    Wishing to secure bandwidthd and some other webpages

    • S
      sash99 last edited by

      Hi there.

      For those that wish to secure bandwidthd and possibly other insecure pages in pfsense:

      I always found it kind of funny that pfsense is a firewall but some sections are very insecure, such as bandwidthd and possibly others.

      Here is a simple way to secure them if someone wishes to.

      It is based on mysql, so you will need to point it to a mysql server or install mysql server on pfsense (someone could make a sqlite version).

      Create a mysql database:
      a database called - password
      a table called - members
      3 columns, each one named after these:
      id
      username
      password

      Then add a member using an sql query (phpmyadmin),
      ie:

      INSERT INTO members VALUES (1, 'john', '1234');

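      Then simply rename your original index.php to index2.php and add these lines to the very beginning of the page:

      <?php
      session_start();
      // Send visitors without a logged-in session back to the login form
      if (!isset($_SESSION['myusername'])) {
          header("Location: index.php");
          exit; // stop here so the protected page is not sent after the redirect header
      }
      ?>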

      And edit checklogin.php to point to your database and your logon particulars.

      Create this page, index.php:

      [Login form rendered by the forum: "Member Login", with Username and Password fields]

      Then create this webpage, checklogin.php:

      <?php
      session_start();
      $host="localhost"; // Host name
      $username=""; // Mysql username
      $password=""; // Mysql password
      $db_name="password"; // Database name
      $tbl_name="members"; // Table name
      // Connect to server and select database.
      $db = mysqli_connect($host, $username, $password, $db_name) or die("cannot connect");
      // username and password sent from form
      $myusername = $_POST['myusername'] ?? '';
      $mypassword = $_POST['mypassword'] ?? '';
      // To protect against MySQL injection, pass both values as bound parameters
      $stmt = mysqli_prepare($db, "SELECT id FROM $tbl_name WHERE username=? AND password=?");
      mysqli_stmt_bind_param($stmt, "ss", $myusername, $mypassword);
      mysqli_stmt_execute($stmt);
      mysqli_stmt_store_result($stmt);
      // mysqli_stmt_num_rows counts the matching table rows
      $count = mysqli_stmt_num_rows($stmt);
      // If result matched $myusername and $mypassword, table row must be 1 row
      if ($count == 1) {
          // Store $myusername in the session and redirect to index2.php
          session_regenerate_id(true); // new session ID on login
          $_SESSION['myusername'] = $myusername;
          header("Location: index2.php");
          exit;
      }
      else {
          echo "Wrong Username or Password";
      }
      ?>

      In the case of bandwidthd, it is html pages, so you will need to copy index.html, rename it to index2.php and insert this code at the very top of the webpage source:

      <?php
      session_start();
      // Send visitors without a logged-in session back to the login form
      if (!isset($_SESSION['myusername'])) {
          header("Location: index.php");
          exit; // stop here so the protected page is not sent after the redirect header
      }
      ?>

      Then copy the above webpages into the bandwidthd web folder.

      From then on bandwidthd will be a secure page; it will always ask for a user name and password to access the page.

      1 Reply Last reply Reply Quote 0
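
The post notes that someone could make a sqlite version. The following is an added example, not code from the original post or from pfSense: a checklogin.php backed by SQLite that stores a password hash instead of the plaintext value inserted above. The database path is a placeholder, the helper names (auth_db, add_member, check_login) are hypothetical, and the availability of PHP's pdo_sqlite extension on the host is an assumption.

```php
<?php
// Added example: SQLite-backed login check with hashed passwords.
// AUTH_DB is a placeholder path; table and form field names follow the post.
const AUTH_DB = '/path/to/members.sqlite'; // placeholder: keep it outside the web folder

function auth_db(string $path = AUTH_DB): PDO {
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS members (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password TEXT NOT NULL)');
    return $db;
}

// Store only a salted hash, never the plaintext password.
function add_member(PDO $db, string $user, string $pass): void {
    $stmt = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

// True only when the user exists and the submitted password matches the stored hash.
function check_login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn(); // false when no such user
    return is_string($hash) && password_verify($pass, $hash);
}

// Request handling, only when served as checklogin.php (not when included or run from the CLI).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    $user = $_POST['myusername'] ?? '';
    $pass = $_POST['mypassword'] ?? '';
    if (is_string($user) && is_string($pass) && check_login(auth_db(), $user, $pass)) {
        session_regenerate_id(true);      // new session ID on login
        $_SESSION['myusername'] = $user;  // the index2.php guard checks this key
        header('Location: index2.php');
        exit;
    }
    http_response_code(401);
    echo 'Wrong Username or Password';
}
```

Members are created once from the command line by including this file and calling add_member(auth_db(), 'john', '...'), which replaces the INSERT statement for the MySQL table.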
      • marcelloc
        marcelloc last edited by

        Bandwidthd is a contribution package, it's not part of the pfsense install.

        You can make this suggestion to the package maintainer or include the pfsense built-in user/session code instead of creating a second auth database.

        1 Reply Last reply Reply Quote 0
        • M
          mahrenstein_pixafy last edited by

          @marcelloc:

          Bandwidthd is a contribution package, it's not part of the pfsense install.

          You can make this suggestion to the package maintainer or include the pfsense built-in user/session code instead of creating a second auth database.

          Sorry for dragging up an old thread, but no one mentioned how to add the built-in user/session code. Could you please tell me how to do this? Thanks

          1 Reply Last reply Reply Quote 0
          • marcelloc
            marcelloc last edited by

            If you have php skills, take a look at the sarg package (sarg_reports.php and sarg_frame.php); I've limited its access to pfsense users' permissions.

            1 Reply Last reply Reply Quote 0
            • M
              mahrenstein_pixafy last edited by

              @marcelloc:

              If you have php skills, take a look at the sarg package (sarg_reports.php and sarg_frame.php); I've limited its access to pfsense users' permissions.

              Thanks. I'll give it a shot.

              Edit: Where in the file structure could I find those files?

              1 Reply Last reply Reply Quote 0