Securing Firefox: How to avoid hacker attacks on Mozilla’s browser

July 12, 2007 at 1:27 pm | Posted in Firefox, Security

Security problems with Microsoft’s dominant Internet Explorer browser helped pave the way for Mozilla Firefox to emerge as an alternative for Web surfers. However, Firefox users should be aware that hackers can exploit software flaws and design features to launch attacks.

The following configuration changes, recommended by CERT/CC, can disable various features and set up the browser to run in a secure state, limiting the damage from malware attacks.

To get started, select Tools, then Options.

In the General tab, you can manually set your home page and check to ensure Firefox is your default browser.

In the Privacy tab, select the Cookies sub-category. Here you can disable cookies or change your preferences for how the browser handles them. CERT/CC recommends enabling cookies for the original site only. Additionally, by enabling the option “unless I have removed cookies set by the site”, a web site can be “blacklisted” from setting cookies when its cookies are removed manually.

In general, CERT/CC recommends you do not use the Firefox feature to store passwords. If you decide to use the feature, be sure to use the measures available to protect the password data on your computer.

Under Firefox’s Privacy category, the Passwords subcategory contains various options to manage stored passwords, and a Master Password feature to encrypt the data on your system.

Use this option if you decide to let Mozilla Firefox manage your passwords.

From the Content category, you can configure Firefox to block pop-up ads and warn when web sites try to install extensions or themes. You should also disable Java unless required by the site you wish to visit. Again, you should determine if this site is trustworthy and whether you want to enable Java to view the site’s content.

CERT/CC recommends disabling all of the options displayed in this dialog.

Click on “Advanced” to disable specific JavaScript features. You might also want to try out the NoScript extension.

Firefox’s Downloads tab offers the option to change actions taken when files are downloading. Any time a file type is configured to open automatically with an associated application, this can make the browser more dangerous to use. Vulnerabilities in these associated applications can be exploited more easily when they are configured to open automatically.

Click the View & Edit Actions button to view the current download settings and modify them if necessary.

The Download Actions dialog shows the file types and the actions the browser will perform when it encounters a given file type.

For any file type listed, click on either Remove Action or Change Action.

If you click on Change Action, select Save them on my computer to save files of that type to the computer.

This helps prevent automated exploitation of vulnerabilities that may exist in these applications.

Firefox also includes a feature to Clear Private Data to give users the option to remove potentially sensitive information from the web browser.

Click on Tools, then Save Private data to find the settings.
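The settings above can also be checked from a profile's prefs.js rather than by clicking through the dialogs. The following is an added example, not part of the original article or of CERT/CC's material: it parses a constructed prefs.js and reports which recommended settings are not in effect. The mapping from dialog options to about:config preference names, and the built-in defaults, are assumptions for Firefox of that era.

```python
import re

# Constructed sample of a profile's prefs.js (not taken from a real profile).
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("signon.rememberSignons", false);
// user_pref("security.enable_java", false);
user_pref("xpinstall.whitelist.required", false);
"""

# (preference, recommended value, assumed built-in default, option it maps to).
# The preference names and defaults are assumptions for Firefox of that era;
# confirm them in about:config on the build you are auditing.
CHECKS = [
    ("network.cookie.cookieBehavior", 1, 0, "cookies for the originating site only"),
    ("signon.rememberSignons", False, True, "do not store passwords"),
    ("dom.disable_open_during_load", True, True, "block pop-up windows"),
    ("xpinstall.whitelist.required", True, True, "warn when sites try to install add-ons"),
    ("security.enable_java", False, True, "Java disabled"),
]

# Only active lines match: lines starting with "#" or "//" are skipped.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_value(raw):
    """Convert a prefs.js literal to bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # unknown literal: keep the raw text


def parse_prefs(text):
    """Return {name: value} for every active user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def audit(text):
    """Return one finding per check: (pref, effective value, source, ok)."""
    prefs = parse_prefs(text)
    findings = []
    for name, wanted, default, _label in CHECKS:
        # prefs.js only records values that differ from the default, so a
        # missing entry means "default in effect", not "not configured".
        if name in prefs:
            value, source = prefs[name], "prefs.js"
        else:
            value, source = default, "default"
        # Compare type and value: in Python 0 == False, but 0 and false are
        # different preference values.
        ok = type(value) is type(wanted) and value == wanted
        findings.append((name, value, source, ok))
    return findings


def failing(text):
    """Names of the preferences that do not match the recommended value."""
    return [name for name, _value, _source, ok in audit(text) if not ok]


if __name__ == "__main__":
    labels = {name: label for name, _w, _d, label in CHECKS}
    for name, value, source, ok in audit(SAMPLE_PREFS):
        status = "ok  " if ok else "FAIL"
        print(f"{status} {name} = {value!r} ({source}); wanted: {labels[name]}")
```

The commented-out Java line in the sample is reported as a failure because the default stays in effect; a setting only counts once it is an active `user_pref` line.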


A beginner’s introduction to the GNU/Linux command line—Managing processes

July 12, 2007 at 12:28 pm | Posted in CLI, User Management

Please See: Intro to the Commandline

Function Securely off a USB Key (dated)

July 6, 2007 at 8:11 pm | Posted in Uncategorized

You can also find this article as a “Part 2” on Traveling Forever, here, as this was written as a continuation of an article posted here. So most of the credit goes to this guy; I’ve just added a ton more to it to ensure that you are anonymous and secure. So don’t be surprised if some of the things here are directly copied and pasted. Descriptions for the Firefox extensions mentioned are copied from their linked locations as well.

So whether you’re just a paranoid guy looking to not be monitored, or a kid at school trying to browse Myspace.. I have some tips.

We’ll be working with running everything from a USB key so no trace (or very little) of use of the application will be on your computer. Firefox and OpenOffice will leave a small registry key but it doesn’t convey much.

This How To has gotten pretty long. So for a quick summary, these are the things that I will be covering:
1. What is a Portable Application
2. How to setup encryption and password protect your USB Key
3. Run and tweak TorPark (Firefox + Tor routing app)
4. Run and tweak a portable Firefox
5. The best extensions for Firefox and Torpark
6. Howto get and use Portable Thunderbird with GPG Encryption
7. Howto get and use Portable GAIM
8. How to setup encryption through GAIM
9. How to use GAIM through Tor
10. How to run & encrypt uTorrent from the USB key
11. How to run OpenOffice from your USB key and tweak it for speed
12. How to use RealVNC to connect to your home computer
13. Use PStart as a launcher for your USB programs
14. Encrypt Files and Folders within TrueCrypt with Challenger
15. Run Skype from your USB key
16. Other USB applications you might find useful
17. Installing Tor Onion Routing to a Hard-drive
18. Generic proxy sites
19. AnonymOS
20. Test your privacy and anonymity

What is a Portable Application?

First off, what is a portable application? They are software programs that are not required to be “installed” onto a computer’s permanent storage device to be executed, and can be stored on removable storage such as a USB flash drive and used on multiple computers. Ideally it can be configured to read its configuration from the same location as the software. Portable applications come in a zip file. Contained in the zip file is their folder. There is NO installation process. MOST of the time, the program runs from the folder itself without requiring a Windows registry entry, without putting DLL files in C:/Windows/System32, and without creating folders in your hidden folder C:/Documents and Settings/Username/Application Data (among other areas). Occasionally some programs will leave a small footprint on a hard-drive, but we’ll address that. Portable apps simply run from the files on the USB key, and they know the location of supporting files that Windows already has (such as codecs, fonts, and such).


First things first. What good is it to have your data stored on, or portable applications running from, a removable disc if someone who connects remotely can access that disc? What if you lose that disc? Everything must be encrypted.

First you want to make sure that you have at least a 512MB USB drive (aka thumb drive, jump drive, etc). You’ll need at least a 1 GB USB drive if you wish to do every single thing listed here.

We’re going to be using TrueCrypt to do this, which you can download here:

What we’re about to do is create a file, create a hidden “volume” (it’ll show up as another drive) in that file, and password protect it. Encryption is automatic, real-time (on-the-fly) and transparent. It provides two levels of plausible deniability, in case an adversary forces you to reveal the password. The first is because it’s a hidden volume (steganography); the second is that no TrueCrypt volume can be identified (volumes cannot be distinguished from random data). The encryption algorithms it uses are as follows: AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish.

You want to download this application and run the installer. Do not install it to its default location.

Install it to your USB drive. The program will run on every computer from the USB drive. Once installed, click the “Create Volume” button. This will guide you through the creation of two volumes, one viewable and one hidden. The existence of the hidden one is impossible to prove, and thus, the software you will install next won’t exist to someone who steals your key. During creation of the viewable volume, you want to make sure that you have a little breathing room so the drive can still be used without TrueCrypt, and enough so that TrueCrypt can still exist on the disc outside of the hidden volume. When you go to create the hidden volume, the data path needs to be to your USB drive, of course. 5-10 MB free will be enough. So if you’re running a 512MB USB stick, make your viewable volume 500MB (the hidden volume will be the same size).

Make sure the passwords you create for the viewable and hidden volumes are different. The hidden volume password should be alpha-numeric, not contain any common words or names, and be at minimum 12 characters long. (Also make sure you remember them, because if you forget them you’re screwed.)

Back at the TrueCrypt main menu, we are going to need to mount the hidden volume. Press the Select File button and select the file you used to create the volume. Click Mount Volume, put in your password for the hidden volume, and be sure to check the protect hidden volume option if you plan on writing to the volume everyone can see. This prevents us from accidentally corrupting our hidden programs or files. TrueCrypt will mount your hidden volume as a drive letter.

If all of this wasn’t quite clear, I did post a “HowTo” on installing and setting up TrueCrypt over at TalkingForever’s Forums. This HowTo will walk you through screenshots, step by step, on how to create an encrypted hidden volume on a USB key.

Step by Step HowTo: Setup TrueCrypt

Starting with Portable Applications
And here’s where the fun begins.


Torpark is Firefox and the Tor onion routing software combined. To explain onion routing: Tor helps to reduce the risks of both simple and sophisticated traffic analysis by distributing your transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you—and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several servers that cover your tracks so no observer at any single point can tell where the data came from or where it’s going.

Tor in itself requires a computer install, but not with Torpark. Note: the tor aspects of Torpark only work for this browser. For more info on how Tor works see:

Download TorPark here:

Extract the zip file to your newly created hidden volume. The hidden volume will show up as a 2nd local disc in My Computer. Chances are the drive letter is Z: (but not always, by any means). And that’s it. It’s installed.

Browsing through TorPark is significantly slower than a regular connection. Here you will have to decide what’s more important: speed, or staying anonymous. Unless you build and host a Tor server yourself, you can’t complain.

Tweak TorPark
But alas there are hacks/tweaks to make TorPark run faster. (This can also be used on Portable Firefox as well).

First we’ll kill the amount of RAM Firefox uses for its cache feature
Here’s how to fix it:
1. Type “about:config” (no quotes) in the browser address bar
2. Find browser.sessionhistory.max_total_viewers
3. Set its value to “0”

Increase the Speed in Which Firefox loads pages
1. stay in about:config
2. Alter the entries as follows:
Set “network.http.pipelining” to “true”
Set “network.http.proxy.pipelining” to “true”
Set “network.http.pipelining.maxrequests” to some number like 30 (this might piss off some website owners as it will request the page 30 times)

3. Lastly right-click anywhere and select New-> Integer. Name it “nglayout.initialpaint.delay” and set its value to “0”.

This value is the amount of time the browser waits before it acts on information it receives.

Kill RAM usage to 10 MB when FF is minimized
This little about:config hack will drop Firefox’s/Torpark’s RAM usage down to 10 MB when minimized

1. Open Firefox and go to the Address Bar. Type in about:config and then press Enter.
2. Right Click in the page and select New -> Boolean.
3. In the box that pops up enter config.trim_on_minimize. Press Enter.
4. Now select True and then press Enter.
5. Restart Firefox or Torpark.

Torpark Switch Proxy Extension
You may decide you don’t want 2 browsers on your USB key, but you don’t always want to use the Tor network to do your browsing due to speed. If this is the case install the Switch Proxy Extension and configure it.

(Note, this will undo Torpark’s default settings)
1. To configure, install the extension, then restart TorPark.
2. A new toolbar has appeared.
3. Torpark already has a proxy configured.
4. Make sure the selected proxy says “None” and hit Apply. Now Torpark is no longer using Tor.

To set the option to turn Tor on:
1. So we’ll press Add
2. Select “Standard” and “Next”
3. Name it Tor and select “Manual Proxy Configuration”
4. Add the values to the SOCKS Host and Port 81 (note, port 81 is just for Torpark. With a hard-drive install of Tor, Firefox and Thunderbird will run through 8118.)
5. Socksv5 should be selected
6. Hit Apply. Now Torpark is using Tor and you have the ability to switch back and forth.

(If you use Tor off the hard-drive and not just TorPark, the Switch Proxy extension can be used in Thunderbird to send e-mail as well. To download, you right click the install file and “Save As”, then in Thunderbird go to File –> Open. You’d configure it the same as the above.)

Portable Firefox

There’s a multitude of reasons you may not wish to use TorPark. Below are some reasons why:
1) Too slow and you value speed more than anonymous traffic
2) If you’re running applications through a hard-disk installed version of Tor (which you might decide to do with GAIM) you cannot run 2 Tor circuits simultaneously. You’d either have to run TorPark, or GAIM through Tor, but not both at the same time.

Download from here:
Portable Firefox

and do the same thing we did with TorPark. Unzip it to your hidden volume.

Firefox and TorPark Extensions
There’s a ton of extensions for usability and other issues that I love and use, but I’m not going to cover these. I’m only going to cover issues of a security nature.

All Firefox plugins work with both TorPark and Portable Firefox. You will have to install an instance of each to use them on both. Or just install them on the browser you choose to use most often. I do recommend these extensions for ALL versions of Firefox (portable, Tor, or not).

NoScript – (already included in TorPark) Disables all website JavaScript by default and allows you to whitelist the sites you choose.

Customize Google– This will allow you to block Google ads, anonymize your Google cookie ID, and it’ll stop you from sending traffic to google analytics.

AdBlock – (already included in TorPark) Websites call ads that are actually just hot link scripts, flash files, images from other sites. These have the potential to install spyware. Best to block them. Adblock allows you to right click an ad and get rid of it for good.

Adblock Filterset G.Update – This loads a filter list of most internet ad sites out there. This saves a lot of time compared to manually blocking ads. It also updates itself automatically.

CookieSafe– This extension will allow you to easily control cookie permissions. It will appear on your statusbar. Just click on the icon to allow, block, or temporarily allow the site to set cookies.

SafeHistory– Restricts the marking of visited links on the basis of the originating document, defending against web privacy attacks that remote sites can use to determine your browser history at other sites. A link on pointing at will only be marked visited if you previously visited the page with a referrer in the domain of On-site links work normally. Checks cookie settings (allow, originating site only, deny) to determine your desired privacy level (segmented by origin, don’t mark links visited in offsite frames, or never mark links visited).

SafeCache– Segments the cache on the basis of the originating document, defending against web privacy attacks that remote sites can use to determine your browser history at other sites. For example, a image appearing on an page would have a separate cache entry from the same image appearing on a page, so cannot use timing techniques to determine if you have visited before. Checks cookie settings (allow, originating site only, deny) to determine your desired privacy level (segmented cache, cache originating site only, or never cache).

ClamGlue (will only work if WinClam is installed on the hard-drive.) This plugin uses WinClam anti-virus to scan every file Firefox downloads for viruses.

Portable Thunderbird with GPG Encryption

Download it here

Same process. Download, unzip, setup to connect to your mail server. When you want to send an email, use Portable Thunderbird w/ Enigmail & GPG. Secure and anonymous e-mail has been addressed much earlier than secure and anonymous web browsing. This means the technology for e-mail is more mature, and has been tested a whole lot longer. We know GPG encryption can be relied upon to make sure all of our email transmissions are at least as secure as sealed mail. It works by creating a public key and a private key. You give your public key to anyone you want to write to. They give you their public key, and you encrypt your email with the public key of the person you’re talking to. Your email is then only readable by the person you send it to. With plenty of anonymous emailers around to send our email through, we can also be reassured our communication is anonymous. In other words, we can say it’s technically impossible to prove an email was sent by us. This is a good thing.

Portable Gaim, Encryption and Tor
We have 2 routes we can go here. The portable way, or the non-portable.

First, place the PortableGaim directory on your hidden share. We must also install GAIM on the hard-drive first (the full version) in order to install GAIM encryption. Currently the GAIM encryption installer will not let you change the install location, so we’ll have to move the plugin manually. (FYI: Gaim-Encryption uses NSS to provide transparent RSA encryption as a Gaim plugin.)

Download PortableGAIM here

Let’s get Encryption Working on Portable Gaim

1. Uncompress Portable Gaim into your hidden volume (you may have already).
2. Download GAIM (the full version for Windows) and install it.
3. Download GAIM Encryption
4. Install Gaim Encryption on your hard-drive
5. Now it gets complex. We need to copy a series of files (about 20) from one location to another. Below is a list of the files that need to be copied from the install folder on your hard-drive, to the corresponding folder on your hidden volume. (If the folder isn’t there on the hidden volume, it needs to be created)

What a pain in the ass, you say!?! Well, I wrote a batch file to automate this. You’re welcome.

You MUST have your hidden volume mounted at Z:\ for this to work, and your Gaimportable directory needs to be directly in that volume. So Z:\Gaimportable should exist. Then right click and save this zip file, then extract it and run it.

If that file doesn’t work, download it here (right click and Save As). Once downloaded, right click and change the name: change the extension from txt to bat. Double click to run it, and voila.

It copies these files and directories:

C:\Program Files\Gaim\plugins\encrypt.dll
C:\Program Files\Gaim\locale\cs\LC_MESSAGES\
C:\Program Files\Gaim\locale\da\LC_MESSAGES\
C:\Program Files\Gaim\locale\de\LC_MESSAGES\
C:\Program Files\Gaim\locale\es\LC_MESSAGES\
C:\Program Files\Gaim\locale\fr\LC_MESSAGES\
C:\Program Files\Gaim\locale\hu\LC_MESSAGES\
C:\Program Files\Gaim\locale\it\LC_MESSAGES\
C:\Program Files\Gaim\locale\ja\LC_MESSAGES\
C:\Program Files\Gaim\locale\nl\LC_MESSAGES\
C:\Program Files\Gaim\locale\pl\LC_MESSAGES\
C:\Program Files\Gaim\locale\pt_BR\LC_MESSAGES\
C:\Program Files\Gaim\locale\ru\LC_MESSAGES\
C:\Program Files\Gaim\locale\sl\LC_MESSAGES\
C:\Program Files\Gaim\locale\uk\LC_MESSAGES\
C:\Program Files\Gaim\locale\zh_TW\LC_MESSAGES\

6. Load Gaim and go to Tools –> Plugins and you should have the option to set encryption (Don’t click it yet)

7. Uninstall Gaim and Gaim Encryption from your computer in Add/Remove programs. Delete any residual folders in Program Files. Now test to see if the encryption plugin loads and creates a key.

This ONLY works if you’re chatting with someone else using encryption. It’s good to note that most simple packet sniffers that capture and translate AIM/Yahoo/MSN/Jabber traffic tend to read person to person conversations, not chat rooms. More sophisticated ones read both without a hitch. Encryption is meaningless in chat rooms for AIM, MSN, and Yahoo. It simply does nothing.

If you want to have a secure connection that’s encrypted for a chat room (this is great for business conferences across the web), GAIM can connect you to another client: SILC. It will automatically assign you a name and password and prompt you to accept or deny encryption keys. Of course, the people you chat with will have to use SILC as well.

Route GAIM through Tor
You can still choose to just use the above setup if you wish, or you can use GAIM + the encryption plugin loaded onto your hard drive and route it through Tor.

You’ll need to install Tor Bundle for Windows (on the hard-drive.. it’s not a portable application) and change the proxy for each account you’re chatting on to a SOCKS4 proxy.
1. Go to Create a new or Modify an existing account.
2. Select “Show More Options”. Here you can input proxy data.
3. Select Socksv4. You’ll want to use the term “localhost” (no quotes) as the proxy (this will access the Tor circuit). The port you’d chat on would be 9050.
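An added example for the SOCKS4 setting above, not part of the original article: plain SOCKS4 can only carry an IPv4 address, so the client looks the hostname up itself before it talks to the proxy, while SOCKS4a and SOCKS5 can hand the hostname to the proxy. The code builds each CONNECT request and classifies it; the hostname, address and port are constructed sample values.

```python
import socket
import struct


def socks4_connect(ipv4, port, user=b""):
    """Plain SOCKS4 CONNECT: VN=4, CD=1, port, IPv4 address, user id, NUL."""
    return struct.pack(">BBH", 4, 1, port) + socket.inet_aton(ipv4) + user + b"\x00"


def socks4a_connect(hostname, port, user=b""):
    """SOCKS4a CONNECT: address 0.0.0.1 marks that a hostname follows the user id."""
    head = struct.pack(">BBH", 4, 1, port) + b"\x00\x00\x00\x01"
    return head + user + b"\x00" + hostname.encode("ascii") + b"\x00"


def socks5_connect(hostname, port):
    """SOCKS5 CONNECT request (sent after method negotiation) with ATYP=3, a domain name."""
    name = hostname.encode("ascii")
    return bytes([5, 1, 0, 3, len(name)]) + name + struct.pack(">H", port)


def classify_request(msg):
    """Return (protocol, destination, hostname_sent_to_proxy) for a CONNECT request.

    hostname_sent_to_proxy is False when the proxy only ever sees an IP
    address, i.e. any name lookup happened on the client, outside the proxy.
    """
    if len(msg) >= 9 and msg[0] == 4 and msg[1] == 1:
        port = struct.unpack(">H", msg[2:4])[0]
        addr, rest = msg[4:8], msg[8:]
        user_end = rest.index(b"\x00")  # ValueError if the user id is unterminated
        if addr[:3] == b"\x00\x00\x00" and addr[3] != 0:
            name = rest[user_end + 1:]
            host = name[:name.index(b"\x00")].decode("ascii")
            return ("SOCKS4a", f"{host}:{port}", True)
        return ("SOCKS4", f"{socket.inet_ntoa(addr)}:{port}", False)
    if len(msg) >= 7 and msg[0] == 5 and msg[1] == 1:
        atyp = msg[3]
        if atyp == 3:  # domain name, length-prefixed
            end = 5 + msg[4]
            if len(msg) < end + 2:
                raise ValueError("truncated SOCKS5 request")
            host = msg[5:end].decode("ascii")
            port = struct.unpack(">H", msg[end:end + 2])[0]
            return ("SOCKS5", f"{host}:{port}", True)
        if atyp == 1:  # IPv4 literal
            if len(msg) < 10:
                raise ValueError("truncated SOCKS5 request")
            port = struct.unpack(">H", msg[8:10])[0]
            return ("SOCKS5", f"{socket.inet_ntoa(msg[4:8])}:{port}", False)
    raise ValueError("not a SOCKS4/4a/5 CONNECT request this example understands")


if __name__ == "__main__":
    # Constructed sample destination: a documentation-range address and name.
    samples = [
        socks4_connect("192.0.2.10", 5190),
        socks4a_connect("chat.example.org", 5190),
        socks5_connect("chat.example.org", 5190),
    ]
    for request in samples:
        proto, dest, via_proxy = classify_request(request)
        where = "proxy resolves the name" if via_proxy else "client supplied an IP"
        print(f"{proto:8} {dest:24} {where}")
```

When the classifier reports that the client supplied an IP, check whether the application did a normal DNS lookup first; that lookup does not travel through the proxy.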


Download the standalone application here

uTorrent is the most lightweight BitTorrent application I can find, weighing in at 154kb (smaller than this tutorial). Beware though: you can route this through Tor if you have a hard-drive install, but otherwise it’s unencrypted. I also don’t recommend doing BitTorrent through the Tor network. Tor’s network is slow enough as it is without people hogging it with BitTorrent traffic. There’s also no SafePeer-like plugin like there is for Azureus. I’m currently working to find an alternative that will allow you to load blocklists of IP addresses to ensure the RIAA or MPAA isn’t tracking what files you’re leeching/seeding (among other issues). So use at your own risk. You know, if you’re using it for illegal purposes. But you know, none of us would dare do that, would we?

If you couldn’t care less whether it’s a portable app, I’d say go with Azureus and get the SafePeer plugin.

Encrypt uTorrent
Taken from here
More and more ISP’s are limiting throttling BitTorrent traffic on their networks. By throttling BitTorrent traffic the speed of BitTorrent downloads decrease, and high speed downloads are out of the question.

The list of ISP’s that limit BitTorrent traffic, or plan to do so is growing every day, and according to the BBC, the ‘bandwidth war’ has begun. Are you not sure if your traffic is being throttled? Check the list of bad ISP’s.

But there is a solution. Encrypting your torrents will prevent throttling ISP’s from shaping your traffic. I will explain how to enable encryption in µtorrent.

1. Go to: Options > Preferences > Network
2. Go to ‘Protocol encryption’, you can choose between ‘enabled’ and ‘forced’. ‘Enabled’ will give you more connections but offers less protection against traffic shapers. I would recommend to try ‘enabled’ first, if that doesn’t increase your speeds you need to switch to ‘forced’.
3. Ticking ‘Allow legacy incoming connections’ allows non encrypted clients to connect to you. This improves compatibility between clients but makes you more vulnerable to traffic shapers.

That’s it, your Bittorrent traffic is encrypted now.

I would recommend to tick this box, but if that doesn’t increase your speeds, untick it!

Portable Open Office and Abi Word
People tend to define their office software by the quality of the word processor more than anything. OpenOffice’s Writer just doesn’t add up, but the rest of the suite is more than suitable IMO. You can choose to go with or without Abi Word as Open Office does come with Writer, their word processor. I just prefer Abi Word over Writer myself.

I pick these apps, not only because they’re portable, but unlike MS Office (which isn’t portable) they don’t leave behind data showing who made the file, edits and changes that were done to the file over time, etc. MS Office has the ability to turn those features off, but it’s a pain in the ass.

Download and unzip just like all the rest.

Here for Open Office Here for Abi Word

OpenOffice tends to open up a bit slow. Once extracted to the hidden volume you can improve this by doing the following. Open any of OpenOffice’s apps (Writer, Calc, Impress, Draw, Base, Math) and do the following:
1. Go to Tools
2. Go to Options
3. Go to Memory
4. Change number of steps to 10.
5. Change “Use for Open Office” to 30.
6. Change “Memory per Object” to 7.
7. Change “Remove After Memory” to 0:00:05
8. Change Number of Objects to 10
9. Close the app.


VNC can allow us to do some nifty tricks as well, or you may just need it to aid in technical problems of another, but we’ll focus on hiding our network activity here.

  1. Download it here
  2. Install it (make sure to get the zip file, not the exe)
  3. And run vncviewer.exe

Now how to browse the web, chat, and e-mail from anywhere on your home computer:

1. You can install this on your home computer (this time install both the server and the viewer).
2. Password protect the server.
3. Make sure port 5900 is open on your firewall.
4. If you have a router, make sure your router forwards port 5900 to the private IP address of the machine you installed the VNC server on. (More than likely 192.168.x.x or 10.0.x.x)
5. Now mount your hidden volume on a computer at your place of business, education, a library, or a friend’s or family member’s house. Open VNCViewer, type the IP address and password of your home computer. Now you should be able to view the desktop of your home machine, and use that to browse, chat, and send e-mail. All traffic analysis would see is that you’re passing ARP packets and bmp files on port 5900. Your web activity on your home computer is untraceable to the LAN you’re connected to.

Creates a tray icon that allows you to link in your portable applications. It simplifies access to the programs, rather than continually having to dig through folders to get the executable.

Challenger Encryption
So let’s say you do something really stupid: you have extra sensitive files you absolutely cannot have anyone access (bank records, credit card records, files in regards to your business, etc.), and you leave your hidden volume mounted and walk away from your machine. These files are now exposed to a threat. Now, we wouldn’t ever want this situation happening. But it happens, and interested parties could take advantage of it.

This is where Challenger comes in. Download the app here.

1. Use 7-zip to extract the folders.
2. Place these folders in a folder on your hidden volume
3. The app is in the device folder and is named cha.exe
4. Type Berlin for the first word pass
5. Click Activate Phrase
6. Select A “Masterphrase” and click new. Then input your password. Do not forget it.
7. Then go to File > Settings.
8. Make sure all 3 on security are checked, and the drop downs are all 7-vsitr (NSA 7 Pass)
9. Hit Encrypt File or hit Folder-or-Drive
10. Select the folder or file(s) that you need protected.

What this will do is encrypt the files. The file extension will change to a *.cha file, and the original file will be deleted with 7 passes (garbage re-writes). When you go to unencrypt the file, the encrypted file will also be deleted with 7 passes. Leave the files you need to absolutely protect as encrypted until you need to access them. If these files are that important, it’s a good idea to have a secure and encrypted backup of them somewhere as well.

The encryption behind Skype’s VoIP is amazing. So it’s rather great of the folks over at U3P to make a portable version of the software. You can obtain the U3P file here.

Download it, use a program like 7-Zip to extract it to your hidden volume, and in the Skype/host directory is the Skype.exe.

Other Portable Applications

These Portable Apps you may or may not need.

ClamWin Anti-Virus
VLC Media Player
GIMP Image Editor
Notepad2 (open source Notepad with more functionality than MS’s notepad)
FoxitPDF Reader
Cyber Shredder (has NSA 7 Pass deletion method)
Angry IP Scanner
Rootkit Revealer
XAMPP: portable Apache, mySQL, PHP and phpMyAdmin
Microburner (CD burning app)
Locknote: create an encrypted note to yourself on the fly

I’ve created a zip file for download via rapid share, a torrent will be coming soon. The zip contains these portable applications.

  1. Crap Cleaner (you must run the RunCCleaner.bat to run the application)
  2. Foobar2000 Media Player
  3. GiveMeToo Packet Sniffer (easier than Ethereal, leaves a folder C:\GrabbedStuff for logs)
  4. Portable Ad-Aware
  5. Portable Spybot
  6. Portable Spyware Blaster (comes with VB and Java lib install files in case the app doesn’t work)
  7. Restoration (Restores files deleted by a normal Windows delete)
  8. utool (uninstalls apps, sees apps Add/Remove programs do not, light weight and speedy)
  9. Avast Antivirus (scaled down version, only finds about 50 major viruses)
  10. Calculator
  11. Flushcode
  12. HiJackThis (advanced spyware removal)
  13. MsPaint
  14. Process Monitor
  15. Putty (telnet and ssh client)
  16. SafeXP (make it easy to shut off system broadcasts and services)
  17. McAfee Stinger (scaled down version to remove viruses)
  18. TweakUI
  19. UPXShell
  20. Killbox (deletes files that windows won’t allow you to)
  21. Winpooch (monitors system folders for spyware)

Download it here from rapidshare
Download all these apps via bit torrent (430MB)

and… we’re done for the Portable stuff. Now you have a USB key you can take around with you and open your TrueCrypt volumes anywhere and run this software anywhere with a heightened sense of security. Whether at school, a library, work, a family’s house.. your private business, stays private. Just don’t be cocky. There’s no such thing as being 100% secure, and 100% anonymous.

Common Sense Tips

1. Make sure your firewall is on, and make sure it’s configured well, allowing through only the programs you need to allow through.
2. Get a registry or spyware monitor. Regmon is a good registry monitor. Winpooch is an excellent Registry and system file monitor and can prevent system changes (it can also hook WinClam anti-virus, and gives it real time active scanning ability.. which it doesn’t have).
3. If it’s a computer you use often, get some anti-spyware apps and some anti-virus apps if allowed and install them on the hard-drive; run them at the very least weekly.
4. Try using the latest software and keeping up to date with security updates on a machine.

Installing Tor to a Hard-drive

I’ve mentioned several times throughout the article, that there are advantages to having Tor run locally on the machine. You can download and install the application here:

Proxy Sites

You can also go the route of going through a proxy site. There are hundreds of them. But be warned: a lot of websites also block these proxies, so don’t be surprised if you can’t post on your favorite message board with them. Also, it’s generally a bad idea to input a password into a site while browsing through one of these, as your cookies for the site are stored on their servers and all information you input can be extracted from their servers. Also, these should be used to get around web filters more than anything. Don’t expect them to keep you anonymous on your LAN, or on the servers of the pages you’re accessing. There are packet sniffers that can see where you’re going even through a web proxy.

It should also be noted, that a proxy that will never go away is simply.. Google’s translate function. Take your favorite website and get Google to translate it to English. Google will then automatically act as a proxy for your activity on the site.
GO Anon


For the truly dedicated, this is also a route to take. To do anonymous web activity (I wouldn’t suggest this in a work place or a school..) Download this Live CD, burn the ISO as a bootable disc, boot your computer on it, and use this to access someone else’s WiFi network. All your Windows Portable apps will not work with this as this is a version of Linux with applications installed for you. You merely boot your computer off the cd and the operating system loads. When you’re done, eject the cd, boot your computer back up, and you’ll be back to normal with Windows and all. From their homepage:

kaos.theory’s Anonym.OS LiveCD is a bootable live cd based on OpenBSD that provides a hardened operating environment whereby all ingress traffic is denied and all egress traffic is automatically and transparently encrypted and/or anonymized.

Download it here

It would be good to note that if you use a LiveCD such as this one coupled with your USB key for permanent storage of files you download, it ensures a much higher level of security. Since absolutely nothing gets written to the harddrive. AnonymOS isn’t by far the only LiveCD out there (you got Knoppix, Damn Small Linux, etc), but it’s by far the best in terms of security so far.

Simple Tests
As the title says, SIMPLE. Meaning, just because you pass these tests doesn’t mean you’re 100% secure or anonymous (on the LAN side or the WAN side).

The easiest thing you can do to test your anonymity is to go to and see if the IP showing up is yours or not.

After that you can check out services like:

AuditmyPC Privacy & Spyware Check


And then there are various proxy tests:

Proxy Test
and Proxy Checker.

Here you can see if your machine is leaking any info.

How To Install Zimbra Collaboration Suite (ZCS) On Ubuntu

July 6, 2007 at 3:34 pm | Posted in Ubuntu, zimbra | Leave a comment

How To Install Zimbra Collaboration Suite (ZCS) On Ubuntu

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 03/05/2007

This guide shows how to install the Zimbra Collaboration Suite (ZCS) on Ubuntu 6.10 (Edgy Eft) and 6.06 (Dapper Drake) server systems. Zimbra is a full-featured, open source collaboration suite – email, group calendaring, contacts, and web document management and authoring. It has a feature-rich AJAX web interface and is compatible with clients such as Microsoft Outlook, Apple Mail, and Novell Evolution so that mail, contacts, and calendar items can be synchronised from these to the ZCS server. It can also be synchronized to many mobile devices. ZCS makes use of many existing open source projects such as Postfix, MySQL, and OpenLDAP.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

Please download the Ubuntu 6.10 or 6.06 server CD from and install a basic Ubuntu system with it. Don’t install/enable any services (e.g. like LAMP or DNS) – if you do, you’ll have to disable them later on as they might interfere with Zimbra!

After the installation of the base system, we’ll do some additional configuration, e.g. enable the root account, install an SSH daemon, apply a static IP address and a hostname to the system.

I will use the hostname in this tutorial together with the IP address Adjust this to your needs, but make sure that has a valid MX record in DNS (Zimbra needs this!). I assume you want to create email accounts for instead of, so you should have an MX record for as well.

In this example the Zimbra server is in a local network ( is a private IP address) behind a router, so make sure you use the router’s public IP address ( in this example) in the DNS records – of course this IP address should be static. If you have a dynamic IP address, you could use a service such as, but keep in mind that most public IP addresses are blacklisted nowadays.

So if you use BIND on the authoritative name server for, you should have something like this in‘s zone file:

[...]        A        MX 0             MX 0


If your Ubuntu server is behind router, make sure that you forward at least port 25 from your router to your Ubuntu server.

If your Ubuntu server is in a data center, it most likely has a static public IP address and a hostname, so you can skip chapter 1.3, but still you must make sure that this hostname has a valid MX record.

1.1 Enable The root Account

To enable the root account, run

sudo passwd root

and specify a password for root.

Afterwards, become root by running


All following commands in this tutorial are executed as root (unless something else is written)!

1.2 Install The SSH Daemon

Just run

apt-get install ssh openssh-server

to install the SSH daemon.

1.3 Apply A Static IP Address And Hostname

Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address

vi /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static

Then restart your network:

/etc/init.d/networking restart

Then edit /etc/hosts. Make it look like this:

vi /etc/hosts localhost.localdomain localhost mail

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Now run

echo > /etc/hostname

and reboot the system:

shutdown -r now

Afterwards, run

hostname -f

Both should show

From now on you can use an SSH client such as PuTTY and connect from your workstation to your Ubuntu server and follow the remaining steps from this tutorial.

1.4 Disable The Ubuntu CD In /etc/apt/sources.list

I like to install all packages over the internet instead of from the Ubuntu CD, therefore I disable the Ubuntu CD in /etc/apt/sources.list now:

vi /etc/apt/sources.list

On Ubuntu 6.10 (“Edgy Eft”), comment out this line:

#deb cdrom:[Ubuntu-Server 6.10 _Edgy Eft_ - Release i386 (20061025.1)]/ edgy main restricted

On Ubuntu 6.06 (“Dapper Drake”), it’s this line:

#deb cdrom:[Ubuntu-Server 6.06 _Dapper Drake_ - Release i386 (20060531)]/ dapper main restricted

Then update the packages database by running

apt-get update

1.5 Disable Services

If this is not a fresh system and you already have some services running (such as Postfix, Apache, OpenLDAP), you must disable them before installing Zimbra. Otherwise Zimbra will fail to install.

For example, to disable Postfix on your system, run

/etc/init.d/postfix stop
update-rc.d -f postfix remove

The commands for the other services are similar.

2 Change The Default Shell (Ubuntu 6.10 Edgy Eft Only)

If you are on Ubuntu Edgy Eft, most probably /bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

rm -f /bin/sh
ln -s /bin/bash /bin/sh

If you don’t do this, you will most likely get an error like this during the Zimbra installation:

Creating SSL certificate…Done
Initializing ldap…TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:352
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
main: TLS init def ctx failed: -1
ERROR – failed to start slapd


On Ubuntu Dapper Drake, /bin/sh points to /bin/bash by default, so everything is ok.

3 Install Zimbra

First let’s install some prerequisites for Zimbra:

apt-get install curl fetchmail libpcre3 libgmp3c2 libexpat1 libxml2 libtie-ixhash-perl

Afterwards, go to and download the Ubuntu 6 (.tgz) package to /usr/src, for example like this:

cd /usr/src

(Replace the download URL with the one you get from SourceForge.)

Afterwards, unpack the Zimbra .tgz file and start the installer:

tar xvfz zcs-4.5.3_GA_733.UBUNTU6.tgz
cd zcs/

The installer will ask a few questions. Answer them like this:

Operations logged to /tmp/install.log.4416
Checking for existing installation…
zimbra-ldap…NOT FOUND
zimbra-logger…NOT FOUND
zimbra-mta…NOT FOUND
zimbra-snmp…NOT FOUND
zimbra-store…NOT FOUND
zimbra-apache…NOT FOUND
zimbra-spell…NOT FOUND
zimbra-core…NOT FOUND


License Terms for the Zimbra Collaboration Suite:

Press Return to continue <– <ENTER>

Install zimbra-ldap [Y] <– <ENTER>

Install zimbra-logger [Y] <– <ENTER>

Install zimbra-mta [Y] <– <ENTER>

Install zimbra-snmp [Y] <– <ENTER>

Install zimbra-store [Y] <– <ENTER>

Install zimbra-spell [Y] <– <ENTER>

The system will be modified. Continue? [N] <– y

Main menu

1) Hostname:
2) Ldap master host:
3) Ldap port: 389
4) Ldap password: set
5) zimbra-ldap: Enabled
6) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create:
******* +Admin Password UNSET
+Enable automated spam training: yes
+Spam training user:
+Non-spam(Ham) training user:
+Global Documents Account:
+SMTP host:
+Web server HTTP port: 80
+Web server HTTPS port: 443
+Web server mode: http
+Enable POP/IMAP proxy: no
+IMAP server port: 143
+IMAP server SSL port: 993
+POP server port: 110
+POP server SSL port: 995
+Use spell check server: yes
+Spell server URL:

7) zimbra-mta: Enabled
8) zimbra-snmp: Enabled
9) zimbra-logger: Enabled
10) zimbra-spell: Enabled
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

Address unconfigured (**) items (? – help) <– 6

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create:
** 4) Admin Password UNSET
5) Enable automated spam training: yes
6) Spam training user:
7) Non-spam(Ham) training user:
8) Global Documents Account:
9) SMTP host:
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: http
13) Enable POP/IMAP proxy: no
14) IMAP server port: 143
15) IMAP server SSL port: 993
16) POP server port: 110
17) POP server SSL port: 995
18) Use spell check server: yes
19) Spell server URL:

Select, or ‘r’ for previous menu [r] <– 4

Password for (min 6 characters): [8BD.yZtFh] <– [specify a password for the admin user, e.g. howtoforge]

Select, or ‘r’ for previous menu [r] <– <ENTER>

Main menu

1) Hostname:
2) Ldap master host:
3) Ldap port: 389
4) Ldap password: set
5) zimbra-ldap: Enabled
6) zimbra-store: Enabled
7) zimbra-mta: Enabled
8) zimbra-snmp: Enabled
9) zimbra-logger: Enabled
10) zimbra-spell: Enabled
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

*** CONFIGURATION COMPLETE – press ‘a’ to apply
Select from menu, or press ‘a’ to apply config (? – help) <– a
Save configuration data to a file? [Yes] <– <ENTER>
Save config in file: [/opt/zimbra/config.5762] <– <ENTER>
Saving config in /opt/zimbra/config.5762…Done
The system will be modified – continue? [No]
<– y

You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Suite.
The only information that will be transmitted is:
The VERSION of zcs installed (4.5.3_GA_733_UBUNTU6)

Notify Zimbra of your installation? [Yes] <– [if you want to notify Zimbra of your installation, type y, otherwise n]

Configuration complete – press return to exit <– <ENTER>

That’s it already. To test if all Zimbra services are running, become the zimbra user:

su - zimbra

and run

zmcontrol status

The output should look like this:

zimbra@mail:~$ zmcontrol status
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running

If not all services are started, run

zmcontrol start



to become root again.
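To check this from a script rather than by eye, the status output can be compared against the services shown above. This is an added example, not part of the original tutorial; the function name zimbra_status_problems and the expected-service list (copied from the sample output above) are assumptions, and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example: flag Zimbra services that are not "Running".
# Assumption: the same components as in the tutorial's sample output are installed.
ZIMBRA_EXPECTED="antispam antivirus ldap logger mailbox mta snmp spell"

# zimbra_status_problems
# Reads `zmcontrol status` text on stdin. For every expected service that is
# not reported as Running it prints "<service> <state>" ("missing" when the
# service does not appear at all) and returns the number of such services.
zimbra_status_problems() {
    awk -v expected="$ZIMBRA_EXPECTED" '
        NF >= 2 { state[$1] = $NF }      # first field: service, last field: state
        END {
            n = split(expected, want, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                s = (want[i] in state) ? state[want[i]] : "missing"
                if (s != "Running") {
                    print want[i], s
                    bad++
                }
            }
            exit bad
        }'
}

# Constructed sample: antivirus is stopped and the snmp line is absent.
zimbra_status_problems <<'EOF' || echo "$? service(s) need attention"
zimbra@mail:~$ zmcontrol status
antispam Running
antivirus Stopped
ldap Running
logger Running
mailbox Running
mta Running
spell Running
EOF
```

On a live server the function would be fed with `zmcontrol status | zimbra_status_problems` as the zimbra user.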

4 The Zimbra Web Interface

Zimbra comes with a web interface for the administrator ( and normal users ( I’m going to show some basic screenshots here, but no help on how to use Zimbra. To learn how to use Zimbra, please refer to and

4.1 The Administration Console

You can now open a browser and open the Zimbra Administrator web interface. The URL is Log in with the username admin and the password you specified during the Zimbra installation:

This is what the admin panel looks like:

You can find all pre-configured email addresses under Accounts:

If you want to add a new domain (e.g. because you want email addresses of the form instead of, click on Domains and then on New:


Afterwards, is listed in the domains list:

To create a new user, go to Accounts and click on New:

Follow the wizard to create a new email account. Take care that you select the right domain ( vs.

Afterwards, mark the new account in the accounts list and click on Edit:

Specify a password for the new account on the General Information tab and click on Save:

4.2 The User Webinterface

Now that you’ve created a normal user account, you can log out of the admin panel and go to Log in with the email address and the password of the new account:

This is what the user web interface looks like. You have tabs to manage your emails, address book, calendar, documents, etc.

5 Uninstall Zimbra

If you want to uninstall Zimbra, do it like this:

Go to the Zimbra installation directory (I hope you didn’t delete it):

cd /usr/src/zcs

Then run

./ -u

and delete the Zimbra installation directory afterwards:

cd /usr/src
rm -rf zcs

6 Links

How To Utilize Your New Multimedia Keyboard Under Linux

July 6, 2007 at 2:15 pm | Posted in keyboard, Linux, xbindkeys | 1 Comment


Xbindkeys is a program that allows you to launch shell commands with your keyboard or your mouse under X Window. It links commands to keys or mouse buttons, using its configuration file. It does not depend on the window manager and can capture all keyboard keys.


  • a keyboard with special/multimedia buttons
  • xbindkeys
  • working X Window, doesn’t matter if it is KDE, Gnome or any other



Now you are familiar with the scope of this tutorial, so let’s start! First of all, xbindkeys can be obtained from two sources:

  • If you are on a Debian-based system you can use apt-get to install it. It is in the ‘universe’ repo in Ubuntu and in the ‘main’ section in Debian.

    apt-get install xbindkeys

    (can be done as root or with sudo)

  • You can download the latest source from here:

After that go to the directory where you downloaded the source and unpack it with tar:

cd your_download_dir

Uncompress the source (1.x.x refers to your version):

tar xzvf xbindkeys-1.x.x.tar.gz

Change to the new directory (created by tar):

cd xbindkeys-1.x.x

Install the program (as root):

su root
make install


The program is configured by the use of a file, .xbindkeysrc in your home directory. It is recommended to use the default configuration and then you can edit it according to your needs.

xbindkeys --defaults > $HOME/.xbindkeysrc

If you open the file with a text-editor you can see its structure:

# Next Track - Alt + Up
"xmms --fwd"
  m:0x8 + c:98

# Previous Track - Alt + Down
"xmms --rew"
  m:0x8 + c:104

The structure is straightforward: the command to be executed is enclosed in quote characters, and the line after it gives the keyboard codes that trigger that command. A line starting with a hash mark (#) is a comment; commenting each binding is strongly recommended. To find out a keycode, run:

xbindkeys -mk

This will pop up a window and show the keycodes when you hit keys. When you are done with your buttons, press “q” to quit.
You can check your current keys and commands with:

xbindkeys --show

Once you have setup your .xbindkeysrc you can start the program by running:

xbindkeys &

This runs the command in the background, where it listens for keyboard events and executes the matching command whenever it sees a combination listed in its config file. To start xbindkeys when you log in, the best way, as long as you’re logging in via KDM or GDM, is to put xbindkeys in your ~/.bashrc file.


You can use xbindkeys-config, a GUI utility for editing your .xbindkeysrc. It can be installed with apt-get. Please note, create the config file with

xbindkeys --defaults > $HOME/.xbindkeysrc

before using the graphical application otherwise it will crash on saving.

Now, you are done. You can start using your extra buttons without installing any special driver!

HowTo: Install Alfresco on Linux (Sharepoint Alternative)

July 5, 2007 at 8:29 pm | Posted in Alfresco, Linux | 6 Comments

Alfresco is the leading open source alternative for enterprise content management. The open source model allows Alfresco to use best-of-breed open source technologies and contributions from the open source community to get higher quality software produced more quickly at much lower cost. Our goal is to not only provide an open source offering but to surpass commercial offerings in terms of features, functionality and benefits to the user community. Alfresco is built by a team of leading members from Documentum® and Interwoven® with 15 years experience in Enterprise Content Management (ECM), including the co-founder of Documentum.

  • Enterprise Content Management (ECM)
  • Document Management
  • Collaboration
  • Records Management
  • Knowledge Management
  • Web Content Management
  • Imaging

Alfresco provides a nice package that includes all of the programs you need for using Alfresco on your Linux machine. To download it, visit and select the release you want. You will be redirected to the Source Forge download page.

Select the alfresco-<version->linux-community.bin version of the file.

This contains MySQL, Java (JRE), Tomcat and Open Office.

To install simply execute this file. To do so, the following steps will be necessary:

  1. Change the permissions on the download so that it can be executed
    chmod a+x ./alfresco-<version->linux-community.bin
  2. (Optional) Become root to execute the installer
    su (or sudo -s on some platforms that have the super user account disabled by default)
  3. Execute the installer

Follow the instructions presented by the installer.

You will be asked for a location to install the software. If you skipped the “become root” step above, your home folder is selected by default. If you intend for Alfresco to be run by other users, or start on startup you should change this to a different location. Exit the installer and become root. If you are root, the default of /opt/alfresco-<version> will be selected. If you want to change it, /usr/local/alfresco-<version> will often be another good choice.

You will be asked to provide an initial password for the MySQL database.

You will be prompted for a MySQL port. If you already have a MySQL server on your machine you will need to change this. The quick installer cannot use a pre-existing MySQL installation. Linux Change Database Config has information on how you can change the database once Alfresco has been installed.

You will be asked for the name of the local domain. If your Linux machine is on a Windows Active Directory network, change this to be your local domain. Otherwise, the default of WORKGROUP will normally be fine.

Press “y” and your computer will begin installing Alfresco.

Decide if you want to view the Readme

Press “y” to start Alfresco.

    Job done! Wait a few seconds to allow Tomcat to start and fire up your favourite web browser and browse to The first time you use Alfresco, your username will be admin and your password will be admin.

    If you receive an error about OpenOffice being unable to open the display:

    1. Stop Alfresco by running <install location>/bin/ stop
    2. Follow these instructions to register OpenOffice and create a virtual XWindows environment for OpenOffice to run in
    3. Start Alfresco by running <install location>/bin/ start

    Howto Convert a .nrg (Nero) file to a .iso file in Ubuntu

    July 5, 2007 at 3:49 pm | Posted in Nero, Ubuntu | Leave a comment

    If you want to convert a .nrg file to a .iso file you can use the nrg2iso tool. nrg2iso is a program that extracts ISO9660 data from Nero “.nrg” CD-ROM image files.

    Install nrg2iso in Ubuntu

    sudo apt-get install nrg2iso

    Using nrg2iso


    nrg2iso [nrg-file] [iso-file]


    nrg2iso image.nrg image.iso

    Now you can burn your iso with your preferred linux burning app.

    Speed up dynamic linking Using Prelink in Ubuntu

    July 5, 2007 at 3:49 pm | Posted in prelink, Ubuntu | Leave a comment

    ELF prelinking utility to speed up dynamic linking. The prelink package contains a utility which modifies ELF shared libraries and executables, so that far fewer relocations need to be resolved at runtime and thus programs come up faster.

    Install Prelink in Ubuntu

    First you need to make sure you have enabled the Universe repositories in the /etc/apt/sources.list file, and you need to update the source list using the following command

    sudo apt-get update

    Install prelink using the following command

    sudo apt-get install prelink

    This will complete the installation

    Configuring Prelink

    You need to edit the /etc/default/prelink file with your favorite editor, as sudo/root

    sudo vi /etc/default/prelink

    Near the top of the file change the following line




    Adjust the other options if you know what you’re doing. The defaults work well. Save and exit the file.

    Start the first prelink run with the following command; it will take a long time

    sudo /etc/cron.daily/prelink

    In the future, prelink performs a quick prelink (a less-than-1-minute procedure on most systems) daily, usually at midnight. Every 14 days, or whatever you changed it to be, a full prelink will run.

    If you just did a major apt-get upgrade that changed systemwide libraries (i.e. libc6, glibc, major gnome/X libs, etc etc etc) and experience cryptic errors about libs, run the following command again

    sudo /etc/cron.daily/prelink

    To undo prelink,

    You need to edit the /etc/default/prelink file with your favorite editor, as sudo/root

    sudo vi /etc/default/prelink

    Near the top of the file change the following line




    Save and exit the file and rerun the following command

    sudo /etc/cron.daily/prelink

    Scanning for rootkits with chkrootkit

    July 5, 2007 at 2:46 pm | Posted in chkrootkit, Linux | Leave a comment

    Please see: Scanning for rootkits with chkrootkit

    How do I password-protect my website using .htaccess?

    July 5, 2007 at 2:39 pm | Posted in .htaccess, .htpasswd, apache | 2 Comments

    Htaccess can be used to password-protect directories on your web site. All files and any subdirectories within a directory protected by htaccess will also be protected. So, if you wish to protect your entire web site, simply setup htaccess in your public_html directory (the root of your web site). However, if you only wish to protect certain directories, you may do so separately.

    1. Change to the directory that you wish to protect

    In the following example we wish to protect a directory called private in our public_html directory.

    torch: ~$ cd public_html/private
    torch: ~/public_html/private$

    You also need to know the fully qualified path of the directory you wish to protect. So, from this directory, type pwd and remember the fully qualified path (you will need it in step 4).

    torch: ~/public_html/private$ pwd
    torch: ~/public_html/private$

    In the above example, the fully qualified path is /users/cs/johndoe/public_html/private.

    The remaining steps in this guide assume we are still in this directory.

    2. Create a file named .htaccess

    Use your favourite editor to create a file called .htaccess (note the period at the beginning of the filename). In the below example we will use pico.

    torch: ~/public_html/private$ pico .htaccess

    3. Add the appropriate lines to the .htaccess file.

    Using the editor you chose in step 2, input the following. You will need to modify the first 2 lines to match your configuration (see modifications below).

    AuthUserFile /users/cs/johndoe/public_html/private/.htpasswd
    AuthName "Title for Protected Site"
    AuthType Basic
    Require valid-user


    1. Beside AuthUserFile, put the fully qualified path you obtained in Step 1, with /.htpasswd immediately following it. The above example shows /users/cs/johndoe/public_html/private/.htpasswd
    2. Beside AuthName, input the words or phrase that you wish to appear as the title for the username/password input box.

    4. Create the .htpasswd file by adding users

    Next use the htpasswd command to create your password file and username/password pairs:

    torch: ~/public_html/private$ htpasswd -c .htpasswd bob
    New password:
    Re-type new password:
    Adding password for user bob
    torch: ~/public_html/private$

    This creates the .htpasswd file and the username bob. You will then be prompted for a password for bob, which will be stored in the .htpasswd file (note that it will be encrypted in this file for security).

    So, to create new users and change the password for existing users, switch to the protected directory you wish to add a user for, and type htpasswd .htpasswd username. Leave out the -c flag once the file exists: -c creates the file anew and discards every user already in it.

    torch: ~$ cd public_html/private
    torch: ~/public_html/private$ htpasswd .htpasswd username

    5. Set the permissions on your .htaccess and .htpasswd file

    Finally, from within your protected directory, make both the .htaccess and .htpasswd files world-readable. You can do this with the command chmod a+r .htaccess .htpasswd.

    torch: ~/public_html/private$ ls -al
    total 10
    drwxr-xr-x   2 johndoe    csugrad      512 Jan  7 14:30 .
    drwxr-xr-x   8 johndoe    csugrad      512 Jan  7 11:50 ..
    -rw-------   1 johndoe    csugrad      156 Jan  7 12:05 .htaccess
    -rw-------   1 johndoe    csugrad       18 Jan  7 11:59 .htpasswd
    torch: ~/public_html/private$ chmod a+r .htaccess .htpasswd
    torch: ~/public_html/private$ ls -al
    drwxr-xr-x   2 johndoe    csugrad      512 Jan  7 14:30 .
    drwxr-xr-x   8 johndoe    csugrad      512 Jan  7 11:50 ..
    -rw-r--r--   1 johndoe    csugrad      156 Jan  7 12:05 .htaccess
    -rw-r--r--   1 johndoe    csugrad       18 Jan  7 11:59 .htpasswd
    torch: ~/public_html/private$

    Above we can see that the permissions on .htaccess and .htpasswd change from -rw------- to -rw-r--r--.

    All done!

    Now, anytime you attempt to view your protected directory, any file within it, or recursively any subdirectory of it, you will be prompted for a username and password. Please refer back to Step 4 if you wish to add more users or change a user’s password.

    Troubleshooting / Common Problems

    Below are the most common problems experienced by users attempting to setup htaccess.

    1. Permissions on both .htaccess and .htpasswd – Both the .htaccess and .htpasswd files need to be world readable. Please refer to Step 5 to ensure this has been done properly.
    2. Fully qualified path to .htpasswd incorrect – The correct fully qualified path to a valid .htpasswd file must appear beside AuthUserFile in the .htaccess file. Please refer to Step 3 and verify this is correct.
    3. The username doesn’t exist in .htpasswd – When attempting to login as a user, they need to have been correctly added to the .htpasswd file using the htpasswd command. Please refer to Step 4 to double-check.
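The three checks in the troubleshooting list above can be scripted. The following shell function is an added example, not part of the original guide; the names htaccess_check and world_readable are hypothetical, and it assumes the file names and directives used in Steps 2 to 5.

```shell
#!/bin/sh
# Added example: diagnose the three common .htaccess problems from this guide.
# Usage: htaccess_check /users/cs/johndoe/public_html/private bob

# world_readable FILE: true if the "other" read bit is set (what chmod a+r grants).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# htaccess_check DIR USER
# Prints one line per finding; returns the number of FAIL findings (0 = OK).
htaccess_check() {
    dir=$1
    user=$2
    problems=0
    ht="$dir/.htaccess"

    if [ ! -f "$ht" ]; then
        echo "FAIL: $ht not found"
        return 1
    fi

    # Problem 1: both files must be world-readable (Step 5).
    if ! world_readable "$ht"; then
        echo "FAIL: $ht is not world-readable; run chmod a+r"
        problems=$((problems + 1))
    fi

    # Problem 2: AuthUserFile must hold the fully qualified path (Step 3).
    # Directive names are case-insensitive; surrounding quotes are stripped.
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$ht" | tr -d '"')
    case "$pwfile" in
        "")
            echo "FAIL: no AuthUserFile line in $ht"
            return $((problems + 1)) ;;
        /*) ;;
        *)
            echo "FAIL: AuthUserFile '$pwfile' is not a fully qualified path"
            return $((problems + 1)) ;;
    esac
    if [ ! -f "$pwfile" ]; then
        echo "FAIL: AuthUserFile '$pwfile' does not exist"
        return $((problems + 1))
    fi
    if ! world_readable "$pwfile"; then
        echo "FAIL: $pwfile is not world-readable; run chmod a+r"
        problems=$((problems + 1))
    fi

    # Problem 3: the user needs a "user:hash" entry in the password file (Step 4).
    if ! awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$pwfile"; then
        echo "FAIL: user '$user' has no entry in $pwfile"
        problems=$((problems + 1))
    fi

    # Not one of the three problems, but worth knowing: a password file inside
    # the served directory stays private only while the server refuses
    # requests for .ht* files.
    case "$pwfile" in
        "$dir"/*) echo "WARN: $pwfile is inside the protected web directory" ;;
    esac

    if [ "$problems" -eq 0 ]; then
        echo "OK: no common problems found for '$user'"
    fi
    return "$problems"
}
```

The check reads permission bits only, so it reports the same result whichever account runs it.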

    How do I remove htaccess protection?

    To remove htaccess protection, simply delete or rename the .htaccess file in the directory you wish to remove protection from. The below example shows how to rename .htaccess to .htaccess-old.

    torch: ~/public_html/private$ mv .htaccess .htaccess-old

    Security Concerns

    Should I be using .htaccess to protect highly sensitive data?

    If you decide to protect something using .htaccess, be sure to understand one thing: the protection of your data relies upon the web server configuration. This means if the configuration changes, it might be possible for someone to retrieve your data. As a general rule, it’s bad practice to place anything highly confidential or critical on a web server, period. There are numerous other options for storing and accessing sensitive data. Always remember, the web was originally designed for public access, and so access control is really an addition.

    Username/Password Transmission

    If the page you are protecting is http and not secure http, then your username and password will be sent across the network in plain text. A secure http address is always prefixed with https:// instead of http://. If you are accessing any site through http://, you should be aware that it is possible for someone to capture your traffic and extract your password. A good guideline to follow is ensuring that all htaccess passwords do not correspond with any other passwords. Do not forget that you are solely responsible for keeping your password private.


    If you’re looking to implement this on your own web server, then you should bypass htaccess altogether and simply enter the commands into the httpd.conf (apache configuration) file and specify which directories to which this should apply. The commands that are valid within htaccess are also valid in your apache configuration file. Putting it in the apache configuration helps to speed things up and simplifies web server management.
