From: Joshua Slive Date: Fri, 12 Jul 2002 17:45:59 +0000 (+0000) Subject: Some more security tips. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9881e9ad7684acd41c1334acac43dd6e546cfbe4;p=apache Some more security tips. Submitted by: thomas@northernsecurity.net git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96035 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html index 190bdbf734..26a47fbfa1 100644 --- a/docs/manual/misc/security_tips.html +++ b/docs/manual/misc/security_tips.html @@ -20,17 +20,20 @@
  • Server Side Includes
  • +
  • CGI in General
  • +
  • Non Script Aliased CGI
  • Script Aliased CGI
  • -
  • CGI in General
  • - -
  • Protecting System +
  • Protecting System Settings
  • Protect Server Files by Default
  • + +
  • Watching Your Logs
  • +
    @@ -140,6 +143,29 @@
    +

    CGI in General

    + +

    First of all, you always have to remember that you must trust + the writers of the CGI scripts/programs or your ability to spot + potential security holes in CGI, whether they were deliberate or + accidental. CGI scripts can run essentially arbitrary commands + on your system with the permissions of the web server user and can + therefore be extremely dangerous if they are not carefully + checked.

    + +

    All the CGI scripts will run as the same user, so they have + potential to conflict (accidentally or deliberately) with other + scripts e.g. User A hates User B, so he writes a + script to trash User B's CGI database. One program which can be + used to allow scripts to run as different users is suEXEC which is included with Apache + as of 1.2 and is called from special hooks in the Apache server + code. Another popular way of doing this is with CGIWrap.

    + +

    +
    +

    Non Script Aliased CGI
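Review bot: the opening sentence of the new "CGI in General" paragraph is hard to parse ("you always have to remember that you must trust the writers of the CGI scripts/programs or your ability to spot potential security holes in CGI"); suggest "Remember that you must trust either the writers of your CGI scripts and programs or your own ability to spot security holes in them, whether deliberate or accidental." The added sentence that CGI scripts "can run essentially arbitrary commands on your system with the permissions of the web server user" is the key risk statement in this section and should stay; consider leading with it. Minor: "scripts e.g. User A hates User B" needs punctuation before "e.g.".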

    @@ -176,25 +202,6 @@


    -

    CGI in General

    - -

    Always remember that you must trust the writers of the CGI - script/programs or your ability to spot potential security - holes in CGI, whether they were deliberate or accidental.

    - -

    All the CGI scripts will run as the same user, so they have - potential to conflict (accidentally or deliberately) with other - scripts e.g. User A hates User B, so he writes a - script to trash User B's CGI database. One program which can be - used to allow scripts to run as different users is suEXEC which is included with Apache - as of 1.2 and is called from special hooks in the Apache server - code. Another popular way of doing this is with CGIWrap.

    - -

    -
    -

    Protecting System Settings
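Review bot: this removal is the other half of a move rather than a deletion (the two deleted paragraphs reappear, with one extra sentence, under the same heading in the previous hunk), so the section's anchor name must travel with it; otherwise the table-of-contents entry for "CGI in General" and any existing deep links into the old position break. The extracted diff does not show the anchor attribute, so this needs checking in the rendered page.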

    @@ -276,6 +283,56 @@
    UserDir disabled root
    + +

    +
    + +

    + Watching Your Logs

    + +

    To keep up-to-date with what is actually going on against your + server you have to check the Log Files. + Even though the log files only reports what has already happend, + they will give you some understanding of what attacks is thrown + against the server and allows you to check if the necessary level + of security is present.

    + +

    A couple of examples:

    +
      +
    1. grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" + access_log
    2. grep "client denied" error_log | + tail -n 10
    3. +
    + +

    The first example will list the number of attacks trying to + exploit the Apache Tomcat + Source.JSP Malformed Request Information Disclosure + Vulnerability, the second example will list the ten last denied + clients, for example:

    + +
    +
    [Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] + client denied by server configuration: + /usr/local/apache/htdocs/.htpasswd
    +
    + +

    As you can see, the log files only report what already has + happend, so if the client had been able to access the + .htpasswd file you would have seen something similar + to foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET + /.htpasswd HTTP/1.1" in your Access Log. This means you + probably commented out the following in your server configuration + file:

    + +
    +   <Files ~ "^\.ht">
    +    Order allow,deny
    +    Deny from all
    +   </Files>
    +   
    +

    Please send any other useful security tips to The Apache @@ -289,3 +346,5 @@ + +
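Review bot: the pattern in the first grep example, "/jsp/source.jsp?/jsp/ /jsp/source.jsp??", contains a literal space, so as a single quoted argument it will never match a request line; it looks like two patterns run together and should be given as two -e arguments (or two separate greps), ideally with -F so the dots and question marks are matched literally rather than as regex metacharacters. In the access log explanation, the quoted entry "GET /.htpasswd HTTP/1.1" is cut off before the status code, yet the status code is exactly what tells the reader whether the request succeeded (200) or was refused (403); a denied request produces the same request string, so the example should include it to support the claim that the file was actually accessible. Wording in the new section: "happend" appears twice for "happened", "the log files only reports" should be "report", "what attacks is thrown" should be "are thrown", "allows you" should be "allow you", and "ten last denied clients" reads better as "last ten denied clients".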