Apress - Smart Home Automation with Linux (2010)- P38 potx

5 149 0

Đang tải... (xem toàn văn)

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 5
Dung lượng 245,84 KB

Nội dung

CHAPTER 5 ■ COMMUNICATION 168

Secure Server

With the Web being a naturally open protocol and the home machine being a traditionally secure environment, providing a way for secure access to your home and its data is a must. You can provide this with basic authorization that places specific files called .htaccess in each directory. These are read by the web server to govern access, which does the following:

• Makes it easy to add and change user access rights
• Can be changed on a per-directory basis, without needing to be root
• Requires no rebooting between changes

One downside of this method, over changing the configuration files directly, is that these files are read on every access, making the service slower. In the case of a private web server, this is unlikely to be noticeable, however. More important, the username and password are sent across the wire in plain text when connecting, despite being present in an encrypted form on disk. Furthermore, they are stored (and are accessible) as plain text from any script running from inside this area. Consequently, it is recommended only for web servers that are inaccessible from outside your home network.

To enable basic authentication, you need two things: a password file and an access file. The password file is traditionally called .htpasswd and exists on the filesystem in a location that is accessible to Apache (that is, the www-data user) but not among the files that Apache serves (not those underneath /var/www). You create the file and your first user like this:

    htpasswd -c /etc/apache2/.htpasswd steev

You are then prompted for a password that is encrypted and added to the file. This password is for accessing the web site only. It need not match the password for the user, if they share a name, and in fact you can allow users to access the web site who don't have a Linux account at all.
You must then indicate which directories are to be protected by including an .htaccess file inside them, as shown here:

    AuthType Basic
    AuthUserFile "/etc/apache2/.htpasswd"
    AuthName "Enter your username and password."
    require valid-user

You would generally protect the entire directory in this way, with any per-user control happening through code such as this:

    if ($_SERVER['PHP_AUTH_USER'] == "steev") {
        // allow this
    }

Add any per-file control with a change to .htaccess thusly:

    <Files private_file.php>
        require valid-user
    </Files>

Note, however, that although you don't need to restart Apache for these changes to take place (because you're not changing apache2.conf or its partners), you do need to ensure the following appears within those directory directives that use this authentication system:

    AllowOverride AuthConfig

This is because most examples will default the previous line to the following, which does not support the feature:

    AllowOverride None

You can also create groups of users by adding lines to the .htpasswd file:

    FamilyGroup: mum dad sister
    HouseOwnersGroup: mum dad

And you can amend the requirements line in .htaccess to this:

    Require group HouseOwnersGroup

When accessing these authorized-only web pages, you will be presented with a dialog box requesting your username and password. This naturally makes the page appear more difficult to bookmark. In fact, it isn't! The HTTP specification allows both of these to be passed as part of the URL:

    http://myusername:mypassword@myprivatesite.homelinux.org

Although this is a security flaw, it must be remembered that the authorization credentials are already passed in plain text, so it does not open any new holes; it merely lowers the barrier to entry for script kiddies. Provided the bookmark isn't stored on any publicly accessible machine, you are no worse off.
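As an added example (not the book's code), the following POSIX shell helpers make the three points above checkable: what Basic authentication actually puts on the wire, how to spot credentials embedded in a bookmarked URL, and whether the .htpasswd file sits outside the document root with sane permissions. It assumes GNU coreutils (base64, stat -c); the file paths are placeholders.

```shell
#!/bin/sh
# Added example: audit helpers for the Basic-auth setup described above (not the book's code).
# Assumes GNU coreutils (base64, stat -c). File paths are placeholders.

# What the browser puts on the wire for USER and PASSWORD: the pair joined by a colon
# and base64-encoded, which is an encoding, not encryption.
basic_auth_header() {            # basic_auth_header USER PASSWORD
    printf 'Authorization: Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Reversing that header recovers USER:PASSWORD exactly; this is the "plain text
# across the wire" problem the text describes, and why SSL is needed on an open network.
decode_basic_auth() {            # decode_basic_auth 'Authorization: Basic ...'
    printf '%s' "${1#Authorization: Basic }" | base64 -d
}

# Bookmarks and logs of the form http://user:password@host carry the credentials.
# Prints the URL with the userinfo removed; returns 1 if credentials were present.
scrub_url_credentials() {        # scrub_url_credentials URL
    authority=$(printf '%s' "$1" | sed -n 's#^[A-Za-z][A-Za-z0-9+.-]*://\([^/?]*\).*#\1#p')
    case "$authority" in
        *@*) printf '%s\n' "$1" | sed 's#://[^/?]*@#://#'; return 1 ;;
        *)   printf '%s\n' "$1"; return 0 ;;
    esac
}

# The password file must be readable by Apache's user (group www-data, mode 640 is the
# usual choice) but must not be inside the document root and must not be world-readable.
check_htpasswd() {               # check_htpasswd FILE DOCROOT
    case "$1" in
        "$2"/*) echo "$1: inside document root $2"; return 1 ;;
    esac
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    mode=$(stat -c %a "$1")
    case "$mode" in
        *[1-7]) echo "$1: world-accessible (mode $mode)"; return 1 ;;
    esac
    echo "$1: ok (mode $mode)"
}
```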
■ Note Be aware that some media players will display the full URL (including login credentials) when streaming music from such a site.

A much-improved form of security is through Secure Sockets Layer (SSL). This is where two sites (the client and server) will communicate only once they have established that a proven secure connection exists by the exchange of certificates. These certificates prove that the server claiming to be minervahome.net, for example, really is the server located at minervahome.net. This certificate of authenticity, as it were, is issued by a higher authority whose reliability you can trust. And this authority is verified by an even higher authority, and so on. At the top of this hierarchy are companies like VeriSign whose entire worth is based on the fact that they can never be confused with anyone else.

Acquiring these certificates of trust costs money and is generally reserved for businesses, although home users are not explicitly excluded. However, you can always get around this requirement by generating a certificate that you sign yourself. This doesn't provide the full security package, but it provides secure access to your data that can't be seen by anyone else on the network.

At a technical level, SSL is an extension of the HTTP protocol that ensures that usernames and passwords cannot be monitored by packet sniffers watching the traffic to your home machine. However, because the security handshaking takes place before the domain name is sent, only one virtual site may use SSL.[12] In our case, this would be our private house control web site. The self-signed authentication certificate is valid for a certain number of days and applied to the web server upon boot-up.
To stop this certificate being copied and used on another web server (thus eliminating its purpose as a security mechanism), you will have to type a passphrase (a longer form of password, which should be at least 20 characters and contain several words, to avoid basic dictionary attacks) when creating the certificate and at any time it is used, converted, or applied to a web server. Longer phrases are naturally better, but should you forget the phrase, you will have to revoke that certificate and issue a new one.

SSL self-signed certificates are generated with several (rather opaque) commands. There are many examples on the Web detailing these in varying degrees of detail. For our purposes, you care not about the why, merely the how. So, begin with this:

    cd /etc/apache2
    mkdir ssl
    cd ssl

and issue the following commands, filling in the prompts as requested:

    openssl genrsa -des3 -out server.key 1024
    openssl rsa -in server.key -out server.pem
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 30 -in server.csr -signkey server.key -out server.crt
    chmod 600 *

You can then add an SSL host to your available sites list by cloning the existing 001-control version and wrapping it with the following:

    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        # Normal configuration data goes here
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>
    </IfModule>

You should then restart the web server with this:

    a2enmod ssl
    a2ensite 002-control-ssl
    /etc/init.d/apache2 restart

If all has gone well, you'll be asked for your passphrase, and the site will be available only when HTTPS is used.

[12] There are solutions to the contrary detailed on the Internet, but they are too complex to be discussed here.
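As an added example (not the book's code), the script below produces the same kind of self-signed key and certificate pair in one unattended step and then performs the check that catches the most common SSL setup failure: a certificate that does not belong to the key the virtual host is given. It assumes the openssl command-line tool; the key is written without a passphrase so the script can run unattended, whereas the book's commands protect it with one.

```shell
#!/bin/sh
# Added example (not the book's code): self-signed certificate helpers for the SSL setup
# above. Assumes the openssl CLI. The key is written unencrypted (-nodes) so that this
# runs unattended; a passphrase-protected server.key works with the checks below too.

# Create DIR/server.key and DIR/server.crt, a self-signed cert valid for DAYS days with
# subject SUBJ (e.g. "/CN=myprivatesite.homelinux.org"), with the permissions the text uses.
gen_selfsigned() {                # gen_selfsigned DIR DAYS SUBJ
    mkdir -p "$1" && chmod 700 "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "$3" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null || return 1
    chmod 600 "$1/server.key" "$1/server.crt"
}

# A certificate only works with the key it was made from. Comparing the RSA modulus
# of both is the quickest way to catch a vhost that points at mismatched files.
key_matches_cert() {              # key_matches_cert KEYFILE CERTFILE
    kmod=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 2
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Succeeds only if the certificate will still be valid DAYS days from now; the book's
# 30-day certificates need this checked before they silently expire.
cert_valid_for_days() {           # cert_valid_for_days CERTFILE DAYS
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Print the two directives to paste into the <VirtualHost _default_:443> block.
vhost_lines() {                   # vhost_lines DIR
    printf 'SSLCertificateFile %s/server.crt\nSSLCertificateKeyFile %s/server.key\n' "$1" "$1"
}
```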
■ Note The process of setting up and configuring SSL is rife with possibilities for error, from differences between key and certificate (often when the location and domain information is entered) to broken SSL protocols to old certificates being used in preference to the new ones. Consequently, incorporate SSL only when you have some time and good access to the various Internet message boards!

To ensure that your users always use the SSL version of your web site, you can introduce some simple rules to the configuration by rewriting any HTTP request as an HTTPS one. This uses the famed mod_rewrite module and can be introduced within the virtual host configuration file like this:

    <Directory /var/www/sites/homeprivate>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride AuthConfig
        Order allow,deny
        allow from all
        deny from none
        RewriteEngine On
        RewriteCond %{SERVER_PORT} 80
        RewriteRule ^(.*)$ https://myprivatesite.homelinux.org/$1 [R,L]
    </Directory>

You must then enable the module and restart:

    a2enmod rewrite
    /etc/init.d/apache2 restart

As an extra layer of protection, it is not unusual to utilize the "security through obscurity" approach. This means that you make it difficult for someone to accidentally stumble upon your server. For example, you could have the real home directory inside a child directory, descended from the root, which has no links to it. This would use a more obscure name, not housecontrol, and act like a first-layer password. Since you can't query a web server to determine which files are available to download, it is possible to access this area only if you know that it exists and its name. If you choose an arbitrary randomized name like bswalxwibs, you can always bookmark it on physically secure machines. Naturally, this should always be used in addition to the standard security methods, not instead of them.
If you have registered a domain like MyMegaCoolAutomatedHouse.com, then it is likely that someone will find it and may be able to use the Whois directory to get your real-world address[13] (unless you've remembered to shield it).

Controlling the Machine

Although Apache is capable of running scripts dynamically when web pages are requested, they are run as the user under which Apache runs. Depending on your configuration, this is usually the www-data or nobody user. Confirm this by including the following whoami.php script on your web server and then loading it in a browser:

    <?php
    system("whoami");
    ?>

Consider this user carefully. Because all system calls made by the server (on behalf of the user accessing the web page) will happen as www-data, there are further considerations for the code being run:

• This user probably has more access to your file system than you expect. No longer does someone need a user account on the Linux machine to read the filesystem; they can do so through the web page if there are security issues with the software or its configuration.
• Also, the permissions will be different, not just for the necessary configuration files but also for the access rights to devices, such as the CD-ROM or sound card. If you allow a web page to control your CD-ROM, for example, then /dev/cdrom must have read-write access granted for the www-data user. Since this is a little specific, it is more usual to grant read-write permission to an audio group and add user www-data to that group. Note that you have to restart the Apache server whenever such a change to this user's groups is made. The same is true for access to /dev/dsp.
• The path used to determine the location of named executables will be significantly different from that of the normal user you have tested with. This means you should explicitly use the full path in all commands issued.
• The environment variables will also be different.
You may need to set these up manually by logging in as the Apache user (for example, rlogin www-data@localhost) and setting up the environment accordingly. You can also use this approach to confirm that your permissions are correctly set by running the commands manually. This also allows you to create any configuration files that might be necessary.

[13] Thieves use a similar idea by pressing the home button on satnavs to drive to their victim's house while they're busy filing a police report on their recently stolen car.
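As an added example (not the book's code), here is a small preflight script to run as the Apache user (for instance with sudo -u www-data sh preflight.sh run, or after logging in as described above) that reports the items in the list above: the effective user and groups, whether a command resolves under an explicit PATH, and whether device nodes are readable and writable. The device paths, command names and the audio group are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not the book's code): run this as the web-server user to verify the
# points above before a web page tries to drive hardware. Device paths, command names
# and the group name are placeholders for your own setup.

# Resolve NAME against an explicit PATH (default: a minimal one). Apache's PATH is
# not your login shell's, so anything a script runs should be called by this full path.
resolve_cmd() {                   # resolve_cmd NAME [PATH]
    ( PATH=${2:-/usr/local/bin:/usr/bin:/bin}; command -v "$1" )
}

# Can the current user both read and write NODE (e.g. /dev/cdrom, /dev/dsp)?
# Returns 2 if the node does not exist, 1 if access is missing, 0 if usable.
can_rw() {                        # can_rw NODE
    [ -e "$1" ] || { echo "$1: does not exist"; return 2; }
    if [ -r "$1" ] && [ -w "$1" ]; then return 0; fi
    echo "$1: no read-write access for $(id -un)"; return 1
}

# Is the current user a member of GROUP? Remember that Apache only sees a new group
# membership for www-data after it has been restarted.
in_group() {                      # in_group GROUP
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Report everything the list above says will differ from your login shell.
preflight() {                     # preflight CMD...
    echo "running as: $(id -un), groups: $(id -Gn)"
    echo "PATH: $PATH"
    echo "HOME: ${HOME:-unset}"
    for c in "$@"; do
        p=$(resolve_cmd "$c") && echo "$c -> $p" || echo "$c: not found in PATH"
    done
    for dev in /dev/cdrom /dev/dsp; do can_rw "$dev" && echo "$dev: ok"; done
    in_group audio && echo "audio group: yes" || echo "audio group: no"
}

# Usage: sh preflight.sh run   (as www-data); the command names are placeholders.
case "${1:-}" in run) preflight eject aplay ;; esac
```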

Posted on: 03/07/2014, 20:20