Wishing to secure bandwidthd and some other webpages



  • hi there.

    For those who wish to secure bandwidthd and possibly other insecure pages in pfSense:

    I always found it kind of funny that pfSense is a firewall, but some sections are very insecure, such as bandwidthd and possibly others.

    Here is a simple way to secure them if someone wishes to.

    It is based on MySQL, so you will need to point it to a MySQL server or install a MySQL server on pfSense (someone could make an SQLite version).

    Create a MySQL database:
    database called - password
    a table called - members
    3 columns, each one named after these:
    id
    username
    password

    Then add a member using an SQL query (phpMyAdmin), e.g.:

    INSERT INTO members VALUES (1, 'john', '1234');

    Then simply rename your original index.php to index2.php and add these lines to the very beginning of the page:

    <?php
    session_start();
    // session_is_registered() no longer exists in PHP; check the session array instead
    if (!isset($_SESSION['myusername'])) {
        header("Location: index.php");
        exit; // stop here, otherwise the rest of the page is still sent to the client
    }
    ?>

    and edit checklogin.php to point to your database and your logon particulars.

    Create this page, index.php (a plain HTML form posting the fields myusername and mypassword to checklogin.php):

    <form name="form1" method="post" action="checklogin.php">
    <table>
    <tr><td colspan="3"><strong>Member Login</strong></td></tr>
    <tr><td>Username</td><td>:</td><td><input name="myusername" type="text"></td></tr>
    <tr><td>Password</td><td>:</td><td><input name="mypassword" type="password"></td></tr>
    <tr><td></td><td></td><td><input type="submit" value="Login"></td></tr>
    </table>
    </form>

    Then create this web page, checklogin.php:

    <?php
    $host="localhost"; // Host name
    $username=""; // MySQL username
    $password=""; // MySQL password
    $db_name="password"; // Database name
    $tbl_name="members"; // Table name

    // Connect to the server and select the database (mysqli; the mysql_* functions were removed in PHP 7)
    $link = mysqli_connect($host, $username, $password, $db_name) or die("cannot connect");

    // Username and password sent from the form
    $myusername = $_POST['myusername'] ?? '';
    $mypassword = $_POST['mypassword'] ?? '';

    // A prepared statement keeps the submitted values out of the SQL text (protects against SQL injection)
    $stmt = mysqli_prepare($link, "SELECT id FROM $tbl_name WHERE username=? AND password=?");
    mysqli_stmt_bind_param($stmt, "ss", $myusername, $mypassword);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);

    // If the username and password matched, exactly one row comes back
    if (mysqli_stmt_num_rows($stmt) == 1) {
        // Remember the login in the session and redirect to index2.php
        session_start();
        $_SESSION['myusername'] = $myusername;
        header("Location: index2.php");
        exit;
    } else {
        echo "Wrong Username or Password";
    }
    ?>

    In the case of bandwidthd the pages are HTML, so you will need to copy index.html, rename it to index2.php and insert this code at the very top of the web page source:
    <?php
    session_start();
    if (!isset($_SESSION['myusername'])) {
        header("Location: index.php");
        exit;
    }
    ?>
    Then copy the above web pages into the bandwidthd web folder.

    From then on bandwidthd will be a secure page; it will always ask for a username and password to access the page.
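The login scheme in the post above compares a plaintext password inside the SQL query, stores the password in the session, never regenerates the session id and gives different error behaviour for a bad connection versus a bad login. The following is an added example (not the poster's code) of the same index.php / checklogin.php / index2.php arrangement hardened: one include file that both checklogin.php and the protected page pull in. It assumes the post's `members` table with a `password_hash` column (holding `password_hash()` output) in place of the plaintext `password` column, and a hypothetical DSN and read-only database account; change those to match your server.

```php
<?php
// auth.inc  (added example, not from the forum post)
declare(strict_types=1);

// Assumed schema: the post's `members` table, with the plaintext `password`
// column replaced by `password_hash VARCHAR(255)` holding password_hash() output.
// Assumed DSN and credentials; use a dedicated, read-only MySQL account.
const DB_DSN  = 'mysql:host=localhost;dbname=password;charset=utf8mb4';
const DB_USER = 'bwd_login';
const DB_PASS = 'change-me';

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]);
}

/** Start the session with cookie flags that keep the id out of scripts and off plain HTTP. */
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']),
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** True only if $user exists and $pass verifies against its stored hash. */
function check_login(string $user, string $pass): bool
{
    $stmt = db()->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$user]);           // user input is bound, never spliced into SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run one hash computation so the response time does not
    // reveal which usernames exist (password_hash costs about the same as verify).
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    return $row !== false && password_verify($pass, $hash);
}

/** Put at the very top of every protected page (the post's index2.php). */
function require_login(): void
{
    start_session();
    if (empty($_SESSION['myusername'])) {
        header('Location: index.php');
        exit;   // without exit the rest of the page is still sent to the browser
    }
}

/** Body of checklogin.php: handles the POST from the index.php form. */
function handle_login_post(): void
{
    $user = (string) ($_POST['myusername'] ?? '');
    $pass = (string) ($_POST['mypassword'] ?? '');

    if ($user !== '' && check_login($user, $pass)) {
        start_session();
        session_regenerate_id(true);   // new id on login defeats session fixation
        $_SESSION['myusername'] = $user;   // only the username; the password is never stored
        header('Location: index2.php');
        exit;
    }
    http_response_code(401);
    echo 'Wrong username or password';  // one message whether the user or the password was wrong
}

// Creating a user: generate the hash once and store it instead of the plaintext '1234':
//   php -r 'echo password_hash("1234", PASSWORD_DEFAULT), PHP_EOL;'
//   INSERT INTO members (id, username, password_hash) VALUES (1, 'john', '<printed hash>');
```

With this in place checklogin.php shrinks to `<?php require 'auth.inc'; handle_login_post();` and the renamed bandwidthd page starts with `<?php require 'auth.inc'; require_login(); ?>` followed by the original HTML; the index.php form is unchanged. The original, unprotected bandwidthd HTML files must no longer be reachable directly, or the guard is simply bypassed by requesting them by name.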



  • Bandwidthd is a contribution package; it's not part of the pfSense install.

    You can make this suggestion to the package maintainer or include pfSense's built-in user/session code instead of creating a second auth database.



  • @marcelloc:

    Bandwidthd is a contribution package; it's not part of the pfSense install.

    You can make this suggestion to the package maintainer or include pfSense's built-in user/session code instead of creating a second auth database.

    Sorry for dragging up an old thread, but no one mentioned how to add the built-in user/session code. Could you please tell me how to do this? Thanks



  • If you have PHP skills, take a look at the sarg package (sarg_reports.php and sarg_frame.php); I've limited its access to pfSense users' permissions.



  • @marcelloc:

    If you have PHP skills, take a look at the sarg package (sarg_reports.php and sarg_frame.php); I've limited its access to pfSense users' permissions.

    Thanks. I'll give it a shot.

    Edit: Where in the file structure could I find those files?
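The replies above point at reusing pfSense's own login rather than a second user database, but the thread never shows what that looks like. The following is an added example (not from the thread, the sarg package or the bandwidthd package) of a wrapper page dropped into the pfSense webGUI directory. It relies on the behaviour, as I understand it, that every pfSense webGUI page begins with `require_once("guiconfig.inc")` and that this include authenticates the browser against the pfSense user database and redirects unauthenticated requests to the pfSense login page; whether a non-admin user may open the page is then governed by pfSense's per-page privileges. The bandwidthd output directory and the file name are assumptions; the real bandwidthd directory must not stay reachable directly, or the wrapper is bypassed.

```php
<?php
// bandwidthd_view.php, saved in pfSense's webGUI directory (/usr/local/www).
// Added example, not part of the thread or of any pfSense package.
require_once("guiconfig.inc");   // pfSense login + session handling (assumed behaviour)

$base = "/usr/local/bandwidthd/htdocs";   // assumed bandwidthd output directory

// Only a bare file name is accepted: basename() drops any directory part, so
// "../../etc/passwd" becomes "passwd", which then fails the extension check.
$name = basename((string) ($_GET['f'] ?? 'index.html'));
$allowed = [
    'html' => 'text/html; charset=utf-8',
    'png'  => 'image/png',                // bandwidthd's graphs
];
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$path = realpath($base . '/' . $name);

// Second line of defence: the resolved path must still sit inside $base.
if (!isset($allowed[$ext]) || $path === false
    || strncmp($path, $base . '/', strlen($base) + 1) !== 0 || !is_file($path)) {
    http_response_code(404);
    exit;
}

header("Content-Type: " . $allowed[$ext]);
header("X-Content-Type-Options: nosniff");
readfile($path);
```

Opened as `bandwidthd_view.php?f=index.html` it shows the report only to a browser already logged in to pfSense; bandwidthd's own links are relative (index2.html, the PNG graphs), so they keep working only if they are rewritten to go through `?f=`, which is left as an exercise here.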

