When I secure the vicidial directory...

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

When I secure the vicidial directory...

Postby convertec » Mon Jan 28, 2008 3:40 pm

When I enable directory specific password authentication in httpd.conf via htpasswd like so:
Code: Select all
<Directory "/home/www/htdocs/vicidial">
AuthType Basic
AuthName "DO NOT USE Internet Explorer!"
AuthUserFile /home/www/passwd/passwd
Require user agent
</Directory>

it prompts for a password just fine, and gets me to the vicidial welcome.php but when I try to login to that I get this in the httpd logs:
Code: Select all
[Mon Jan 28 12:28:09 2008] [error] [client XXX.XXX.XXX.XXX] user 6666 not found: /vicidial/admin.php

and it just sits there, I cannot go any further!
If I disable the per directory password protection, it logs me in fine.
I really need to secure this directory, it there another way I should be doing it?
convertec
 
Posts: 43
Joined: Sun Sep 03, 2006 2:27 pm
Location: Idaho

Postby convertec » Wed Jan 30, 2008 1:45 pm

I still haven't found a resolution!

I am following the directions here: http://httpd.apache.org/docs/2.0/howto/auth.html

The agents can login fine, but no one can log into the administrator portal unless I turn off the directory authentication!
convertec
 
Posts: 43
Joined: Sun Sep 03, 2006 2:27 pm
Location: Idaho

Postby mflorell » Thu Jan 31, 2008 12:32 am

Most of the admin scripts in vicidial.php use HTTP authentication for access control so we don't have to rely on passed variables or cookies.

Doing a quick search I could not find any easy tutorials on how to do htaccess directory protection and PHP authentication.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby convertec » Thu Jan 31, 2008 2:22 pm

I am worried about files like this that contain user logins and passwords that are not protected in the vicidial and agc directories:

admin_changes_log.txt
astguiclient_auth_entries.txt

I have directory listings turned off, but anyone with knowledge of vicidial could get in and start making calls with these files unprotected like this.

Can you tell me how I move files like this elsewhere?

Thanks for your reply.
convertec
 
Posts: 43
Joined: Sun Sep 03, 2006 2:27 pm
Location: Idaho

Postby mflorell » Thu Jan 31, 2008 4:33 pm

Here are some suggestions for securing your VICIDIAL install:

You may want to reduce the exposure of some of the elements of VICIDIAL. Here are some examples:

ln -s /dev/null /usr/local/apache2/htdocs/vicidial/project_auth_entries.txt
ln -s /dev/null /usr/local/apache2/htdocs/agc/project_auth_entries.txt
ln -s /dev/null /usr/local/apache2/htdocs/vicidial/admin_changes_log.txt

- Change the WWW writable in the admin.php server settings to "0"
- Change the default admin user "6666" or it's password from the default
- Change the Default secret(password) for the default SIP and IAX accounts that are set up with astGUIclient
- Possibly use static IP addresses for the IAX/SIP conf account entries
- Change the default port for Apache in httpd.conf from 80 to something else
- Change the default port for IAX in iax.conf from 4569 to something else
- Change the default control port for SIP in sip.conf from 5060 to something else
- Use a firewall to route access using different port numbers or restricting connection by VPN or set IP addresses
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby convertec » Thu Jan 31, 2008 6:48 pm

Ok great, thanks!

But how do I just move those files to another directory and password protect it so I can be sure no one is using IE?

would I do it like this?:
mkdir /usr/local/apache2/htdocs/vicidial/secretdir

ln -s /usr/local/apache2/htdocs/vicidial/secretdir/project_auth_entries.txt /usr/local/apache2/htdocs/vicidial/project_auth_entries.txt

ln -s /usr/local/apache2/htdocs/vicidial/secretdir/project_auth_entries_agc.txt /usr/local/apache2/htdocs/agc/project_auth_entries.txt

ln -s /usr/local/apache2/htdocs/vicidial/secretdir/admin_changes_log.txt /usr/local/apache2/htdocs/vicidial/admin_changes_log.txt
convertec
 
Posts: 43
Joined: Sun Sep 03, 2006 2:27 pm
Location: Idaho

Postby mflorell » Thu Jan 31, 2008 8:30 pm

I'm not sure I understand the question. What does using Internet Explorer have to do with any of this?

The ln -s ... entries will make those files write to /dev/null which is a black-hole file in Linux that does not store anything, so your logging cannot be read by anyone.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby convertec » Thu Jan 31, 2008 8:34 pm

the agc/vicidial_auth_entries.txt shows what browsers people are using. I would like to know if people are using IE because I understood that IE had 'memory leaks' that would crash vicidial. Therefore, I would not want to throw them in the bit bucket!
convertec
 
Posts: 43
Joined: Sun Sep 03, 2006 2:27 pm
Location: Idaho

Postby mflorell » Fri Feb 01, 2008 1:10 am

With IE6 and astguiclient 2.0.4 the issues with memory leaks have been pretty much addressed. There are some stupid Javascript tricks you need to use to help IE to remember to take out it's garbage, and since IE6 the process is somewhat reliable, at least enough to not have problems through a 12 hour shift for a single session.
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby eijal » Thu Mar 27, 2008 8:12 pm

What exactly do you mean with?
Code: Select all
Change the WWW writable in the admin.php server settings to "0"

sorry I didn't catch it
eijal
 
Posts: 186
Joined: Thu Feb 08, 2007 6:34 pm

Postby mflorell » Fri Mar 28, 2008 1:33 pm

admin.php -> Admin -> System Settings -> Webroot Writable
mflorell
Site Admin
 
Posts: 18387
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida


Return to Support

Who is online

Users browsing this forum: Bing [Bot] and 73 guests