httpd-users mailing list archives

From "Jeremy Tinley" <jtin...@unirez.com>
Subject RE: [users@httpd] how to block hackers ?
Date Tue, 21 Jan 2003 16:37:01 GMT
DocumentRoot is a chroot environment, meaning someone can't access
http://yourserver/../../etc/passwd, however, if they have access to the
filesystem, this is still an option.

To be honest, if you're not using shadows in place of the passwd file, you're
asking for trouble to begin with.

The workarounds really depend upon what kind of environment you have set up.
If there will be trusted vs. untrusted users accessing your machine, what type
of content you are serving, etc.  If you feel comfortable, provide some detail
as to what this server will be doing so that others can make more meaningful
suggestions about your environment:

Who has access to change the content?
Are you going to be allowing FTP access or will the modifications come
directly on the server?
If so, are these users trusted users, employees, or customers?

As for your other question, there is a directive for the httpd.conf file (that
usually comes turned on by default) that disallows viewing of the .htaccess
files, so yes, you can restrict certain IPs (either blocked, or allowed) to
certain actions.

-J

-----Original Message-----
From: R'twick Niceorgaw [mailto:public@utkalika.net] 
Sent: Tuesday, January 21, 2003 10:26 AM
To: apache user list
Subject: [users@httpd] how to block hackers ?

Hi all,
is there any way I can specify in httpd.conf or htaccess file to deny access
to a specific IP if certain criteria are met in the request, like if someone
tries to access /.htaccess or ../../etc/passwd ?

Regards
R'twick



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
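
An added example, not part of either message above and not Apache project code: one way to act on the question from the access log, by finding clients that requested `.ht*` files or sent `..` path segments and emitting `Deny from` lines (the mod_access syntax of the Apache versions current in this thread). The log lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jan/2003:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [21/Jan/2003:10:01:05 +0000] "GET /.htaccess HTTP/1.0" 403 210
203.0.113.44 - - [21/Jan/2003:10:01:09 +0000] "GET /../../etc/passwd HTTP/1.0" 400 226
203.0.113.44 - - [21/Jan/2003:10:01:11 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 208
192.0.2.10 - - [21/Jan/2003:10:02:00 +0000] "GET /docs/what..is.html HTTP/1.0" 200 512
"""

# client address and request path from a Common Log Format line
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')

def classify(raw_path):
    """Return 'traversal', 'htfile' or None for one request path."""
    # Drop the query string, decode twice (catches %252e), normalise backslashes.
    path = unquote(unquote(raw_path.split("?", 1)[0])).replace("\\", "/")
    segments = path.split("/")
    if ".." in segments:          # whole-segment match, so "what..is.html" is fine
        return "traversal"
    if any(s.lower().startswith(".ht") for s in segments):
        return "htfile"
    return None

def offenders(log_text, threshold=1):
    """Map client -> list of reasons, keeping clients with >= threshold hits."""
    hits = {}
    for line in log_text.splitlines():
        m = CLF.match(line)
        reason = classify(m.group(2)) if m else None
        if reason:
            hits.setdefault(m.group(1), []).append(reason)
    return {c: r for c, r in hits.items() if len(r) >= threshold}

def deny_lines(found):
    """Render httpd.conf / .htaccess lines for the flagged clients."""
    out = []
    for client in sorted(found):
        try:
            ipaddress.ip_address(client)
        except ValueError:
            continue  # hostname or malformed field: never copy it into config
        out.append("Deny from %s" % client)
    return out

if __name__ == "__main__":
    print("\n".join(deny_lines(offenders(SAMPLE_LOG))))
```

Review the output before including it in a configuration: a shared proxy or NAT address can put legitimate users behind a flagged client.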


