When I secure the vicidial directory...


Post by convertec » Mon Jan 28, 2008 3:40 pm

When I enable directory specific password authentication in httpd.conf via htpasswd like so:
<Directory "/home/www/htdocs/vicidial">
AuthType Basic
AuthName "DO NOT USE Internet Explorer!"
AuthUserFile /home/www/passwd/passwd
Require user agent
</Directory>

it prompts for a password just fine and gets me to the vicidial welcome.php, but when I try to log in to that I get this in the httpd logs:
[Mon Jan 28 12:28:09 2008] [error] [client XXX.XXX.XXX.XXX] user 6666 not found: /vicidial/admin.php

and it just sits there, I cannot go any further!
If I disable the per directory password protection, it logs me in fine.
I really need to secure this directory. Is there another way I should be doing it?
convertec
 
Posts: 43
Joined: Sun Sep 03, 2006 2:27 pm
Location: Idaho

Post by convertec » Wed Jan 30, 2008 1:45 pm

I still haven't found a resolution!

I am following the directions here: http://httpd.apache.org/docs/2.0/howto/auth.html

The agents can log in fine, but no one can log into the administrator portal unless I turn off the directory authentication!

Post by mflorell » Thu Jan 31, 2008 12:32 am

Most of the admin scripts in vicidial.php use HTTP authentication for access control so we don't have to rely on passed variables or cookies.

Doing a quick search I could not find any easy tutorials on how to do htaccess directory protection and PHP authentication.
mflorell
Site Admin
 
Posts: 18339
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Post by convertec » Thu Jan 31, 2008 2:22 pm

I am worried about files like this that contain user logins and passwords that are not protected in the vicidial and agc directories:

admin_changes_log.txt
astguiclient_auth_entries.txt

I have directory listings turned off, but anyone with knowledge of vicidial could get in and start making calls with these files unprotected like this.

Can you tell me how I move files like this elsewhere?

Thanks for your reply.

Post by mflorell » Thu Jan 31, 2008 4:33 pm

Here are some suggestions for securing your VICIDIAL install:

You may want to reduce the exposure of some of the elements of VICIDIAL. Here are some examples:

ln -s /dev/null /usr/local/apache2/htdocs/vicidial/project_auth_entries.txt
ln -s /dev/null /usr/local/apache2/htdocs/agc/project_auth_entries.txt
ln -s /dev/null /usr/local/apache2/htdocs/vicidial/admin_changes_log.txt

- Change the WWW writable in the admin.php server settings to "0"
- Change the default admin user "6666" or its password from the default
- Change the default secret (password) for the default SIP and IAX accounts that are set up with astGUIclient
- Possibly use static IP addresses for the IAX/SIP conf account entries
- Change the default port for Apache in httpd.conf from 80 to something else
- Change the default port for IAX in iax.conf from 4569 to something else
- Change the default control port for SIP in sip.conf from 5060 to something else
- Use a firewall to route access using different port numbers or restricting connection by VPN or set IP addresses
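
An added example, not part of mflorell's post or the VICIDIAL project: a shell check for the `ln -s /dev/null` step above. Plain `ln -s` fails when the log file already exists, so the script reports whether each file named in this thread really is a symlink to /dev/null or is still a readable file under the web root. The function names and the scratch directories are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. File names are the ones quoted in the posts.
LOG_NAMES="project_auth_entries.txt astguiclient_auth_entries.txt vicidial_auth_entries.txt admin_changes_log.txt"

# classify_log FILE -> prints nulled | absent | exposed
classify_log() {
    if [ -L "$1" ]; then
        # A symlink only counts as neutralised if it points at /dev/null.
        if [ "$(readlink "$1")" = "/dev/null" ]; then echo nulled; else echo exposed; fi
    elif [ -e "$1" ]; then
        echo exposed      # real file inside the web root, fetchable by URL
    else
        echo absent
    fi
}

# audit_webroot DIR... -> prints "state path" per existing file; returns 1 if any is exposed
audit_webroot() {
    rc=0
    for dir in "$@"; do
        for name in $LOG_NAMES; do
            st=$(classify_log "$dir/$name")
            [ "$st" = absent ] || echo "$st $dir/$name"
            if [ "$st" = exposed ]; then rc=1; fi
        done
    done
    return "$rc"
}

# Constructed demo in a scratch directory (no real web root is touched).
demo() {
    root=$(mktemp -d)
    mkdir "$root/vicidial" "$root/agc"
    echo "constructed sample line" > "$root/vicidial/admin_changes_log.txt"
    # Plain `ln -s` refuses to replace an existing file, so the log stays readable.
    ln -s /dev/null "$root/vicidial/admin_changes_log.txt" 2>/dev/null \
        || echo "ln -s failed: file already exists"
    audit_webroot "$root/vicidial" "$root/agc" || echo "exposed files remain"
    # Remove the old file first (or use ln -sf) so the symlink is actually created.
    ln -sf /dev/null "$root/vicidial/admin_changes_log.txt"
    audit_webroot "$root/vicidial" "$root/agc" && echo "all clear"
    rm -rf "$root"
}
demo
```

Run `audit_webroot` against the real vicidial and agc directories after applying the symlinks; a non-zero exit status means at least one log file is still stored under the web root.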

Post by convertec » Thu Jan 31, 2008 6:48 pm

Ok great, thanks!

But how do I just move those files to another directory and password protect it so I can be sure no one is using IE?

Would I do it like this?
mkdir /usr/local/apache2/htdocs/vicidial/secretdir

ln -s /usr/local/apache2/htdocs/vicidial/secretdir/project_auth_entries.txt /usr/local/apache2/htdocs/vicidial/project_auth_entries.txt

ln -s /usr/local/apache2/htdocs/vicidial/secretdir/project_auth_entries_agc.txt /usr/local/apache2/htdocs/agc/project_auth_entries.txt

ln -s /usr/local/apache2/htdocs/vicidial/secretdir/admin_changes_log.txt /usr/local/apache2/htdocs/vicidial/admin_changes_log.txt

Post by mflorell » Thu Jan 31, 2008 8:30 pm

I'm not sure I understand the question. What does using Internet Explorer have to do with any of this?

The ln -s ... entries will make those files write to /dev/null, which is a black-hole file in Linux that does not store anything, so your logging cannot be read by anyone.

Post by convertec » Thu Jan 31, 2008 8:34 pm

The agc/vicidial_auth_entries.txt shows what browsers people are using. I would like to know if people are using IE because I understood that IE had 'memory leaks' that would crash vicidial. Therefore, I would not want to throw them in the bit bucket!

Post by mflorell » Fri Feb 01, 2008 1:10 am

With IE6 and astguiclient 2.0.4 the issues with memory leaks have been pretty much addressed. There are some stupid JavaScript tricks you need to use to help IE to remember to take out its garbage, and since IE6 the process is somewhat reliable, at least enough to not have problems through a 12 hour shift for a single session.

Post by eijal » Thu Mar 27, 2008 8:12 pm

What exactly do you mean by:
Change the WWW writable in the admin.php server settings to "0"

Sorry, I didn't catch it.
eijal
 
Posts: 186
Joined: Thu Feb 08, 2007 6:34 pm

Post by mflorell » Fri Mar 28, 2008 1:33 pm

admin.php -> Admin -> System Settings -> Webroot Writable

