Wishing to secure bandwidthd and some other webpages
-
hi there.
for those that wish to secure bandwidthd and possibly other insecure pages in pfsense
I always found it kind of funny pfsense is a firewall but some sections are very insecure, such as bandwidthd and possibly others
here is a simple way to secure them up if someone wishes to.
it is based on mysql, so you will need to point it to a mysql server or install a mysql server on pfsense (someone could make a sqlite version)
create a mysql database
database called - password
a table called - members
3 columns, each one named after these
id
username
password

then add a member using an sql query (phpmyadmin)
ie:

```sql
INSERT INTO members VALUES (1, 'john', '1234');
```

then simply rename your original index.php to index2.php and add these lines to the very beginning of the page
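```php
<?php
// Send visitors who have not logged in back to the login form.
session_start();
if (!isset($_SESSION['myusername'])) {
    header("location:index.php");
    exit; // stop here so the protected page is not sent along with the redirect
}
?>
```

and edit checklogin.php to point to your database and your log on particulars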
create this page index.php
| **Member Login** | | |
|---|---|---|
| Username | : | |
| Password | : | |
then create this webpage checklogin.php
```php
<?php
session_start();

$host = "localhost";   // Host name
$username = "";        // MySQL username
$password = "";        // MySQL password
$db_name = "password"; // Database name
$tbl_name = "members"; // Table name

// Connect to the server and select the database.
$link = mysqli_connect($host, $username, $password, $db_name) or die("cannot connect");

// Username and password sent from the form
$myusername = $_POST['myusername'] ?? '';
$mypassword = $_POST['mypassword'] ?? '';

// To protect against MySQL injection
$myusername = mysqli_real_escape_string($link, $myusername);
$mypassword = mysqli_real_escape_string($link, $mypassword);

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysqli_query($link, $sql);

// mysqli_num_rows counts the rows in the result
$count = mysqli_num_rows($result);

// If the result matched $myusername and $mypassword, there must be exactly 1 row
if ($count == 1) {
    // Record the logged-in user in the session and redirect to index2.php
    $_SESSION['myusername'] = $myusername;
    header("location:index2.php");
    exit;
} else {
    echo "Wrong Username or Password";
}
?>
```
in the case of bandwidthd it is html pages, so you will need to copy index.html, rename it to index2.php and insert this code at the very top of the webpage source:
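```php
<?php
// Send visitors who have not logged in back to the login form.
session_start();
if (!isset($_SESSION['myusername'])) {
    header("location:index.php");
    exit; // stop here so the protected page is not sent along with the redirect
}
?>
```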
then copy the above webpages into the bandwidthd web folder. from then on bandwidthd will be a secure page, it will always ask for a user name and password to access the page
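
A hardened variant of the checklogin.php step above, as an added example that is not part of the original post: it binds the username as a query parameter instead of building the SQL string, and compares the password against a hash instead of a plaintext column. It assumes PHP 7.3 or later with pdo_mysql, and that `members.password` holds `password_hash()` output in a column wide enough for it; the variable names are this example's own.

```php
<?php
// Added example: hardened checklogin.php (not the original poster's code).
// Assumes members.password stores password_hash() output (e.g. VARCHAR(255))
// and that the pdo_mysql extension is loaded.

$dsn    = 'mysql:host=localhost;dbname=password;charset=utf8mb4';
$dbUser = '';   // MySQL username (placeholder)
$dbPass = '';   // MySQL password (placeholder)

// Session cookie: not readable from JavaScript, not sent on cross-site requests.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
session_start();

$user = $_POST['myusername'] ?? '';
$pass = $_POST['mypassword'] ?? '';
if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
    http_response_code(400);
    exit('Wrong Username or Password');
}

try {
    $pdo = new PDO($dsn, $dbUser, $dbPass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
} catch (PDOException $e) {
    error_log('checklogin: ' . $e->getMessage()); // details go to the log, not the browser
    http_response_code(500);
    exit('Login unavailable');
}

if (is_string($hash) && password_verify($pass, $hash)) {
    session_regenerate_id(true);      // fresh session ID after login (blocks fixation)
    $_SESSION['myusername'] = $user;  // keep only the username, never the password
    header('Location: index2.php');
    exit;
}

http_response_code(401);
echo 'Wrong Username or Password';
```

The value stored in `members.password` is then generated with `password_hash()` rather than inserted as the plain password, and the `myusername` session entry set here is the one the check at the top of index2.php looks for.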
-
Bandwidthd is a contribution package; it's not part of the pfsense install.
You can make this suggestion to the package maintainer or include the pfsense built-in user/session code instead of creating a second auth database.
-
Sorry for dragging up an old thread, but no one mentioned how to add the built-in user/session code. Could you please tell me how to do this? Thanks
-
if you have php skills, take a look at the sarg package (sarg_reports.php and sarg_frame.php), I've limited its access to pfsense users' permissions.
-
Thanks. I'll give it a shot.
Edit: Where in the file structure could I find those files?