httpd-docs mailing list archives

From Thomas Sjögren <tho...@northernsecurity.net>
Subject [PATCH] security_tips.html
Date Fri, 12 Jul 2002 01:25:14 GMT
Modified "CGI in general" and moved it so it's available earlier than the other
CGI security tips.
Added info to "Watching Your Logs".
Added "Using Passphrases instead of Passwords" which is about choosing better
passwords when using client authentication.

No wordwrap and diff -u, this patch better work. :)


Index: ./httpd-docs-2.0/manual/misc/security_tips.html
===================================================================
RCS file: /home/cvspublic/httpd-2.0/docs/manual/misc/security_tips.html,v
retrieving revision 1.28
diff -u -r1.28 security_tips.html
--- ./httpd-docs-2.0/manual/misc/security_tips.html     19 Jan 2002 17:44:08 -0000      1.28
+++ ./httpd-docs-2.0/manual/misc/security_tips.html     12 Jul 2002 01:10:39 -0000
@@ -20,17 +20,21 @@

       <li><a href="#ssi">Server Side Includes</a></li>

+      <li><a href="#cgi">CGI in General</a></li>
+
       <li><a href="#nsaliasedcgi">Non Script Aliased CGI</a></li>

       <li><a href="#saliasedcgi">Script Aliased CGI</a></li>

-      <li><a href="#cgi">CGI in General</a></li>
-
-      <li><a href="#systemsettings">Protecting System
+     <li><a href="#systemsettings">Protecting System
       Settings</a></li>

       <li><a href="#protectserverfiles">Protect Server Files by
       Default</a></li>
+
+      <li><a href="#watchyourlogs">Watching Your Logs</a></li>
+
+      <li><a href="#usingpassphrases">Using Passphrases instead of Passwords</a></li>
     </ul>
     <hr />

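Review bot: the `-`/`+` pair for the systemsettings entry is a whitespace-only change: the new line `     <li><a href="#systemsettings">Protecting System` is indented five spaces while every sibling `<li>` in this list uses six, so it both misaligns the list and adds noise to the diff. Drop that pair and keep the original line as unchanged context; the two new entries for `#watchyourlogs` and `#usingpassphrases` correctly mirror the sections added further down.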
@@ -140,6 +144,25 @@

     <hr />

+    <h2><a id="cgi" name="cgi">CGI in General</a></h2>
+
+    <p>First of all: you always have to remember that you must trust the writers of
+    the CGI script/programs or your ability to spot potential security
+    holes in CGI, whether they were deliberate or accidental.</p>
+
+    <p>All the CGI scripts will run as the same user, so they have
+    potential to conflict (accidentally or deliberately) with other
+    scripts <em>e.g.</em> User A hates User B, so he writes a
+    script to trash User B's CGI database. One program which can be
+    used to allow scripts to run as different users is <a
+    href="../suexec.html">suEXEC</a> which is included with Apache
+    as of 1.2 and is called from special hooks in the Apache server
+    code. Another popular way of doing this is with <a
+    href="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</a>.</p>
+
+    <p></p>
+    <hr />
+
     <h2><a id="nsaliasedcgi" name="nsaliasedcgi">Non Script Aliased
     CGI</a></h2>

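Review bot: the relocated section's opening sentence now reads `First of all: you always have to remember that you must trust the writers of`, which doubles up on "always" and "must" and adds a colon-led intro that no other section of the page uses. Since this hunk is otherwise a verbatim copy of the block removed below, keep the original wording `Always remember that you must trust the writers of the CGI` so the move stays a pure relocation that reviewers can verify line for line.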
@@ -176,25 +199,6 @@
     <p></p>
     <hr />

-    <h2><a id="cgi" name="cgi">CGI in General</a></h2>
-
-    <p>Always remember that you must trust the writers of the CGI
-    script/programs or your ability to spot potential security
-    holes in CGI, whether they were deliberate or accidental.</p>
-
-    <p>All the CGI scripts will run as the same user, so they have
-    potential to conflict (accidentally or deliberately) with other
-    scripts <em>e.g.</em> User A hates User B, so he writes a
-    script to trash User B's CGI database. One program which can be
-    used to allow scripts to run as different users is <a
-    href="../suexec.html">suEXEC</a> which is included with Apache
-    as of 1.2 and is called from special hooks in the Apache server
-    code. Another popular way of doing this is with <a
-    href="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</a>.</p>
-
-    <p></p>
-    <hr />
-
     <h2><a id="systemsettings" name="systemsettings">Protecting
     System Settings</a></h2>

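Review bot: this removal is the other half of the relocation and checks out: apart from the reworded first sentence, the removed lines match the block inserted after the Server Side Includes section, and taking the trailing `<p></p>` and `<hr />` with them leaves exactly one separator before `Protecting System Settings`, so no section ends up with a doubled or missing rule.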
@@ -276,8 +280,80 @@
     <dl>
       <dd><samp>UserDir&nbsp;disabled&nbsp;root</samp></dd>
     </dl>
+
+    <p></p>
     <hr />

+    <h2><a id="watchyourlogs" name="watchyourlogs">
+    Watching Your Logs</a></h2>
+
+    <p>To keep up-to-date with what is actually going on against your server
+    you have to check the <a href="../logs.html">Log Files</a>.
+    Even though the log files only reports what has already happend, they will give
+    you some understanding of what attacks is thrown against the server
+    and allows you to check if the necessary level of security is present.</p>
+
+    <p>A couple of examples:</p>
+   <ol>
+   <li><samp>grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log</samp></li>
+   <li><samp>grep "client denied" error_log | tail -n 10 </samp></li>
+    </ol>
+
+   <p>The first example will list the number of attacks trying to exploit the
+   <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat Source.JSP
+   Malformed Request Information Disclosure Vulnerability</a>, the second example will
+   list the ten last denied clients, for example:</p>
+
+  <dl>
+  <dd><samp>[Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client denied
by
+  server configuration: /usr/local/apache/htdocs/.htpasswd</samp></dd>
+  </dl>
+
+    <p>As you can see, the log files only report what already has happend, so if the
client
+   had been able to access the <samp>.htpasswd</samp> file you would have seen
something
+   similar to <samp>foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"</samp>
+   in your <a href="../logs.html#accesslog">Access Log</a>. This means you probably
commented out
+   the following in your server configuration file:</p>
+
+   <pre>
+   &lt;Files ~ "^\.ht"&gt;
+    Order allow,deny
+    Deny from all
+   &lt;/Files&gt;
+   </pre>
+
+    <hr />
+
+    <h2><a id="usingpassphrases" name="usingpassphrases">
+    Using Passphrases instead of Passwords</a></h2>
+
+    <p>If you are using any form of <a href="../howto/auth.html.en">Authentication</a>
+    the biggest problem besides a faulty configuration is the usage of bad passwords.
+    Since Apache lets you choose a password without checking it's strength it allows
+    you to set password <samp>joed</samp> for user <samp>joed</samp>,
which
+    means that any visitor could guess the password in a very small amount of time
+    if the user name was known to him or her.</p>
+
+    <p>Since passwords tend to be modifications of known words like <samp>us3r</samp>
+    it is better to use so called passphrases. Passphrases are basically passwords that
+    is built around a phrase instead of a word.</p>
+
+    <p>A Step-by-step guide to creating a passphrase:</p>
+
+    <ol>
+     <li>Choose a phrase that is pretty easy to remember. The phrase "The number one
+     HTTP server on the Internet" will be used in this example.</li>
+     <li>Take the first letter of each word and merge them into one. The above phrase
+     would result in the <samp>TnoHsotI</samp> passphrase.</li>
+     <li>Since <samp>TnoHsotI</samp> only contains upper and lower case
letters we need
+     to modify it a bit more. With a little bit of imagination the upper case version of
the letter
+    <samp>t</samp> looks like a 7 and <samp>o</samp> looks like a
0.
+    The finished passphrase is therefor <samp>7n0Hs0tI</samp>.</li>
+    </ol>
+
+   <p></p>
+   <hr />
+
     <p>Please send any other useful security tips to The Apache
     Group by filling out a <a href="http://bugs.apache.org/">
     problem report</a>. If you are confident you have found a
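Review bot: the first log-checking example, `<li><samp>grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log</samp></li>`, will almost always print 0: the quoted string is one pattern containing a space, so grep looks for the literal sequence `source.jsp?/jsp/ /jsp/source.jsp??` within a single request line rather than for either of the two request forms the advisory describes. Pass them as separate patterns, e.g. `grep -c -e "/jsp/source.jsp?/jsp/" -e "/jsp/source.jsp??" access_log` (in basic regex an unescaped `?` is literal, so no escaping is needed). Two further problems with this hunk: despite the cover note, the mail client wrapped several long lines (the error_log sample breaks after `client denied` onto a bare `by`, and seven more lines in the Watching Your Logs and Passphrases text are split the same way), leaving continuation lines with no leading `+` that will make `patch` reject the hunk, so it should be resent as an attachment or with wrapping disabled. Finally, the new prose needs a spelling and grammar pass: "happend" (twice) for "happened", "what attacks is thrown" for "what attacks are thrown", "the log files only reports" for "only report", "checking it's strength" for "its strength", "passwords that is built" for "that are built", and "therefor" for "therefore"; the passphrase derivation itself (`TnoHsotI` becoming `7n0Hs0tI`) is consistent with the phrase given.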
@@ -288,4 +364,6 @@
     <p><!--#include virtual="footer.html" --></p>
   </body>
 </html>
+
+

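Review bot: this hunk only appends two blank lines after `</html>`; that trailing whitespace carries no content and will show up as noise in every later diff of the file, so drop it from the patch.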