet/ftp access to the server, and they dont spoof their IP or they dont have a static IP, then yes, .htaccess files are safe.

netline5000

Thanks for the reply.

Is it posible for a user to fake the IP address of their ISP?

Also could you explain more clearly the static ip issue. How does this breach security? Won't all users from an ISP have ip addresses that contains part of their ISP's ip address.

For example is a users static ip is 102.23.44.12
blocking 102.23. would effectively block out that user as well.
Hence I think static or not, as long as one can get the ISP part of the ip, then users can be blocked. Am I correct?

Frag

Nothing is hacker proof. Something are just harder to hack than others.

1) Yes, you can spoof any ip.

2) I don't know what he meant. static IPs don't help/hurt hacking unless only certain IP can access $x service. But then thats where spoofing comes in to play.

3) you can block all the way down to a subnet of an ip range. You don't have to just block 102.83.x.x

If you just allow ips from an ISP then ANYONE using that ISP will be able to have access to the contect.

Not using some sort of authentication (more than just an ip address) isn't a good idea.

Frag

netline5000

Thanks for the reply Frag,

Yes, the client doesn't mind ANYONE from the approved ISP's accessing the content. What they don't want is someone from an un-approved ISP accessing it.

I guess my question is, is it possible for someone from an un-approved ISP to fake their ISP in order to get access to the htaccess protected content?

Frag

It's possible for anyone with the right skills to access any content anywhere. If someone really wants in and has the skills. You not going to stop them.

So the answer is Yes.

AdminsDeath

Food for thought!!!

Put your htpassword in a totally different locaition and tag the htaccess to it.

You can also set up a 3 times your out option with htaccess hence on the third attempt blocking the IP from access even if they get the password. It makes random number generators kill over dead.

Working with these same issues i have found alot of little tricks.
Best to set certian IP's to Allow and the rest to DENY.
This will lessen the burden for they must know the IP's allowed to start the hack.

Be sure to log all failed attempts. This way you keep an eye one a certain area and you can then adjust the block.

htaccess everything of importance. ONe big thing most dont know BLOCK your stats area it shows vital links that have been used in the past to connect to your server gives them a backdoor.Never use an outside source to give you your sites stats!!

use SSL if you can. Currently i am working with and using CAC(computer acccess cards) This is the most secure way i know to block even the best hacker. Tag a computer and you have blocked everyone but the real person.

netline5000

Thanks for all the replies.

AdminsDeath, what do you mean by 'tag the htaccess to it'?

piersk

I think he means that you should put the .htpasswd file anywhere outside the webserver files (htdocs I think is the default) and then in the .htaccess file, and where he says tag the htaccess to it he means put the absolute file path to it.

AdminsDeath

Thank you !! Some times i have a hard time putting things into normal terms. Tagging= Path to!

😃

MrAlaska

I learn something new every day, but from what I know about successful IP spoofing it depends on the IP being used to not be active. To guard against IP spoofing, you would ping the supplied IP and it would at least guard against the commonly available client side applications that provide this 'service'.

Of course, pinging everybody who visits would increase server and network load, but such is the price you pay for security. SSL has already been mentioned, another necessary load you are forced to bear if security is an issue.

EDIT: Upon a bit more thought, a tracert would give you even more security than a ping. Nothing should ever leave the ISP network, so any request that has a path outside the network would be suspect... I think...

drclue

htaccess authentication even when using kerbose or other encryption
is not by itself particularly bullet proof

I've herd claims from folks claiming that norwfta or some other site
has taken precautions against being hacked and consider themselves
"hacker proof" , but hey , if your bored enough and have the time
just about anyplace can be had.

There are things you can do like limit attempts or such by IP. (anyone short of IP's)
not me.

Even banks which one would figure by now should work like mini fort knox's of data
regularly appear in the news having "lost" social security , credit card and other information.

The only thing one can really do is make the price of admission so high that what folks get
for their efforts is not worth the trip.

I was assisting a government agency and getting some flack from an admin
so "with their permission" I broke into their so-called secure system in less than
8 minutes. Not that I'm some sorta whiz kid hacker , but rather that their idea of security
was that lame and the prize of the 2000/Week work was in comparison a worthy prize.

Sometimes sites are done on the cheap and it's not that those coding the site are all that lame
but rather that the firm wanted a Lexus result for the price of a piece of bubblegum, so those
coders really could not afford to do their best.

Even I have committed such sins, but I let the owners know that their $250 for a sie worth of code
was going to make for some thin paint.

If you can , let firms who focus on securing small bits of data like paypal do their thing
and llmit the size of the prize contained on your site. Hopefully the worst
you'll ever experience is a little graffetie. Most of that can be avoided by not using Microsoft products to interact with your secure items. Not because any other system is so much more secure (even if they are) but simply most hacks are aimed at the main stream.

I started coding before screens , keyboards and even PC's and have made my share
of captain crunch calls in my day (statutes of limitations long expired)

Most penetrations these days are indirect. Rather than hack your web site or host ,
they simply hack your browser or the various viewers (thanks adobe) and from there simply
get the info right out your home PC

So in the end as I said above , it's simply a matter of profit / effort.
Stretch it out some and at least there is a good chance it won't be YOU in the nightly news