Basic HTTP Authentication - Is it Effective?

Hello all!

I have an Apache web server that uses Basic HTTP Authentication to block off certain pages from the public. I do this by incorporating the following into .htaccess files:

AuthType Basic
AuthName "Members Only"
AuthUserFile /Path/to/folder/.htpasswd
require valid-user

Is doing this a secure way of blocking the public from accessing certain web pages on my web server? If not, is there an alternative password authentication method that can be implemented with relative ease?

Thanks for your time and advice!

It is effective, but you're asking to be brute forced. So better not to secure obvious pages this way, and know that someone with a more specialized set of skills can bypass it. Don't put confidential stuff there.

A better way of securing yourself would be to use ACLs in .htaccess to deny access to all and grant it to the IPs you want.

You can also create an SSH cert and use it as authentication, an even better approach.


ACLs would be good in most cases, but in the off chance that I want to use a computer that's not on my LAN, that could be a bit annoying for some content. Is there a somewhat easy way to set up password-based authentication that limits the number of attempts and/or adds time between multiple failed attempts? @anon5205053

Thanks!

(Advanced) ACLs are your bet there. You can create all kinds of rules and port them to a file so .htaccess can read from them.

Apache by itself doesn't have anything like that. If you're afraid of ACLs then you can look at proprietary software like fail2ban, or you can create a cron job that will look at the failed login logs, count IPs and add them to the hosts.deny file.

You can also create PHP-based authentication, less secure as it's more commonly cracked, but it's easier to script for many people.
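The log-counting job suggested in the reply above, sketched as an added example (not code from the thread): it counts Basic-auth failures per client IP inside a sliding window and renders the offenders as `Require not ip` lines around the original `Require valid-user`. It assumes Apache 2.4's error-log format with the mod_auth_basic codes AH01617/AH01618; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.4 mod_auth_basic failures: AH01617 (password mismatch), AH01618 (user not found).
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] .*?\[client (?P<ip>\S+):\d+\] AH0161[78]:"
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"

def find_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return sorted client IPs with >= threshold failures inside one window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    offenders = set()
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            offenders.add(m["ip"])
    return sorted(offenders)

def render_rules(ips):
    """Keep the password requirement and deny the flagged IPs (Apache 2.4 syntax)."""
    rules = ["<RequireAll>", "    Require valid-user"]
    rules += [f"    Require not ip {ip}" for ip in ips]
    return "\n".join(rules + ["</RequireAll>"])

# Constructed sample log lines (documentation IP ranges), not real traffic.
def _line(hms, ip, msg):
    return (f"[Mon Mar 04 {hms}.000000 2024] [auth_basic:error] [pid 1234] "
            f"[client {ip}:51234] {msg}")

MISMATCH = 'AH01617: user admin: authentication failure for "/members/": Password Mismatch'
NOT_FOUND = "AH01618: user root not found: /members/"
SAMPLE_LOG = (
    [_line(f"10:15:{s:02d}", "203.0.113.7", MISMATCH) for s in range(0, 50, 10)]
    + [_line(f"{h}:00:00", "192.0.2.44", NOT_FOUND) for h in range(11, 16)]
    + [_line("10:20:00", "198.51.100.20", MISMATCH)] * 2
)

if __name__ == "__main__":
    print(render_rules(find_offenders(SAMPLE_LOG)))
```

Only 203.0.113.7 is flagged in the sample: 192.0.2.44 also fails five times, but an hour apart each, so it never fills the ten-minute window.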

Alright, thank you so much!