Wishing to secure bandwidthd and some other webpages

sash99

hi there.

for those that wish to secure bandwidthd  an possible other insecure pages in pfsense

I always found it kind of funny  pfsense is a firewire wall but some sections are very insecure, such as bandwidthd  and possibly others

here is a simple  way to secure them up if some one wishes too..

it based of mysql  so you will need  to point it to a mysql server or install mysql server on pfsense ( some could make sqlite  version)

create a mysql database
database called - password
a table called -  members
3 columes  each one name after these
id
username
password

then add a member  using sql query  (phpmyadmin)
  ie:

INSERT INTO members VALUES (1, 'john', '1234');

then simply rename your original index.php to index2.php and add these lines to the very begining of the page

session_start();
if(!session_is_registered(myusername)){
header("location:index.php");
}
?>

and edit checkinlogin.php to point to your database and  your log on particulars

create  this page index.php

| **Member Login**  |
| Username | : |  |
| Password | : |  |
|   |   |  |

 |

then create this webbage  checklogin.php

$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="password"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:index2.php");
}
else {
echo "Wrong Username or Password";
}
?>
?

in the case of bandwidthd it is html pages you will need to  copy index.html  rename it to index2.php and inset this code at the very top of the webpage source;
session_start();
if(!session_is_registered(myusername)){
header("location:index.php");
}
?>
  then copy the the above webpages into the  bandwidth d webfolder

from then on bandwidthd will be a secure page it will always ask for a user name and password to access the page

marcelloc

Bandwidthd is a contribution package, It's not part of pfsense install.

You can make this suggestion to package maintainer or include pfsense buit in user/session code instead of creating a second auth database.

mahrenstein_pixafy

@marcelloc:

Bandwidthd is a contribution package, It's not part of pfsense install.

You can make this suggestion to package maintainer or include pfsense buit in user/session code instead of creating a second auth database.

Sorry for dragging up an old thread, but you no one mentioned how to add the built in user/session code. Could you please tell me how to do this? Thanks

marcelloc

if you have php skills, take a look on sarg package(sarg_reports.php and sarg_frame.php), I've limited it's access to pfsense user's permissions.

mahrenstein_pixafy

@marcelloc:

if you have php skill, take a look on sarg package(sarg_reports.php and sarg_frame.php), I've limited it's access to pfsense users permissions.

Thanks. I'll give it a shot.

Edit: Where in the file structure could I find those files?