Posted by: Amberlily
Posted on: 2002-04-05 00:04:00
Hi! I'm trying to install Pennywize and I've run into a snag. Does anyone know how to add server configuration lines that need to be added to a httpd.conf file? Is this something that dreamhost needs to do for me?
I hardly know what I'm talking about--just trying desperately to follow directions....
Thanks in advance!!
Posted by: wil
Posted on: 2002-04-05 00:32:00
Yes, and I doubt that they would be able to do this for you on a shared hosting plan. You'd have much more chance on a dedicated plan.
Out of interest; what on earth do you need to edit the master httpd.conf file for? You can mimick most features using on a per-directory basis using .htaccess files.
Wil
Posted by: Amberlily
Posted on: 2002-04-05 00:40:00
I don't know what the heck I'm doing. I'm trying to use a service that was recommended because my htaccess file seems to be in jeopardy--I'm finding my usernames and passwords on password trading sites and on message boards according to my site's ref. logs. So, this service, Pennywise, is supposed to help shelter from these attacks. I'm definitely a novice and am trying to follow their instructions for set up.
I'm really stressed out. I don't want to see my bandwidth skyrocket because a couple of jerks can rob me of my usernames/passwords for supposedly "protected" directories.
Any advice? Suggestions?
They did say in there directions that after I get the server configuration lines added that Apache may need to be restarted?
Le sigh...
Posted by: will
Posted on: 2002-04-05 00:45:00
if absolutely necessary, we might be able to add lines in httpd.conf, but you should be able to do most of the same things in .htaccess (on pretty much all plans, you have permission to override most of the apache configuration options).
however we can't really provide specific support for a setup like this, unfortunately, and it is a bit tricky. if you can find someone who has done it and is willing to help, that would be ideal.
Posted by: Amberlily
Posted on: 2002-04-05 00:54:00
How can I access the .htaccess to add the lines server configuration lines? Is this done through FTP or through the dreamhost panel?
I really do wish I could find someone who's set it up--support over there seems to be really slow. I think they're probably overwelmed or something.
I'm just so disheartened over the whole ordeal... I don't know why anyone would go to all the trouble to do this to my lil site. :(
Thanks, Will for answering though...
Posted by: wil
Posted on: 2002-04-05 06:55:00
So are you telling me that you already have htaccess/htpasswd files set up for basic authentication and people have managed to hack these to get your usernames and passwords? I highly doubt this. You sure you just don't have any untrusted users who distribute your username/passwords?
Wil
Posted by: Amberlily
Posted on: 2002-04-05 12:18:00
Yes Wil, this is exactly what I'm saying. I have gone to the hackers message boards and found the programs that they use to hack in--granted it's even in another language, so I don't know all of what I'm reading. I can see that in a post that give out the direct link to our members area they have nine of our usernames and passwords all ready to go.
The only other person that has access to our info is the owner of our site and she has NO experience with anything a website requires. And because I have some html knowledge, I'm the one that's looking after it.
I realize that this must sound outlandish, but it's really not. When it first started happening it was only one member's login to our protected area. Now, it's eight of them. This is NOT a case of password sharing. They ARE getting in. I suspect that we could change our dreamhost login info and it would make no difference. I'm gonna even see about doing that right now while I've thought of it...
It's very sad...
And what's more, one of the usernames and passwords on the message board is MINE. I have never given this out!!! I can supply the link to the message board, if you like. Dozens of sites are in there with violated logins. All hacked by what looks like the same guy. :(
Posted by: will
Posted on: 2002-04-05 17:37:00
> How can I access the .htaccess to add the lines server configuration lines? Is this done through FTP or through the dreamhost panel?
You just create a file in your web root called '.htaccess' with the lines you need. You should be careful which editor you use, though, since some Windows / Mac editors will insert carriage returns that our system doesn't like.
W/r/t your other question, I think it's unlikely that someone cracked your passwords without at least having access to one of your users. Even then, I'm pretty sure it would be fairly difficult, although I'll make sure we have Apache configured to not allow people to download the .htpasswd file.
