
Thread: Stats access only by certain users?

  1. #1
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14

    Stats access only by certain users?

    Hi all. I have already seen http://forums.powweb.com/showthread.php?t=73248 but that did not really give my brain the hint it needs to do what I want. Our /stats/awstats/cgi-bin/awstats.pl is viewable by the whole world, which is not desirable. I want to lock that down so only one or two people can access it. Is this done with .htaccess or is there some other method on PowWeb I am missing? If .htaccess is what I need can someone provide an example please? Thanks!
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  2. #2
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    Create a .htaccess file with password protection in your stats directory. Which is in the root level, not the docroot level (htdocs). A .htpasswd file (which also needs to be created), should be put in the root directory also. Another option is to use the htaccess editor in OPS - .htaccess Editor: Password Protection. I haven't used it before, but it looks like it does everything simply, all in one place. And I wholeheartedly agree with the 'not desirable' part.. Good luck!
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  3. #3
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Hrm, the .htaccess editor in OPs will not let me make the stats directory in root, above htdocs, a password protected directory. I will have to cogitate about this a bit. Thanks for the tip.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  4. #4
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Okay, I found out how to create .htaccess and .htpasswd to protect a directory and all below it. The .htaccess file is in /stats/ and looks like this:
    Code:
    # Begin password protection #
    AuthName "Stats"
    Require valid-user
    AuthUserFile "/full/path/to/the/stats/.htpasswd"
    AuthType basic
    # End password protection #
    The .htpasswd file is in this format (No I am not posting the actual file here, as I am not nuts! ):
    Code:
    username:(hashedpassword)
    But I still can get to the stats as an unknown user without being prompted for a password. Any other ideas folks?
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  5. #5
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    Did you change valid-user to a 'real' username, one allowed to log-in?
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  6. #6
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    No. That is not necessary. I know this because I tested with another directory under /htdocs/ first. Then copied the .htaccess and .htpasswd to /stats/, edited the path in .htaccess to /full/path/to/stats/.htpasswd, and then tried to access stats as an unprivileged user. I could and can still access /stats/ as an unprivileged user.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  7. #7
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    For the record 'require valid-user' is a directive to require any "valid-user" from a .htpasswd file according to what I have read today.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.
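    The .htaccess/.htpasswd pair from post #4 and the `Require valid-user` question from posts #5 and #7 describe how Apache's Basic authentication decides whether a request into the protected directory is served. The following is an added example, not code from the thread or from PowWeb: it parses the directives exactly as posted, builds a constructed .htpasswd in the `{SHA}` format (the scheme `htpasswd -s` writes; the usernames and passwords are hypothetical), and evaluates a request the way the server would, including the `Require user ...` variant that snowmaker asked about. It is useful for checking that a given .htaccess really does produce a 401 for an anonymous request before relying on it.

```python
import base64
import hashlib
import hmac

# Constructed copy of the .htaccess from post #4. The directive lines are the
# ones shown in the thread; the .htpasswd entries further down are built with
# make_sha_entry() for hypothetical users (not the poster's real file).
HTACCESS = """\
# Begin password protection #
AuthName "Stats"
Require valid-user
AuthUserFile "/full/path/to/the/stats/.htpasswd"
AuthType basic
# End password protection #
"""


def make_sha_entry(user, password):
    """Build one .htpasswd line in the {SHA} format (what `htpasswd -s` writes)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Hypothetical users and passwords, constructed for this example only.
HTPASSWD = "\n".join([
    make_sha_entry("gene", "correct horse"),
    make_sha_entry("bruce", "battery staple"),
]) + "\n"


def parse_htaccess(text):
    """Collect the auth directives: keys lowercased (Apache is case-insensitive),
    surrounding quotes stripped from the value, comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip().strip('"')
    return conf


def parse_htpasswd(text):
    """Map username -> stored hash string."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            user, _, hashed = line.partition(":")
            users[user] = hashed
    return users


def verify_password(users, user, password):
    """True only for a known user whose {SHA} hash matches; constant-time compare."""
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown user, or a hash format this example does not handle
    expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], expected)


def require_allows(require, user):
    """Evaluate 'Require valid-user' (any authenticated user) or 'Require user a b c'."""
    parts = require.split()
    if not parts:
        return False
    if parts[0] == "valid-user":
        return True
    if parts[0] == "user":
        return user in parts[1:]
    return False


def check_request(conf, users, authorization=None):
    """Return (status, response headers) for a request into the protected directory."""
    if conf.get("authtype", "").lower() != "basic":
        return 500, {}  # misconfigured: this example only knows Basic
    challenge = {"WWW-Authenticate": f'Basic realm="{conf.get("authname", "")}"'}
    if not authorization or not authorization.startswith("Basic "):
        return 401, challenge  # no credentials: browser gets the password prompt
    try:
        decoded = base64.b64decode(authorization[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, challenge
    user, _, password = decoded.partition(":")
    if not verify_password(users, user, password):
        return 401, challenge
    if not require_allows(conf.get("require", ""), user):
        return 403, {}  # authenticated but not in the Require list
    return 200, {}


def basic_header(user, password):
    """Build the Authorization header value a browser sends after the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def status_for(authorization=None, require=None):
    """Run one request against the constructed files; `require` overrides the directive."""
    conf = parse_htaccess(HTACCESS)
    if require is not None:
        conf["require"] = require
    return check_request(conf, parse_htpasswd(HTPASSWD), authorization)[0]


if __name__ == "__main__":
    print("anonymous:", status_for())                                          # 401
    print("gene, valid-user:", status_for(basic_header("gene", "correct horse")))  # 200
    print("gene, Require user bruce:", status_for(basic_header("gene", "correct horse"), "user bruce"))  # 403
```

    Note what the example can and cannot tell you: it models the directory the .htaccess sits in. As the later posts establish, it says nothing about a request that never reaches that directory on the same server, which is exactly why the poster's file protected /stats/ but not the direct awstats.pl URL.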

  8. #8
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    snowmaker, by the way. I can load the stats from http://somdcomputerguy.com/ in the same way. Maybe you should experiment with this too ...
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  9. #9
    Croc Hunter (Mod.. with bite..) | Join Date: Sep 2002 | Location: Australia | Posts: 7,332 | Rep Power: 26
    Are they Powweb installed Awstats? If so when did you install them? Powweb stats have not been accessible outside of OPS for a long time.
    Croc Hunter MSC :

  10. #10
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    Quote Originally Posted by eracc View Post
    For the record 'require valid-user' is a directive to require any "valid-user" from a .htpasswd file according to what I have read today.
    Ya, you're right. I don't know what I was thinking at the moment..
    Quote Originally Posted by eracc View Post
    snowmaker, by the way. I can load the stats from http://somdcomputerguy.com/ in the same way. Maybe you should experiment with this too ...
    Hmm. If I visit mydomain.com/stats, I am required to login to OPS first.
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  11. #11
    entrecon | Join Date: Aug 2006 | Location: Michigan | Posts: 2,742 | Rep Power: 16
    Well, I just looked at this and looked at the original post and it would appear that all three of you are right. The stats directory does require that you log in through OPS...However, if you just go to the stats themselves (xxxxxxxxxx) it pops right up.

    I don't know much about .htaccess and all the folder security stuff that I should, but it sounds like something isn't getting inherited and/or PowWeb needs to take a closer look at their configuration.
    Last edited by snowmaker; 5-19-12 at 08:07 PM.
    ________________________________
    Find me on twitter: @entrecon

  12. #12
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Quote Originally Posted by entrecon View Post
    Well, I just looked at this and looked at the original post and it would appear that all three of you are right. The stats directory does require that you log in through OPS...However, if you just go to the stats themselves (deleted) it pops right up.

    I don't know much about .htaccess and all the folder security stuff that I should, but it sounds like something isn't getting inherited and/or PowWeb needs to take a closer look at their configuration.
    Heh, entrecon "gets it in one". Yes, the full URL to awstats.pl is what I meant all along. Not just access to domain/stats/.

    Added - I figured out this is being accessed from "outside" due to looking at the awstats report itself. I will try to attach a screen capture ... nope, too wide. Okay you can see the capture here:

    stuff was here..
    Last edited by snowmaker; 6-1-12 at 08:45 PM. Reason: Update the information provided.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  13. #13
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    All, I think it is time to file a support ticket on this. Since I brought it up, I will do that. However, each of you should check your own direct link to stats and file your own support ticket if yours is doing the same. Having "the world" be able to access that is usually not a good idea.
    Last edited by snowmaker; 5-19-12 at 08:09 PM.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  14. #14
    entrecon | Join Date: Aug 2006 | Location: Michigan | Posts: 2,742 | Rep Power: 16
    I forgot stats were even there. I use Google Analytics for everything. I definitely need to get the ones on here locked down.
    ________________________________
    Find me on twitter: @entrecon

  15. #15
    PowWeb Staff | Join Date: Sep 2011 | Location: Phoenix, AZ | Posts: 93 | Rep Power: 6
    Interesting one. I've pinged one of the guys at HQ with examples. My instinct is that it is a bug of some kind, as stats should not be openly accessible without logging in. Will see what he says.

  16. #16
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Quote Originally Posted by Jim M View Post
    Interesting one. I've pinged one of the guys at HQ with examples. My instinct is that it is a bug of some kind, as stats should not be openly accessible without logging in. Will see what he says.
    Jim M, thanks for popping in. I got a reply from my support ticket that states in part:
    Unfortunately, we cannot block the stats URL: link removed. We can do nothing regarding this issue.
    So, hopefully you can get a better answer than I did as you are on the staff.
    Last edited by snowmaker; 5-12-12 at 08:15 AM. Reason: removed link for user safety, 2 days late, but better than never..
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  17. #17
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    I created a service ticket this morning. Several replies have gone back and forth between me and Support. I am not happy.
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  18. #18
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Heh, I am not unhappy or upset. In my 52 years on earth I have learned that "stuff happens". Sometimes good "stuff", sometimes bad "stuff", sometimes neither good nor bad "stuff". IMO, this is the latter. There is little point in allowing "stuff" to upset me. After all, as I am not insane or on drugs, I am in control of deciding what emotions I will experience. I prefer not experiencing angst over "stuff".

    I will likely look into simply disabling my online stats and just download the access_log_* files in the future. I have been working on getting off-line stats working with my own install of awstats on my Linux PC here. So far, I like it much better because I can change the awstats.conf file to show what I want. AFAIK, PowWeb still does not allow one to change the online awstats.conf file as they will replace it with their default file if one does. At least that is what happened in the past when I made logical changes to the file.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  19. #19
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    I got a PM from Jim M (in a reply), and while I won't quote directly as some mod (probably me) would delete it, he did assure me that Powweb is aware of this issue. But no progress status is known yet.
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  20. #20
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Well, good on Jim M! I simply closed my ticket after the answer I received. That was a very unsatisfactory answer, but I saw no point in arguing with level one support about it.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  21. #21
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    Quote Originally Posted by eracc View Post
    I simply closed my ticket after the answer I received. That was a very unsatisfactory answer, but I saw no point in arguing with level one support about it.
    That's what I ended up doing also, but I waited until after several unsat and contradictory replies..
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  22. #22
    Croc Hunter (Mod.. with bite..) | Join Date: Sep 2002 | Location: Australia | Posts: 7,332 | Rep Power: 26
    How about setting Chmod 600?
    Croc Hunter MSC :

  23. #23
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    Quote Originally Posted by Croc Hunter View Post
    How about setting Chmod 600?
    Powweb's Awstats file, is not here anymore.., is not physically located at domain.com/stats/, so its permissions cannot be changed by a customer.
    Last edited by snowmaker; 5-19-12 at 08:11 PM.
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  24. #24
    Croc Hunter (Mod.. with bite..) | Join Date: Sep 2002 | Location: Australia | Posts: 7,332 | Rep Power: 26
    How about Powweb setting Chmod 600?
    Croc Hunter MSC :

  25. #25
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    I think they would have tried 'chmod 600' already. But who knows? We are unlikely to be told what PowWeb techs are trying or what is eventually done to lock this down. I will just work on getting my offline stats the way I want, then I will see about disabling the online stats. That should at least "solve" my own problem with this.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  26. #26
    entrecon | Join Date: Aug 2006 | Location: Michigan | Posts: 2,742 | Rep Power: 16
    If the stats aren't physically at that location, what if you actually create a directory path with a file called awstats.pl?
    ________________________________
    Find me on twitter: @entrecon

  27. #27
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    Quote Originally Posted by entrecon View Post
    If the stats aren't physically at that location, what if you actually create a directory path with a file called awstats.pl?
    I don't follow?
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  28. #28
    entrecon | Join Date: Aug 2006 | Location: Michigan | Posts: 2,742 | Rep Power: 16
    I can't log into my account from this location, but thought is if the "virtual" path to the file is "not here anymore..", could you actually create those directories and put a dummy file at that location with nothing in it?
    Last edited by snowmaker; 5-19-12 at 08:12 PM.
    ________________________________
    Find me on twitter: @entrecon

  29. #29
    Rick | Join Date: May 2002 | Location: Minneapolis, MN | Posts: 1,753 | Rep Power: 19
    I expect that access to /stats/ on individual domains is done with an Apache control file httpd.conf at the server level. And due to the load-balancing system in use here, log files must be consolidated or accessed en masse for the analyzing software. All of which would mean that individual sites would have no control over access to this directory and any password protection scheme would have to be implemented at the server level as well. It's probably very difficult to devise a way to do this that would scale well for a shared hosting environment and for webmasters of vastly differing experience.
    Rick Trethewey

  30. #30
    PowWeb Staff | Join Date: Sep 2011 | Location: Phoenix, AZ | Posts: 93 | Rep Power: 6
    I got word back from engineering on this. It's an unfortunate side-effect of our architecture which has the CGI boxes (which run Perl scripts like the one in question), separate from the ones which run accounts. While offering a lot of advantages - ironically, increased security is one - this does mean that the CGI servers can't have access to information regarding login status for a user, so can't determine whether a user is logged in or not when the awstats.pl script is run.

    If you're concerned about this, I'd suggest locking down the stats directory with a .htaccess file - though that would mean if you go simply to /stats, you'd have to log in to your account first, and then deal with the separate password pop-up.

    In the interests of security, I recommend one of the mods move this thread out of the public area after the weekend [I'm not in after today for a while]. It's probably not an issue, but I tend to think it's best if this information is not openly available.

  31. #31
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Uhm, Jim, someone "out there" already knows about this and exploits it for some reason. To wit, my logs show that. Hiding the fact from your users that anyone can see these logs only means your users have a false sense of security.

    Added: FYI, I have already tried "locking down" /stats/ with .htaccess and .htpasswd files. That does not work to stop this exploit. See this post http://forums.powweb.com/showpost.ph...17&postcount=4
    Last edited by eracc; 5-19-12 at 04:32 PM. Reason: Further information about stats directory locking
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.
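    eracc says the evidence of outside access came from looking at the logs. The following is an added example, not code from the thread or from PowWeb, of the check a site owner can run over a downloaded Apache access log to see the same thing: it parses combined-format lines and counts served (2xx) requests for the awstats.pl path from addresses outside the owner's own networks. The log lines and the allowed network are constructed for the example (documentation-range addresses, invented timestamps); the script path is the one from the first post.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Path of the stats script from the original post.
STATS_SCRIPT = "/stats/awstats/cgi-bin/awstats.pl"

# Constructed sample log: two direct hits on the stats script from an outside
# address, one from the owner's own network, an unrelated page view, and one
# malformed line to show the parser skipping it.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2012:14:02:11 -0400] "GET /stats/awstats/cgi-bin/awstats.pl?config=example.com HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
192.0.2.10 - gene [19/May/2012:14:05:40 -0400] "GET /stats/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.10 - gene [19/May/2012:14:05:52 -0400] "GET /stats/awstats/cgi-bin/awstats.pl HTTP/1.1" 200 47990 "-" "Mozilla/5.0"
198.51.100.23 - - [19/May/2012:16:44:03 -0400] "GET /index.html HTTP/1.1" 200 1203 "-" "curl/7.26"
this line is not a log record
203.0.113.7 - - [20/May/2012:03:12:09 -0400] "GET /stats/awstats/cgi-bin/awstats.pl?output=main HTTP/1.1" 200 48300 "-" "python-requests/2.0"
"""


def parse_line(line):
    """Return the captured fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_direct_stats_hit(rec):
    """A request for the stats script itself that the server actually served (2xx)."""
    path = rec["path"].split("?", 1)[0]
    return path == STATS_SCRIPT and rec["status"].startswith("2")


def unexpected_stats_access(log_text, allowed_cidrs):
    """Count served stats-script requests per source address outside allowed_cidrs.

    Returns {ip: count}; an empty dict means no outside address reached the script.
    """
    nets = [ip_network(c) for c in allowed_cidrs]
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_direct_stats_hit(rec):
            continue
        try:
            addr = ip_address(rec["ip"])
        except ValueError:
            continue  # hostname or garbage in the address field; not attributable
        if not any(addr in net for net in nets):
            hits[rec["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    # The owner's own network is an assumption for the example.
    for ip, count in sorted(unexpected_stats_access(SAMPLE_LOG, ["192.0.2.0/24"]).items()):
        print(f"{ip}: {count} direct request(s) for {STATS_SCRIPT}")
```

    Because the thread's whole problem is that the script answers without any authentication, the user field of those records will be `-` for everyone; that is why the check keys on source address and status rather than on who was logged in. A non-empty result is the signal to raise with the host, or the trigger for the workaround snowmaker describes later.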

  32. #32
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    Rather than moving this whole thread (which it turns out would've been a lot easier..), I've edited each of the posts that contained incriminating text. So please no one type anymore 'full info type stuff'.

    I concur with eracc, and will verify that an htaccess file in the stats directory only protects that directory (and the log files it contains), and it doesn't prevent access to the awstats file directly.

    I also haven't been able to find out how to disable 'stats', and only allow FTP access to the log files. This used to be an option, yes? Somebody share with me how to do this if it can be done, thanks.
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'

  33. #33
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Quote Originally Posted by snowmaker View Post
    ...
    I also haven't been able to find out how to disable 'stats', and only allow FTP access to the log files. This used to be an option, yes? Somebody share with me how to do this if it can be done, thanks.
    I have been thinking about this. One could probably just script an SFTP session to download the files from /stats/ instead of having them copied to / and then delete all files in /stats/ after download. I would think one could delete files from one's own /stats/ since it is part of the user's directory tree. At least I know I can script that with tools on Linux and probably could on an Apple OS X box as long as the perms allow me to delete the files. I am not so sure about you folks using Microsoft.
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  34. #34
    eracc (Just a peon, like you.) | Join Date: Dec 2003 | Location: USA | Posts: 180 | Rep Power: 14
    Then again, maybe this cannot be scripted. I cannot delete files in /stats/ when I login with my sftp client or with an ftp client. Oddly enough, I can delete files in /stats/ with the stupid file manager in OPs. Unfortunately, one cannot script that. Also, a bunch of the files appear to be owned by root with group root (0) and have rw-r--r-- when viewed with dir in an ftp session. That is just "rawng".
    Gene Alexander
    ERA Computers & Consulting http://www.eracc.com/ | http://shopping.eracc.com/ | http://blog.eracc.com/ | http://forum.eracc.com/
    Preloaded OSS (Linux, FreeBSD) and eComStation on PCs and Servers.

  35. #35
    snowmaker | Join Date: Nov 2002 | Location: Not in Solomons anymore. | Posts: 3,441 | Rep Power: 21
    I see we were doing something similar, but you found it out quicker than I..

    Quote Originally Posted by eracc View Post
    One could probably just script an SFTP session to download the files from /stats/ and then delete all files in /stats/ after download. I would think one could delete files from one's own /stats/ ..
    The files can of course be downloaded, but can not be deleted. It's a permissions thing, at the ownership level. An end-user doesn't own the files, Powweb does.

    But, the stats directory (which is owned by the end-user) can be renamed. This makes a direct access attempt fail, because the directory that Awstats looks for doesn't exist anymore. Access to stats thru OPS, or domain.com/stats/, fails for the same reason. Now only FTP access to stat files!

    Now this is something I just did, and while it does seem to be a 'working workaround' to this issue, I imagine something will come up when my stats get updated when they're set to. So maybe this is a process that needs to be done every day, time will tell I guess.

    Add: - 05/20 12:35AM - I have set my stats in OPs to never update.. I may not have to worry about 'unauthorized access' to my stats right now, but I may not have anymore stats myself. Until (and if) I turn them back on.
    Last edited by snowmaker; 5-20-12 at 09:01 PM.
    -bruce /* somdcomputerguy */
    'If you change the way you look at things, the things you look at change.'
