I note that with amportal AUTHTYPE=database set (and therefore directory access disabled in httpd.conf or .htaccess) and the Logfiles module downloaded, I can still access the Asterisk logfiles without encountering any authentication simply by entering the URL directly: -
Does this behaviour manifest itself in other people’s installations with AUTHTYPE=database? E.g. have I mucked up the default installation with incorrect permissions etc.?
If this is the case, how may I best prevent access?
This server is hidden behind a firewall - with SSH tunnel access only to a non-root user; however, I know that there are a few “technically inquisitive” and occasionally bored users, and I’d rather them not go playing in areas where they do not belong.
Further security would be a “nice to have” rather than a necessity, given the intended role of the software.
You could also just add an .htaccess file to the root html directory. That’s what I did, but with auth_mysql instead, so that way I don’t need to use a second auth file and maintain 2 username/password files. I simply configured Apache to use mod_authmysql with the same users FreePBX set up in the database. This way, every time you add or modify a user in the database using FreePBX, the root directory of your webserver stays updated. The only drawback is a double popup for user/pass, but it's still way more secure.
If you want to go the parano secure way, use the above recommended method by bubba; you won’t have any security problems with that.
If you remove the httpd control then yes, access is granted to all.
FreePBX is not intended for Inet.
If you are running an AAH / TB you've got a ton of holes by default.
AAH / TB are set up as a LAN type of use, not open to the world; you never allow access to anything but the needed ports for PHONE calls,
and if you have just a remote office / home then limit that to those IPs only.
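A static pre-check for the .htaccess approach suggested in the replies above, added here as an example and not posted by anyone in the thread: it walks from a file up to the web root and reports which .htaccess, if any, demands a login for it. The function names are hypothetical, and it assumes Apache honours .htaccess in these directories (AllowOverride); httpd.conf blocks and Satisfy are not inspected.

```shell
#!/bin/sh
# Added example. Assumption: the nearest .htaccess carrying a Require
# directive decides access (Apache does not merge Require lines by default).

# htaccess_verdict FILE
#   0 = a Require line demands a login (valid-user / user / group)
#   1 = Require lines exist but none demand a login
#   2 = no file or no Require directive: the parent directory decides
htaccess_verdict() {
    [ -f "$1" ] || return 2
    reqs=$(grep -Ei '^[[:space:]]*Require[[:space:]]+' "$1") || return 2
    printf '%s\n' "$reqs" |
        grep -Eiq 'Require[[:space:]]+(valid-user|user|group)([[:space:]]|$)'
}

# covering_htaccess WEBROOT TARGET
#   prints the .htaccess that forces authentication for TARGET, exit 0
#   exit 1 = nothing between TARGET and WEBROOT demands a login
#   exit 2 = bad arguments or TARGET outside WEBROOT
covering_htaccess() {
    root=$(cd "$1" && pwd -P) || return 2
    if [ -d "$2" ]; then dir=$2; else dir=$(dirname "$2"); fi
    dir=$(cd "$dir" && pwd -P) || return 2
    case "$dir/" in
        "$root"/*) ;;
        *) return 2 ;;
    esac
    while :; do
        rc=0
        htaccess_verdict "$dir/.htaccess" || rc=$?
        case $rc in
            0) printf '%s\n' "$dir/.htaccess"; return 0 ;;
            1) return 1 ;;   # a nearer file re-opens access
        esac
        [ "$dir" = "$root" ] && return 1
        dir=$(dirname "$dir")
    done
}

# Usage: sh check.sh WEBROOT FILE
if [ "$#" -eq 2 ]; then
    covering_htaccess "$1" "$2" || echo "no .htaccess demands a login for $2"
fi
```

A clean result here only covers the .htaccess layer; the confirming check is still an unauthenticated request for the log URL that comes back with a 401.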