Posted by: vrillusions
Posted on: 2002-04-06 14:51:00
OK, it sounds like what's happening is common among password protected sites. Knowledge is power, so when this starting happening to a friend of mine, I started to research. The way hackers get these username and passwords is by constantly hitting the server with predefined usernames and passwords. Basically, any password that's deamed "easy" such as; password, 12345, 54321, 111111, 333333, you get the idea. Stuff that people set as an easy to remeber password. So what happens is this program keeps hitting the server trying all the combinations of usernames and passwords, until they get a match, usually they do.
Now that you know how it's done, now you can starting preventing it. How so? by making both the password AND username 'secure'. Basically a combination of letters, both upper and lower-case, numbers, and special characters like %. The best way to do this is to prevent users from creating their own password, at all. Or make it always go through you. Now you can do somewhat simple things to secure it. Take the password, "password." Using some characters and numbers, you can come up with "P@ssW0rd" (the "o" in word is the number 0). Just making those simple changes can really secure it.
So what should you do? First off, let those users that have the "stolen" passwords made aware that their usernames have been stolen and have been removed and for them to email you back with new contact information. If after securing the passwords like above, you STILL see the passwords on websites, then email them again and said their password has been stolen and to arrange for a new username and password. If it STILL shows up, then I would suggest the person(s) are purposely sending those to websites. In that case I would susspend their account (3 strikes and your out). Just make sure you specify that in your user aggreement somewhere. This is a rather "benefit of the doubt" approach. A lot of secure sites say that the first time it happens the account gets cancelled without refund.
Hope this all helps.
Posted by: Amberlily
Posted on: 2002-04-07 19:53:00
Hiya Todd:
Thanks for the info. We will be making usernames and passwords harder to figure out from now on. (Not that I think ours were all that easy to begin with--we use combinations of letters and numbers but not special characters.)
I *think* I've added the configuration lines to my .htaccess file. The only other thing that the pennywize.com directions said to do was to have Apache restarted. Then it should be set. I will contact dreamhost support about doing that....
I'll still be checking our site's ref. logs, but I can't watch them 24 hours a day. The Pennywize program claims to shut down a particular username/password combo if it's exhibiting too much use.
I guess it'll be a "wait and see" game to see if I got it set up right. Another username/password was cracked today. One is still way better than eight or nine....
Posted by: wil
Posted on: 2002-04-08 01:25:00
What's the actual line added to your .htaccess files? What magical code have you found that can stop this?
If I'm not mistaken, Apache is reconfigured every 15 minutes on most dreamhost servers. But if it needs a total restart (very unlikely from a configuration in .htaccess) then you'll have to contact support.
Wil
Posted by: will
Posted on: 2002-04-08 01:48:00
changing stuff in an .htaccess file doesn't require a server reload.
i noticed that we're not currently preventing authenticated users from downloading / viewing the .htpasswd files, so it's possible for an authenticated user to view the .htpasswd file if the file isn't below the web root. for domains with password protection added from our web panel, this is the default.
we're most likely going to add something like the following to the .htaccess file or to the apache configuration on the server:
<FIlesMatch "^.ht*">
deny from all
</FilesMatch>
(I think there might be an apache directive specific to preventing this type of thing as well - perhaps the directive that disallows viewing of dot-files).
Generating .htaccess files from the command line using the directions in kbase will not have this problem, since our instructions suggest putting the htpasswd file below the web root.
While the passwords are encrypted, they're encrypted using 'crypt', and so passwords are not that hard to crack, especially weak passwords.
Posted by: Amberlily
Posted on: 2002-04-08 03:16:00
Wil, you can sign up for your own free account at http://www.pennywize.com. They'll give you the instructions for getting it set up that way. My trying to explain what I hardly understand probably won't work all that well! ;)
Basically, it was a two part set up. Stuff in the cgi bin and then the lines added to the .htaccess file.
*hugs*
Amber