The Honeynet Project, List of Projects

Projects

Capture BAT

Capture BAT is a behavioral analysis tool for applications on the Win32 family of operating systems. It monitors the state of a system during the execution of applications and the processing of documents, which gives an analyst insight into how the software operates even when no source code is available. Capture BAT monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations. Capture BAT is developed and maintained by Christian Seifert of the NZ Chapter.

Capture-HPC

Capture-HPC is a high-interaction client honeypot framework. It identifies malicious servers by interacting with potentially malicious servers from a dedicated virtual machine and observing that machine for unauthorized state changes. Developed by Christian Seifert and Ramon Steenson of the New Zealand Chapter.

Glastopf

Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among other things, deface the web site, send spam, turn the web site into a bot, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to set up, and once it has been indexed by search engines, attacks pour in by the thousands daily. Glastopf was developed as part of the 2009 Google Summer of Code by student Lukas Rist (mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org/.

Google Hack Honeypot

Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers. It is designed to provide reconnaissance against attackers that use search engines as a hacking tool. Developed by Ryan McGeehan & Brian Engert of the Chicago Chapter.

High Interaction Honeypot Analysis Toolkit (HIHAT)

This tool transforms arbitrary PHP applications into web-based high-interaction honeypots. Apart from the ability to create high-interaction honeypots, HIHAT also comprises a graphical user interface which supports monitoring the honeypot and analysing the acquired data. Finally, it generates an IP-based geographical map of the attack sources and extensive statistics. HIHAT is developed and maintained by Michael Mueter of the Giraffe Chapter.

HoneyBow

HoneyBow is a high-interaction malware collection toolkit and can be integrated with nepenthes and the mwcollect Alliance’s GOTEK architecture. Developed and maintained by the Chinese Chapter.

HoneyC

HoneyC is a low-interaction client honeypot framework that allows one to find malicious servers on a network. Instead of using a fully functional operating system and client to perform this task, HoneyC uses emulated clients that solicit as much of a response from a server as is necessary for analysis of malicious content. Developed by Christian Seifert of the New Zealand Chapter.

Honeyd

Honeyd is a very flexible low-interaction honeypot used for capturing attacker activity. Developed and maintained by Niels Provos of the Global Chapter.

Honeymole

Honeymole is used for honeypot farms: you deploy multiple sensors that redirect traffic to a centralized collection of honeypots. Developed and maintained by the Portuguese Chapter.

Honeysnap

Honeysnap is the primary tool used for extracting and analyzing data from pcap files, including IRC communications. Developed and maintained by Arthur Clune of the UK Chapter.
For more information or questions, please join the mailing list (details on the project home page).

Honeystick

Honeystick is a bootable Honeynet on a USB device. It includes both the Honeywall and honeypots on a single, portable device. Developed and maintained by the UK Honeynet Project.

Honeytrap

Honeytrap is a tool for observing novel attacks against network services by starting dynamic servers. It performs some basic data analysis and downloads malware automatically. Developed by Tillmann Werner of the Giraffe Chapter.

Honeywall CDROM

Honeywall CDROM is our primary high-interaction tool for capturing, controlling and analyzing attacks. It creates an architecture that allows you to deploy both low-interaction and high-interaction honeypots, but is designed primarily for high-interaction.
For more information, please see the project TRAC page.

nepenthes – the finest collection

Nepenthes is a versatile tool for collecting malware. It acts passively by emulating known vulnerabilities and downloading the malware that tries to exploit them.

Pehunter

Pehunter is a Snort dynamic preprocessor that grabs Windows executables off the network. It is intended to sit inline in front of high-interaction honeypots. Developed and maintained by Tillmann Werner of the Giraffe Chapter.

PicViz – Data Visualization Tool

Picviz is a parallel coordinates[1] plotter which enables easy scripting from various inputs (tcpdump, syslog, iptables logs, Apache logs, etc.) to visualize your data and discover interesting results quickly. This way, you can find in millions of events malicious things you were not thinking about and that no regex-based program would find for you.

[1] http://en.wikipedia.org/wiki/Parallel_coordinates

Sebek

Sebek is a kernel module installed on high-interaction honeypots for the purpose of extensive data collection. It allows administrators to collect activity such as keystrokes on the system, even in encrypted environments. Designed primarily for Win32 and Linux systems.

Tracker

Tracker facilitates the identification of abnormal DNS activity. It finds domains that resolve to a large number of IPs in a short period of time, then continues to track those hostname->IP mappings until either the hostname no longer responds or the user decides to stop tracking that hostname. It is very effective at finding fast-flux domains and other dodgy A-record rotations. Tracker is a tool developed by the Honeynet Project Australian Chapter.
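The detection idea behind Tracker, a hostname resolving to many distinct IPs within a short window, is illustrated below as an added example in Python. This is not Tracker's own code; the log format, the ten-minute window, the threshold of five distinct addresses and the sample records (all in documentation address ranges) are constructed assumptions. A small tracker class then follows the flagged names until a lookup fails repeatedly or the operator stops it, as the description above outlines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS style observations (not from the page):
# "<ISO timestamp> <hostname> <record type> <address>"
SAMPLE_LOG = """\
2009-03-01T10:00:00 cdn.example.net A 192.0.2.10
2009-03-01T10:00:01 fluxy.example.org A 198.51.100.11
2009-03-01T10:01:00 fluxy.example.org A 198.51.100.12
2009-03-01T10:02:00 fluxy.example.org A 198.51.100.13
2009-03-01T10:03:00 fluxy.example.org A 198.51.100.14
2009-03-01T10:04:00 fluxy.example.org A 198.51.100.15
2009-03-01T10:05:00 fluxy.example.org A 198.51.100.11
2009-03-01T10:06:00 fluxy.example.org A 198.51.100.16
2009-03-01T10:30:00 cdn.example.net A 192.0.2.11
2009-03-01T10:00:30 slow.example.org A 203.0.113.1
2009-03-01T10:40:30 slow.example.org A 203.0.113.2
2009-03-01T11:20:30 slow.example.org A 203.0.113.3
2009-03-01T12:00:30 slow.example.org A 203.0.113.4
2009-03-01T12:40:30 slow.example.org A 203.0.113.5
2009-03-01T13:20:30 slow.example.org A 203.0.113.6
"""


def parse_line(line):
    """Split one observation into (timestamp, hostname, record type, address)."""
    ts, host, rtype, addr = line.split()
    return datetime.fromisoformat(ts), host.lower(), rtype, addr


def find_flux_candidates(lines, window=timedelta(minutes=10), min_ips=5):
    """Return {hostname: sorted list of all addresses seen} for every hostname
    whose A records covered at least `min_ips` distinct addresses inside any
    `window`-long interval. A sliding window over the time-sorted observations
    keeps the count exact without comparing every pair of records."""
    observations = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, rtype, addr = parse_line(line)
        if rtype == "A":
            observations[host].append((ts, addr))

    flagged = {}
    for host, events in observations.items():
        events.sort()
        in_window = {}   # address -> number of observations inside the window
        start = 0
        for ts, addr in events:
            in_window[addr] = in_window.get(addr, 0) + 1
            while ts - events[start][0] > window:   # evict observations that fell out
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_ips:
                flagged[host] = sorted({a for _, a in events})
                break
    return flagged


class MappingTracker:
    """Keep following hostname->IP mappings for flagged names until the name
    stops resolving (`max_failures` failed lookups in a row) or stop() is called."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.mappings = defaultdict(set)
        self.failures = {}

    def track(self, host):
        self.failures.setdefault(host, 0)

    def stop(self, host):
        self.failures.pop(host, None)

    @property
    def tracked(self):
        return set(self.failures)

    def record(self, host, addresses):
        """Feed the result of a fresh lookup (empty list = lookup failed).
        Returns True while the host is still being tracked."""
        if host not in self.failures:
            return False
        if not addresses:
            self.failures[host] += 1
            if self.failures[host] >= self.max_failures:
                self.stop(host)
                return False
            return True
        self.failures[host] = 0
        self.mappings[host].update(addresses)
        return True


if __name__ == "__main__":
    for host, addrs in find_flux_candidates(SAMPLE_LOG.splitlines()).items():
        print(host, "resolved to", len(addrs), "addresses:", ", ".join(addrs))
```

Note that slow.example.org also rotates through six addresses, but spread over three hours, so the window keeps it out of the result; the window and threshold are the knobs that separate legitimate round-robin or CDN rotation from fast flux, and they should be tuned against local traffic before alerting on them.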



Managing Users

To use user authentication, you’ll need to edit and manage user files and group files.


Using htpasswd to manage user files

To deal with user files, we provide a program in the support directory of the distribution called htpasswd. Usage:

htpasswd [-c] file user

The -c, if present, tells htpasswd to create a new passwd file of the specified name instead of editing an old one. file is the pathname of the user file you wish to edit. The user parameter is the name of the user you wish to add or edit.

If htpasswd finds the user you specified, it will ask you to change the user’s password. Type the new password (it will ask twice). The file will then be updated.

If htpasswd doesn’t find the specified user, it will ask you to give the user an initial password.


Group files

The format of the group file is as follows:

groupname: member1 member2 ...

That is, each line contains the name of a group, followed by a list of members separated by spaces.



<Directory /u/Web>
Options All
<Limit GET>
order allow,deny
allow from all
</Limit>
</Directory>

<Directory /u/Web/docs/info>
AuthType Basic
AuthUserFile /usr/local/etc/httpd/conf/.htpasswd
AuthGroupFile /usr/local/etc/httpd/conf/.htgroup
</Directory>

<Directory /u/Web/docs/info/ncsaonly>
<Limit GET>
order deny,allow
deny from all
allow from .ncsa.uiuc.edu
</Limit>
</Directory>

<Directory /u/Web/docs/info/nonncsa>
<Limit GET>
order allow,deny
allow from all
deny from .ncsa.uiuc.edu
</Limit>
</Directory>

<Directory /u/Web/docs/info/carlosonly>
AuthName Carlos Gold Info
<Limit GET>
require user cvarela
</Limit>
</Directory>

<Directory /u/Web/docs/info/xmosdonly>
AuthName The X Club
<Limit GET>
require group mosaic-x-dev
</Limit>
</Directory>

<Directory /u/Web/docs/info/carlos-and-void>
AuthName Carlos Gold Info
<Limit GET>
order deny,allow
deny from all
allow from void.ncsa.uiuc.edu
require user cvarela
</Limit>
</Directory>

<Directory /u/Web/docs/info/carlos-or-void>
AuthName Carlos Gold Info
<Limit GET>
order mutual-failure
deny from all
allow from void.ncsa.uiuc.edu
require user cvarela
</Limit>
</Directory>
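To make the user file, the group file and the directory blocks above concrete, the following Python models how a server decides a GET request under those rules. It is an added example, not NCSA HTTPd code and not part of the original page. The user and group files are constructed; password entries use the {SHA} form that Apache's htpasswd writes with its -s option (base64 of the SHA-1 of the password) rather than the crypt(3) form the NCSA-era tool produced; client host names are assumed to be already resolved; and order mutual-failure is not modelled, only allow,deny and deny,allow.

```python
import base64
import hashlib
import hmac


def sha_entry(password):
    """Password field in the "{SHA}" htpasswd form: base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed sample files (not from the page).
HTPASSWD_TEXT = "\n".join([
    "cvarela:" + sha_entry("gold-info-2009"),
    "mosaicdev:" + sha_entry("x11-forever"),
])
HTGROUP_TEXT = "mosaic-x-dev: mosaicdev cvarela\nstaff: mosaicdev\n"


def parse_htpasswd(text):
    """One 'user:hash' per line -> {user: hash}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def parse_htgroup(text):
    """'groupname: member1 member2 ...' per line -> {group: set of members}."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            group, _, members = line.partition(":")
            groups[group.strip()] = set(members.split())
    return groups


USERS = parse_htpasswd(HTPASSWD_TEXT)
GROUPS = parse_htgroup(HTGROUP_TEXT)


def password_ok(user, password):
    stored = USERS.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_entry(password))   # constant-time compare


def host_matches(host, pattern):
    """'all', an exact host name, or a '.domain' suffix as in 'allow from .ncsa.uiuc.edu'."""
    host, pattern = host.lower(), pattern.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def host_allowed(order, allow, deny, host):
    in_allow = any(host_matches(host, p) for p in allow)
    in_deny = any(host_matches(host, p) for p in deny)
    if order == "allow,deny":       # default deny; a deny match overrides an allow match
        return in_allow and not in_deny
    if order == "deny,allow":       # default allow; an allow match overrides a deny match
        return in_allow or not in_deny
    raise ValueError("order %r not modelled here" % order)


# The directory blocks from the page, as policies for GET (the <Limit GET> sections).
POLICIES = {
    "ncsaonly": dict(order="deny,allow", deny=["all"], allow=[".ncsa.uiuc.edu"]),
    "nonncsa": dict(order="allow,deny", allow=["all"], deny=[".ncsa.uiuc.edu"]),
    "carlosonly": dict(require_users=["cvarela"]),
    "xmosdonly": dict(require_groups=["mosaic-x-dev"]),
    "carlos-and-void": dict(order="deny,allow", deny=["all"],
                            allow=["void.ncsa.uiuc.edu"], require_users=["cvarela"]),
}


def authorize(policy, host, user=None, password=None):
    """Host rules first, then 'require user'/'require group'; both must pass."""
    order = policy.get("order")
    if order and not host_allowed(order, policy.get("allow", []), policy.get("deny", []), host):
        return False
    req_users = policy.get("require_users", [])
    req_groups = policy.get("require_groups", [])
    if not req_users and not req_groups:
        return True                      # no authentication demanded
    if user is None or not password_ok(user, password):
        return False
    if user in req_users:
        return True
    return any(user in GROUPS.get(g, set()) for g in req_groups)
```

The two host orders differ only in their default: under allow,deny a host that matches nothing is refused, under deny,allow it is admitted, which is why the page's ncsaonly and nonncsa blocks invert both the order and the lists. Whenever a block carries a require directive, a matching host alone is not enough; the credentials must also check out.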

International Computer Science Institute Networking Articles

Publications

Networking

__/__/2009
Efficient MAC in Cognitive Radio Networks: A Game-Theoretic Approach

M. Felegyhazi, M. Cagalj, and J.-P. Hubaux

Transactions on Wireless Communications (TWC), to appear

__/__/2009
Barter Trade Improves Message Delivery in Opportunistic Networks

L. Buttyan, L. Dora, M. Felegyhazi, and I. Vajda

Elsevier Ad Hoc Networks Journal, to appear

04/__/2009
Efficient Application Placement in a Dynamic Hosting Platform

Z. Al-Qudah, H. Alzoubi, M. Allman, M. Rabinovich, and V. Liberatore

Proceedings of International World Wide Web Conference, Madrid, Spain, to appear

04/__/2009
Comments on Selecting Ephemeral Ports

M. Allman

ACM Computer Communication Review, under submission

03/__/2009
Open Source vs. Closed Source Software: Towards Measuring Security

G. Schryen and R. Kadura

Proceedings of the Annual ACM Symposium on Applied Computing, Honolulu, Hawaii, to appear

03/__/2009
Automating Analysis of Large-Scale Botnet Probing Events

Z. Li, A. Goyal, Y. Chen, and V. Paxson

Proceedings of ACM Symposium on Information, Computer, and Communication Security (ASIACCS 2009), Sydney, Australia, to appear

02/__/2009
Tiered Fault Tolerance for Long-Term Integrity

B. Chun, P. Maniatis, S. Shenker, and J. Kubiatowicz

Proceedings of USENIX Conference on File and Storage Technologies (FAST), San Francisco, California, to appear

02/__/2009
Minuet: Rethinking Concurrency Control in Storage Area Networks

A. Ermolinskiy, D. Moon, B. Chun, and S. Shenker

Proceedings of USENIX Conference on File and Storage Technologies (FAST), San Francisco, California, to appear

02/__/2009
Detecting Forged TCP Reset Packets

N. Weaver, R. Sommer, and V. Paxson

Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS 2009), San Diego, California, to appear

__/__/2008
An Analysis of Internet Voting Security: The Case of Estonia

G. Schryen

Proceedings of the Workshop on e-Business (WEB 2008), Paris, France, 13 December 2008. Also to appear in Lecture Notes on Business Information Processing, Springer Heidelberg

10/__/2008
Spamalytics: An Empirical Analysis of Spam Marketing Conversion

C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage

Proceedings of the 15th ACM Conference on Computer and Communications Security (ACM CCS), Alexandria, Virginia, pp. 3-14

10/__/2008
Revocation Games in Ephemeral Networks

M. Raya, M. H. Manshaei, M. Felegyhazi, and J.-P. Hubaux

Proceedings of ACM Computer and Communications Security (CCS), pp. 199-210, Alexandria, Virginia

10/__/2008
Reducing Transient Disconnectivity Using Anomaly-Cognizant Forwarding

A. Ermolinskiy and S. Shenker

Proceedings of the 7th ACM Workshop on Hot Topics in Networks (HotNets-VII), Calgary, Canada, pp. 91-96

10/__/2008
Pathlet Routing

P. B. Godfrey, S. Shenker, and I. Stoica

Proceedings of the 7th ACM Workshop on Hot Topics in Networks (HotNets-VII), Calgary, Canada, pp. 97-102

10/__/2008
Rethinking Packet Forwarding Hardware

D. Moon, M. Casado, T. Koponen, and S. Shenker

Proceedings of ACM Special Interest Group on Data Communications Workshop on Hot Topics in Networks (HotNets-VII), Calgary, Canada, pp. 1-6

09/__/2008
Predicting the Resource Consumption of Network Intrusion Detection Systems

H. Dreger, A. Feldmann, V. Paxson, and R. Sommer

Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), Cambridge, Massachusetts, pp. 135-154

08/__/2008
Enriching Network Security Analysis with Time Travel

G. Maier, R. Sommer, H. Dreger, A. Feldmann, V. Paxson, and F. Schneider

Proceedings of ACM Special Interest Group on Data Communications Conference (SIGCOMM 2008), pp. 183-194, Seattle, Washington

08/__/2008
TCP Slow Start Survey: Standards and Issues

M. Allman

IETF Internet-Draft, Draft-ietf-tcpm-early-rexmt-00.txt, in progress

08/__/2008
Packet Caches on Routers: The Implications of Universal Redundant Traffic Elimination

A. Anand, A. Gupta, A. Akella, S. Seshan, and S. Shenker

Proceedings of ACM Special Interest Group on Data Communications Conference (SIGCOMM 2008), San Diego, California, pp. 219-230

08/__/2008
Accountable Internet Protocol (AIP)

D. Andersen, H. Balakrishnan, N. Feamster, T. Koponen, D. Moon, and S. Shenker

Proceedings of ACM Special Interest Group on Data Communications Conference (SIGCOMM 2008), Seattle, Washington, pp. 339-350

07/__/2008
RFC 5290: Comments on the Usefulness of Simple Best-Effort Traffic

S. Floyd and M. Allman

Request for Comments 5290, Informational

07/__/2008
IMRG Workshop on Application Classification and Identification Report

T. Strayer, M. Allman, G. Armitage, S. Bellovin, S. Jin and A. W. Moore

Editorial contribution to ACM Computer Communication Review, Vol. 38, Issue 3, pp. 87-90, July 2008

07/__/2008
Principles for Developing Comprehensive Network Visibility

M. Allman, C. Kreibich, V. Paxson, R. Sommer, and N. Weaver

Proceedings of USENIX Workshop on Hot Topics in Security (HotSec ’08), San Jose, California

07/__/2008
A Tool for Offline and Live Testing of Evasion Resilience in Network Intrusion Detection Systems

L. Juan, C. Kreibich, C.-H. Lin, and V. Paxson

Proceedings of the 5th GI International Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Paris, France, pp. 267-278

07/__/2008
NOX: Towards an Operating System for Networks

N. Gude, T. Koponen, J. Pettit, B. Pfaff, M. Casado, N. McKeown, and S. Shenker

ACM SIGCOMM Computer Communications Review, Vol. 38, Issue 3, pp. 105-110

06/__/2008
Diverse Replication for Single-Machine Byzantine-Fault Tolerance

B.-C. Chun, P. Maniatis, and S. Shenker

Proceedings of USENIX Annual Technical Conference, Boston, Massachusetts, pp. 287-292

05/__/2008
Efficient and Robust TCP Stream Normalization

M. Vutukuru, H. Balakrishnan, and V. Paxson

Proceedings of IEEE Symposium on Security and Privacy, Oakland, California, pp. 96-110

04/__/2008
NetComplex: A Complexity Metric for Network System Designs

B-G. Chun, S. Ratnasamy, and E. Kohler

To appear in Proceedings of NSDI 2008

04/__/2008
A Reactive Measurement Framework

M. Allman and V. Paxson

Proceedings of Passive and Active Measurement Conference, Cleveland, Ohio, pp. 92-101

04/__/2008
On Community-Oriented Internet Measurement

M. Allman, L. Martin, M. Rabinovich, and K. Atchinson

Proceedings of Passive and Active Measurement Conference, Cleveland, Ohio, pp. 112-121

04/__/2008
What Ought a Program Committee to Do?

M. Allman

Proceedings of USENIX Workshop on Organizing Workshops, Conferences, and Symposia for Computer Systems (WOWCS), San Francisco, California

04/__/2008
Thoughts on Reviewing

M. Allman

ACM Computer Communication Review, Vol. 38, Issue 2, pp. 47-50

04/__/2008
On the Spam Campaign Trail

C. Kreibich, C. Kanich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage

Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats, San Francisco, California

04/__/2008
OpenFlow: Enabling Innovation in Campus Networks

N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner

ACM Computer Communication Review, Vol. 38, Issue 2, pp. 69-74

04/__/2008
Detecting In-Flight Page Changes with Web Tripwires

C. Reis, S. Gribble, T. Kohno, and N. Weaver

Proceedings of USENIX Symposium on Networked Systems Design and Implementation (NSDI), San Francisco, pp. 31-44

03/__/2008
RFC 5166: Metrics for the Evaluation of Congestion Control Mechanisms

S. Floyd

RFC 5166, Informational, March 2008

03/__/2008
Towards a Common TCP Evaluation Suite

L. Andrew, C. Marcondes, S. Floyd, L. Dunn, R. Guillier, W. Gang, L. Eggert, S. Ha, and I. Rhee

Proceedings of the International Workshop on Protocols for Fast Long-Distance Networks (PFLDnet), Manchester, United Kingdom

__/__/2007
Distributed Algorithmic Mechanism Design

J. Feigenbaum, M. Schapira, and S. Shenker

Chapter in Algorithmic Game Theory, Cambridge University Press, pp. 363-384

__/__/2007
A Modular Sensornet Architecture: Past, Present, and Future Directions

A. Tavakoli, P. Dutta, J. Jeong, S. Kim, J. Ortiz, P. Levis, S. Shenker

WWSNA 2007

__/__/2007
An Architecture for Energy Management in Wireless Sensor Networks

X. Jiang, J. Taneja, J. Ortiz, A. Tavakoli, P. Dutta, J. Jeong, D. Culler, P. Levis, and S. Shenker

WWSNA 2007

__/__/2007
Loss and Delay Accountability for the Internet

K. Argyraki, P. Maniatis, O. Irzak, A. Subramanian, and S. Shenker

ICNP 2007

__/__/2007
Attested Append-Only Memory: Making Adversaries Stick to their Word

B.-G. Chun, P. Maniatis, S. Shenker, and J. Kubiatowicz

SOSP 2007

11/__/2007
Enabling an Energy-Efficient Future Internet Through Selectively Connected End Systems

M. Allman, K. Christensen, B. Nordman, and V. Paxson

Proceedings of ACM Special Interest Group on Data Communications Workshop on Hot Topics in Networks (ACM SIGCOMM HotNets-VI), Atlanta, Georgia

10/__/2007
A Data-oriented (and Beyond) Network Architecture

T. Koponen, M. Chawla, B.-G. Chun, A. Ermolinskiy, K.H. Kim, S. Shenker, and I. Stoica

Computer Communication Review, Vol. 37, Issue 4, ACM, pp. 181-192

10/__/2007
Issues and Etiquette Concerning Use of Shared Measurement Data

M. Allman and V. Paxson

Proceedings of ACM SIGCOMM Conference on Internet Measurement, San Diego, California, pp. 135-140

10/__/2007
A Brief History of Scanning

M. Allman, V. Paxson, and J. Terrell

Proceedings of ACM SIGCOMM Conference on Internet Measurement, San Diego, California, pp. 77-82

10/__/2007
Shunting: A Hardware/Software Architecture for Flexible, High-Performance Network Intrusion Prevention

J. Gonzalez, V. Paxson, and N. Weaver

Proceedings of ACM Computer and Communication Security Conference (ACM CCS), Alexandria, Virginia, pp. 139-149

10/__/2007
An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants

J. Franklin, V. Paxson, A. Perrig, and S. Savage

Proceedings of ACM Computer and Communication Security Conference (ACM CCS), Alexandria, Virginia, pp. 375-388

09/__/2007
The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware

M. Vallentin, R. Sommer, J. Lee, C. Leres, V. Paxson, and B. Tierney

Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID), Queensland, Australia

08/__/2007
Resolving Inter-domain Policy Disputes

C.T. Ee, V. Ramachandran, B.-G. Chun, K. Lakshminarayanan, and S. Shenker

Proceedings of Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM 2007), ACM, pp. 157-168, Kyoto, Japan

08/__/2007
Specifying New Congestion Control Algorithms

S. Floyd and M. Allman

Request For Comments 5033, Best Current Practice 133

08/__/2007
Hidden-Action in Network Routing

M. Feldman, J. Chuang, I. Stoica, and S. Shenker

IEEE Journal on Selected Areas in Communications, Vol. 25, Issue 6, IEEE Computer Society, pp. 1161-1172

08/__/2007
Ethane: Taking Control of the Enterprise

M. Casado, M. Freedman, J. Pettit, N. McKeown, and S. Shenker

SIGCOMM 2007

08/__/2007
Achieving Convergence-Free Routing using Failure-Carrying Packets

K. Lakshminarayanan, M. Caesar, M. Rangan, T. Anderson, S. Shenker, and I. Stoica

SIGCOMM 2007

08/__/2007
The Strengths of Weaker Identities: Opportunistic Personas

M. Allman, C. Kreibich, V. Paxson, R. Sommer, and N. Weaver

Proceedings of USENIX Workshop on Hot Topics in Security (HotSec ’07), Boston, Massachusetts

08/__/2007
Stress Testing Cluster Bro

N. Weaver and R. Sommer

Proceedings of USENIX DETER Community Workshop on Cyber Security Experimentation and Test, Boston, Massachusetts

07/__/2007
On the Adaptive Real-Time Detection of Fast-Propagating Network Worms

J. Jung, R. Milito, and V. Paxson

Proceedings of the 4th GI International Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), Lucerne, Switzerland, pp. 175-192. Also Journal on Computer Virology, Vol. 4, Number 1, pp. 197-210, February 2008

05/__/2007
Determining an Appropriate Sending Rate Over an Underutilized Network Path

P. Sarolahti, M. Allman, and S. Floyd

Computer Networks Special Issue on Protocols for Fast, Long-Distance Networks, 51(7), May 2007

05/__/2007
An Architecture for Exploiting Multi-Core Processors to Parallelize Network Intrusion Prevention

V. Paxson, R. Sommer, and N. Weaver

Proceedings of IEEE Sarnoff Symposium, pp. 1-7, Princeton, New Jersey

04/__/2007
X-trace: A Pervasive Network Tracing Framework

R. Fonseca, G. Porter, R.H. Katz, S. Shenker, and I. Stoica

Proceedings of Symposium on Networked Systems Design and Implementation (NSDI 2007), USENIX/ACM, pp. 271-284, Cambridge, Mass.

04/__/2007
RFC 4828: TCP Friendly Rate Control (TFRC): the Small-Packet (SP) Variant

S. Floyd and E. Kohler

RFC 4828, Experimental, April 2007

04/__/2007
A Declarative Sensornet Architecture

A. Tavakoli, D. Chu, J. Hellerstein, P. Levis, and S. Shenker

in ACM SIGBED Review, Special Edition on International Workshop on Wireless Sensor Network Architecture (WWSNA 2007), Vol. 4, Issue 3, pp. 55-60, Cambridge, Mass.

02/__/2007
The Shunt: An FPGA-Based Accelerator for Network Intrusion Prevention

N. Weaver, V. Paxson, and J.M. Gonzalez

Proceedings of International Symposium on Field Programmable Gate Arrays (FPGA), Monterey, California, pp. 199-206

02/__/2007
Congestion Control Without a Startup Phase

D. Liu, M. Allman, S. Jin, and L. Wang

To appear in Proceedings of Protocols for Fast, Long Distance Networks Workshop

01/__/2007
RFC 4782 Quick-Start for TCP and IP

S. Floyd, M. Allman, A. Jain, and P. Sarolahti

Request For Comments 4782

__/__/2006
End-host Controlled Multicast Routing

K. Lakshminarayanan, A. Rao, I. Stoica, and S. Shenker

Elsevier Computer Networks, Special Issue on Overlay Distribution Structures and their Applications.

__/__/2006
The Design and Implementation of a Declarative Sensor Network System

D. Chu, L. Popa, A. Tavakoli, J. Hellerstein, P. Levis, S. Shenker, and I. Stoica

Technical Report EECS-2006-132, EECS Department, University of California, Berkeley

__/__/2006
Service Portability

S. Singh, S. Shenker, and G. Varghese

Proceedings of Hotnets 2006

Perl CGI Script to manage multiple usernames/passwords

NOTE: Not Freeware.

.htaccess manager : New Version 3.3

This is a perl CGI script used to manage multiple usernames/passwords for .htaccess/.htpasswd directory protection. This works on most web sites and can be used to handle many password protected folders. In addition to storing the username and encrypted password, you may add additional info for your members such as name, e-mail and comments to help you manage who has access to your “members only” web site. New features include setting an expiration date for a user, keyword search of your members’ list and batch removal of users.

FEATURES

Adding a New user

The “Add User” function is the first that appears after logging into the script. You just need to supply a username and password then click “Add User”. All the other fields are optional. Even the password field can be left blank and the program will pick one at random. You can also supply the member’s name, e-mail address and a short comments field. If you check the box “Check to email new entry to user”, this will tell the program to send out an email with pre-configured text welcoming the user as a new member to your password protected area. If you do check this box, then you can also provide additional text in the large “Extra E-mail Text” box which will be passed along in the email sent out.

You can now add an expiration date for the user, enter it in the format YYYYMMDD (20030631 for example). The script does not automatically delete users but you have the option of sorting your user list by expiration date. This field is optional and you do not have to enter an expiration date.

View, Modify and Delete Users

The “List User” screen does three things: it provides a list of all your members, allows you to delete a member, and lets you modify any information for a particular member. The user list shows “Username – Member Name – Email address – comments”. You can easily control the size of this box by changing the scrollsize option in the program settings. To delete a user, all you have to do is highlight the record and click the delete button. To modify a user, you also highlight the record; then you can modify the password, name, email and comments fields. You can even check the box to resend their confirmation email. If one of your members forgets their password, you just come to this screen, highlight them, enter a new password, check the “e-mail” box and click “Modify User”.

Sort By Expiration : Will sort all of your members by expiration date in ascending order.
Sort by username : Sorts the list by username (the default view)
Keyword Search : Will search the username, name, email, comments and expiration field for whatever you type in

Change Directory

The “Change Protected Directory” screen allows you to manage password protection on another folder, which is easier than going back to the login screen. This screen displays the path you have set up under which your password protected directories are located. You just type in the new folder name and click “Change Directory”. This way you can use the script to manage as many password protected folders as you like. If you are protecting a folder within another folder, then you type in, for example, member_area/secure1, and the script will manage the “secure1” folder located in the “member_area” folder. You will also find two additional buttons on this screen. One is to view the .htaccess file and the other the .htpasswd file. This is a good thing to do every now and then so you can make backups of your member database.

Generate .htaccess File

When you first set up password protection on a folder, you need to create a .htaccess file inside it. You can either do this manually or have the script create this file for you. You do not need to do this every time you add a user. Once a .htaccess file has been created in a folder, you don’t need to run this function again. The Directory field will display the folder name you are about to generate a .htaccess file for. The Realm is the message that will be displayed in the pop-up box that appears when a user tries to log in to your secure area. If you want the script to create the file, then check the “Create .htaccess file on Server” box. As for the format you want, the majority of unix servers use “.htaccess file for apache”. Some web hosting companies use Cobalt RAQ or Zeus.

Password Retrieval (Version 3.2+)

You can now have your members generate new passwords for themselves if they forget their login information. To activate this feature in the script, send your users to :

http://www.yourdomain.com/admin.cgi?action=F&targetdir=dirname

Where “dirname” is the name of the directory you are protecting (the same directory you type in when accessing admin.cgi).
If a member forgets their username, they just type in their email address and it will be sent to them. If they forget their password, they just type in their e-mail and username then a new password will be generated.

Version 3.3 just added the option for users to select their own new password if they supply their username and their old password.

Extract E-mails

Extract E-mails allows you to export a list of all your members’ email addresses. The list will be formatted one email address per line. Some email programs require that each address have a comma after it which you can select when exporting. The addresses will appear on the next page which you can then copy/paste into Eudora/Outlook etc.

Mass E-mails (Version 3.2+)

Allows you to send a broadcast email message to all members. E-mails can be configured to send specific information about each user using the %tag%.
Example : Hello %name%,
Your userid is : %username%
Your email is : %email%
Your account expires on : %expiration%
Comments about your account : %comments%

Manual Import

If you have a large list of usernames that you want to add as members in just one click then the Manual Import feature will handle this. All you do is copy/paste or type the list into the large text box. Here is a sample of what the list would look like :
username,password
joe,joe123
jack,jack887
jane,janepass

You can also import the additional fields :
username, password, name, email, comments, expiration
joe,joe123,Joe Smith,joe@smith.com,friend
jack,jack887,Jack Smith,jack@smith.com,

Also, you can even leave the password field blank to have the script automatically generate it for you :
joe,,Joe Smith,joe@smith.com
jack,,Jack Smith,jack@smith.com
(note the two commas after each other)

You can also automatically send an email to each member that you import by checking the “Send E-mail” box. Even the comments field can be sent if you wish.
Whenever you run the import, the script will always check to make sure that the username doesn’t already exist. If any username in your list exists, no records will be imported.

Import From File

The import from file feature is for when you have a list of members too large to fit in the manual import box, or when another program exports the list of usernames/passwords to a file that needs to be imported later. By default, the file the program looks for is called htimport.txt and is located in the directory you are protecting. The format for records to be imported is the same as the manual import:
username,password
or
username,password,name,email,comments, expiration
or
username,,name,email,comments

Whenever you run the import, the script will always check to make sure that the username doesn’t already exist. If any username in your list exists, no records will be imported.
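The import record format shared by Manual Import and Import From File, the all-or-nothing duplicate check, the blank-password-means-generate rule and the %tag% substitution used by Mass E-mails are shown together below as an added example in Python. It is not the admin.cgi script's code and nothing on the page describes its internals; the sample records, the choice of treating a leading "username,..." line as a header, the rejection of a batch that repeats a username within itself, the strict YYYYMMDD validation of the expiration field and the {SHA} htpasswd form (what Apache's htpasswd -s writes) are all assumptions made here.

```python
import base64
import hashlib
import re
import secrets
import string
from dataclasses import dataclass
from datetime import datetime

# Field order of an import record; trailing fields may be omitted.
FIELDS = ("username", "password", "name", "email", "comments", "expiration")

# Constructed sample batch (not from the page): a header line, a full record,
# a record with trailing fields left empty, and one whose password must be generated.
SAMPLE_IMPORT = """username, password, name, email, comments, expiration
joe,joe123,Joe Smith,joe@smith.com,friend,20091231
jack,jack887,Jack Smith,jack@smith.com,
jane,,Jane Doe,jane@example.com
"""


@dataclass
class Member:
    username: str
    password: str
    name: str = ""
    email: str = ""
    comments: str = ""
    expiration: str = ""


class DuplicateUserError(ValueError):
    """Any clash with an existing username rejects the whole batch."""


def random_password(length=8):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parse_import(text, existing_usernames, generate=random_password):
    """Parse an import batch; return the Member list or raise without importing anything."""
    existing = set(existing_usernames)
    members, first = [], True
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(",")]
        if first and parts[0].lower() == "username":
            first = False
            continue                                  # header line, assumed optional
        first = False
        if len(parts) > len(FIELDS):
            raise ValueError("line %d: too many fields" % lineno)
        parts += [""] * (len(FIELDS) - len(parts))   # pad omitted trailing fields
        rec = dict(zip(FIELDS, parts))
        if not rec["username"]:
            raise ValueError("line %d: empty username" % lineno)
        if rec["expiration"]:
            datetime.strptime(rec["expiration"], "%Y%m%d")   # rejects impossible dates
        if not rec["password"]:
            rec["password"] = generate()              # blank password => generate one
        members.append(Member(**rec))
    names = [m.username for m in members]
    clashes = sorted(set(names) & existing)
    if clashes or len(set(names)) != len(names):
        raise DuplicateUserError("batch rejected, usernames already exist: %s" % clashes)
    return members


def htpasswd_line(member):
    """'user:{SHA}base64(sha1(password))', the form Apache's htpasswd -s writes."""
    digest = base64.b64encode(hashlib.sha1(member.password.encode()).digest()).decode()
    return "%s:{SHA}%s" % (member.username, digest)


TAG_RE = re.compile(r"%(\w+)%")
MAIL_TAGS = ("name", "username", "email", "expiration", "comments")


def render_template(template, member):
    """Replace the %tag% placeholders from the page; unknown tags are left untouched."""
    values = {tag: getattr(member, tag) for tag in MAIL_TAGS}
    return TAG_RE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


if __name__ == "__main__":
    for m in parse_import(SAMPLE_IMPORT, existing_usernames={"admin"}):
        print(htpasswd_line(m), "|", render_template("Hello %name%, your userid is %username%", m))
```

Because the duplicate check runs after the whole batch has been parsed, a clash anywhere in the list leaves the user file untouched, matching the all-or-nothing behaviour described above; a generated password is only ever handed to the member through the welcome e-mail, so it should not be logged elsewhere.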

Change Program Settings

This screen allows you to update configurations in the program without having to manually edit the admin.cgi script. The settings you can change are :
Base directory : The physical server path to where your protected folder or folders are located. (Not to be confused with the URL or domain name to your web site). example : /www/yourdomain/htdocs/

Password : The master password to access the admin.cgi script with.
Sendmail : The path to sendmail for your server.
Scroll Size : The number of members that will be displayed in the “List Users” screen before it scrolls.
Email From : Your e-mail address goes here. This is also the address used when sending email confirmations to your new members; they will see it in the From field. You can also add your name in parentheses : joe@smith.com (Joe Smith)
Email Subject : The subject of the emails which are sent out to new members.
Top of Email : The text that will appear in the email sent to users. After this text will come the username and password.
Bottom of Email : The text that will appear after the username/password and the end of the email.
The data for all these variables is stored in a file called adminvars.cgi
You do not need to create this file on the server. If the file is not there it will be created with default settings. If for some reason your script does not have permission to create the file, you may need to upload a blank one and chmod it to 777. The default admin password is test.

FAQ

  • Does my server support .htaccess ?
    In the majority of cases, if it is a Unix server running Apache, then yes. The best way to find out is to upload a .htaccess file to a subdirectory on your server, then open that directory in your browser and see whether it asks you to log in.

    • Here is one you can use on your site: upload the .htaccess file to a directory on your server (in ASCII mode), for example yourdomain.com/members/, then rename it to .htaccess (yes, that is a period in front of "htaccess").
    • Then, in your browser, go to http://www.yourdomain.com/members/. If you are prompted for a username and password, it works.
  • After a member enters their username/password to the protected directory, do they need to re-enter it each time they access a new file ?
    No. A .htaccess file protects every file in its directory and in all subdirectories below it. Once a user is authenticated, the browser re-sends the credentials with each request, so they have access to everything under that folder. If a user bookmarks a page in the secure area, they will be asked for the username and password again after closing and restarting the browser, since browsers keep Basic-auth credentials only for the session.
  • Can I protect multiple directories with the same list of users ?
    Yes. Have admin.cgi manage only one of the directories, then copy the same .htaccess file into each additional directory you want to protect. The .htaccess file states the full path of the .htpasswd file used to authenticate users, e.g. AuthUserFile /home/secure/.htpasswd, so every copy points at the same list.
  • Can I protect multiple directories with a different list of users ?
    Yes. Run admin.cgi and tell it to switch to the new directory to manage that directory's list of users. Each directory then has its own .htpasswd and .htaccess file.
  • Will this work with Frontpage Extensions ?
    Yes, about 90% of the time, as long as the directory you are protecting is set up as a regular directory in FrontPage and not as a "subweb". The point is to keep FrontPage from overwriting the .htaccess file that admin.cgi creates.
  • Can the script automatically send passwords to users who forget their login ?
    Yes, as of version 3.2. Provide your members with a link to admin.cgi?action=F&targetdir=dirname. They supply their e-mail address and username, and the script generates a new password and e-mails it to them. Note that the new password travels in the clear by e-mail, and anyone who knows a member's username and e-mail address can trigger a reset of that member's password, so expect the occasional nuisance reset.
  • How do I configure the e-mail that is sent to members ?
    When you add a new user, you have the option of sending them an e-mail with their new username/password (saves you the time of having to do it manually each time). You can configure the subject of the emails, the sender’s name and e-mail address (you) and the text in the body of the email. These settings can be changed by logging into admin.cgi and scrolling down to the section labeled “Change Program Settings”. You can read about this in the Features page.
  • How do I add a long list of users at once (instead of adding them one at a time) ?
    This is what the Manual Import feature does. After running the script, scroll down to “Manual Import” and you’ll see a large TEXT box, this is where you can copy/paste your list of users. See the Features page.
  • Will this script work on NT server ?
    No.
  • I don’t know anything about CGI, chmod etc. can I still use it ?
    Not a problem: we will install the script for you. When you place your order, be sure to provide your URL (http://….) and your FTP username and password. Almost all installs are completed the same day you place your order.
  • What if the program does not run on my server, is there a refund ?
    We will not charge your credit card until the program works successfully on your web hosting account/server. Credit cards are usually processed a few days after you submit your order.
  • File Permission Security on Shared Web Hosting

    Some web hosts allow you to create multiple users per account. Each user can have a domain assigned to its home directory, accessible via FTP or SSH/SCP. The problem with multiple users on the same account is that they share the same default Unix group, and the default permissions let their files be modified by any member of that group. Usually this is not a problem, as the account owner presumably trusts each user not to touch the others' files, but if one user's web application is hacked, every other user on the account is in danger.

    By default (on DreamHost) files in your account are created with mode 644 (or 664, depending on your umask) and directories with 775. That means any user can read your files, and any user in the same account group can add and move files in your freshly made directories. Your home directory is different: by default it is 751, meaning that members of your group can list and read it but cannot create anything in it. These group access schemes work because every user in your account has the same primary group, "pgxxxxxx", which is assigned to every new file you create. The usual way to protect users from web intrusion is to give the web-server user a separate group and remove it from the default group, so that an exploited script cannot traverse into other users' home directories; users who need to update a central web site are then added to the web-site group explicitly. This usual way does not work on DreamHost, because you cannot remove the web user from the default group, so unless you set the permissions of every new file explicitly, an intruder will be able to read it.

    To make managing permissions easier in interactive sessions, put "umask 007" in your .bash_profile; every new file and directory then gets no permissions for "other" (660 and 770). Your scripts (web, cron or shell) must also set the mode of critical files explicitly. To protect account users from another user's hacked script, define a separate group for each user and change the group ownership of that user's home directory to it, with the setgid bit set (and, optionally, umask 007 in .bash_profile).

    1. Add a separate user and group for every domain under which Apache will be running.
    2. Add a separate group for the other user accounts.
    3. Change the default group for files created by your users by changing the group of their home directories and setting the setgid bit on them (this cannot be done over FTP, so you will need to log in to each account via SSH).
    4. Add the users who need access to the web site to the web-user group.
    5. Optionally set umask 007 in every user's .bash_profile to turn DreamHost's default 775/664 into 770/660 for directories and files that are not meant to be read by Apache (660 can also be used for all web scripts, including .php, as they are not read by dhapache but executed as your own user via CGI).

    Apache Security

    Web files that Apache has to read must be readable by everyone, as Apache itself runs as the dhapache user. Executable scripts such as .php, however, run under your own user and do not have to be world-readable: Apache does not read them but executes them via suEXEC. Quite the opposite: to keep third parties from reading your code or database settings you SHOULD set these files explicitly to something like 640 or even 600, depending on whom you trust. (.htaccess files and any .htpasswd named in them are read by Apache itself and must stay readable by the dhapache user.)

    Multiuser security setup example

    For this example we create an example_www user with a new_webroot group for serving web files with Apache, and an example user with an rfrc group to manage mail and keep other files on DreamHost private. Since these names already exist, substitute your own.

    • Log in to the DreamHost panel and create the users example_www and example with shell access.
    • From the Groups tab create two groups, new_webroot and rfrc. Note that the users created in the previous step are still members of the same default pgxxxxxx group.
    • Add example_www to the new_webroot group, and example to both the new_webroot and rfrc groups.
    • Move your domain to the example_www account (example.org in this walkthrough).
    • Now log in via SSH as example_www and change the default group of your home directory, with the setgid bit set, so that all current and future files and directories under it carry the new_webroot group:
     $ chgrp -R new_webroot .
     $ chmod 2751 .
     $ chmod 2771 example.org

    Mode 2771 makes the directory writable by the owner and the group, and only traversable (executable) by others. The contents of an execute-only directory cannot be listed, but files inside it can still be read if their own permissions allow it. The directory must be traversable so that Apache can read the static content (e.g. .html files) inside it. Directories you do not want to be reachable over the web at all should be 0770 (writable by owner and group) or 0750 (writable by the owner, readable by the group). Apply such strict permissions to password files, PHP include files and database files (SQLite, BDB and the like).

    • Do the same for the example user, but with the rfrc group instead:

    chgrp -R rfrc .
    chmod 2751 .

    • Optionally set umask 007 in the user's .bash_profile so that all files this user creates are 660 by default. Files that are meant to be served by the web server then have to be set to 664 by hand.

    You can now log in as the user example and update the web site in ../example_www/example.org. One more piece of setup is needed: files copied in from other accounts can arrive with mode 644 instead of 664, so you need a script that resets permissions to 664 (or 660 for private files) so that other group members can modify them.
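    The permission-fixing script the paragraph above calls for, as an added example that is not part of the page's walkthrough. It applies the scheme from this section to a web root: setgid group directories, 664 for files Apache reads as "other", and 660 for code and data that is executed via suEXEC or never served. The group name is passed in (new_webroot in the walkthrough); the list of file types treated as private, and the rule that .htaccess and the .htpasswd named by AuthUserFile stay world-readable because the Apache user itself reads them, are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not part of the page's walkthrough: apply the shared-group
# scheme from this section to an existing web root.
# Assumptions: PHP is executed via suEXEC as your own user (so .php files
# need not be world-readable); static files, .htaccess and the .htpasswd
# named by AuthUserFile are read by the Apache user itself and therefore
# must stay readable by "other".

# harden_webroot WEBROOT GROUP
# GROUP is the group shared by the web user and the people who edit the site.
harden_webroot() {
  root=$1; group=$2
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
  chgrp -R "$group" "$root"
  # Directories: owner and group may write, others may only traverse (no
  # listing); the setgid bit makes new files inherit GROUP instead of the
  # creator's default pgxxxxxx group.
  find "$root" -type d -exec chmod 2771 {} +
  # Default for files: world-readable so Apache can serve them, writable by
  # owner and group so any member of GROUP can update them (664, not 644).
  find "$root" -type f -exec chmod 664 {} +
  # Code and data the web server never reads directly: nothing for "other".
  find "$root" -type f \( -name '*.php' -o -name '*.inc' \
       -o -name '*.sqlite' -o -name '*.db' \) -exec chmod 660 {} +
  # Files Apache itself must read: world-readable, but writable only by the
  # owner, so a co-user's compromised script cannot rewrite your auth rules.
  find "$root" -type f \( -name .htaccess -o -name .htpasswd \) -exec chmod 644 {} +
}

# mode_of PATH: the permission string from ls -l, e.g. drwxrws--x.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Constructed demo tree (not from the page) so the script runs stand-alone.
demo=$(mktemp -d)
mkdir -p "$demo/site/inc"
: > "$demo/site/index.html"; : > "$demo/site/inc/config.php"; : > "$demo/site/.htaccess"
harden_webroot "$demo/site" "$(id -gn)"
for p in "$demo/site" "$demo/site/index.html" "$demo/site/inc/config.php" "$demo/site/.htaccess"; do
  printf '%s  %s\n' "$(mode_of "$p")" "${p#"$demo"/}"
done
rm -rf "$demo"
```

    Run it as the owner of the files (harden_webroot ~/example.org new_webroot in the walkthrough's terms) after copying files in from another account; it is idempotent, so it can also go in a cron job.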

    Automatic Post-commit Checkout

    Subversion can be a very useful tool for developing Web sites or Web-based applications. You may wonder, though, how that would work. After you commit your changes to your repository, how do you have them reflected on your site? The easiest method is to have your site’s directory on the server be a working copy checked out from your Subversion repository. If you elect to do this be certain to modify your site’s .htaccess to prevent users from browsing Subversion’s control files. Something simple in the root of your site such as the following will suffice.

    RedirectMatch 403 /\.svn.*$

    Additionally you can configure your site to automatically check out the current sources from your repository by using Subversion’s “hook scripts“. In short, the script called hooks/post-commit will be executed by the web server each time new sources are checked into your repository. Be advised that when the web server executes this script it is running in the security context of the dhapache user — this user does not and should not (for security reasons) have the necessary permissions to modify the files in your web site’s directory. As such we need to arrange for the post-commit script to run the update in the security context of a user with the privileges necessary to update your site.

    Users familiar with UNIX systems will recognize that this is a task for a setuid binary. Unfortunately the DreamHost /home/ directories are NFS filesystems which are, for security reasons, mounted with setuid disabled. Fortunately the workaround is trivial — simply set up your update script as a CGI script and have the Subversion post-commit hook invoke this script. Instructions follow.

    1. Create a private directory on your website to host your updater script such as /home/username/mysite.com/cgi-bin/pri

    1b. And set its permissions so that only the user has write access to it.

    chmod 755 pri

    2. Secure the private directory by creating a .htaccess file with contents similar to the following.

    AuthName "Dialog prompt"
    AuthType Basic
    AuthUserFile /home/username/mysite.com/cgi-bin/pri/.htpasswd
    Require valid-user

    3. Using the htpasswd utility, create the .htpasswd file by running the following command in your /home/username/mysite.com/cgi-bin/pri directory. For security reasons make up a new username and password; do not reuse the username and password of a user on your server or of a user you have given access to your Subversion repository. (-b takes the password on the command line, where it lands in your shell history and is briefly visible to other users in the process list; omit -b and htpasswd prompts for it instead.)

    htpasswd -bc .htpasswd someuser somepasswd

    4. Now that you have created and secured a directory for this special CGI script to live in, create a script in that directory called do_update.cgi with the following contents.

    #!/bin/sh
    set -f
    echo "Content-type: text/plain; charset=iso-8859-1"
    echo
    /usr/bin/svn update /home/username/mysite.com

    4b. Don’t forget to give execution privilege to your file. Only the user can have write access to it.

    chmod 755 do_update.cgi

    5. Finally, modify your /home/username/svn/projectname/hooks/post-commit to invoke your CGI script so your site updates after each commit. The hook has to be readable by the web-server user that runs it, so on a shared host the credentials in it are readable by other users too; this is why step 3 insists on a throwaway username and password. If your site has TLS, use an https:// URL so the credentials are not sent in the clear.

    #!/bin/bash
    wget --http-user=someuser --http-password=somepasswd -O - http://mysite.com/cgi-bin/pri/do_update.cgi

    5b. Don’t forget to give execution privilege to your file. Again, only the user can have write access to it.

    chmod 755 post-commit
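    The same update step with the checks a practitioner would add, as an added example that is not the page's do_update.cgi or post-commit script. It keeps the page's placeholder paths (/home/username/mysite.com, /usr/bin/svn); the mkdir-based lock, the REMOTE_USER check and the exit codes are this example's own choices.

```sh
#!/bin/sh
# Added example, not the page's do_update.cgi. Paths below are the page's
# placeholders; the lock directory and the checks are this example's own.
set -f   # as in the original: no filename globbing

# run_update WORKING_COPY SVN_BIN
# Runs "svn update" on WORKING_COPY unless another update is still running.
# Two commits a second apart would otherwise run two svn processes in the
# same working copy. mkdir is atomic, including on the NFS-backed home
# directories mentioned above, so it serves as the lock. Returns svn's exit
# status, or 75 (EX_TEMPFAIL) if the lock is held. A lock left behind by a
# killed update must be removed by hand (rmdir WORKING_COPY/.update.lock).
run_update() {
  wc=$1; svn=$2
  lock="$wc/.update.lock"
  if ! mkdir "$lock" 2>/dev/null; then
    echo "update already in progress for $wc"
    return 75
  fi
  status=0
  "$svn" update "$wc" || status=$?
  rmdir "$lock"
  return $status
}

# cgi_main: the CGI entry point, run only when a web server invokes us.
cgi_main() {
  echo "Content-type: text/plain; charset=iso-8859-1"
  echo
  # Defence in depth: if the .htaccess protecting this directory is ever
  # removed, Apache no longer sets REMOTE_USER, and we refuse to run rather
  # than let anyone on the internet trigger an update.
  if [ -z "${REMOTE_USER:-}" ]; then
    echo "refused: request was not authenticated"
    return 1
  fi
  run_update /home/username/mysite.com /usr/bin/svn 2>&1
}

if [ -n "${GATEWAY_INTERFACE:-}" ]; then
  cgi_main
fi
```

    The post-commit hook from step 5 needs no change. Exit status 75 is only informative here: Apache reports the CGI's output, not its exit code, so the "already in progress" line in the hook's wget output is what tells you a commit was skipped.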

    Blocking Abuse by IP Address

    IP Abuse Detection Script

    This shell script checks the access and error logs Apache generates for a domain, looking for the IP addresses that have connected to your site the most. It picks out addresses that triggered a Concurrent Connection Limit Exceeded error, a good sign that they are an automated bot of some kind making more than 20 simultaneous requests to your site. The script also checks for internal recursion errors, which can hurt your speed and resources badly; these are internal redirect loops, generally caused by a misconfigured .htaccess, so they point at your own configuration rather than at a client.

    Once the script has scanned your logs for those events, it generates .htaccess code that you can add to your site's root .htaccess file to block the addresses it identified as abusive. Only addresses with no reverse DNS are included in the generated block.


    Installation

    1. Log in to your account using SSH
    2. Save this code in your $HOME directory as ip-abuse-lookup.sh
      1. Run pico $HOME/ip-abuse-lookup.sh
      2. Paste the code into the editor (right-click in most terminal programs)
      3. Hold down Ctrl and press X to save, then confirm when prompted
    3. Run the command dos2unix -dv $HOME/ip-abuse-lookup.sh to fix line break issues
    4. Run the command chmod -v 744 $HOME/ip-abuse-lookup.sh to make executable

    Running the Script

    From your $HOME directory (cd $HOME), run ./ip-abuse-lookup.sh to execute the program.

    Example Generated .htaccess

    This script will also generate code that you can place in your .htaccess file to block specific abusers. The Order/Allow/Deny directives are Apache 2.2 mod_access syntax: with Order Allow,Deny a Deny match wins over Allow from All, which is what makes the list effective. Apache 2.4 uses Require all granted and Require not ip instead.

    ## IP-ABUSE-LOOKUP
    Order Allow,Deny
    Allow from All
    Deny from 6.132.177.129 27.67.117.178 6.135.166.102 8.93.225.133
    Deny from 21.194.136.15 22.120.61.3 6.252.139.246 9.64.50.83
    Deny from 8.123.144.98 21.249.83.87 29.85.238.28 25.214.237.62
    Deny from 22.115.130.23 13.57.156.241 14.121.4.82 6.208.172.177

    ip-abuse-lookup.sh

    #!/bin/sh
    # Version 0.2, 2008-04-20
    
    # User-contributed script. Not sponsored by DreamHost.
    # Script created 2008-01-16 by AskApache 
    
    ### SHELL OPTIONS
    set +o noclobber  # allowed to clobber files
    set +o noglob     # globbing on
    set +o xtrace     # change to - to enable tracing
    set +o verbose    # change to - to enable verbose debugging
    set -e            # abort on first error

    The full script is available from the author (AskApache), who also maintains an updated "IP Abuse Blocking with .htaccess" page.
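    The core of what ip-abuse-lookup.sh does, as an added example that is not the page's script (whose full text is not reproduced above): it runs over a few constructed Apache log lines embedded in the block, counts requests per client, pulls out the clients that hit the concurrent-connection limit, and emits a Deny block in the shape of the generated .htaccess shown. Assumptions: the access log is in Apache's common/combined format with the client address first, error-log entries carry "[client IP]" before the message, and the limit message reads as the prose above names it; the recursion error is matched on Apache's own "internal redirects" wording. The reverse-DNS filter needs network access, so the demo does not call it.

```sh
#!/bin/sh
# Added example, not the page's ip-abuse-lookup.sh. Log formats and the
# exact error messages are assumptions stated in the lead-in.

# heavy_ips ACCESS_LOG MIN_HITS: clients with at least MIN_HITS requests.
heavy_ips() {
  awk -v min="$2" '{ hits[$1]++ }
       END { for (ip in hits) if (hits[ip] >= min) print ip }' "$1"
}

# top_ips ACCESS_LOG N: the N busiest clients as "count ip", busiest first.
top_ips() {
  awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' "$1" \
    | sort -rn | head -n "$2"
}

# limit_ips ERROR_LOG: clients that triggered the concurrent-connection
# limit, deduplicated. The port suffix Apache 2.4 adds ("[client ip:port]")
# is excluded by the [0-9.]+ match.
limit_ips() {
  awk '/Concurrent Connection Limit Exceeded/ {
         if (match($0, /\[client [0-9.]+/)) {
           ip = substr($0, RSTART + 8, RLENGTH - 8)
           if (!(ip in seen)) { seen[ip] = 1; print ip }
         }
       }' "$1"
}

# recursion_errors ERROR_LOG: how many internal-redirect loops were logged.
# These point at a broken .htaccess, not at a client, so they are counted
# rather than blocked.
recursion_errors() {
  awk '/internal redirects|Internal Recursion/ { n++ } END { print n + 0 }' "$1"
}

# abusive_ips ACCESS_LOG ERROR_LOG MIN_HITS: union of limit_ips and heavy_ips.
abusive_ips() {
  { limit_ips "$2"; heavy_ips "$1" "$3"; } | sort -u
}

# drop_resolvable: keep only addresses with no reverse DNS, as the page's
# script does. Needs the network (getent does a PTR lookup), so the demo
# below does not use it.
drop_resolvable() {
  while read -r ip; do
    getent hosts "$ip" >/dev/null 2>&1 || echo "$ip"
  done
}

# deny_block: reads addresses on stdin and prints an Apache 2.2 mod_access
# block like the page's generated example, four addresses per Deny line.
# (Apache 2.4 replaces Order/Allow/Deny with "Require all granted" and
# "Require not ip ...".)
deny_block() {
  echo "## IP-ABUSE-LOOKUP"
  echo "Order Allow,Deny"
  echo "Allow from All"
  awk '{ line = line " " $1; n++
         if (n == 4) { print "Deny from" line; line = ""; n = 0 } }
       END { if (n) print "Deny from" line }'
}

# Constructed sample logs (not real traffic) so the script runs stand-alone.
demo=$(mktemp -d)
cat > "$demo/access.log" <<'EOF'
192.0.2.10 - - [20/Apr/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "bot/1.0"
192.0.2.10 - - [20/Apr/2008:10:00:01 +0000] "GET /a HTTP/1.1" 200 512 "-" "bot/1.0"
192.0.2.10 - - [20/Apr/2008:10:00:02 +0000] "GET /b HTTP/1.1" 200 512 "-" "bot/1.0"
198.51.100.7 - - [20/Apr/2008:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2008:10:02:00 +0000] "GET / HTTP/1.1" 503 0 "-" "bot/2.0"
EOF
cat > "$demo/error.log" <<'EOF'
[Sun Apr 20 10:02:00 2008] [error] [client 203.0.113.5] Concurrent Connection Limit Exceeded
[Sun Apr 20 10:03:00 2008] [error] [client 198.51.100.7] Request exceeded the limit of 10 internal redirects due to probable configuration error.
EOF
echo "busiest clients:"; top_ips "$demo/access.log" 3
echo "recursion errors: $(recursion_errors "$demo/error.log")"
abusive_ips "$demo/access.log" "$demo/error.log" 3 | deny_block
rm -rf "$demo"
```

    To reproduce the page's reverse-DNS rule on a real log, insert drop_resolvable before deny_block; keep the threshold well above your legitimate traffic, since a busy legitimate client (a corporate proxy, for instance) is indistinguishable from a bot by request count alone.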

    Apache mod_auth_digest authentication

    Digest authentication is described in RFC 2617.

    Directives

    (The AuthDB* and AuthDBM* entries belong to mod_auth_db and mod_auth_dbm; the AuthDigest* entries are mod_auth_digest's own.)

    • AuthDBGroupFile
    • AuthDBUserFile
    • AuthDBAuthoritative
    • AuthDBMGroupFile
    • AuthDBMUserFile
    • AuthDBMAuthoritative
    • AuthDigestFile
    • AuthDigestGroupFile
    • AuthDigestQop
    • AuthDigestNonceLifetime
    • AuthDigestNonceFormat
    • AuthDigestNcCheck
    • AuthDigestAlgorithm
    • AuthDigestDomain

    Using Digest Authentication

    Setting up MD5 Digest authentication is simple. Configure authentication as usual, but use "AuthType Digest" and "AuthDigestFile" in place of "AuthType Basic" and "AuthUserFile", and replace any "AuthGroupFile" with "AuthDigestGroupFile". Then add an "AuthDigestDomain" directive listing at least the root URI(s) of this protection space. (In Apache 2.2 and later AuthDigestFile is gone: name the file with AuthUserFile and add "AuthDigestProvider file". The file is created with htdigest, and the realm stored in it must match AuthName exactly.) Example:

    AuthType Digest
    AuthName "private area"
    AuthDigestDomain /private/ http://mirror.my.dom/private2/
    AuthDigestFile /web/auth/.digest_pw
    Require valid-user

    Note: Digest authentication avoids sending the password itself over the wire, which is an improvement over Basic authentication, but it only works with supporting browsers, it still relies on MD5, and it does nothing to protect the pages themselves; TLS is the real fix for both. As of September 2004, major browsers that support digest authentication include Amaya, Konqueror, MS Internet Explorer for Mac OS X and Windows (although the Windows version fails when used with a query string; see "Working with MS Internet Explorer" below for a workaround), Mozilla, Netscape 7, Opera, and Safari. lynx does not support digest authentication. Since digest authentication is not as widely implemented as basic authentication, you should use it only in environments where all users will have supporting browsers.
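    How the password file behind AuthDigestFile is built, as an added example that is not from the page or from Apache's htdigest(1). The line format (user:realm:HA1, with HA1 the MD5 of "user:realm:password") is fixed by RFC 2617 and must use the exact realm string from AuthName; the helper names, the write-then-rename update and the sample user are this example's own.

```sh
#!/bin/sh
# Added example, not from the page or Apache. Builds entries for the digest
# password file: user:realm:HA1, HA1 = MD5("user:realm:password") (RFC 2617).
# In Apache 2.2 and later the file is named by AuthUserFile together with
# "AuthDigestProvider file" rather than by AuthDigestFile.

# md5hex: hex MD5 of stdin, via md5sum or, failing that, openssl.
md5hex() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | cut -d' ' -f1
  else
    openssl dgst -md5 | sed 's/^.*= *//'
  fi
}

# digest_entry USER REALM PASSWORD: one line for the digest password file.
# REALM must be byte-for-byte the AuthName of the protected area; the client
# hashes with the realm it was sent, so a mismatch fails every login.
digest_entry() {
  case "$1$2" in
    *:*) echo "user and realm must not contain ':'" >&2; return 1 ;;
  esac
  printf '%s:%s:%s\n' "$1" "$2" "$(printf '%s' "$1:$2:$3" | md5hex)"
}

# add_digest_user FILE USER REALM PASSWORD: replace or append the entry for
# USER in REALM. Written to a temporary file and renamed into place, so an
# interrupted run never leaves FILE truncated. Keep FILE outside the document
# root (the page's /web/auth/.digest_pw is) but readable by the Apache user.
add_digest_user() {
  file=$1; user=$2; realm=$3; pass=$4
  entry=$(digest_entry "$user" "$realm" "$pass") || return 1
  tmp="$file.tmp.$$"
  {
    [ -f "$file" ] && awk -v key="$user:$realm:" 'index($0, key) != 1' "$file"
    echo "$entry"
  } > "$tmp" && mv "$tmp" "$file"
}

# Constructed demo (not from the page): one user in the page's "private area" realm.
demo=$(mktemp -d)
add_digest_user "$demo/.digest_pw" alice "private area" "correct horse"
add_digest_user "$demo/.digest_pw" alice "private area" "new password"   # replaces, does not duplicate
cat "$demo/.digest_pw"
rm -rf "$demo"
```

    The HA1 value is an unsalted MD5 of a short string, so the file deserves the same protection as an .htpasswd: anyone who reads it can log in as that user without ever learning the password.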

    Apache module mod_auth_digest

    Some AuthDigest Configuration Directives

    static const command_rec digest_cmds[] =
    {
        AP_INIT_TAKE1("AuthName", set_realm, NULL, OR_AUTHCFG,
         "The authentication realm (e.g. \"Members Only\")"),
        AP_INIT_ITERATE("AuthDigestProvider", add_authn_provider, NULL, OR_AUTHCFG,
                         "specify the auth providers for a directory or location"),
        AP_INIT_ITERATE("AuthDigestQop", set_qop, NULL, OR_AUTHCFG,
         "A list of quality-of-protection options"),
        AP_INIT_TAKE1("AuthDigestNonceLifetime", set_nonce_lifetime, NULL, OR_AUTHCFG,
         "Maximum lifetime of the server nonce (seconds)"),
        AP_INIT_TAKE1("AuthDigestNonceFormat", set_nonce_format, NULL, OR_AUTHCFG,
         "The format to use when generating the server nonce"),
        AP_INIT_FLAG("AuthDigestNcCheck", set_nc_check, NULL, OR_AUTHCFG,
         "Whether or not to check the nonce-count sent by the client"),
        AP_INIT_TAKE1("AuthDigestAlgorithm", set_algorithm, NULL, OR_AUTHCFG,
         "The algorithm used for the hash calculation"),
        AP_INIT_ITERATE("AuthDigestDomain", set_uri_list, NULL, OR_AUTHCFG,
         "A list of URI's which belong to the same protection space as the current URI"),
        AP_INIT_TAKE1("AuthDigestShmemSize", set_shmem_size, NULL, RSRC_CONF,
         "The amount of shared memory to allocate for keeping track of clients"),
        {NULL}
    };
    
    /*
     * client list code
     *
     * Each client is assigned a number, which is transferred in the opaque
     * field of the WWW-Authenticate and Authorization headers. The number
     * is just a simple counter which is incremented for each new client.
     * Clients can't forge this number because it is hashed up into the
     * server nonce, and that is checked.
     *
     * The clients are kept in a simple hash table, which consists of an
     * array of client_entry's, each with a linked list of entries hanging
     * off it. The client's number modulo the size of the array gives the
     * bucket number.
     *
     * The clients are garbage collected whenever a new client is allocated
     * but there is not enough space left in the shared memory segment. A
     * simple semi-LRU is used for this: whenever a client entry is accessed
     * it is moved to the beginning of the linked list in its bucket (this
     * also makes for faster lookups for current clients). The garbage
     * collector then just removes the oldest entry (i.e. the one at the
     * end of the list) in each bucket.
     *
     * The main advantages of the above scheme are that it's easy to implement
     * and it keeps the hash table evenly balanced (i.e. same number of entries
     * in each bucket). The major disadvantage is that you may be throwing
     * entries out which are in active use. This is not tragic, as these
     * clients will just be sent a new client id (opaque field) and nonce
     * with a stale=true (i.e. it will just look like the nonce expired,
     * thereby forcing an extra round trip). If the shared memory segment
     * has enough headroom over the current client set size then this should
     * not occur too often.
     *
     * To help tune the size of the shared memory segment (and see if the
     * above algorithm is really sufficient) a set of counters is kept
     * indicating the number of clients held, the number of garbage collected
     * clients, and the number of erroneously purged clients. These are printed
     * out at each garbage collection run. Note that access to the counters is
     * not synchronized because they are just indicators, and whether they are
     * off by a few doesn't matter; and for the same reason no attempt is made
     * to guarantee the num_renewed is correct in the face of clients spoofing
     * the opaque field.
     */
    
    /*
     * Get the client given its client number (the key). Returns the entry,
     * or NULL if it's not found.
     *
     * Access to the list itself is synchronized via locks. However, access
     * to the entry returned by get_client() is NOT synchronized. This means
     * that there are potentially problems if a client uses multiple,
     * simultaneous connections to access url's within the same protection
     * space. However, these problems are not new: when using multiple
     * connections you have no guarantee of the order the requests are
     * processed anyway, so you have problems with the nonce-count and
     * one-time nonces anyway.
     */