I note that with amportal AUTHTYPE=database set (and therefore directory access disabled in httpd.conf or .htaccess) and the Logfiles module downloaded, I can still access the Asterisk logfiles without encountering any authentication simply by entering the URL directly: -
Additionally, I can also bring up the javassh screen with: -
This behaviour is apparent in 2.1.3 and 2.2b3.
Does this behaviour manifest itself in other people’s installations with AUTHTYPE=database? E.g., have I mucked up the default installation with incorrect permissions etc.?
If this is the case, how may I best prevent access?
Many thanks for the responses.
This server is hidden behind a firewall, with SSH tunnel access only to a non-root user; however, I know that there are a few “technically inquisitive” and occasionally bored users, and I’d rather they not go playing in areas where they do not belong.
Further security would be a “nice to have” rather than a necessity, given the intended role of the software.
Many many thanks for all your hard work
You could also just add an .htaccess file to the root html directory. That’s what I did, but with auth_mysql instead, so that way I don’t need to use a second auth file and maintain two username/password files. I simply configured Apache to use mod_authmysql with the same users FreePBX set up in the database. This way, every time you add or modify a user in the database using FreePBX, the root directory of your webserver stays updated. The only drawback is a double user/pass popup, but it is still way more secure.
If you want to go the paranoid-secure way, use the method recommended above by bubba; you won’t have any security problems with that.
AuthName "=== Auth required ==="
edit: typo / added info
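As an added example (not code from the original thread or from the FreePBX project), here is an .htaccess for the web root that does what the post above describes: Basic auth handled by mod_auth_mysql against the user table FreePBX already maintains, so there is no second password file to keep in sync. The database name, table and column names (asterisk, ampusers, username, password_sha1), the read-only DB account and the SHA1 hash type are assumptions taken from a typical FreePBX 2.x install and must be checked against your own /etc/amportal.conf and schema before use.

```apache
# .htaccess in the FreePBX web root (e.g. /var/www/html) -- added example,
# assumed names/values are marked; verify them against your own install.

AuthType Basic
AuthName "=== Auth required ==="

# Apache 2.2: stop mod_auth_basic from rejecting the request itself so that
# mod_auth_mysql gets to make the decision.
AuthBasicAuthoritative Off

# mod_auth_mysql: look users up in the FreePBX database instead of a flat file.
AuthMySQLEnable On
AuthMySQLAuthoritative On
AuthMySQLHost localhost
AuthMySQLUser freepbxauth          # assumption: a dedicated read-only DB account
AuthMySQLPassword CHANGE_ME       # assumption: its password (keep this file 0640, owner root:apache)
AuthMySQLDB asterisk              # assumption: FreePBX database name from amportal.conf
AuthMySQLUserTable ampusers       # assumption: FreePBX admin user table
AuthMySQLNameField username       # assumption: login column
AuthMySQLPasswordField password_sha1   # assumption: hash column
AuthMySQLPwEncryption sha1        # must match how the column above is hashed

# Any user present in the table may pass; no per-user whitelist here.
Require valid-user

# Belt and braces: never serve directory listings even where no index file exists.
Options -Indexes
```

This only takes effect if the directory's httpd.conf block allows it (AllowOverride AuthConfig Options at least); if it is AllowOverride None the file is silently ignored and the logfiles URL stays open exactly as described at the top of the thread, so test by requesting the logfile URL directly and confirming you get a 401. Because the file sits in the web root it also covers every module subdirectory beneath it unless a deeper .htaccess overrides it. Grant the DB account SELECT on that one table only, so the credentials sitting in .htaccess cannot be used to read or change anything else.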
If you remove the httpd control then yes, access is granted to all.
FreePBX is not intended for the Internet.
If you are running AAH / TB you’ve got a ton of holes by default.
AAH / TB are set up for LAN-type use, not open to the world; you never allow access to anything but the needed ports for phone calls,
and if you have just a remote office / home, then limit that to those IPs only.
VPN SSH tunnel