1. Portal Home
  2. Knowledgebase
  3. PBX F.A.Q
  4. How can I secure my web server

How can I secure my web server

Most exploits gain entry via the web server.  The following 2 methods are simple and effective ways to prevent that.  These methods assume the web server does not need anonymous access.  

First method

Password protect web folders.  You will have to log in once via a web browser.  Tell the browser to save the log in info when it asks so you do not have to log in again.

mkdir -p /etc/pbx

# Create password file and first user
htpasswd -c /etc/pbx/wwwpasswd someusername

# Add additional users to existing password file
htpasswd /etc/pbx/wwwpasswd someotherusername
nano /var/www/html/.htaccess
# .htaccess files require AllowOverride On in /etc/httpd/conf/httpd.conf
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/pbx/wwwpasswd
Require valid-user

Alternatively, the authentication can be added to an apache config file such as /etc/httpd/conf.d/myauthentication.conf.

For Apache v2.2

<Directory /var/www/html>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/pbx/wwwpasswd
Require valid-user
</Directory>

For Apache v2.4

<Location />
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/pbx/wwwpasswd
Require valid-user
</Location>

To bypass this extra security on the user control panel (http://xx.xx.xx.xx/ucp) add the following to the same file.

For Apache 2.2

<Directory /var/www/html/ucp> 
Satisfy Any
Allow from All
</Directory>

For Apache 2.4, put it after the other Location directive

<Location "/ucp" > 
Require all granted
</Location>

If using SSL certificates.

For Apache 2.2

<Directory /var/www/html/.well-known>
Require all granted
</Directory>

<Directory /var/www/html/.freepbx-known>
Require all granted
</Directory>

For Apache 2.4

<Location /.well-known>
Require all granted
</Location>

<Location /.freepbx-known>
Require all granted
</Location>

 

Second Method

Whitelist protect web folders.  If browser http access is only required from certain IP addresses or ranges of addresses.

nano /etc/httpd/conf.d/whitelist.conf

For Apache v2.2

<Location />
Order Deny,Allow
Deny from all
#
Allow from x.x.x.x
Allow from x.x.x.x x.x.x.x x.x.x.x
Allow from somedomain.com
Allow from x.x
Allow from x.x.x.0/255.255.255.0
#
#See http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html for more examples
#
</Location>

For Apache v2.4

<Directory "/">
<RequireAny/>
## This first one should only be uncommented when full anonymous access is required
# Require all granted 
Require ip x.x.x.x
Require ip  x.x.x.x x.x.x.x x.x.x.x
Require host somedomain.com
Require ip x.x
Require ip x.x.x.0/255.255.255.0
#
#See http://httpd.apache.org/docs/2.4/mod/mod_authz_host.html#requiredredirectives for more examples
#
</RequireAny>
</Directory>

Make sure to restart the web server after doing any of the above.

service httpd restart

Alternatively, just reboot for the changes to take effect.

  • security, secure, web, browser, http

Related Articles

I have a bunch of anonymous call attempts showing up in my call logs

I have a bunch of calls that look like this. 2011-11-18 00:27:10SIP/xx.xx...unknown"unknown"...

Do I need to do anything on the server/linux side of things?

You should not have to do anything on the server/linux side unless you want to tweak things or...

How hard is it to upgrade my server?

Upgrading resources such as memory, processing, hard drive space is instantaneous and does not...

Do you automatically upgrade our software when a newer version comes out?

Software upgrades are not automatic because they usually require service interruption.  We can...

Do you provided automatic backups.

Our premium plan includes automatic online backups.  All other plans can be backed up manually...