author | Joshua Slive <slive@apache.org> | 2002-07-12 17:45:59 +0000 |
---|---|---|
committer | Joshua Slive <slive@apache.org> | 2002-07-12 17:45:59 +0000 |
commit | e64ee27bbb675042144918588f19c35927f8981f (patch) | |
tree | 328296a6d01c385b567c0ecee1c54fd42f89328b /docs/manual/misc/security_tips.html | |
parent | 1fae3fdf07afe000dd4878e7f41ca79d01687997 (diff) | |
download | httpd-e64ee27bbb675042144918588f19c35927f8981f.tar.gz |
Some more security tips.
Submitted by: thomas@northernsecurity.net
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96035 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual/misc/security_tips.html')
-rw-r--r-- | docs/manual/misc/security_tips.html | 103 |
1 files changed, 81 insertions, 22 deletions
diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html index 190bdbf734..26a47fbfa1 100644 --- a/docs/manual/misc/security_tips.html +++ b/docs/manual/misc/security_tips.html @@ -20,17 +20,20 @@ <li><a href="#ssi">Server Side Includes</a></li> + <li><a href="#cgi">CGI in General</a></li> + <li><a href="#nsaliasedcgi">Non Script Aliased CGI</a></li> <li><a href="#saliasedcgi">Script Aliased CGI</a></li> - <li><a href="#cgi">CGI in General</a></li> - - <li><a href="#systemsettings">Protecting System + <li><a href="#systemsettings">Protecting System Settings</a></li> <li><a href="#protectserverfiles">Protect Server Files by Default</a></li> + + <li><a href="#watchyourlogs">Watching Your Logs</a></li> + </ul> <hr /> @@ -140,6 +143,29 @@ <hr /> + <h2><a id="cgi" name="cgi">CGI in General</a></h2> + + <p>First of all, you always have to remember that you must trust + the writers of the CGI scripts/programs or your ability to spot + potential security holes in CGI, whether they were deliberate or + accidental. CGI scripts can run essentially arbitrary commands + on your system with the permissions of the web server user and can + therefore be extremely dangerous if they are not carefully + checked.</p> + + <p>All the CGI scripts will run as the same user, so they have + potential to conflict (accidentally or deliberately) with other + scripts <em>e.g.</em> User A hates User B, so he writes a + script to trash User B's CGI database. One program which can be + used to allow scripts to run as different users is <a + href="../suexec.html">suEXEC</a> which is included with Apache + as of 1.2 and is called from special hooks in the Apache server + code. Another popular way of doing this is with <a + href="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</a>.</p> + + <p></p> + <hr /> + <h2><a id="nsaliasedcgi" name="nsaliasedcgi">Non Script Aliased CGI</a></h2> 
@@ -176,25 +202,6 @@ <p></p> <hr /> - <h2><a id="cgi" name="cgi">CGI in General</a></h2> - - <p>Always remember that you must trust the writers of the CGI - script/programs or your ability to spot potential security - holes in CGI, whether they were deliberate or accidental.</p> - - <p>All the CGI scripts will run as the same user, so they have - potential to conflict (accidentally or deliberately) with other - scripts <em>e.g.</em> User A hates User B, so he writes a - script to trash User B's CGI database. One program which can be - used to allow scripts to run as different users is <a - href="../suexec.html">suEXEC</a> which is included with Apache - as of 1.2 and is called from special hooks in the Apache server - code. Another popular way of doing this is with <a - href="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</a>.</p> - - <p></p> - <hr /> - <h2><a id="systemsettings" name="systemsettings">Protecting System Settings</a></h2> 
@@ -276,6 +283,56 @@ <dl> <dd><samp>UserDir disabled root</samp></dd> </dl> + + <p></p> + <hr /> + + <h2><a id="watchyourlogs" name="watchyourlogs"> + Watching Your Logs</a></h2> + + <p>To keep up-to-date with what is actually going on against your + server you have to check the <a href="../logs.html">Log Files</a>. + Even though the log files only reports what has already happend, + they will give you some understanding of what attacks is thrown + against the server and allows you to check if the necessary level + of security is present.</p> + + <p>A couple of examples:</p> + <ol> + <li><samp>grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" + access_log</samp></li> <li><samp>grep "client denied" error_log | + tail -n 10 </samp></li> + </ol> + + <p>The first example will list the number of attacks trying to + exploit the <a + href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat + Source.JSP Malformed Request Information Disclosure + Vulnerability</a>, the second example will list the ten last denied + clients, for example:</p> + + <dl> + <dd><samp>[Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] + client denied by server configuration: + /usr/local/apache/htdocs/.htpasswd</samp></dd> + </dl> + + <p>As you can see, the log files only report what already has + happend, so if the client had been able to access the + <samp>.htpasswd</samp> file you would have seen something similar + to <samp>foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET + /.htpasswd HTTP/1.1"</samp> in your <a + href="../logs.html#accesslog">Access Log</a>. This means you + probably commented out the following in your server configuration + file:</p> + + <pre> + <Files ~ "^\.ht"> + Order allow,deny + Deny from all + </Files> + </pre> + <hr /> <p>Please send any other useful security tips to The Apache @@ -289,3 +346,5 @@ </body> </html> + + |
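Review bot: in the first hunk (@@ -20,17 +20,20 @@), the rewritten opening paragraph of "CGI in General" states the key point, that scripts run "with the permissions of the web server user", but stops short of the consequence the reader needs: anything that user can read or write (other users' scripts and data, the document tree, log files) is reachable from any one CGI. Spelling that out in one sentence would also motivate the suEXEC/CGIWrap paragraph that follows, which otherwise reads as an aside about users who "hate" each other. While the paragraph is being touched, "included with Apache as of 1.2" reads as stale in the current manual; "since Apache 1.2" is clearer.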
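Review bot: in the last hunk (@@ -276,6 +283,56 @@), the first log example cannot work as written: `grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log` puts both probe strings into a single pattern separated by a space, so no individual access_log line will ever match and the count is always 0. Use two patterns, e.g. `grep -c -e "/jsp/source.jsp?/jsp/" -e "/jsp/source.jsp??" access_log`, and note that `-c` counts matching lines (requests), not distinct attackers. The second example, `grep "client denied" error_log | tail -n 10`, shows the last ten denial lines, not "the ten last denied clients"; the same client can account for all ten. The `<Files ~ "^\.ht">` container inside the `<pre>` appears unescaped; in HTML it must be written as `&lt;Files ~ "^\.ht"&gt;` and `&lt;/Files&gt;`, otherwise the browser treats it as a tag and the directive vanishes from the rendered page. "This means you probably commented out" is too strong: a successful GET of `.htpasswd` means the deny rule was not in effect for that path (commented out, overridden, or never present), which is the more useful thing to say. Finally, the prose needs a pass: "happend" (twice) should be "happened", "what attacks is thrown" should be "what attacks are thrown", and "the log files only reports" should be "the log files only report".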