
Re: [OCLUG-Tech] Apache security question

On 11-12-13 12:37 PM, Bart Trojanowski wrote:

http://www.jukie.net/~bart/html_test/?foo=foo

html_test/index.html is just a static html.  It returns 200. the foo=foo
seems to be ignored.

-Bart
________

All this stuff is predicated on the webserver allowing bad things to happen. In the apache configuration files, you specifically allow or deny access to directories on the server - and whether or not the server should follow symbolic links. If you make sure Apache can't get outside the usual /var/www space, and that the webserver is running as the proper user, it should not be a problem. Apache does ONLY what you allow, and will try pretty hard to prevent what you do not allow. Understanding the configuration files completely is pretty important. Just because someone tries to sneak a peek inside your system doesn't mean they can see anything.

Scripting or server side interpreted languages like PHP, Java etc. make it easily possible to do silly things - the gun is in your hand and where you point it is your fault. Read about hardening your code, and configuration.

Going down the road of actively monitoring logs and altering iptables on the fly seems like a good idea, but in the real world, the number of bad guys (millions) outnumbers the good guy (only you) by a huge amount. Your iptables chains will quickly get monstrous, and not statistically provide any better sleep. Your best protection is good firewalling preventing access other than 80, 443 and 22. Do not allow FTP, do not allow password based access even for SSH, and configure Apache properly.

Reduce the number of holes you punch through your firewalling to the absolute minimum, configure Apache properly, write solid server side code of any kind, audit the third party code you allow on your server (I don't allow ANY third party code without source inspection).

Testing is good, but not a panacea for failing to do the homework upfront. No matter how well you test, there are better folks out there that will find things you didn't.

If you read ANY configuration files for Apache, PHP or whatever scripting languages are in use and do not fully understand the keywords and directives there, the ball is squarely in your court. Trusting default settings and permissions is a recipe for disaster.

--
Bill Strosberg
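The message above leans on two points: Apache serves only what the configuration explicitly allows (directory access, symlink following, the user it runs as), and a default or half-understood directive is the usual hole. As an added example, not part of the thread and not Bill's or Bart's code, here is a small audit script that reads httpd.conf-style text and flags the weak settings the message names. The two configurations are constructed for the example; the rules are a simplified reading of the `User`, `Group`, `Options`, `AllowOverride` and `Require` directives and ignore `Include` files and `<Location>`/`<Files>` blocks.

```python
"""Audit an Apache httpd.conf-style text for the weak settings a post like
the one above warns about.  Added example; the configurations below are
constructed and the checks are a simplified reading of the directives."""
import re

# Constructed sample: a deliberately weak configuration to audit.
WEAK_CONF = """
User root
Group root
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
<Directory /var/www/html>
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
"""

# Constructed sample: the same layout after hardening.  The filesystem root
# is denied, only the document root is opted in, symlinks are followed only
# when the link and target share an owner, and the workers drop to www-data.
HARDENED_CONF = """
User www-data
Group www-data
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/html>
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>
"""

_DIR_RE = re.compile(r"<Directory\s+(\S+?)\s*>(.*?)</Directory>", re.S | re.I)


def parse_directories(conf):
    """Return {path: {directive_lowercased: value}} for each <Directory> block."""
    blocks = {}
    for m in _DIR_RE.finditer(conf):
        path = m.group(1).strip('"')
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip()
        blocks[path] = directives
    return blocks


def global_directive(conf, name):
    """First top-level 'Name value' directive, or None if absent."""
    m = re.search(r"^\s*%s\s+(\S+)" % name, conf, re.M | re.I)
    return m.group(1) if m else None


def audit(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for name in ("User", "Group"):
        val = global_directive(conf, name)
        if val is None:
            findings.append("%s is not set; httpd keeps the identity it was started with" % name)
        elif val == "root":
            findings.append("%s root: the worker processes run as root" % name)

    dirs = parse_directories(conf)
    root = dirs.get("/")
    if root is None:
        findings.append("no <Directory /> block: the filesystem root has no explicit policy")
    elif root.get("require", "").lower() != "all denied":
        findings.append("<Directory />: Require should be 'all denied' so only opted-in paths are served")

    for path, d in dirs.items():
        opts = d.get("options", "").lower().split()
        if "followsymlinks" in opts:
            findings.append("%s: Options FollowSymLinks follows links out of the tree; prefer SymLinksIfOwnerMatch" % path)
        if "indexes" in opts:
            findings.append("%s: Options Indexes lists directories that have no index file" % path)
        # Apache 2.4 defaults AllowOverride to None, so only an explicit override is flagged.
        if d.get("allowoverride", "none").lower() != "none":
            findings.append("%s: AllowOverride %s lets .htaccess files change this policy" % (path, d["allowoverride"]))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("== %s ==" % label)
        for f in audit(conf) or ["no findings"]:
            print("  " + f)
```

Run it and the weak configuration produces seven findings while the hardened one produces none; the point is that every finding corresponds to a directive a reader is expected to have looked up before trusting it, which is the "ball is in your court" part of the message.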