Hi Kai,

> A few weeks ago I restored a raq4r and it was done without too much
> difficulty. But there are about 160 sites on that server, and most of
> them have something wrong in .htaccess or something. They no longer
> need password looking at stats

My first suspicion would be that some permissions got screwed up when you restored the websites back onto the server.

The question is also which Webalizer-Package you use. There are several Webalizer-PKGs available, with different implementations of where the stats directory is located. One places the stats in /home/sites/siteXX/web/stats/ and the other one in /home/sites/siteXX/users/stats/web/

The latter implementation might have problems if the .htaccess file in the web directory is owned by someone else than the person who owns that "user" directory, I assume.

However, there might be one very easy way to fix this in one go:

Webalizer re-creates the .htaccess files each run - if they do not already exist. So what you could do is to run a search on /home/sites/ to locate all .htaccess files and to delete those belonging to Webalizer. Make sure you do not outright delete all of 'em, because Frontpage and/or your users might have created a few extras.

Some shell wizards on the list might strangle me for the suggestion, but for this kind of search and replace I'd suggest "Midnight Commander". It has a nice search function which panelizes the search result and makes it easy to find, tag and delete just the right files.

You can grab the RPM here:

ftp://fr2.rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/mc-4.5.42-10.i386.rpm

It will install fine on a RaQ4. On a RaQ3 you'll need the RPM for gpm as well. You'll need a telnet or SSH client which supports use of the F-keys (f1-f10) to properly use Midnight Commander. To start the program just type "mc" once the RPM is installed.

> and when trying to password protect a directory using
> .htaccess file the server acts like there is no password protection.

Could be a syntax error in the .htaccess file or a permission problem with the .htaccess file.
> The weird thing is that some sites are ok, and on some of the others you get
> asked for password when entering stats, but it also accepts username and
> password taken from sites located nearby and gives them access.

Does the .htaccess file ask for a specific username, or does it check for memberships in a specific group? Look at the .htaccess file in an editor to find that information.

Here is a sample .htaccess file, which will only allow one specific user access:

    order allow,deny
    allow from all
    require user admin
    Authname Cobalt
    Authtype Basic

The one below will allow all valid users from a specific group:

    order allow,deny
    allow from all
    require group site11
    Authname Cobalt
    Authtype Basic

If you restored your websites from a backup and the site uses this authentication scheme, then you've got problems.

Example: www.customer-one.com used to be site11 on the old server. Now, after the restore of the backup it's site34. But it still has the .htaccess file in it, which will allow only valid members from site11 to see the stats.

So check your .htaccess files to see what kind of authentication you have in there. If it asks for "group" and not a specific username, then you're screwed and have to either fix 'em all manually, or you delete 'em all and wait for Webalizer to recreate the .htaccess files upon its next run.

-- 
With best regards,

Michael Stauber
SOLARSPEED.NET

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
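An added example, not part of the original post: a read-only shell check for the mismatch described in the message above, listing every .htaccess under a sites root whose "require group siteNN" names a different site than the directory it sits in. The function names and the temporary sample tree are constructed for illustration; the two stats layouts are the ones named in the message.

```shell
#!/bin/sh
# Added example (not from the original post). Read-only: it only lists files.
# Prints "<path>\t<group in file>\t<site directory>" for every .htaccess whose
# "require group siteNN" names a different site than the one it lives under.
stale_group_htaccess() {
    root=${1%/}
    find "$root" -type f -name .htaccess 2>/dev/null | sort |
    while IFS= read -r f; do
        rel=${f#"$root"/}          # path below the sites root
        site=${rel%%/*}            # first component, e.g. site34
        case $site in
            site[0-9]*) ;;
            *) continue ;;         # not inside a siteNN directory
        esac
        awk -v site="$site" -v path="$f" -v OFS='\t' '
            { sub(/\r$/, "") }     # tolerate files saved with CRLF endings
            tolower($1) == "require" && tolower($2) == "group" {
                for (i = 3; i <= NF; i++)
                    if ($i ~ /^site[0-9]+$/ && $i != site)
                        print path, $i, site
            }' "$f"
    done
}

# Constructed sample tree (not real data): one correct file, one restored
# under a new site number, one that uses "require user" and is ignored.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site11/web/stats" "$d/site34/web/stats" \
             "$d/site35/users/stats/web"
    printf '%s\n' 'order allow,deny' 'allow from all' \
        'require group site11' 'Authname Cobalt' 'Authtype Basic' \
        > "$d/site11/web/stats/.htaccess"
    # Same file restored under a new site number: the stale case.
    cp "$d/site11/web/stats/.htaccess" "$d/site34/web/stats/.htaccess"
    printf '%s\n' 'order allow,deny' 'allow from all' \
        'require user admin' 'Authname Cobalt' 'Authtype Basic' \
        > "$d/site35/users/stats/web/.htaccess"
    printf '%s\n' "$d"
}

# With a path argument, scan that tree: sh check.sh /home/sites
if [ $# -gt 0 ]; then
    stale_group_htaccess "$1"
fi
```

The output is a list of candidates to review, so files created by Frontpage or by users can be left alone before anything is deleted.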
