Securing AWStats

Good security strategy utilizes layers of protection.  The more tactics you employ to secure an asset, the more difficult it becomes for someone to crack your safeguards.  AWStats provides a wealth of data about the traffic to your site, but this is not the kind of stuff you just want “lying around” on your website.  Here are some suggestions for keeping that data private:

  1. Change the default URL for AWStats.
  2. Use an Access Control List in the Apache configuration file to restrict the pages to your local network.
  3. Secure the stats pages with a strong username and password.

Any one of these three measures provides protection, but layering them together provides far more security than any one of them.

Change the default URL

In the setup for AWStats, you name the configuration file according to the URL you use to access it.  In my case, the default name for the file is awstats.www.charleseaustin.com.conf.  Because most people accept default settings on software, people who want to snoop around will try those settings first.

If I had followed the defaults, my AWStats page would be available at http://www.charleseaustin.com/awstats/awstats.pl.   So instead of using the default, I used a URL that does not have a DNS entry.  For instance, I could have used a configuration file named awstats.statistics.charleseaustinstats.com.conf.  Even though I changed the default name of the file, the SiteDomain directive inside of the AWStats configuration file is still “www.charleseaustin.com”.  Naming the file differently than the default would have made the address for my stats http://statistics.charleseaustinstats.com/awstats/awstats.pl.  Because I do not own the web address for charleseaustinstats.com, this URL normally directs people away from my site.  The only way I can use it for my stats is to edit the hosts file on my local PC so that my browser knows where to go.  Using Notepad on a Windows PC, I open the file C:\WINDOWS\system32\drivers\etc\hosts.

On the last line of the file I added the IP address of my server on my local network, and the fake URL for AWStats:

192.168.1.254  statistics.charleseaustinstats.com

Now to set up my webserver to respond on the new site.  From the CLI on my web server:

$: cd /etc/apache2/sites-available

Puts me in the directory with the configuration files for websites on my server.

$: sudo cp charleseaustin charleseaustinstats

Copies the configuration for my webpage to the statistics site I am creating.

$: sudo vi charleseaustinstats

To edit the settings for the new site.  Change the ServerName line so that it reads

ServerName statistics.charleseaustinstats.com

This allows the server to respond to the fake URL I have created.  If you do not have a line at the top of the file that starts with ServerName, you have to insert it.  You will also need to change the document root to a new directory, in my case

DocumentRoot /var/www/stats

Notice that there is no trailing slash on the declaration of the DocumentRoot.  You will also need to insert these lines below the second </Directory> tag:

Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"

This allows you to access the AWStats scripts from your fake website.  Be sure to remove the same lines from your real website’s configuration file, especially if you have run an automated install of AWStats.  Even though you have configured the server for the alternate URL, leave this file open so that you can set up the next layer of security.

Use an Access Control List

While you are in the configuration file in /etc/apache2/sites-available, set up the Access Control List to restrict AWStats to your local network.    In the second <Directory> section, you should see a few lines like this:

Order allow,deny
allow from all

Change them to read

Order deny,allow
deny from all
allow from 192.168.1.0/255.255.255.0

That is it.  Your AWStats page can only be accessed from a computer with an IP address on your local network.  Of course, you need to change the 192.168.1.0 to match the network you are using.  The allow line can list multiple networks, each separated by a space.  Continue to leave the configuration file open so that you can add the third layer of security.
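The following shell script is an added example, not part of the original post: it emulates how Apache 2.2's mod_access evaluates the two directives above under "Order deny,allow" versus "Order allow,deny", which shows why the Order line matters as much as the deny/allow lines. The client and network addresses are constructed for the demo. Note that on Apache 2.4 the Order/allow/deny directives only work with mod_access_compat loaded; the native 2.4 form of this ACL is a single "Require ip 192.168.1.0/24" line.

```shell
#!/bin/sh
# Added example (not from the original post): emulate how Apache 2.2's
# mod_access evaluates "Order deny,allow" versus "Order allow,deny" for
# the two lines used in the text:
#     deny from all
#     allow from NET/MASK
# Client and network addresses below are constructed for the demo.

# Convert a dotted quad (e.g. 192.168.1.20) to a 32-bit integer.
ip2int() {
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) when client $1 lies inside network $2 with netmask $3.
in_network() {
    _ip=$(ip2int "$1"); _net=$(ip2int "$2"); _mask=$(ip2int "$3")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# Print "allow" or "deny" for client $2 under "Order $1" with the
# directives "deny from all" and "allow from $3/$4".
# In Apache 2.2 the list named last in Order is evaluated last, so it
# overrides the other when both match.
access_decision() {
    order=$1; client=$2; net=$3; mask=$4
    deny_matches=1                       # "deny from all" matches everyone
    if in_network "$client" "$net" "$mask"; then allow_matches=1; else allow_matches=0; fi
    case $order in
        deny,allow)
            # default allow; deny list first, allow list can override it
            result=allow
            [ "$deny_matches" -eq 1 ] && result=deny
            [ "$allow_matches" -eq 1 ] && result=allow
            ;;
        allow,deny)
            # default deny; allow list first, deny list can override it
            result=deny
            [ "$allow_matches" -eq 1 ] && result=allow
            [ "$deny_matches" -eq 1 ] && result=deny
            ;;
        *)
            echo "unknown Order: $order" >&2; return 2 ;;
    esac
    echo "$result"
}

# Demo: the LAN host is admitted, an Internet host is not, and the very
# same two lines under "Order allow,deny" lock everyone out.
access_decision deny,allow 192.168.1.20 192.168.1.0 255.255.255.0   # allow
access_decision deny,allow 203.0.113.9  192.168.1.0 255.255.255.0   # deny
access_decision allow,deny 192.168.1.20 192.168.1.0 255.255.255.0   # deny
```

Swap the addresses in the last three lines for your own; the "allow,deny" case is the classic mistake where the local network is listed correctly but "deny from all" is evaluated last and still wins.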

Secure AWStats Page with a User Name and Password

Now you want to add a section at the end of this configuration file that prompts web users for a User Name and Password.

<Directory "/usr/local/awstats/wwwroot">
Options None
AllowOverride AuthConfig
AuthType Basic
AuthName "anythingyouwant"
AuthUserFile /usr/local/awstats/passwd
Require user anyuniqueusername
</Directory>

This method of securing web content puts much less load on the web server than using .htaccess files in the directory you want to protect.  The username will be whatever you chose for the “Require user” argument.  Now you are ready to save your changes and close the configuration file.

To assign a password for the username you set, you return to the command line and use htpasswd:

$: sudo htpasswd -c /usr/local/awstats/passwd anyuniqueusername

The “-c” tells htpasswd to create a new password file at the location that follows (in this case /usr/local/awstats/passwd).  Once you hit enter, and successfully provide the sudo password, you will be prompted to set the password for the username you created.

Two last sudo commands make the site available:

$: sudo a2ensite

Creates the appropriate links for Apache to show the new site.

$: sudo /etc/init.d/apache2 reload

Refreshes the web server configuration.  Congratulations, you have added multiple layers of security to your AWStats pages.
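An added example, not from the original post or from AWStats: a shell audit that checks a vhost file for the three layers set up above (a ServerName, a network ACL in either the 2.2 or the 2.4 syntax, and Basic auth backed by a password file) and flags vhosts that still map /awstats, which is what the post asks you to remove from the real site's file. The sample vhost files and the hostnames in them are constructed in a temporary directory; the AWStats paths are the post's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit Apache vhost files for
# the three layers described in the post. Sample vhost contents and the
# hostnames in them are constructed; the AWStats paths follow the post.

# Print each missing layer for the vhost file in $1, one per line.
# Exit status is the number of findings (0 = all three layers present).
audit_vhost() {
    f=$1; missing=0
    # Layer 1: the vhost answers to its own (non-default) ServerName
    if ! grep -Eiq '^[[:space:]]*ServerName[[:space:]]+' "$f"; then
        echo "no ServerName directive"; missing=$((missing + 1))
    fi
    # Layer 2: a network ACL, 2.2 style (deny from all + allow from) or
    # 2.4 style (Require ip)
    if ! grep -Eiq '^[[:space:]]*deny[[:space:]]+from[[:space:]]+all' "$f" &&
       ! grep -Eiq '^[[:space:]]*Require[[:space:]]+ip[[:space:]]+' "$f"; then
        echo "no network ACL (deny from all / Require ip)"; missing=$((missing + 1))
    fi
    # Layer 3: HTTP Basic auth backed by a password file
    if ! grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$f" ||
       ! grep -Eiq '^[[:space:]]*AuthUserFile[[:space:]]+' "$f" ||
       ! grep -Eiq '^[[:space:]]*Require[[:space:]]+(user|valid-user)' "$f"; then
        echo "no Basic auth (AuthType/AuthUserFile/Require user)"; missing=$((missing + 1))
    fi
    # Typographic quotes pasted from a web page are not quotes to Apache
    if grep -qF -e '“' -e '”' "$f"; then
        echo "typographic quotes found; replace with straight quotes"; missing=$((missing + 1))
    fi
    return $missing
}

# Succeed when the vhost in $1 still maps /awstats paths (which the real
# site's vhost should no longer do once the stats vhost exists).
has_awstats_alias() {
    grep -Eiq '^[[:space:]]*(Alias|ScriptAlias)[[:space:]]+/awstats' "$1"
}

# --- constructed sample vhosts for the demo ---
DEMO_DIR=$(mktemp -d)

# The stats vhost with all three layers (Apache 2.2 syntax, as in the post).
STATS_CONF=$DEMO_DIR/charleseaustinstats
cat > "$STATS_CONF" <<'EOF'
<VirtualHost *:80>
ServerName statistics.stats-example.invalid
DocumentRoot /var/www/stats
Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
<Directory "/usr/local/awstats/wwwroot">
    Order deny,allow
    deny from all
    allow from 192.168.1.0/255.255.255.0
    AuthType Basic
    AuthName "stats"
    AuthUserFile /usr/local/awstats/passwd
    Require user anyuniqueusername
</Directory>
</VirtualHost>
EOF

# A vhost as an automated install plus a web copy/paste might leave it:
# no ServerName, open to everyone, no auth, and typographic quotes.
LEAKY_CONF=$DEMO_DIR/leaky
cat > "$LEAKY_CONF" <<'EOF'
<VirtualHost *:80>
DocumentRoot /var/www
ScriptAlias /awstats/ “/usr/local/awstats/wwwroot/cgi-bin/”
<Directory "/usr/local/awstats/wwwroot">
    Order allow,deny
    allow from all
</Directory>
</VirtualHost>
EOF

# The real site's vhost after the AWStats lines were removed from it.
REAL_CONF=$DEMO_DIR/charleseaustin
cat > "$REAL_CONF" <<'EOF'
<VirtualHost *:80>
ServerName www.example.invalid
DocumentRoot /var/www
</VirtualHost>
EOF

for conf in "$STATS_CONF" "$LEAKY_CONF"; do
    echo "== $conf"
    audit_vhost "$conf" && echo "all layers present"
done
has_awstats_alias "$REAL_CONF" && echo "real site still maps /awstats" || echo "real site is clean"
```

To use it on a live server, call audit_vhost on the stats vhost in /etc/apache2/sites-available and has_awstats_alias on every other vhost there; a non-zero exit from the first or a zero exit from the second is something to fix before running a2ensite.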